ZAP Changelog

What's new in ZAP 2.4.2

Sep 8, 2015
  • bug fix and minor enhancement release

New in ZAP 2.4.1 (Sep 8, 2015)

  • includes important security fixes - users are urged to upgrade asap

New in ZAP 2.4.0 (Sep 8, 2015)

  • includes attack mode, adv fuzzing, adv scan options and much more

New in ZAP 2.3.1 (Sep 8, 2015)

  • bug fix release

New in ZAP 2.3.0 (May 22, 2014)

  • Changes:
  • Issue 122: ProxyThread logging timeout readings with incorrect message (URL)
  • Issue 207: Enhancement: Hotkeys
  • Issue 362: Allow Alerts lists to be filtered by selection in Sites pane
  • Issue 399: zap.sh directory handling
  • Issue 412: Enable unsafe SSL/TLS renegotiation option not saved
  • Issue 416: Normalise how multiple related options are managed throughout ZAP and enhance the usability of some options Usability
  • Issue 485: Make language packs into add-ons
  • Issue 503: Change the footer tabs to display the data with tables instead of lists Usability
  • Issue 572: Change the generate_root_ca property to a function in the Python API
  • Issue 575: Return the list of alerts in the Python API instead of a dictionary with one entry
  • Issue 585: Proxy - "502 Bad Gateway" errors responded as "504 Gateway Timeout"
  • Issue 589: Move Reveal extension to ZAP extensions project
  • Issue 590: Forced Browse uses wrong scheme when "attacking" a site accessed over a secure connection (HTTPS) on a non-default port
  • Issue 591: Available sites/hosts (in the footer panels) disappear when mode changed to "Safe"
  • Issue 595: Spider fails to start (footer panel) with a site accessed over a secure connection (HTTPS) on a non-default port
  • Issue 606: Disable the "Start" scan button when the "--Select Site--" option is selected
  • Issue 607: Manual requested sites shown as scanned in the footer panels when selected in the "Sites" tab
  • Issue 609: Provide a common interface to query the state and access the data (HttpMessage and HistoryReference) displayed in the tabs
  • Issue 613: Move Save Raw HttpMessage extension to ZAP extensions project
  • Issue 619: Move Forced Browse extension to ZAP extensions project
  • Issue 620: Move Forced Browse files to ZAP extensions project
  • Issue 783: shutdown should be a method in the python zap.core api
  • Issue 788: Update Java for Mac release
  • Issue 793: Authentication / SessionManagement Methods dynamic loading in APIs not reliable
  • Issue 799: Add HttpAuthentication as an Authentication Method
  • Issue 803: Patch for /trunk/src/help/zaphelp/zaphelp/credits.html
  • Issue 804: Add Support for various types of Authentication for a Context
  • Issue 805: Add Support for various types of Session Management for a Context
  • Issue 806: Add Support for webapp Users
  • Issue 807: Error while loading ZAP when Quick Start Tab is closed
  • Issue 816: Add right-click Copy/Paste & Find options in the Encode/Decode/Hash dialog
  • Issue 817: Python API doesn't handle "other" operations correctly
  • Issue 822: Java API: ApiResponseSet.getAttributes() not working
  • Issue 825: Old version of Rhino included in lib directory
  • Issue 827: Default session tokens are not lower cased when added through options dialogue
  • Issue 828: NullPointerException while accessing HttpSessions API view "sessionTokens" when a site doesn't exist or doesn't have tokens
  • Issue 829: JSONException while calling an API view without the required parameter(s)
  • Issue 830: Java Client API doesn't encode query parameters when sending requests to ZAP API
  • Issue 832: Http Sessions tab should be cleared when a new session is created
  • Issue 837: Update, always, the HTTP request sent/forward by ZAP's proxy
  • Issue 838: Search API - Add search views that return HTTP messages
  • Issue 839: Search API - Add search views that return messages in HTTP Archive format
  • Issue 840: Core API - Allow to get the messages in HTTP Archive format
  • Issue 841: NullPointerException after sending a manual HTTP request with ExtensionHistory disabled
  • Issue 842: NullPointerException while active scanning with ExtensionAntiCSRF disabled
  • Issue 843: NullPointerException after sending/proxying a HTTP request with ExtensionAntiCSRF disabled
  • Issue 844: NullPointerException while invoking the "Scan policy" dialogue with ExtensionPassiveScan disabled
  • Issue 845: AbstractPanel added twice to TabbedPanel2 in ExtensionLoader#addTabPanel
  • Issue 846: NullPointerException while active scanning with ExtensionScript disabled
  • Issue 849: NullPointerException while authenticating with ExtensionHistory disabled
  • Issue 852: Search API - URL views return the same URL several times
  • Issue 853: Core API - Allow to get the number of alerts
