
Modern Dynamic Analysis suggestions - OWASP ZAP and w3af 404/timeout #2283

Open
cipherboy opened this issue Feb 14, 2025 · 1 comment

@cipherboy

Under the dynamic analysis tools:

> A dynamic analysis tool examines the software by executing it with specific inputs. For example, the project MAY use a fuzzing tool (e.g., American Fuzzy Lop) or a web application scanner (e.g., OWASP ZAP or w3af). In some cases the OSS-Fuzz project may be willing to apply fuzz testing to your project. For purposes of this criterion the dynamic analysis tool needs to vary the inputs in some way to look for various kinds of problems or be an automated test suite with at least 80% branch coverage. The Wikipedia page on dynamic analysis and the OWASP page on fuzzing identify some dynamic analysis tools. The analysis tool(s) MAY be focused on looking for security vulnerabilities, but this is not required.

AFL/OSS-Fuzz aren't applicable in all situations and general REST API analysis tooling recommendations are useful. It looks like w3af hasn't seen commits in years: https://github.com/andresriancho/w3af -- and OWASP ZAP might have moved to a new home at https://github.com/zaproxy ?

Are there other recommendations for dynamic analysis tools, especially for API-driven services? Perhaps based on OpenAPI scanning?

@psiinon
Contributor

psiinon commented Feb 17, 2025

ZAP is no longer an OWASP project, and the correct URL is https://www.zaproxy.org/
For other DAST tools see https://github.com/psiinon/open-source-web-scanners 😁
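The OpenAPI-driven scanning the issue asks about, reduced to its core: read the spec, vary each parameter one at a time from a nominal request, and flag responses that indicate a problem (a 5xx or stack trace, or a 200 for a value the schema says is not allowed). This is the "vary the inputs" behaviour the quoted criterion requires, aimed at a REST service. It is an added example, not code from this issue, from ZAP, w3af or any project on the linked scanner list; the OpenAPI document, the in-process target server and the mutation values are all constructed for the example so it runs offline.

```python
"""OpenAPI-driven input variation against a REST API.

Added example; not code from this issue, from ZAP, w3af or any project on
the linked scanner list. The spec, the target server and the mutation
lists below are constructed here so the script runs offline.
"""
import json

# Constructed OpenAPI 3 document for a hypothetical API (not a real project's).
SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/users/{id}": {
            "get": {
                "parameters": [
                    {"name": "id", "in": "path", "required": True,
                     "schema": {"type": "integer", "minimum": 1, "maximum": 1000}},
                    {"name": "verbose", "in": "query",
                     "schema": {"type": "boolean"}},
                ]
            }
        }
    },
}


def variants_for(schema):
    """Nominal value first, then boundary, type-confusion and injection-style
    values for one parameter schema (duplicates removed, order kept)."""
    kind = schema.get("type")
    if kind == "integer":
        lo = schema.get("minimum", 0)
        hi = schema.get("maximum", 2**31 - 1)
        raw = [lo, hi, lo - 1, hi + 1, -1, 2**63, "abc", "1 OR 1=1", ""]
    elif kind == "boolean":
        raw = [True, False, "maybe", ""]
    else:  # anything else is treated as a string
        raw = ["x", "", "A" * 4096, "' OR '1'='1", "../../etc/passwd"]
    return list(dict.fromkeys(raw))


def conforms(value, schema):
    """True if value lies within the declared schema (a bool is not an integer)."""
    kind = schema.get("type")
    if kind == "integer":
        return (isinstance(value, int) and not isinstance(value, bool)
                and schema.get("minimum", float("-inf")) <= value
                <= schema.get("maximum", float("inf")))
    if kind == "boolean":
        return isinstance(value, bool)
    return isinstance(value, str)


def probe(spec, send):
    """Mutate one parameter at a time from nominal values and collect findings.
    `send(method, path, query) -> (status, body)` is the transport, so the
    same logic works against an in-process stub or a real HTTP client."""
    findings = []
    for path_tmpl, ops in spec["paths"].items():
        for method, op in ops.items():
            params = op.get("parameters", [])
            nominal = {p["name"]: variants_for(p["schema"])[0] for p in params}
            for target in params:
                for value in variants_for(target["schema"]):
                    values = dict(nominal, **{target["name"]: value})
                    path, query = path_tmpl, {}
                    for p in params:  # place every parameter where the spec says
                        if p["in"] == "path":
                            path = path.replace("{%s}" % p["name"], str(values[p["name"]]))
                        else:
                            query[p["name"]] = str(values[p["name"]])
                    status, body = send(method.upper(), path, query)
                    reason = None
                    if status >= 500 or "Traceback" in body:
                        reason = "server error or stack trace"
                    elif status == 200 and not conforms(value, target["schema"]):
                        reason = "accepted value outside declared schema"
                    if reason:
                        findings.append({"method": method.upper(), "path": path,
                                         "query": query, "status": status,
                                         "reason": reason})
    return findings


def fake_server(method, path, query):
    """Constructed in-process stand-in for the service under test, with two
    deliberate defects: a non-numeric id crashes the handler (500 with a
    stack trace in the body) and the 1..1000 range is never enforced."""
    parts = path.strip("/").split("/")
    if method == "GET" and len(parts) == 2 and parts[0] == "users":
        try:
            uid = int(parts[1])
        except ValueError as exc:
            return 500, "Traceback (most recent call last): ...\nValueError: %s" % exc
        return 200, json.dumps({"id": uid, "verbose": query.get("verbose")})
    return 404, "not found"


if __name__ == "__main__":
    for f in probe(SPEC, fake_server):
        print(f["status"], f["method"], f["path"], f["query"], "->", f["reason"])
```

To point this at a live service, replace `fake_server` with a function that issues the request over HTTP (for example with `requests`) and returns the status code and body; everything else stays the same. A real scanner such as ZAP's OpenAPI import does the same expansion with far larger payload sets and response analysis, so treat this as the shape of the check rather than a substitute for one.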
