Zed Attack Proxy - An easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

OWASP Zed Attack Proxy Project

OWASP Zed Attack Proxy Project (ZAP), provides an easy to use integrated penetration testing tool for testing web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who a new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Some of ZAP's features:

• Intercepting Proxy
• Automated scanner
• Passive scanner
• Brute Force scanner
• Spider
• Fuzzer
• Smartcard and Client Digital Certificates support
• Port scanner
• Dynamic SSL certificates
• API
• Beanshell integration

Current Release - 
ZAP 1.4.0 - 08/04/2012 - (download)

Release description: This release includes the following significant changes:

• Plugable extensions: Full extensions can now be plugged into ZAP dynamically with full access to all of ZAPs features.
• Syntax highlighting in the Response Panel: The HTML panels now support switchable syntax highlighting.
• fuzzdb integration: The fuzzer now includes fuzzdb (http://code.google.com/p/fuzzdb/) fuzzing files.
• Parameter analysis: A new Params tab shows a summary of all of the parameters a site has used.
• Enhanced XSS scanner: The Cross Site Scripting active scanner has been rewritten from scratch to find more potential XSS issues and report fewer false positives.
• Watcher passive checks ported to ZAP: Different checks have been ported from Watcher to ZAP (thanks to Chris Weber for permission).
• Tons of bug-fixes and minor improvements. 

The current version of ZAP is 1.4.0.1.
ZAP is ideal for Security Regression Tests - see this video on Youtube

Visit Website -

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

For more information -

http://blog.spiderlabs.com/2012/03/modsecurity-advanced-topic-of-the-week-automated-virtual-patching-using-owasp-zed-attack-proxy.html

http://sourceforge.net/projects/zap.owasp/

http://holisticinfosec.org/toolsmith/pdf/november2011.pdf

http://blog.jaffamonkey.com/2011/11/03/zed-attack-proxy/

Installation -

1. Download Zed Attack Proxy (ZAP), and install
2. Run Zed Attack Proxy (ZAP)
3. Go to Tools -> Options -> Connections, and set proxy settings to match your browser proxy settings (and proxy exclusions)
4. Go to Tools -> Options -> Local proxy and enter localhost (port: 85),
5. In your browser of choice, set proxy in LAN settings to localhost (port: 85), and clear the proxy exclusions list.
6. Access a test site URL to verify settings all applied correctly (The Zed Attack Proxy “Sites” window should populate with all URL’s visited)
7. If the site requires Authentication, go to Tools -> Options -> Authentication, and add details in the table.
8. Run Active Scan on root URL (Click Active Scan tab, and select URL from dropdown if not already selected).
9. Click Report -> Generate HTML report, to view issues found.
10. Run Spider test, which will pick up on 404 errors, missing URL references, and help you identify redundant file calls.