  • Issue 854: Core API - Allow to get the number of messages
  • Issue 855: Core API - Allow to get a message by ID
  • Issue 856: Core API - Allow to get an alert by ID
  • Issue 857: Core API - "alerts" view might return unexpected alerts when pagination is used
  • Issue 858: Core API - "messages" view might return unexpected messages when pagination is used
  • Issue 859: PScan API - Allow to enable/disable the passive scan
  • Issue 860: PScan API - Allow to list/get the passive scanners
  • Issue 861: PScan API - Allow to enable/disable all the passive scanners
  • Issue 862: PScan API - Allow to enable/disable a given passive scanner
  • Issue 863: AScan API - Allow to list/get the active scanners
  • Issue 864: AScan API - Allow to enable/disable all the active scanners
  • Issue 865: AScan API - Allow to enable/disable a given active scanner
  • Issue 866: Alert keeps HttpMessage longer than needed when HistoryReference is set/available
  • Issue 867: HttpMessage#getFormParams should return an empty TreeSet if the request body is not "x-www-form-urlencoded"
  • Issue 868: Core API - "messages" view shouldn't return internal/temporary messages
  • Issue 869: Differentiate proxied requests from (ZAP) user requests
  • Issue 870: Change the MainToolbarPanel's expand buttons to use ButtonGroup and Action
  • Issue 871: Title not updated when session name is changed through the main tool bar button "Session Properties..."
  • Issue 872: Core API - Allow to send a manual request
  • Issue 873: Core API - Allow to send a manual request in HAR format
  • Issue 874: Change BreakPanelToolbarFactory to use Actions
  • Issue 875: Remove i18n directory
  • Issue 876: Deprecate FuzzerPanel#PANEL_NAME
  • Issue 877: ExtensionPopupMenuItem#isEnableForComponent called twice on some pop up menus each time is shown using the MainPopupMenu
  • Issue 878: ExtensionPopupMenuItem#getMenuIndex() as no effect in MainPopupMenu
  • Issue 879: Pop up menu "Spider Context..." is enabled even if ExtensionSpider is disabled
  • Issue 880: Remember last selected directory when adding custom fuzz files
  • Issue 881: Fail immediately if zapdb.script file is not found
  • Issue 882: Remove "Copy" pop up menu item shown in the "Forced Browse" tab
  • Issue 884: Plug-n-Hack phase 2
  • Issue 885: API - Actions' response not shown when using HTML format
  • Issue 886: Main pop up menu invoked twice on some components
  • Issue 887: Scanners' pause button with inconsistent selection/enabled state
  • Issue 888: Search API - URL views might return unexpected URLs when pagination is used
  • Issue 889: JSONException while calling an API "other" without the required parameter(s)
  • Issue 890: Allow to clear "Output" tab
  • Issue 891: Target build "generate-javadocs" should apply SVN mime-type property to all generated files
  • Issue 892: Cache of response body length in HistoryReference might not be correct
  • Issue 896: PnH: Flag any fuzz attacks that hit the DOM XSS oracle
  • Issue 897: Add a JToggleButton that allows to set a tool tip text based on button's state
  • Issue 898: Replace all toggle buttons that set a tool tip text based on button's state with ZapToggleButton
  • Issue 899: Remove "manual" update of toggle buttons' icon based on button's state
  • Issue 900: IllegalArgumentException when invoking the main pop up menu with menus or super menus with high menu index
  • Issue 901: Pop up menu "succeed" separator is not added when using sub-menu in MainPopupMenu
  • Issue 902: Change all ExtensionAdaptor#hook(ExtensionHook) overriding methods to call the base implementation
  • Issue 903: Change options' thread sliders to use the same component
  • Issue 904: Add a button group that allows to deselect the selected button
  • Issue 905: Incorrect link in "Break tab" help pages
  • Issue 910: Forced User cannot be changed
  • Issue 911: AScan API - Change the "scanners" view to include the state of the active scanner
  • Issue 912: PScan API - Change the "scanners" view to include the state of the passive scanner
  • Issue 913: AScan API - Allow to list/get the active scanner policies
  • Issue 914: AScan API - Allow to set the active scanner policies enabled
  • Issue 915: Dynamically filter history based on selection in the sites window
  • Issue 919: Allow vulnerabilities.xml to be localized IdealFirstBug
  • Issue 920: Add include/exclude url patterns to history filter
  • Issue 921: PnH2: open as monitored url
  • Issue 923: Allow individual rule thresholds and strengths to be set via GUI
  • Issue 925: HTML report issues
  • Issue 929: AScan API - Allow to set the attack strength and alert threshold of active scanner policies and active scanners
