Release 2.3.0
The following changes were made in this release:
Significant changes:
ZAP ‘lite’ version
For this release we are providing a ‘lite’ version of ZAP in addition to the ‘full’ version.
This contains exactly the same core code, but it just includes fewer default add-ons.
Of course, you can download all of the ‘missing’ add-ons from the ZAP marketplace to ‘upgrade’ the lite version to a full one.
The ‘lite’ version is aimed at people new to security who need less initial functionality which will hopefully be easier to get started with. It will also be suitable for people looking for a smaller download or those wishing to customize exactly which add-ons they install.
Support for client-side (browser) events
You can now view, intercept, manipulate, resend and fuzz client-side events. This includes postMessages, so you can now detect DOM based XSS vulnerabilities in postMessages. This is the first phase in a series of planned changes to support the testing of AJAX and HTML5 applications even more effectively.
Enhanced authentication support
ZAP's support for authentication has been completely revamped to easily handle complex types of authentication methods and scenarios. Support has also been added for user-defined scripts which allow you to handle custom authentication schemes. In addition, now ZAP understands and allows you to configure web applications' Users so various actions throughout ZAP can be performed from the point of view of defined users. To get started, check out the new Authentication and Users panels in the Session Properties for each of the defined Contexts.
Support for non standard apps
This release includes support for ‘single page’ applications and non standard key-value separators. You can now control these settings via the new Structure panel in the Session Properties.
New Input Vectors including user-defined scripts
ZAP supports new options for defining the input vectors i.e. the elements of a request that ZAP will attack. The new options are available in the Active Scan Input Vectors panel of the Options. Support has also been added for defining custom scripts that define new input vectors.
Scan policy - fine grained control
The scan policy now has a fine grained control, allowing you to tweak individual scanner rules. You can also define, load and save scan policies, allowing you to maintain a set of policies that work well in different circumstances.
In addition, by default ZAP will not now scan well-known service parameters (e.g. __VIEWSTATE) speeding up the overall scanning process. This is completely user configurable, allowing you to specify exactly which parameters ZAP should ignore.
Advanced Active Scan dialog
A new 'Advanced Active Scan' dialog allows you to specify exactly how you want the active scanner to function. It allows you to specify ‘custom vectors’ that explicitly define which strings you want to attack. It also supports the option to scan as any of the Users you have defined for the application under test. Start an Advanced Active Scan via the Tools menu or via the Attack section of the right click popup menu.
Extended command line options
You can now run ZAP ‘inline’ i.e. without starting the ZAP UI or a daemon. In this mode you can run simple attacks or run scripts which can access all of the ZAP functionality. You can also now override any of the options defined in the configuration file via command line parameters.
More API support
The API has been extended to support even more of the ZAP functionality.
Internationalized help file
The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.net/project/owasp-zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
Languages with a significant amount of translated help pages include:
- Bosnian
- French
- Japanese
- Spanish
Keyboard shortcuts
All menu items can now be invoked via keyboard shortcuts. Defaults are defined for virtually all cases, but you can configure your own preferences in the Keyboard panel of the Options.
New UI options
There is a new option to change the display so that the selected tab takes up the full screen. This is useful when using ZAP on small screens.
There is also an option to toggle the visibility of the tab names on an off to further conserve space.
Most of the UI lists have also been converted to tables, which allow you to change column widths and define exactly which columns are displayed, and how the tables are sorted.
More functionality moved to add-ons
More of the core functionality has been moved into add-ons which allows us to deliver updates dynamically via the ZAP Marketplace rather than requiring new full releases.
This includes the language packs, so translations made to the ZAP UI via https://crowdin.net/project/owasp-zap can be downloaded within ZAP or even automatically installed.
New and improved active and passive scanning rules
Many of the release quality active and passive scanning rules have been improved. There are new alpha and beta quality rules and many rules have been promoted from alpha to beta and from beta to release quality.
Other miscellaneous changes and additions
- A new option to stop individual scan rules without stopping the whole scan
- A new toolbar button that allows you to quickly and easily record Zest scripts.
- A new group for sharing ZAP scripts (http://groups.google.com/group/zaproxy-scripts) has been created.
