Re: Zed Attack Proxy (ZAP)
Just my 2 cents on the matter.Originally Posted by psiinon
My comments about Ratproxy, skipfish and Fiddler2 + Watcher are based on my current understanding of these tools - please correct me if I'm wrong about anything
[snip]
ZAP is not really aimed at such people, although I'm sure they can have a quick look at the functionality it provides and work out if it could fit into their toolbox. They might find it useful for an initial assessment before breaking out the specialist tools.
Does that answer your question?
Psiinon
You cannot (and should not) compare skipfish or ratproxy with ZAP, webscarab, burp, fiddler or any other intercepting proxy.
Skipfish is a pattern recognition based scanner (much like nikto) with a focus on web apps. It tries to identify files with known vulnerabilities based on a fingerprint. As such it does not try to find issues based on request/response and it does not work well with custom software.
Ratproxy does try to find vulnerabilities based on requests and responses but can only be used as a parallel scanner. So you start ratproxy, browse the website, stop the proxy and read the report. It is not possible to modify requests on-the-run and you have to stop the proxy before you can see the results.
ZAP is an intercepting proxy and should be compared with other intercepting proxies (as mentioned before). If you look at the 'competition' I think ZAP can claim a good spot in the market. Paros (free (on which ZAP is based)) hasn't had an update in ages and although nightly builds for webscarab are being greated each night no real new functionalities have been added for the last year (correct me if I'm wrong on this one, but looking at the java package I cannot find any).
Burp is being maintained fairly well, but you need to buy a (although cheap) license to really unleash it's power. Fiddler/watcher is nice, but targeted at a Windows/IE platform and does indeed not include an active scanner.
Concluding; I think ZAP has great potential and is not just a 'beginners' tool. I think with a few releases it will outperform paros, webscarab, and fiddler and will only have Burp Suite Pro as it's master ...
(for the record; I am not involved whatsoever in the development of ZAP, webscarab or any other tool but I am speaking from professional experience with the tools).