  • Issue 930: AScan API - Allow to list/get the active scanners by policy ID
  • Issue 931: Allow extensions to pick up command line args in GUI mode
  • Issue 932: Allow scripts to be specified on the command line
  • Issue 933: Automatically determine install dir
  • Issue 934: Handle files on the command line via extension
  • Issue 935: Improve the identification of Java version
  • Issue 939: ZAP should accept SSL connections on non-standard ports automatically
  • Issue 947: Spider fails on URLs with illegal characters
  • Issue 950: Cope with add-ons containing files copied directly into the plugins directory
  • Issue 951: TLS' versions 1.1 and 1.2 not enabled by default
  • Issue 954: Changes to certain fields in the GUI are not saved after clicking OK/Proceed
  • Issue 955: keyboard focus lost when large body found
  • Issue 956: Copy URLs doesn't copy multiple
  • Issue 957: Reference for alert "X-Content-Type-Options header missing"
  • Issue 963: Add-on added to blocklist if it can't be deleted on update
  • Issue 965: Support 'single page' apps and 'non standard' parameter separators
  • Issue 966: Quickstart command line option
  • Issue 967: InvalidParameterException while updating the "Script Console" add-on
  • Issue 968: Allow to choose the enabled SSL/TLS protocols
  • Issue 969: Proxy - Do not include the response body when answering unsuccessful HEAD requests
  • Issue 970: Body of DELETE requests should be sent/forward
  • Issue 974: Scan URL path elements
  • Issue 975: Inverse Search Fuzz Results Buggy
  • Issue 976: Spider Context Attack causes spidering outside of context
  • Issue 979: Sites and Alerts trees can get corrupted
  • Issue 981: Internationalize help file
  • Issue 982: API key
  • Issue 986: New ScanProgress dialog implementation and plugin skipping functionality
  • Issue 987: Allow arbitrary config file values to be set via the command line
  • Issue 988: ZAP Help crashes before starting
  • Issue 989: Add a right click option "Add user" on an HTTP session
  • Issue 991: Add-on/Scan rule review request - Persistent XSS
  • Issue 996: Ensure all dialogs close when the escape key is pressed
  • Issue 997: Session.open complains about improper use of addPath
  • Issue 998: Silly regexp search kills ZAP
  • Issue 999: History loaded in wrong order
  • Issue 1002: Add support for Authentication via Scripts
  • Issue 1003: XXE Vulnerability Testing Plugin
  • Issue 1004: Source Code disclosure using Git meta-data
  • Issue 1005: Source Code disclosure using Subversion meta-data
  • Issue 1006: Spidering of web applications using Git meta-data
  • Issue 1007: Spidering of web applications using Subversion (SVN) meta-data
  • Issue 1010: Allow to sort fuzz results
  • Issue 1012: Encode / Decode dialog - support HTML and JavaScript encoding IdealFirstBug
  • Issue 1016: HTML encoding display issue in credits.html
  • Issue 1017: Proxy set to 0.0.0.0 causes incorrect PAC file to be generated
  • Issue 1018: Give AbstractAppParamPlugin implementations access to the parameter type
  • Issue 1019: ZAP startup with bad JAVA_HOME shows confusing error message
  • Issue 1020: Duplicate "Body: Table" plug-able view on Request/Break tabs
  • Issue 1021: OutOfMemoryError while running the active scanner
  • Issue 1022: Proxy - Allow to override a proxied message
  • Issue 1023: Script Console - Run/Stop buttons with inconsistent state
  • Issue 1024: Large Response view is shown even if a response body is not present
  • Issue 1025: NullPointerException while pressing a key with "Script Console" text areas selected
  • Issue 1030: Load and save scan policies
  • Issue 1031: Adding Parameter Exclusion capabilities to the Active Scanner
  • Issue 1032: Add API support for Script Based Authentication
  • Issue 1033: org.zaproxy.clientapi.core.Alert does not override equals() method
  • Issue 1037: JSON RPC parameters are not set correctly
  • Issue 1039: Improve External Redirect plugin Accuracy
  • Issue 1041: Active Scan plugins don't start if the site is local to 127.0.0.1
  • Issue 1042: Having significant issues opening a previous session
  • Issue 1043: Custom active scan dialog
  • Issue 1044: Forced User Mode is not persisted across Session saves/loads
  • Issue 1046: The getHttpCookies() method in the HttpResponseHeader does not properly set the domain
  • Issue 1047: Backup Files not detected by Zap
  • Issue 1049: Fast multiple pattern search component
  • Issue 1050: Scripting based Input Vectors
  • Issue 1051: Zap can bound services to all network interfaces
  • Issue 1052: Callback API for active scan plugins
  • Issue 1053: String similarity and LCS algorithm component
  • Issue 1055: Load extensions before plugins