- The ability to spider applications based on source control metadata (SVN and Git) exposed via a web server
- The ability to force breaks from within Proxy scripts
Full list of changes:
- 122 : ProxyThread logging timeout readings with incorrect message (URL)
- 207 : Enhancement: Hotkeys
- 362 : Allow Alerts lists to be filtered by selection in Sites pane
- 399 : zap.sh directory handling
- 412 : Enable unsafe SSL/TLS renegotiation option not saved
- 416 : Normalise how multiple related options are managed throughout ZAP and enhance the usability of some options Usability
- 485 : Make language packs into add-ons
- 503 : Change the footer tabs to display the data with tables instead of lists Usability
- 572 : Change the generate_root_ca property to a function in the Python API
- 575 : Return the list of alerts in the Python API instead of a dictionary with one entry
- 585 : Proxy - "502 Bad Gateway" errors responded as "504 Gateway Timeout"
- 589 : Move Reveal extension to ZAP extensions project
- 590 : Forced Browse uses wrong scheme when "attacking" a site accessed over a secure connection (HTTPS) on a non-default port
- 591 : Available sites/hosts (in the footer panels) disappear when mode changed to "Safe"
- 595 : Spider fails to start (footer panel) with a site accessed over a secure connection (HTTPS) on a non-default port
- 606 : Disable the "Start" scan button when the "--Select Site--" option is selected
- 607 : Manual requested sites shown as scanned in the footer panels when selected in the "Sites" tab
- 609 : Provide a common interface to query the state and access the data (HttpMessage and HistoryReference) displayed in the tabs
- 613 : Move Save Raw HttpMessage extension to ZAP extensions project
- 619 : Move Forced Browse extension to ZAP extensions project
- 620 : Move Forced Browse files to ZAP extensions project
- 783 : shutdown should be a method in the python zap.core api
- 788 : Update Java for Mac release
- 793 : Authentication / SessionManagement Methods dynamic loading in APIs not reliable
- 799 : Add HttpAuthentication as an Authentication Method
- 803 : Patch for /trunk/src/help/zaphelp/zaphelp/credits.html
- 804 : Add Support for various types of Authentication for a Context
- 805 : Add Support for various types of Session Management for a Context
- 806 : Add Support for webapp Users
- 807 : Error while loading ZAP when Quick Start Tab is closed
- 816 : Add right-click Copy/Paste & Find options in the Encode/Decode/Hash dialog
- 817 : Python API doesn't handle "other" operations correctly
- 822 : Java API: ApiResponseSet.getAttributes() not working
- 825 : Old version of Rhino included in lib directory
- 827 : Default session tokens are not lower cased when added through options dialogue
- 828 : NullPointerException while accessing HttpSessions API view "sessionTokens" when a site doesn't exist or doesn't have tokens
- 829 : JSONException while calling an API view without the required parameter(s)
- 830 : Java Client API doesn't encode query parameters when sending requests to ZAP API
- 832 : Http Sessions tab should be cleared when a new session is created
- 837 : Update, always, the HTTP request sent/forward by ZAP's proxy
- 838 : Search API - Add search views that return HTTP messages
- 839 : Search API - Add search views that return messages in HTTP Archive format
- 840 : Core API - Allow to get the messages in HTTP Archive format
- 841 : NullPointerException after sending a manual HTTP request with ExtensionHistory disabled
- 842 : NullPointerException while active scanning with ExtensionAntiCSRF disabled
- 843 : NullPointerException after sending/proxying a HTTP request with ExtensionAntiCSRF disabled
- 844 : NullPointerException while invoking the "Scan policy" dialogue with ExtensionPassiveScan disabled
- 845 : AbstractPanel added twice to TabbedPanel2 in ExtensionLoader#addTabPanel
- 846 : NullPointerException while active scanning with ExtensionScript disabled
- 849 : NullPointerException while authenticating with ExtensionHistory disabled
- 852 : Search API - URL views return the same URL several times
- 853 : Core API - Allow to get the number of alerts
- 854 : Core API - Allow to get the number of messages
- 855 : Core API - Allow to get a message by ID
- 856 : Core API - Allow to get an alert by ID
- 857 : Core API - "alerts" view might return unexpected alerts when pagination is used
- 858 : Core API - "messages" view might return unexpected messages when pagination is used
- 859 : PScan API - Allow to enable/disable the passive scan
- 860 : PScan API - Allow to list/get the passive scanners
- 861 : PScan API - Allow to enable/disable all the passive scanners
- 862 : PScan API - Allow to enable/disable a given passive scanner
- 863 : AScan API - Allow to list/get the active scanners
- 864 : AScan API - Allow to enable/disable all the active scanners
- 865 : AScan API - Allow to enable/disable a given active scanner
- 866 : Alert keeps HttpMessage longer than needed when HistoryReference is set/available
- 867 : HttpMessage#getFormParams should return an empty TreeSet if the request body is not "x-www-form-urlencoded"
- 868 : Core API - "messages" view shouldn't return internal/temporary messages
- 869 : Differentiate proxied requests from (ZAP) user requests
- 870 : Change the MainToolbarPanel's expand buttons to use ButtonGroup and Action
- 871 : Title not updated when session name is changed through the main tool bar button "Session Properties..."
