Zed Attack Proxy 2.0.0!

[Nytro]

[h=1]Zed Attack Proxy 2.0.0![/h]by Mayuresh on February 13, 2013

Wow! It’s been some time since we last posted about ZAProxy! Our first post regarding the Zed Attack Proxy or the OWASP Zed Attack Proxy can be found here. Now, an updated Zed Attack Proxy version 2.0.0 was released! This version includes an integrated add-ons marketplace, a new Ajax spider, Session scope, and various other features and improvements have been added.

“The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox. ZAProxy provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.”

[h=2]Zed Attack Proxy 2.0.0 official change log:[/h]

• An integrated add-ons marketplace: ZAP can be extended by add-ons that have full access to all of the ZAP internals. Anyone can write add-ons and upload them to the ZAP Add-on Marketplace (OK, so its a Google code project called zap-extensions, but you get the idea).More importantly you can now browse, download and install those add-ons from within ZAP. Most add-ons can be dynamically installed (and uninstalled) so you wont even need a restart.You can choose to be notified of updates, and even be automatically updated. And as the scan rules are now implemented as add-ons you can get the latest rules as soon as they are published.
  
• A replacement for the ‘standard’ Spider: The ‘old’ Spider was showing its age, so its been completely rewritten, and is much faster and more comprehensive than the old one. This is still a ‘traditional’ spider that analyses the HTML code for any links it can find.
  
• A new ‘Ajax’ spider: In addition to the ‘traditional’ spider we’ve added an Ajax spider which is more effective with applications that make heavy use of JavaScript. This uses the Crawljax project which drives a browser (using Selenium) and so can discover any links an application generates, even ones generated client side.
  
• Web Socket support: ZAP now supports WebSockets, so ZAP can now see all WebSocket messages sent to and from your browser. As with HTTP based messages, ZAP can also intercept WebSocket messages and allows you to change them on the fly. You can also fuzz WebSockets messages as well using all of the fuzzing payloads included in ZAP from projects like JBroFuzz and fuzzdb. And of course you can easily add your own fuzzing files.
  
• Quick Start tab: The first main tab you will now see is a ‘Quick Start’ tab which allows you to just type in a URL and scan it with one click. This is an ideal starting point for people new to application security, but experts can easily remove it if they find it distracting.
  
• Session awareness: ZAP is now session aware, so it can recognise and keep track of multiple sessions. It allows you to create new sessions, switch between them, and applies to all of the other components, like the Spider and Active Scanner.
  
• User defined Contexts: You can now define any number of ‘contexts’ – related sets of URLs which make up an application. You can then target all URLs in a context, for example using the Spider or Active Scanner. You can also add the contexts to the scope, and associate other information, such as authentication details.
  
• Session scope: The session scope allows you to specify which contexts you are interested at any one time. You can restrict what you see in various tabs to just the URLs in scope, and prevent accidentally attacking URLs not in scope by using the Protected mode.
  
• Different modes: ZAP now supports 3 modes:
  
  • Safe, in which no potentially dangerous operations permitted
    
  • Protected, in which you can perform any actions on URLs in scope
    
  • Standard, in which you can do anything to any URLs
    

  [*]A scripting console: This allows you to access any internal ZAP data structures dynamically using any scripting language that supports JSR 223,

  [*]Authentication handling: You can now associate authentication details with any context, which allows ZAP to do things like detect if and when you are logged out and automatically log you back in again. This is especially useful when used via the API in security regression tests.

  [*]More API support: The REST API has been significantly extended, giving you much more access to the functionality ZAP provides.

  [*]Fine grained scanning controls

  [*]The active scan rules can now be tuned to adjust their strength (the number of attacks they perform) and the threshold at which they report potential issues.

  [*]New and improved active and passive scanning rules

  [*]We have uploaded the results from running ZAP 2.0.0 against wavsep (the most comprehensive open source evaluation project we are aware of) to the ZAP wiki: TestingWavsep - zaproxy - OWASP ZAP: An easy to use integrated penetration testing tool for finding vulnerabilities in web applications. - Google Project Hosting

  [*]Many stability and usability fixes

[h=3]Download Zed Attack Proxy:[/h] Zed Attack Proxy 2.0.0 – ZAP_2.0.0_Windows.exe/ZAP_2.0.0_Linux.tar.gz/OWASP_ZAP_2.0.0_OSX-b.zip

Sursa: Zed Attack Proxy version 2.0.0! — PenTestIT