  • Issue 1057: Add a Extension.postInstall() method for post install actions
  • Issue 1059: Add Jython support for Script-Based Authentication
  • Issue 1060: Add JRuby support for Script-Based Authentication
  • Issue 1061: Select proper Script Type, Engine and Template when creating new script
  • Issue 1063: Option to decode add gzipped content (was handle compression for scripts)
  • Issue 1065: Rename ExtensionScripts to ExtensionScriptsConsole Maintainability
  • Issue 1066: Add support for quickly setting Script Based Authentication from scripts UI
  • Issue 1068: Zap does not detect source code in responses
  • Issue 1069: Support .-: in Zest variable names
  • Issue 1071: Using Zest-Script "Replace in response-body" delivers wrong Content-Length header.
  • Issue 1072: SQLDataException: data exception: string data, right truncation
  • Issue 1074: Add option to only display output from the displayed script
  • Issue 1075: Change TableHistory to delete records in batches Performance
  • Issue 1076: Change active scanner to not delete the temporary messages generated Performance
  • Issue 1077: Change (HTTP) fuzzer to not delete the temporary messages generated Performance
  • Issue 1078: Change ExtensionBreak to fallback to base message type breakpoint manager implementation
  • Issue 1079: Remove misplaced main pop up menu separators
  • Issue 1080: User Guide HTML pages incorrectly relying on the platform default encoding
  • Issue 1081: ExtensionPopupMenu should "notify" child ExtensionPopupMenu (and ExtensionPopupMenuItem) when the pop up is invoked
  • Issue 1082: Search URL matches highlighted in incorrect position
  • Issue 1083: Deprecate the method ExtensionPopupMenuItem#isSuperMenu()
  • Issue 1084: NullPointerException while selecting a node in the "Sites" tab
  • Issue 1085: Do not add/remove pop up menu items through the method View#getPopupMenu()
  • Issue 1086: Allow to dynamically add/remove passive scanners
  • Issue 1087: Change extensions to dynamically add passive scanners
  • Issue 1088: Deprecate the method ExtensionPopupMenu#prepareShow
  • Issue 1089: Change ExtensionPopupMenu to honour the extension pop up methods
  • Issue 1090: Do not add pop up menus if target extension is not enabled
  • Issue 1091: CoreAPI - Do not get the IDs of temporary history records
  • Issue 1092: SearchThread - Do not get the IDs of discarded messages
  • Issue 1093: Add an HTTP request body view that warns of large body
  • Issue 1094: Change ExtensionManualRequestEditor to only add view components if in GUI mode
  • Issue 1095: Replace main pop up sub menus with ExtensionPopupMenu when appropriate
  • Issue 1096: AddOnLoader calls incorrect notify method after uninstalling add-on files
  • Issue 1097: Move "Run applications" (invoke) extension to zap-extensions project
  • Issue 1098: Move AJAX Spider help pages to "Ajax Spider" add-on (and update them)
  • Issue 1099: Allow to annotate option methods as ignored for ZAP API
  • Issue 1100: Annotate option methods that shouldn't be exposed in the ZAP API
  • Issue 1101: Change passive scanners to expose its IDs
  • Issue 1102: Ajax Spider - Replace ajax spider proxy with core proxy
  • Issue 1103: Script Console - Allow to clear output even if "clear on run" is enabled
  • Issue 1104: Replace all toggle buttons that set a tool tip text based on button's state with ZapToggleButton (add-ons)
  • Issue 1105: Remove "manual" update of toggle buttons' icon based on button's state (add-ons)
  • Issue 1106: HistoryList's mapping of history ID to list indexes not updated when history entry is deleted
  • Issue 1110: Spider API - Unable to set how parameters are handled using API
  • Issue 1111: Check for Updates on startup gets (automatically) disabled when accessing the "Options" dialogue
  • Issue 1112: Change ZAP (core) to support new add-on dir structure
  • Issue 1113: Change add-on dir structure (help and resources)
  • Issue 1118: Alerts Tab can get out of sync
  • Issue 1120: Uninstall add-on fails if rules use message bundle in uninstall
  • Issue 1121: Scan progress dialog can cause UI freezes
  • Issue 1122: Add-on additional info
  • Issue 1125: Can't re-import jython script as a proxy script
  • Issue 1126: Bugs in breakpoint filters
  • Issue 1127: Feature request: Allow scripts to generate breaks
  • Issue 1131: Support Zest Intercept actions in add-on
  • Issue 1132: HttpSender ignores the "Send single cookie request header" option
  • Issue 1134: Passive Scan Rule regexes not validated
  • Issue 1135: Marketplace tab can't be updated if cfu runs on start
  • Issue 1137: ZAP locks up when deleting nodes
  • Issue 1138: Passive Scan Rule changes not saved
  • Issue 1145: Cookie parsing error if a comma is used