- 872 : Core API - Allow to send a manual request
- 873 : Core API - Allow to send a manual request in HAR format
- 874 : Change BreakPanelToolbarFactory to use Actions
- 875 : Remove i18n directory
- 876 : Deprecate FuzzerPanel#PANEL_NAME
- 877 : ExtensionPopupMenuItem#isEnableForComponent called twice on some pop up menus each time is shown using the MainPopupMenu
- 878 : ExtensionPopupMenuItem#getMenuIndex() as no effect in MainPopupMenu
- 879 : Pop up menu "Spider Context..." is enabled even if ExtensionSpider is disabled
- 880 : Remember last selected directory when adding custom fuzz files
- 881 : Fail immediately if zapdb.script file is not found
- 882 : Remove "Copy" pop up menu item shown in the "Forced Browse" tab
- 884 : Plug-n-Hack phase 2
- 885 : API - Actions' response not shown when using HTML format
- 886 : Main pop up menu invoked twice on some components
- 887 : Scanners' pause button with inconsistent selection/enabled state
- 888 : Search API - URL views might return unexpected URLs when pagination is used
- 889 : JSONException while calling an API "other" without the required parameter(s)
- 890 : Allow to clear "Output" tab
- 891 : Target build "generate-javadocs" should apply SVN mime-type property to all generated files
- 892 : Cache of response body length in HistoryReference might not be correct
- 896 : PnH: Flag any fuzz attacks that hit the DOM XSS oracle
- 897 : Add a JToggleButton that allows to set a tool tip text based on button's state
- 898 : Replace all toggle buttons that set a tool tip text based on button's state with ZapToggleButton
- 899 : Remove "manual" update of toggle buttons' icon based on button's state
- 900 : IllegalArgumentException when invoking the main pop up menu with menus or super menus with high menu index
- 901 : Pop up menu "succeed" separator is not added when using sub-menu in MainPopupMenu
- 902 : Change all ExtensionAdaptor#hook(ExtensionHook) overriding methods to call the base implementation
- 903 : Change options' thread sliders to use the same component
- 904 : Add a button group that allows to deselect the selected button
- 905 : Incorrect link in "Break tab" help pages
- 910 : Forced User cannot be changed
- 911 : AScan API - Change the "scanners" view to include the state of the active scanner
- 912 : PScan API - Change the "scanners" view to include the state of the passive scanner
- 913 : AScan API - Allow to list/get the active scanner policies
- 914 : AScan API - Allow to set the active scanner policies enabled
- 915 : Dynamically filter history based on selection in the sites window
- 919 : Allow vulnerabilities.xml to be localized IdealFirstBug
- 920 : Add include/exclude url patterns to history filter
- 921 : PnH2: open as monitored url
- 923 : Allow individual rule thresholds and strengths to be set via GUI
- 925 : HTML report issues
- 929 : AScan API - Allow to set the attack strength and alert threshold of active scanner policies and active scanners
- 930 : AScan API - Allow to list/get the active scanners by policy ID
- 931 : Allow extensions to pick up command line args in GUI mode
- 932 : Allow scripts to be specified on the command line
- 933 : Automatically determine install dir
- 934 : Handle files on the command line via extension
- 935 : Improve the identification of Java version
- 939 : ZAP should accept SSL connections on non-standard ports automatically
- 947 : Spider fails on URLs with illegal characters
- 950 : Cope with add-ons containing files copied directly into the plugins directory
- 951 : TLS' versions 1.1 and 1.2 not enabled by default
- 954 : Changes to certain fields in the GUI are not saved after clicking OK/Proceed
- 955 : keyboard focus lost when large body found
- 956 : Copy URLs doesn't copy multiple
- 957 : Reference for alert "X-Content-Type-Options header missing"
- 963 : Add-on added to blocklist if it cant be deleted on update
- 965 : Support 'single page' apps and 'non standard' parameter separators
