OWASP ZAP — Security testing technique

Kailayapathy Suthagar
2 min read · Mar 26, 2017


OWASP stands for Open Web Application Security Project. It helps developers, web architects and QA analysts understand the risks associated with the most common web application security vulnerabilities.

It is free and open source for developers. It provides web application security tools, libraries and standards, and developers can find complete books on secure code development, web application security testing and security code review. So those who are new to the industry need not worry about security problems while developing: all the materials for development and testing are provided through OWASP.

OWASP ZAP stands for Open Web Application Security Project Zed Attack Proxy. ZAP is a penetration testing tool for finding vulnerabilities in web applications. It was designed to be used by developers and QA people with a wide range of security experience, and it is an excellent tool for new developers and QA testers who are new to penetration testing and to the industry. The common features of ZAP are listed below:

  • ZAP is completely free to all and an open source project.
  • It is cross-platform.
  • ZAP is easy to install and quite easy to use for developers (for freshers too).
  • It is an internationalized project, maintained by security specialists and fully documented, so it is very useful to developers.
  • It provides tools to intercept and modify HTTPS, HTTP and WebSocket traffic.
  • It provides three types of scanners: the automated scanner, the passive scanner and the brute force scanner.
  • ZAP works as a spider. Spiders crawl through data and find connection points in nodes. Web spiders follow links, sources and anchors in HTML, JS and CSS. Every time a connection is found, it is added to the source tree, creating a hierarchical data structure known as a search tree [1].
(Figure: source tree created by the ZAP Spider (source))
  • ZAP contains fuzzing techniques. Fuzzing is the process through which testers feed invalid or unexpected data to the target application. Developers or testers fuzz their application to break or crash it with unexpected inputs [2].
  • It provides dynamic SSL certificates and the required APIs.
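As an added example, not code from the original post or from the ZAP project, the following Python sketches in miniature what the Spider and Fuzzer features above do: a breadth-first crawler that follows href, src and action attributes plus quoted paths in script bodies and builds a hierarchical site tree, and a fuzzer that feeds unexpected inputs to a request handler and reports what it accepts and what it crashes. The site contents (hypothetical host example.test), the fetch stand-in and the quantity_handler target are constructed for the example so it runs offline; the spider keeps to the starting host, the way a scoped scan would.

```python
"""Toy spider and toy fuzzer illustrating two ZAP features (added example, not ZAP code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site (hypothetical host example.test): URL -> response body.
# It stands in for live HTTP responses so the example runs offline.
SITE = {
    "http://example.test/": '<a href="/login">Login</a><a href="/docs/">Docs</a>'
                            '<script src="/static/app.js"></script>',
    "http://example.test/login": '<form action="/login" method="post"><input name="qty"></form>',
    "http://example.test/docs/": '<a href="/docs/api">API</a><a href="/">Home</a>'
                                 '<a href="https://other.test/x">External</a>',
    "http://example.test/docs/api": '<a href="/docs/">Back</a>',
    "http://example.test/static/app.js": "fetch('/api/health');",
}


def fetch(url):
    """Stand-in for an HTTP GET: the body for known URLs, None for a 404."""
    return SITE.get(url)


class LinkExtractor(HTMLParser):
    """Collects href, src and action attributes: the anchors and sources a spider follows."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def extract_links(page_url, body):
    """Links from HTML attributes plus quoted absolute paths in JS/CSS, resolved against the page."""
    parser = LinkExtractor()
    parser.feed(body)
    found = parser.links + re.findall(r'[\'"](/[A-Za-z0-9_./-]*)[\'"]', body)
    return [urljoin(page_url, link) for link in found]


def spider(start, fetch_fn=fetch, max_pages=100):
    """Breadth-first crawl limited to the start host. Returns (site tree, sorted reachable URLs).
    The tree nests path segments, like the Sites tree ZAP builds while spidering."""
    scope = urlparse(start).netloc
    tree, reachable, seen, queue = {}, [], set(), [start]
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen or urlparse(url).netloc != scope:
            continue                      # already visited, or out of scope
        seen.add(url)
        body = fetch_fn(url)
        if body is None:
            continue                      # 404: nothing to add, nothing to follow
        reachable.append(url)
        node = tree
        for segment in urlparse(url).path.split("/"):
            if segment:                   # skip the empty segments around "/"
                node = node.setdefault(segment, {})
        queue.extend(link for link in extract_links(url, body) if link not in seen)
    return tree, sorted(reachable)


# --- Fuzzer: unexpected inputs against a request handler, recording what breaks ---

def quantity_handler(raw):
    """Constructed target: handles the 'qty' form field and assumes a short ASCII decimal."""
    qty = int(raw)
    if qty < 0:
        raise ValueError("quantity must not be negative")
    return qty


# Constructed payloads: empty, negative, non-numeric, control byte, a non-ASCII digit,
# padded input and an oversized number.
FUZZ_PAYLOADS = ["7", "", "-1", "1e3", "abc", "1;--", "\x00", "\u0663", " 7 ",
                 "99999999999999999999"]


def fuzz(handler, payloads):
    """Runs every payload through the handler; returns accepted payloads and crashes
    grouped by exception type. Unexpected inputs the handler accepts (here a
    non-ASCII digit, padded input and a huge value) are findings just like crashes."""
    report = {"accepted": [], "crashed": {}}
    for payload in payloads:
        try:
            handler(payload)
            report["accepted"].append(payload)
        except Exception as exc:
            report["crashed"].setdefault(type(exc).__name__, []).append(payload)
    return report


if __name__ == "__main__":
    site_tree, urls = spider("http://example.test/")
    print("site tree:", site_tree)
    print("reachable:", urls)
    print("fuzz report:", fuzz(quantity_handler, FUZZ_PAYLOADS))
```

The crawler never leaves example.test, mirroring the scope control a real spider needs so that a scan does not wander onto hosts you are not authorised to test. The fuzz report shows both halves of what fuzzing teaches: the inputs that raise (all ValueError here) and the inputs the handler quietly accepts although the developer never expected them, such as the Arabic-Indic digit "\u0663", which Python's int() converts to 3.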

References
[1] https://security.stackexchange.com/questions/135442/what-wordlist-does-owasp-zap-spider-use
[2] http://findnerd.com/list/view/Fuzzing-with-ZAP/4684/




Written by Kailayapathy Suthagar

Software Engineer @ Sysco Labs, Google Summer of Code Intern @ OpenMRS