New in ZAP 2.2.0 (Sep 12, 2013)

  • Major changes:
  • Issue 717: Scripts: support multiple scripts and embedding within ZAP components
  • Support for Mozilla Zest: https://developer.mozilla.org/en-US/docs/Zest
  • Support for Mozilla Plug-n-Hack: https://developer.mozilla.org/en-US/docs/Plug-n-Hack
  • Minor changes:
  • Issue 711: Support scanning of XML requests
  • Issue 713: Add CWE and WASC numbers to issues
  • Issue 719: Custom http break points with more options
  • Issue 738: Options to hide tabs / windows
  • Issue 750: Upgrade script console to support non textbased scripting languages
  • Issue 752: Create a new root CA when first run
  • Issue 775: Allow host to be set via the command line
  • Bug Fixes:
  • Issue 555: Http panels default to hex view
  • Issue 599: The save session api does not allow to overwrite session already has same name
  • Issue 630: URLCanonicalizer.getCanonicalURL produces URIs "half" decoded
  • Issue 631: URLCanonicalizer.buildCleanedParametersURIRepresentation returns URIs in percent-encoded form and decoded
  • Issue 652: Shutdown after a big scan takes too long (deleting ascan records)
  • Issue 655: API encoding issues
  • Issue 665: NullPointerException while proxying with a URI with an empty path component
  • Issue 666: JSONException while calling an API action without the required parameter(s)
  • Issue 669: Certificate algorithm constraints in Java 1.7
  • Issue 674: Add HttpSessionAPI to ApiGeneratorUtils
  • Issue 685: Add dummy file to "fuzzers" directory
  • Issue 686: Log HttpException (as error) in the ProxyThread
  • Issue 687: Change HTTP response header parser to be less strict
  • Issue 690: Context Authentication URLs don't fail manual overwriting.
  • Issue 691: Handle old plugins
  • Issue 692: Report the version of java found by zap.sh
  • Issue 693: Command line should show all options
  • Issue 694: API UI fails on IE
  • Issue 695: Sites tree doesn't clear on new session created by API
  • Issue 696: Change "Ajax Spider" add-on options to use ZapNumberSpinner
  • Issue 697: API action "proxy.pac" might return wrong domain/port
  • Issue 698: Passive Scanner API view "recordsToScan" returns -1 after finish scanning the messages
  • Issue 699: Fix HTML errors in the help pages
  • Issue 702: Do not load newer add-on versions if they are not targeted for the running ZAP version
  • Issue 703: Add-on ZAP version constraints "not-before-version" and "not-from-version" are not respected for already "installed" add-ons
  • Issue 706: ZAP API doesn't parse correctly query parameters with "&" characters
  • Issue 710: URLCanonicalizer.getCanonicalURL fails to correctly parse query parameters with "&" and "=" characters
  • Issue 712: HttpSessions API action "setSessionTokenValue" should add the session token name to the site's session tokens
  • Issue 720: Cannot send non standard http methods
  • Issue 721: Non POST and PUT requests receive a 504 when server expects a request body
  • Issue 724: Do not clone the alert's message that will be shown in message panels
  • Issue 725: Clear alert's panel fields
  • Issue 726: Catch active scanner variants' exceptions
  • Issue 727: Name of automatically created HTTP sessions is always in English
  • Issue 728: Allow to create a session with a given name through the HttpSessions API
  • Issue 729: Update NTLM authentication code
  • Issue 730: MissingResourceException while selecting a disabled extension (from an add-on) in the "Extensions" options panel
  • Issue 731: MissingResourceException with ExtensionFuzz enabled and ExtensionBruteForce disabled
  • Issue 736: Change add-on class loading strategy to parent-last
  • Issue 737: Restore "Ajax spider" add-on dependencies
  • Issue 756: Allow Context Panels intercommunication
  • Issue 763: XML report empty when used in daemon mode
  • Issue 764: HTTP fuzz results don't support right click menus
  • Issue 766: Searching fuzz results doesn't include the header
  • Issue 767: HTTP Session API could be less strict
  • Issue 772: Restructuring of Saving/Loading Context Data
  • Issue 774: Build doesn't include scripts directory
  • Issue 776: Allow add-ons to warn user if they're closing ZAP with unsaved resources open
  • Issue 777: Unable to cancel changes when using Include in/Exclude from Context
  • Issue 782: NoSuchMethodError when excluding a WebSocket channel URL from context
  • Issue 785: Change zap.sh to cope with Java 1.8
  • Issue 786: Snapshot session menu item not working