- 966 : Quickstart command line option
- 967 : InvalidParameterException while updating the "Script Console" add-on
- 968 : Allow to choose the enabled SSL/TLS protocols
- 969 : Proxy - Do not include the response body when answering unsuccessful HEAD requests
- 970 : Body of DELETE requests should be sent/forward
- 974 : Scan URL path elements
- 975 : Inverse Search Fuzz Results Buggy
- 976 : Spider Context Attack causes spidering outside of context
- 979 : Sites and Alerts trees can get corrupted
- 981 : Internationalize help file
- 982 : API key
- 986 : New ScanProgress dialog implementation and plugin skipping functionality
- 987 : Allow arbitrary config file values to be set via the command line
- 988 : ZAP Help crashes before starting
- 989 : Add a right click option "Add user" on an HTTP session
- 991 : Add-on/Scan rule review request - Persistent XSS
- 996 : Ensure all dialogs close when the escape key is pressed
- 997 : Session.open complains about improper use of addPath
- 998 : Silly regexp search kills ZAP
- 999 : History loaded in wrong order
- 1002 : Add support for Authentication via Scripts
- 1003 : XXE Vulnerability Testing Plugin
- 1004 : Source Code disclosure using Git meta-data
- 1005 : Source Code disclosure using Subversion meta-data
- 1006 : Spidering of web applications using using Git meta-data
- 1007 : Spidering of web applications using using Subversion (SVN) meta-data
- 1010 : Allow to sort fuzz results
- 1012 : Encode / Decode dialog - support HTML and JavaScript encoding IdealFirstBug
- 1016 : HTML encoding display issue in credits.html
- 1017 : Proxy set to 0.0.0.0 causes incorrect PAC file to be generated
- 1018 : Give AbstractAppParamPlugin implementations access to the parameter type
- 1019 : ZAP startup with bad JAVA_HOME shows confusing error message
- 1020 : Duplicate "Body: Table" plug-able view on Request/Break tabs
- 1021 : OutOutOfMemoryError while running the active scanner
- 1022 : Proxy - Allow to override a proxied message
- 1023 : Script Console - Run/Stop buttons with inconsistent state
- 1024 : Large Response view is shown even if a response body is not present
- 1025 : NullPointerException while pressing a key with "Script Console" text areas selected
- 1030 : Load and save scan policies
- 1031 : Adding Parameter Exclusion capabilities to the Active Scanner
- 1032 : Add API support for Script Based Authentication
- 1033 : org.zaproxy.clientapi.core.Alert does not override equals() method
- 1037 : JSON RPC parameters are not set correctly
- 1039 : Improve External Redirect plugin Accuracy
- 1041 : Active Scan plugins don't start if the site is local to 127.0.0.1
- 1042 : Having significant issues opening a previous session
- 1043 : Custom active scan dialog
- 1044 : Forced User Mode is not persisted across Session saves/loads
- 1046 : The getHttpCookies() method in the HttpResponseHeader does not properly set the domain
- 1047 : Backup Files not detected by Zap
- 1049 : Fast multiple pattern search component
- 1050 : Scripting based Input Vectors
- 1051 : Zap can bound services to all network interfaces
- 1052 : Callback API for active scan plugins
- 1053 : String similarity and LCS algorithm component
- 1055 : Load extensions before plugins
- 1057 : Add a Extension.postInstall() method for post install actions
- 1059 : Add Jython support for Script-Based Authentication
- 1060 : Add JRuby support for Script-Based Authentication
- 1061 : Select proper Script Type, Engine and Template when creating new script
- 1063 : Option to decode add gzipped content (was handle compression for scripts)
- 1065 : Rename ExtensionScripts to ExtensionScriptsConsole Maintainability
- 1066 : Add support for quickly setting Script Based Authentication from scripts UI
- 1068 : Zap does not detect source code in responses
- 1069 : Support .-: in Zest variable names
- 1071 : Using Zest-Script "Replace in response-body" delivers wrong Content-Length header.
