The Zed Assault Proxy (ZAP) staff has launched the OWASP PTK add-on, model 0.2.0 alpha, integrating the OWASP Penetration Testing Equipment (PTK) browser extension instantly into ZAP-launched browsers.
This streamlines utility safety testing by embedding DAST, IAST, SAST, SCA, and specialised instruments like JWT and cookie editors with out handbook setup. Out there through the ZAP Market, the add-on pre-installs PTK in Chrome, Edge, and Firefox periods proxied via ZAP.
Customers set up the OWASP PTK add-on from ZAP’s Market, then launch a supported browser through ZAP’s characteristic. The PTK icon seems instantly, permitting login to targets and initiation of scans. ZAP handles visitors seize, web site tree, historical past, and session administration, whereas PTK supplies browser-native testing instruments.
PTK’s DAST allows runtime scans throughout regular looking: begin scan, navigate key flows like kinds and admin pages, cease, and evaluate findings.
Very best for SPAs reliant on consumer interactions, it recommends tuning requests per second and concurrency for manufacturing stability, with tight area scoping to reduce noise. Findings combine with ZAP for re-testing through request instruments.
IAST screens browser runtime conduct, injecting brokers throughout scans for alerts past response evaluation. Begin monitoring, browse authenticated routes, then triage DOM mutations and client-side rendering points.
This excels in UI-state dependent apps, providing fast context for pen testers staying throughout the browser workflow.
SAST analyzes inline and exterior scripts loaded in manufacturing, recognizing sinks and patterns with out repo entry. Run on present pages, pivot findings to DAST/IAST for validation, particularly helpful for third-party scripts in SPAs. SCA reveals dependency dangers from working apps, reviewing packages with ZAP context for loading behaviors.
Request Builder facilitates speedy iteration: edit visitors from ZAP historical past, replay assaults, clone as cURL, or manipulate headers. JWT instruments decode tokens, alter claims/algorithms, and take a look at enforcement like exp or weak HMAC, replaying through ZAP for response diffs. Cookie instruments allow modifying, blocking, or exporting for session reproducibility.
A sensible routine begins with ZAP-proxied browser login, adopted by PTK DAST/IAST throughout flows, SAST/SCA for static alerts, and JWT/cookie validation.
This combo leverages ZAP because the proxy hub and PTK for focused browser testing, enhancing protection on trendy net apps. Emphasize permission-based lively scans and conservative settings.
The discharge, introduced January 19, 2026, marks a milestone in ZAP-PTK synergy, developed with contributions from Denis Podgurskii. Pen testers acquire environment friendly, context-aware testing for authenticated, dynamic functions.
Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.