New in ZAP 2.1.0 (Apr 19, 2013)

  • Minor changes:
  • Issue 355: Allow Positional Fuzzing
  • Issue 475: Http Sessions custom cookie value
  • Issue 484: Check java version in zap.sh
  • Issue 496: Allow to see the request and response at the same time in the main window
  • Issue 505: Http Session API Implementation
  • Issue 515: Change add-ons to make use of automatic load of messages
  • Issue 516: Change add-ons messages keys to have unique prefix
  • Issue 518: Add OData support
  • Issue 537: Option to Force Browse files/resources with user-defined extensions
  • Issue 538: Allow non sequential lines to be selected in the history log
  • Issue 542: browse api - prompt window to enable
  • Issue 551: Add csrfmiddlewaretoken to list of default Anti csrf tokens
  • Issue 552: Make ZapPortNumberSpinner a subclass of ZapNumberSpinner
  • Issue 553: Add option to filter alerts by scope
  • Issue 561: Copy URLs right click option
  • Issue 566: Abstract class for creating generic popups
  • Issue 568: Allow extensions to run from the command line
  • Issue 569: Allow Spider Scan to start without prior visit
  • Issue 587: Upgrade to JBroFuzz 2.5
  • Issue 592: Do not show the main pop up menu if it doesn't have visible pop up menu items
  • Issue 597: Shown "Author" field on available add-ons ("Marketplace" tab)
  • Issue 602: Allow to (explicitly) choose the file type when exporting URLs to file
  • Issue 621: Handle requests to the proxy URL (and generate a PAC file)
  • Issue 638: Persist and snapshot sessions instead of saving them
  • Bug Fixes:
  • Issue 150: java.io.IOException at org.owasp.jbrofuzz.system.Logger.checkOrCreateDirs
  • Issue 205: A previously saved option (Toolbar) is not set on start up when "Prompt for proxy credentials on start up" is checked.
  • Issue 317: Move (or protect) the 'Bin' button
  • Issue 452: API - shutdown asynchronously
  • Issue 488: Fuzz categories available for the default category not updated after installing/uninstalling an add-on (with fuzz files)
  • Issue 490: Re-authentication only works with the active scanner
  • Issue 499: NullPointerException while uninstalling an add-on with a manual request editor
  • Issue 500: NullPointerException while uninstalling an add-on manually installed
  • Issue 501: ExtensionFactory keeps references to uninstalled add-ons (with extensions)
  • Issue 502: Manually installed add-ons don't remain installed
  • Issue 504: Table of installed add-ons may not update after manually installing an add-on
  • Issue 507: Quick start tab doesn't have a scroll pane
  • Issue 508: Some add-ons are not unloading all its components when uninstalled
  • Issue 509: Remove add-on ResourceBundle when an add-on is uninstalled
  • Issue 510: Remove add-on HelpSet when an add-on is uninstalled
  • Issue 511: Allow add-ons to remove footer status labels
  • Issue 512: Allow to remove the footer status label added by the ScanPanel
  • Issue 513: Footer status labels not immediately shown when an add-on is installed
  • Issue 514: Forced Browse footer status label still uses spanner icon
  • Issue 517: Add-ons are added to "main" class loader when installed
  • Issue 520: MissingResourceException when generating "Alerts" report
  • Issue 524: Host authentication is used even when disabled
  • Issue 525: "Report / Export all URLs to File ..." fails
  • Issue 528: Scan progress dialog can show negative progress times
  • Issue 533: Default ports 80 and 443 are appended to sites in site tree Interworking Usability
  • Issue 540: Maximised work tabs hidden when response tab position changed
  • Issue 548: Diff messages are appended to the "Diff" dialogue
  • Issue 549: Diff menu item enabled when "Sites" tree root node and a child node are selected
  • Issue 550: Fuzzer - Buffer Overflow stops because of java.sql.SQLDataException: data exception: string data, right truncation
  • Issue 558: Auto tagging broken
  • Issue 564: Active scanner can hang if dependencies used
  • Issue 565: Marketplace: Downloads won't use configured upstream Proxy
  • Issue 567: Spelling mistake
  • Issue 574: Spider fails when invoked via the API
  • Issue 579: Some (build) targets are incorrectly relying on the platform default encoding
  • Issue 582: NullPointerException while opening a session in daemon mode
  • Issue 583: NullPointerException while managing a session in daemon mode with "WebSockets" add-on installed
  • Issue 588: ExtensionHistory.historyIdToRef should be cleared when changing session
  • Issue 593: Quick Start may start the active scan before waiting for the spider to finish
  • Issue 614: SessionFixation labels wrong
  • Issue 616: Spider handles incorrectly form actions containing fragments (#)
  • Issue 617: NullPointerException when spidering a context
  • Issue 622: Local proxy unable to correctly detect requests to itself
  • Issue 626: Scroll bar of alert text areas is always at the bottom Usability
  • Issue 627: Allow add-ons to remove main tool bar buttons/separators
  • Issue 628: Allow add-ons to remove the registered API
  • Issue 632: Manual Request Editor dialogue (HTTP) configurations not saved correctly
  • Issue 633: Auto tag scanners are shown in passive scanners table
  • Issue 634: Empty passive scanner shown in the passive scanners table

