OWASP ZAP (Zed Attack Proxy) is a powerful tool meant to help web developers and IT security professionals find security vulnerabilities in web applications, either automatically trough a series of scanners or manually through classic penetration testing methods.
As you've probably already figured out, OWASP ZAP is not a tool for any casual users. It's meant to be used by functional testers, web developers, and other people with enough experience in penetration testing or at least in general IT security. Anyway, its interface is intuitive and self-explanatory, and that's quite surprising when taking into consideration the fact that OWASP ZAP is also a comprehensive and feature-rich tool. For example, it can be used as an accurate intercepting proxy that lets you view the requests made to a web app and their responses, including AJAX calls. By setting breaking points one can even control these requests and responses live as they happen. Another cool feature of this powerful tool is the fact that it provides multiple “spiders” (tools to discover new resources (URLs) on a specific website), including one that supports AJAX. There are also both passive and active scanners that look to detect potential vulnerabilities by using known attacks against the selected target, as well as a “fuzzer” that lets you submit a large amount of invalid or unexpected data to a target to test its reaction. These are just a few of the many features, functions and built-in tools that OWASP ZAP provides. And the best thing about it is that it's an open source tool that can be used and modified freely by anyone.
It's also easy to install, as it only requires Java, and impressively effective, as it's a community-based utility that resulted from the collaboration of brilliant minds.
v2.4 [Apr 16, 2015]
Enhancements:
Issue 1576 : Define URL path elements as 'non structural'
Issue 1711 : Feature request: Option to specify number of token to be generated.
Issue 1768 : Update to use a more recent user-agent
Issue 1894 : ZAP only scans "User-Agent", "Referer", and "Host" request headers
Issue 1911 : Search AJAX spider requests
Issue 1913 : Pass all params across to zap.sh - debian package
Issue 1914 : Multiple add-on directories
Issue 1920 : Report the host:port ZAP is listening on in daemon mode, or exit if it cant
Issue 1927 : Enhancement: Break only for in-scope URLs.
Issue 1944 : Chart responses per second in ascan progress
Issue 1953 : Allow to spider a context through the ZAP API
Issue 1962 : Install and update add-ons from the command line
Issue 1975 : RC4-SHA SSL cipher suite not supported
Issue 1980 : Add ZAP CLI to Docker images
Issue 1985 : Bring up the Modify dialog if the user doubles on a row in a AbstractMultipleOptionsBaseTablePanel
Issue 2009 : Add Online links to the FAQ and Newsletter pages
Issue 2084 : Warn users if they are probably using out of date versions
Issue 2086 : Report request counts per plugin
Issue 2088 : Support an 'update all' button for installing all updated add-ons
Issue 2094 : Support a '-addoninstallall' command line option
Issue 2102 : Allow ajax spider options to be set via the API
Bug fixes:
Issue 1070 : Breaking on custom URL with query parameters does not work.
Issue 1555 : SAXParseException while generating the report
Issue 1617 : ZAP 2.4.0 throws HeadlessExceptions when running in daemon mode on headless machine
Issue 1877 : fix path to .ZAP_JVM.properties in zap.sh
Issue 1893 : Regression: Can't disable and enable specific scanners through the API
Issue 1910 : API does not return content in the expected encoding, on errors
Issue 1917 : Request and Response tabs dont scale the text
Issue 1939 : Scripts - Save Button Enablement Issue
Issue 1949 : Script with missing type prevents scripts and templates from being loaded
Issue 1950 : Connection closed without response, with an Authentication script with errors
Issue 1951 : Exception when trying to add users before loading an authentication script
Issue 1960 : Active Scan dialogue might use outdated scan policy
Issue 1969 : Issues with installation of scanners
Issue 1970 : Installed add-on dependencies might not be taken into account when installing add-ons
Issue 1973 : Returned HAR/list does not contain correct redirection messages
Issue 1981 : Spider might not report the correct number of URIs found
Issue 2005 : Active scanning incorrectly performed on sibling nodes
Issue 2044 : Issues in Hirschberg's algorithm implementation
Issue 2045 : Dont copy old configs if -dir option used
Issue 2052 : Authentication changes done through the API not saved to session
The Remote Debugger Installation is intended for computers without Visual Studio