- 1072 : SQLDataException: data exception: string data, right truncation
- 1074 : Add option to only display output from the displayed script
- 1075 : Change TableHistory to delete records in batches Performance
- 1076 : Change active scanner to not delete the temporary messages generated Performance
- 1077 : Change (HTTP) fuzzer to not delete the temporary messages generated Performance
- 1078 : Change ExtensionBreak to fallback to base message type breakpoint manager implementation
- 1079 : Remove misplaced main pop up menu separators
- 1080 : User Guide HTML pages incorrectly relying on the platform default encoding
- 1081 : ExtensionPopupMenu should "notify" child ExtensionPopupMenu (and ExtensionPopupMenuItem) when the pop up is invoked
- 1082 : Search URL matches highlighted in incorrect position
- 1083 : Deprecate the method ExtensionPopupMenuItem#isSuperMenu()
- 1084 : NullPointerException while selecting a node in the "Sites" tab
- 1085 : Do not add/remove pop up menu items through the method View#getPopupMenu()
- 1086 : Allow to dynamically add/remove passive scanners
- 1087 : Change extensions to dynamically add passive scanners
- 1088 : Deprecate the method ExtensionPopupMenu#prepareShow
- 1089 : Change ExtensionPopupMenu to honour the extension pop up methods
- 1090 : Do not add pop up menus if target extension is not enabled
- 1091 : CoreAPI - Do not get the IDs of temporary history records
- 1092 : SearchThread - Do not get the IDs of discarded messages
- 1093 : Add an HTTP request body view that warns of large body
- 1094 : Change ExtensionManualRequestEditor to only add view components if in GUI mode
- 1095 : Replace main pop up sub menus with ExtensionPopupMenu when appropriate
- 1096 : AddOnLoader calls incorrect notify method after uninstalling add-on files
- 1097 : Move "Run applications" (invoke) extension to zap-extensions project
- 1098 : Move AJAX Spider help pages to "Ajax Spider" add-on (and update them)
- 1099 : Allow to annotate option methods as ignored for ZAP API
- 1100 : Annotate option methods that shouldn't be exposed in the ZAP API
- 1101 : Change passive scanners to expose its IDs
- 1102 : Ajax Spider - Replace ajax spider proxy with core proxy
- 1103 : Script Console - Allow to clear output even if "clear on run" is enabled
- 1104 : Replace all toggle buttons that set a tool tip text based on button's state with ZapToggleButton (add-ons)
- 1105 : Remove "manual" update of toggle buttons' icon based on button's state (add-ons)
- 1106 : HistoryList's mapping of history ID to list indexes not updated when history entry is deleted
- 1110 : Spider API - Unable to set how parameters are handled using API
- 1111 : Check for Updates on startup gets (automatically) disabled when accessing the "Options" dialogue
- 1112 : Change ZAP (core) to support new add-on dir structure
- 1113 : Change add-on dir structure (help and resources)
- 1118 : Alerts Tab can get out of sync
- 1120 : Uninstall add-on fails if rules use message bundle in uninstall
- 1121 : Scan progress dialog can cause UI freezes
- 1122 : Add-on additional info
- 1125 : Can't re-import jython script as a proxy script
- 1126 : Bugs in breakpoint filters
- 1127 : Feature request: Allow scripts to generate breaks
- 1131 : Support Zest Intercept actions in add-on
- 1132 : HttpSender ignores the "Send single cookie request header" option
- 1134 : Passive Scan Rule regexes not validated
- 1135 : Marketplace tab cant be updated if cfu runs on start
- 1137 : ZAP locks up when deleting nodes
- 1138 : Passive Scan Rule changes not saved
- 1145 : Cookie parsing error if a comma is used
See also