New in ZAP 2.0.0 (Mar 5, 2013)

  • Significant changes:
  • An integrated add-ons marketplace:
  • ZAP can be extended by add-ons that have full access to all of the ZAP internals. Anyone can write add-ons and upload them to the ZAP Add-on Marketplace (OK, so it's a Google Code project called zap-extensions, but you get the idea).
  • More importantly, you can now browse, download and install those add-ons from within ZAP. Most add-ons can be dynamically installed (and uninstalled), so you won't even need a restart.
  • You can choose to be notified of updates, and even be automatically updated. And as the scan rules are now implemented as add-ons you can get the latest rules as soon as they are published.
  • A replacement for the 'standard' Spider:
  • The 'old' Spider was showing its age, so it's been completely rewritten, and is much faster and more comprehensive than the old one. This is still a 'traditional' spider that analyses the HTML code for any links it can find.
  • A new 'Ajax' spider:
  • In addition to the 'traditional' spider we've added an Ajax spider which is more effective with applications that make heavy use of JavaScript. This uses the Crawljax project which drives a browser (using Selenium) and so can discover any links an application generates, even ones generated client side.
  • Web Socket support:
  • ZAP now supports WebSockets, so ZAP can now see all WebSocket messages sent to and from your browser. As with HTTP based messages, ZAP can also intercept WebSocket messages and allows you to change them on the fly.
  • You can also fuzz WebSockets messages as well using all of the fuzzing payloads included in ZAP from projects like JBroFuzz and fuzzdb. And of course you can easily add your own fuzzing files.
  • Quick Start tab:
  • The first main tab you will now see is a 'Quick Start' tab which allows you to just type in a URL and scan it with one click.
  • This is an ideal starting point for people new to application security, but experts can easily remove it if they find it distracting.
  • Session awareness:
  • ZAP is now session aware, so it can recognise and keep track of multiple sessions. It allows you to create new sessions and switch between them, and this applies to all of the other components, like the Spider and Active Scanner.
  • User defined Contexts:
  • You can now define any number of 'contexts' - related sets of URLs which make up an application. You can then target all URLs in a context, for example using the Spider or Active Scanner. You can also add the contexts to the scope, and associate other information, such as authentication details.
  • Session scope:
  • The session scope allows you to specify which contexts you are interested at any one time. You can restrict what you see in various tabs to just the URLs in scope, and prevent accidentally attacking URLs not in scope by using the Protected mode.
  • Different modes:
  • ZAP now supports 3 modes:
  • Safe, in which no potentially dangerous operations are permitted
  • Protected, in which you can perform any actions on URLs in scope
  • Standard, in which you can do anything to any URLs
  • Authentication handling:
  • You can now associate authentication details with any context, which allows ZAP to do things like detect if and when you are logged out and automatically log you back in again. This is especially useful when used via the API in security regression tests.
  • More API support:
  • The REST API has been significantly extended, giving you much more access to the functionality ZAP provides.
  • Fine grained scanning controls:
  • The active scan rules can now be tuned to adjust their strength (the number of attacks they perform) and the threshold at which they report potential issues.
  • New and improved active and passive scanning rules:
  • We have uploaded the results from running ZAP 2.0.0 against wavsep (the most comprehensive open source evaluation project we are aware of) to the ZAP wiki: http://code.google.com/p/zaproxy/wiki/Testing TODO ;)
  • Full list of changes:
  • Issue 43: Scope option for filtering
  • Issue 163: Active scanner failing against DVWA high false positives/true negatives rate
  • Issue 175: Better bruteforce wordlist
  • Issue 278: Root CA Certificate for Dynamic SSL invalid on some platforms due to ExtendedKeyUsage extension
  • Issue 281: Alert class JSON dependency
  • Issue 299: Feature request: Show count of found URIs during Spider
  • Issue 305: Passive scanner rule for suspicious comments like TODO and FIXME
  • Issue 326: Response time and total length in manual request
  • Issue 330: robots.txt parsing
  • Issue 332: Support for modes
  • Issue 333: Spider - add option to crawl everything in scope
  • Issue 335: Web Sockets - add support for Modes and Scope
  • Issue 342: Add an HttpSenderListener
  • Issue 350: Authentication management
  • Issue 354: Fuzzer attack strings not shown
  • Issue 356: Generate CSRF test form
  • Issue 358: Typo in "XFO Header Not Set" Solution
  • Issue 360: Brute force sub directories
  • Issue 361: getHostPort on HttpRequestHeader for HTTPS CONNECT requests returns the wrong port
  • Issue 370: API - save session better error handling
  • Issue 374: API - save session synchronous or provide status
  • Issue 376: Masking the passwords provided for Authentication
  • Issue 385: Support contexts
  • Issue 386: API Web UI - support parameters with views
  • Issue 388: Allow user to specify which technologies apply to a context
  • Issue 390: Spider - Add option to spider all in context
  • Issue 393: More online links from menu
  • Issue 397: Support weekly builds
  • Issue 400: Generate new CA certificate will always produce certificate with same serial number
  • Issue 401: Exception when the (new) Spider is started through the API
  • Issue 402: GUI labels are not properly displayed on Linux (when language set to Polish)
  • Issue 403: Set options via the API using reflection
  • Issue 404: Labels not properly displayed when the Persian language is chosen
  • Issue 406: Spider - Add option to control the effect of parameters on visited URLs
  • Issue 410: charset wrapped in quotation marks
  • Issue 411: Allow proxy port to be specified on the command line
  • Issue 417: IndexOutOfBoundsException in ExtensionHttpSessions in daemon mode
  • Issue 419: Restructure jar loading code
  • Issue 420: API - support absolute session paths
  • Issue 421: Cleanly shut down any active scan threads on shutdown
  • Issue 422: Use exec in zap.sh so a new process is not forked
  • Issue 423: Active scanner and spider can deadlock if ZAP is shut down while they are running
  • Issue 424: Exceptions in Web Sockets when session opened
  • Issue 425: Add quick start tab
  • Issue 429: Active Scan URL via API scans more than just the specified URL
  • Issue 433: API: introduce mandatory parameters and optional descriptions
  • Issue 435: Active scan alerts may be "lost" after saving the session
  • Issue 436: Locking on session save or shutdown via the API
  • Issue 438: API enhancements
  • Issue 441: View incorrectly initialised in many places when in daemon mode
  • Issue 443: "No Anti-CSRF tokens were found in a HTML submission form" listed as "None. Warning only."
  • Issue 446: KeyStore of a registered PKCS#11 provider is not retrieved if a PKCS#11 provider is already registered
  • Issue 447: Highlight attack when displaying alerts
  • Issue 448: Rename Brute Force ext to Forced Browse and add URLs to the tree
  • Issue 449: Missing help page for "Extensions" panel in the "Options" dialogue
  • Issue 451: Manual check for updates doesn't work correctly in the newest weekly releases
  • Issue 453: Dynamic loading and unloading of add-ons
  • Issue 455: Split fuzzdb out into a new addon
  • Issue 456: Spider session handling tweaks
  • Issue 457: Search Tab arrow key support
  • Issue 459: Active scanner locking
  • Issue 460: Add a scan progress dialog
  • Issue 461: Add help file for Quick Start addon
  • Issue 462: Review: Patch/Review: SSLSocketFactory with TLS enabled and default Cipher options
  • Issue 468: Upgrade SQL Injection rule to 'release'
  • Issue 469: Allow anti-CSRF token to be added and removed via the API
  • Issue 471: Move BeanShell extension to ZAP extensions project
  • Issue 472: Spider accesses UI panel in daemon mode
  • Issue 473: Allow add-ons to remove views/components added to the message panels
  • Issue 474: Promote quick start to release status
  • Issue 478: Allow to choose to send ZAP's managed cookies on a single Cookie request header and set it as the default

