What's new in ZAP 2.4.2
Sep 8, 2015
- bug fix and minor enhancement release
New in ZAP 2.4.1 (Sep 8, 2015)
- includes important security fixes - users are urged to upgrade as soon as possible
New in ZAP 2.4.0 (Sep 8, 2015)
- includes attack mode, advanced fuzzing, advanced scan options and much more
New in ZAP 2.3.1 (Sep 8, 2015)
New in ZAP 2.2.0 (Sep 12, 2013)
- Major changes:
- Issue 717: Scripts: support multiple scripts and embedding within ZAP components
- Support for Mozilla Zest: https://developer.mozilla.org/en-US/docs/Zest
- Support for Mozilla Plug-n-Hack: https://developer.mozilla.org/en-US/docs/Plug-n-Hack
- Minor changes:
- Issue 711: Support scanning of XML requests
- Issue 713: Add CWE and WASC numbers to issues
- Issue 719: Custom http break points with more options
- Issue 738: Options to hide tabs / windows
- Issue 750: Upgrade script console to support non textbased scripting languages
- Issue 752: Create a new root CA when first run
- Issue 775: Allow host to be set via the command line
- Bug Fixes:
- Issue 555: Http panels default to hex view
- Issue 599: The save session API does not allow overwriting a session that already has the same name
- Issue 630: URLCanonicalizer.getCanonicalURL produces URIs "half" decoded
- Issue 631: URLCanonicalizer.buildCleanedParametersURIRepresentation returns URIs in percent-encoded form and decoded
- Issue 652: Shutdown after a big scan takes too long (deleting ascan records)
- Issue 655: API encoding issues
- Issue 665: NullPointerException while proxying with a URI with an empty path component
- Issue 666: JSONException while calling an API action without the required parameter(s)
- Issue 669: Certificate algorithm constraints in Java 1.7
- Issue 674: Add HttpSessionAPI to ApiGeneratorUtils
- Issue 685: Add dummy file to "fuzzers" directory
- Issue 686: Log HttpException (as error) in the ProxyThread
- Issue 687: Change HTTP response header parser to be less strict
- Issue 690: Context Authentication URLs don't fail manual overwriting.
- Issue 691: Handle old plugins
- Issue 692: Report the version of java found by zap.sh
- Issue 693: Command line should show all options
- Issue 694: API UI fails on IE
- Issue 695: Sites tree doesn't clear on new session created by API
- Issue 696: Change "Ajax Spider" add-on options to use ZapNumberSpinner
- Issue 697: API action "proxy.pac" might return wrong domain/port
- Issue 698: Passive Scanner API view "recordsToScan" returns -1 after finish scanning the messages
- Issue 699: Fix HTML errors in the help pages
- Issue 702: Do not load newer add-on versions if they are not targeted for the running ZAP version
- Issue 703: Add-on ZAP version constraints "not-before-version" and "not-from-version" are not respected for already "installed" add-ons
- Issue 706: ZAP API doesn't parse correctly query parameters with "&" characters
- Issue 710: URLCanonicalizer.getCanonicalURL fails to correctly parse query parameters with "&" and "=" characters
- Issue 712: HttpSessions API action "setSessionTokenValue" should add the session token name to the site's session tokens
- Issue 720: Cannot send non standard http methods
- Issue 721: Non POST and PUT requests receive a 504 when server expects a request body
- Issue 724: Do not clone the alert's message that will be shown in message panels
- Issue 725: Clear alert's panel fields
- Issue 726: Catch active scanner variants' exceptions
- Issue 727: Name of automatically created HTTP sessions is always in English
- Issue 728: Allow to create a session with a given name through the HttpSessions API
- Issue 729: Update NTLM authentication code
- Issue 730: MissingResourceException while selecting a disabled extension (from an add-on) in the "Extensions" options panel
- Issue 731: MissingResourceException with ExtensionFuzz enabled and ExtensionBruteForce disabled
- Issue 736: Change add-on class loading strategy to parent-last
- Issue 737: Restore "Ajax spider" add-on dependencies
- Issue 756: Allow Context Panels intercommunication
- Issue 763: XML report empty when used in daemon mode
- Issue 764: HTTP fuzz results don't support right click menus
- Issue 766: Searching fuzz results doesn't include the header
- Issue 767: HTTP Session API could be less strict
- Issue 772: Restructuring of Saving/Loading Context Data
- Issue 774: Build doesn't include scripts directory
- Issue 776: Allow add-ons to warn user if they're closing ZAP with unsaved resources open
- Issue 777: Unable to cancel changes when using Include in/Exclude from Context
- Issue 782: NoSuchMethodError when excluding a WebSocket channel URL from context
- Issue 785: Change zap.sh to cope with Java 1.8
- Issue 786: Snapshot session menu item not working
New in ZAP 2.1.0 (Apr 19, 2013)
- Minor changes:
- Issue 355: Allow Positional Fuzzing
- Issue 475: Http Sessions custom cookie value
- Issue 484: Check java version in zap.sh
- Issue 496: Allow to see the request and response at the same time in the main window
- Issue 505: Http Session API Implementation
- Issue 515: Change add-ons to make use of automatic load of messages
- Issue 516: Change add-ons messages keys to have unique prefix
- Issue 518: Add OData support
- Issue 537: Option to Force Browse files/resources with user-defined extensions
- Issue 538: Allow non sequential lines to be selected in the history log
- Issue 542: browse api - prompt window to enable
- Issue 551: Add csrfmiddlewaretoken to list of default Anti csrf tokens
- Issue 552: Make ZapPortNumberSpinner a subclass of ZapNumberSpinner
- Issue 553: Add option to filter alerts by scope
- Issue 561: Copy URLs right click option
- Issue 566: Abstract class for creating generic popups
- Issue 568: Allow extensions to run from the command line
- Issue 569: Allow Spider Scan to start without prior visit
- Issue 587: Upgrade to JBroFuzz 2.5
- Issue 592: Do not show the main pop up menu if it doesn't have visible pop up menu items
- Issue 597: Show "Author" field on available add-ons ("Marketplace" tab)
- Issue 602: Allow to (explicitly) choose the file type when exporting URLs to file
- Issue 621: Handle requests to the proxy URL (and generate a PAC file)
- Issue 638: Persist and snapshot sessions instead of saving them
- Bug Fixes:
- Issue 150: java.io.IOException at org.owasp.jbrofuzz.system.Logger.checkOrCreateDirs
- Issue 205: A previously saved option (Toolbar) is not set on start up when "Prompt for proxy credentials on start up" is checked.
- Issue 317: Move (or protect) the 'Bin' button
- Issue 452: API - shutdown asynchronously
- Issue 488: Fuzz categories available for the default category not updated after installing/uninstalling an add-on (with fuzz files)
- Issue 490: Re-authentication only works with the active scanner
- Issue 499: NullPointerException while uninstalling an add-on with a manual request editor
- Issue 500: NullPointerException while uninstalling an add-on manually installed
- Issue 501: ExtensionFactory keeps references to uninstalled add-ons (with extensions)
- Issue 502: Manually installed add-ons don't remain installed
- Issue 504: Table of installed add-ons may not update after manually installing an add-on
- Issue 507: Quick start tab doesnt have a scroll pane
- Issue 508: Some add-ons are not unloading all its components when uninstalled
- Issue 509: Remove add-on ResourceBundle when an add-on is uninstalled
- Issue 510: Remove add-on HelpSet when an add-on is uninstalled
- Issue 511: Allow add-ons to remove footer status labels
- Issue 512: Allow to remove the footer status label added by the ScanPanel
- Issue 513: Footer status labels not immediately shown when an add-on is installed
- Issue 514: Forced Browse footer status label still uses spanner icon
- Issue 517: Add-ons are added to "main" class loader when installed
- Issue 520: MissingResourceException when generating "Alerts" report
- Issue 524: Host authentication is used even when disabled
- Issue 525: "Report / Export all URLs to File ..." fails
- Issue 528: Scan progress dialog can show negative progress times
- Issue 533: Default ports 80 and 443 are appended to sites in site tree
- Issue 540: Maximised work tabs hidden when response tab position changed
- Issue 548: Diff messages are appended to the "Diff" dialogue
- Issue 549: Diff menu item enabled when "Sites" tree root node and a child node are selected
- Issue 550: Fuzzer - Buffer Overflow stops because of java.sql.SQLDataException: data exception: string data, right truncation
- Issue 558: Auto tagging broken
- Issue 564: Active scanner can hang if dependencies used
- Issue 565: Marketplace: Downloads won't use configured upstream Proxy
- Issue 567: Spelling mistake
- Issue 574: Spider fails when invoked via the API
- Issue 579: Some (build) targets are incorrectly relying on the platform default encoding
- Issue 582: NullPointerException while opening a session in daemon mode
- Issue 583: NullPointerException while managing a session in daemon mode with "WebSockets" add-on installed
- Issue 588: ExtensionHistory.historyIdToRef should be cleared when changing session
- Issue 593: Quick Start may start the active scan before waiting for the spider to finish
- Issue 614: SessionFixation labels wrong
- Issue 616: Spider handles incorrectly form actions containing fragments (#)
- Issue 617: NullPointerException when spidering a context
- Issue 622: Local proxy unable to correctly detect requests to itself
- Issue 626: Scroll bar of alert text areas is always at the bottom
- Issue 627: Allow add-ons to remove main tool bar buttons/separators
- Issue 628: Allow add-ons to remove the registered API
- Issue 632: Manual Request Editor dialogue (HTTP) configurations not saved correctly
- Issue 633: Auto tag scanners are shown in passive scanners table
- Issue 634: Empty passive scanner shown in the passive scanners table
New in ZAP 2.0.0 (Mar 5, 2013)
- Significant changes:
- An integrated add-ons marketplace:
- ZAP can be extended by add-ons that have full access to all of the ZAP internals. Anyone can write add-ons and upload them to the ZAP Add-on Marketplace (OK, so it's a Google Code project called zap-extensions, but you get the idea).
- More importantly, you can now browse, download and install those add-ons from within ZAP. Most add-ons can be dynamically installed (and uninstalled), so you won't even need a restart.
- You can choose to be notified of updates, and even be automatically updated. And as the scan rules are now implemented as add-ons you can get the latest rules as soon as they are published.
- A replacement for the 'standard' Spider:
- The 'old' Spider was showing its age, so it's been completely rewritten, and is much faster and more comprehensive than the old one. This is still a 'traditional' spider that analyses the HTML code for any links it can find.
- A new 'Ajax' spider:
- In addition to the 'traditional' spider we've added an Ajax spider which is more effective with applications that make heavy use of JavaScript. This uses the Crawljax project which drives a browser (using Selenium) and so can discover any links an application generates, even ones generated client side.
- Web Socket support:
- ZAP now supports WebSockets, so ZAP can now see all WebSocket messages sent to and from your browser. As with HTTP based messages, ZAP can also intercept WebSocket messages and allows you to change them on the fly.
- You can also fuzz WebSockets messages as well using all of the fuzzing payloads included in ZAP from projects like JBroFuzz and fuzzdb. And of course you can easily add your own fuzzing files.
- Quick Start tab:
- The first main tab you will now see is a 'Quick Start' tab which allows you to just type in a URL and scan it with one click.
- This is an ideal starting point for people new to application security, but experts can easily remove it if they find it distracting.
- Session awareness:
- ZAP is now session aware: it can recognise and keep track of multiple sessions, lets you create new sessions and switch between them, and this applies to all of the other components, such as the Spider and Active Scanner.
- User defined Contexts:
- You can now define any number of 'contexts' - related sets of URLs which make up an application. You can then target all URLs in a context, for example using the Spider or Active Scanner. You can also add the contexts to the scope, and associate other information, such as authentication details.
- Session scope:
- The session scope allows you to specify which contexts you are interested at any one time. You can restrict what you see in various tabs to just the URLs in scope, and prevent accidentally attacking URLs not in scope by using the Protected mode.
- Different modes:
- ZAP now supports 3 modes:
- Safe, in which no potentially dangerous operations are permitted
- Protected, in which you can perform any actions on URLs in scope
- Standard, in which you can do anything to any URLs
- Authentication handling:
- You can now associate authentication details with any context, which allows ZAP to do things like detect if and when you are logged out and automatically log you back in again. This is especially useful when used via the API in security regression tests.
- More API support:
- The REST API has been significantly extended, giving you much more access to the functionality ZAP provides.
- Fine grained scanning controls:
- The active scan rules can now be tuned to adjust their strength (the number of attacks they perform) and the threshold at which they report potential issues.
- New and improved active and passive scanning rules:
- We have uploaded the results from running ZAP 2.0.0 against wavsep (the most comprehensive open source evaluation project we are aware of) to the ZAP wiki: http://code.google.com/p/zaproxy/wiki/Testing TODO ;)
- Full list of changes:
- Issue 43 : Scope option for filtering
- Issue 163 : Active scanner failing against DVWA high false positives/true negatives rate
- Issue 175 : Better bruteforce wordlist
- Issue 278 : Root CA Certificate for Dynamic SSL invalid on some platforms due to ExtendedKeyUsage extension
- Issue 281 : Alert class JSON dependency
- Issue 299 : Feature request: Show count of found URIs during Spider
- Issue 305 : Passive scanner rule for suspicious comments like TODO and FIXME
- Issue 326 : Response time and total length in manual request
- Issue 330 : robots.txt parsing
- Issue 332 : Support for modes
- Issue 333 : Spider - add option to crawl everything in scope
- Issue 335 : Web Sockets - add support for Modes and Scope
- Issue 342 : Add an HttpSenderListener
- Issue 350 : Authentication management
- Issue 354 : Fuzzer attack strings not shown
- Issue 356 : Generate CSRF test form
- Issue 358 : Typo in "XFO Header Not Set" Solution
- Issue 360 : brute force sub directories
- Issue 361 : getHostPort on HttpRequestHeader for HTTPS CONNECT requests returns the wrong port
- Issue 370 : API - save session better error handling
- Issue 374 : API - save session synchronous or provide status
- Issue 376 : Masking the passwords provided for Authentication
- Issue 385 : Support contexts
- Issue 386 : API Web UI - support parameters with views
- Issue 388 : Allow user to specify which technologies apply to a context
- Issue 390 : Spider - Add option to spider all in context
- Issue 393 : More online links from menu
- Issue 397 : Support weekly builds
- Issue 400 : Generate new CA certificate will always produce certificate with same serial number
- Issue 401 : Exception when the (new) Spider is started through the API
- Issue 402 : GUI labels are not properly displayed on Linux (when language set to Polish)
- Issue 403 : Set options via the API using reflection
- Issue 404 : Labels not properly displayed when the Persian language is chosen
- Issue 406 : Spider - Add option to control the effect of parameters on visited URLs
- Issue 410 : charset wrapped in quotation marks
- Issue 411 : Allow proxy port to be specified on the command line
- Issue 417 : IndexOutOfBoundsException in ExtensionHttpSessions in daemon mode
- Issue 419 : Restructure jar loading code
- Issue 420 : API - support absolute session paths
- Issue 421 : Cleanly shut down any active scan threads on shutdown
- Issue 422 : Use exec in zap.sh so a new process is not forked
- Issue 423 : Active scanner and spider can deadlock if ZAP is shutdown while they are running
- Issue 424 : Exceptions in Web Sockets when session opened
- Issue 425 : Add quick start tab
- Issue 429 : Active Scan URL via API scans more than just the specified URL
- Issue 433 : API: introduce mandatory parameters and optional descriptions
- Issue 435 : Active scan alerts may be "lost" after saving the session
- Issue 436 : Locking on session save or shutdown via the API
- Issue 438 : API enhancements
- Issue 441 : View incorrectly initialised in many places when in daemon mode
- Issue 443 : "No Anti-CSRF tokens were found in a HTML submission form" listed as "None. Warning only."
- Issue 446 : KeyStore of a registered PKCS#11 provider is not retrieved if a PKCS#11 provider is already registered
- Issue 447 : Highlight attack when displaying alerts
- Issue 448 : Rename Brute Force ext to Forced Browse and add URLs to the tree
- Issue 449 : Missing help page for "Extensions" panel in the "Options" dialogue
- Issue 451 : Manual check for updates doesn't work correctly in the newest weekly releases
- Issue 453 : Dynamic loading and unloading of add-ons
- Issue 455 : Split fuzzdb out into a new addon
- Issue 456 : Spider session handling tweaks
- Issue 457 : Search Tab arrow key support
- Issue 459 : Active scanner locking
- Issue 460 : Add a scan progress dialog
- Issue 461 : Add help file for Quick Start addon
- Issue 462 : Review: Patch/Review: SSLSocketFactory with TLS enabled and default Cipher options
- Issue 468 : Upgrade SQL Injection rule to 'release'
- Issue 469 : Allow anti csrf token to be added and removed via the API
- Issue 471 : Move BeanShell extension to ZAP extensions project
- Issue 472 : Spider accesses UI panel in daemon mode
- Issue 473 : Allow add-ons to remove views/components added to the message panels
- Issue 474 : Promote quick start to release status
- Issue 478 : Allow to choose to send ZAP's managed cookies on a single Cookie request header and set it as the default
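The 2.0.0 notes above mention that authentication handling and the extended REST API are "especially useful ... in security regression tests". The following is an added example of such a test driver, written for this page and not part of ZAP itself. It assumes a ZAP instance listening on http://127.0.0.1:8080 with an API key, and uses the JSON API layout of the 2.x line (`/JSON/<component>/<view|action>/<name>/`, the `spider` and `ascan` `scan` actions returning a `scan` id, their `status` views reporting a percentage, and `core/view/alerts` returning an `alerts` list with `risk`, `alert` and `url` fields). The target URL, API key and the sample alerts body are constructed for the example; the network calls are only made from `run_regression`, so the parsing and filtering can be exercised offline.

```python
"""Drive ZAP over its JSON API as a security regression test.

Added example for this changelog, not ZAP's own client code. Assumes a ZAP 2.x
instance at ZAP_BASE protected by ZAP_APIKEY (both values are placeholders).
"""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"   # assumed ZAP address (placeholder)
ZAP_APIKEY = "changeme"              # assumed; taken from the ZAP API options panel
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def api_url(component, kind, name, params=None, base=ZAP_BASE, apikey=ZAP_APIKEY):
    """Build a ZAP JSON API URL; kind is 'view' or 'action'. The API key is sent as the apikey query parameter."""
    query = dict(params or {})
    if apikey:
        query["apikey"] = apikey
    path = "/JSON/%s/%s/%s/" % (component, kind, name)
    return base.rstrip("/") + path + ("?" + urllib.parse.urlencode(query) if query else "")


def api_call(component, kind, name, params=None):
    """Perform the HTTP call and decode the JSON body (network; only used by run_regression)."""
    with urllib.request.urlopen(api_url(component, kind, name, params), timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_for_scan(component, scan_id, poll=2.0, timeout=1800):
    """Poll /JSON/<component>/view/status/ until it reports 100; spider and ascan share this shape."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        status = int(api_call(component, "view", "status", {"scanId": scan_id})["status"])
        if status >= 100:
            return True
        time.sleep(poll)
    return False


def parse_alerts(body):
    """Turn a core/view/alerts response (JSON text or decoded dict) into (risk, name, url) tuples."""
    data = json.loads(body) if isinstance(body, str) else body
    return [(a["risk"], a["alert"], a["url"]) for a in data.get("alerts", [])]


def alerts_at_or_above(alerts, min_risk):
    """Keep alerts whose risk is at least min_risk ('Informational', 'Low', 'Medium' or 'High')."""
    floor = RISK_ORDER[min_risk]
    return [a for a in alerts if RISK_ORDER.get(a[0], 0) >= floor]


def run_regression(target, min_risk="Medium"):
    """Spider the target, active-scan it, and return False if any alert reaches min_risk."""
    spider_id = api_call("spider", "action", "scan", {"url": target})["scan"]
    if not wait_for_scan("spider", spider_id):
        raise RuntimeError("spider did not finish in time")
    ascan_id = api_call("ascan", "action", "scan", {"url": target})["scan"]
    if not wait_for_scan("ascan", ascan_id):
        raise RuntimeError("active scan did not finish in time")
    alerts = parse_alerts(api_call("core", "view", "alerts", {"baseurl": target}))
    failing = alerts_at_or_above(alerts, min_risk)
    for risk, name, url in failing:
        print("%-13s %s  %s" % (risk, name, url))
    return not failing


# Constructed sample of a core/view/alerts body, used to exercise the parsing offline.
SAMPLE_ALERTS_BODY = json.dumps({"alerts": [
    {"risk": "Low", "alert": "X-Frame-Options Header Not Set", "url": "http://app.test/"},
    {"risk": "High", "alert": "SQL Injection", "url": "http://app.test/item?id=1"},
    {"risk": "Informational", "alert": "Information Disclosure - Suspicious Comments",
     "url": "http://app.test/js/app.js"},
]})

if __name__ == "__main__":
    # Usage: python zap_regression.py http://app.test/  (exit status 1 fails the build)
    target_url = sys.argv[1] if len(sys.argv) > 1 else "http://app.test/"
    sys.exit(0 if run_regression(target_url) else 1)
```

Run it from a CI job after starting ZAP in daemon mode; a non-zero exit status fails the build when any alert at or above the chosen risk is reported. If the scan rules have been tuned (the strength and threshold controls mentioned above), the same `min_risk` floor keeps the pass/fail decision independent of how noisy the individual rules are.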
New in ZAP 1.3.4 (Mar 21, 2012)
- Minor changes:
- Issue 146: Inverse regex on search plus fuzz match highlighting
- Issue 202: Option to turn off brute force recursion
- Issue 215: Allow custom brute force files to be added easily. Also added the ability to set the default brute force file.
- Issue 217: Invoke apps - add support for cookies and post data params
- Issue 218: Allow users to easily add their own fuzzer files. Also added the option to append the output to a Note related to the relevant entry.
- Bug fixes:
- Issue 56: Disable POST reqs in Spider
- Issue 186: Connection Options - Prompt for proxy credentials on start up / Address validation not empty
- Issue 188: Problem upgrading ZAP on linux and Windows
- Issue 191: Exception when the URL contains escaped characters
- Issue 196: Multiple dialogs of the same option, opened simultaneously, do not work properly.
- Issue 199: Vulnerabilities with texts truncated
- Issue 204: Search on headers only finds regex in requests
- Issue 206: Exception in "Alerts" tab when choosing a popup option
- Issue 214: No alert message when saving report in a read only location
- Issue 216: Exception when a URI doesn't have the path component
- Issue 219: Break and ignore urls by default include GET/POST
- Issue 220: Incorrect message: Password (stored in clear text)