There are various ways you can extend ZAP, as documented below.
Note that this is just an overview, there are some basic working examples in the ZAP Extensions project which will be added to in the future.
If you have any questions then please ask them on the zaproxy-develop Google Group.
You can get ZAP to automatically tag requests and responses via:
Tools / Options... / Passive Scan / "Add / Edit scan definition"
You can invoke other applications from ZAP passing across the context information.
For more details see the Options Application screen in the User Guide.
You can add your own fuzzing files by via:
Tools / Options... / Fuzzer / Add custom Fuzz file
You can add your own forced browse files by via:
Tools / Options... / Forced Browse / Add custom Forced Browse file
The REST based API allows 'external' applications to access ZAP data and to invoke ZAP functionality.
For more details see the ZAP API section of this wiki.
Filters add extra features that can be applied to every request and response.
To implement a new Filter extend the class FilterAdaptor
For examples see the org.parosproxy.paros.extension.filter package.
Filters are loaded from the 'filters' directory.
Active Scan rules find potential vulnerabilities by attacking the target application.
New Active Scan rules should be added to org.zaproxy.zap.extension.ascanrulesAlpha package.
Active scan rules are loaded from the 'plugins' directory.
Passive Scan rules find potential vulnerabilities just by examining the requests and responses in a background thread. They should not make any changes.
New Passive Scan rules should be added to org.zaproxy.zap.extension.pscanrulesAlpha package.
Passive scan rules are loaded from the 'plugins' directory.
Full extensions can add functionality to ZAP, including new tabs, pop windows, menu items etc.
For more details see ZAP Extensions