New in ZAP 1.3.4 (Mar 21, 2012)

  • Minor changes:
  • Issue 146: Inverse regex on search plus fuzz match highlighting
  • Issue 202: Option to turn off brute force recursion
  • Issue 215: Allow custom brute force files to be added easily. Also added the ability to set the default brute force file.
  • Issue 217: Invoke apps - add support for cookies and post data params
  • Issue 218: Allow users to easily add their own fuzzer files. Also added the option to append the output to a Note related to the relevant entry.
  • Bug fixes:
  • Issue 56: Disable POST reqs in Spider
  • Issue 186: Connection Options - Prompt for proxy credentials on start up / Address validation not empty
  • Issue 188: Problem upgrading ZAP on Linux and Windows
  • Issue 191: Exception when the URL contains escaped characters
  • Issue 196: Multiple dialogs of the same option, opened simultaneously, do not work properly.
  • Issue 199: Vulnerabilities with texts truncated
  • Issue 204: Search on headers only finds regex in requests
  • Issue 206: Exception in "Alerts" tab when choosing a popup option
  • Issue 214: No alert message when saving report in a read only location
  • Issue 216: Exception when a URI doesn't have the path component
  • Issue 219: Break and ignore URLs by default include GET/POST
  • Issue 220: Incorrect message: Password (stored in clear text)