OWASP ZAP Changelog

What's new in OWASP ZAP 2.7.0

Nov 29, 2017

Enhancements:
Issue 1015 : Support Server Name Indication
Issue 1313 : Spider - Allow to configure the size limit of parseable responses
Issue 1604 : Import policy file via API
Issue 1620 : Add endpoint to get number of alerts grouped by risk level
Issue 1681 : Change 'Active Scan' to show the last n requests instead of the first ones
Issue 2411 : Warn if dynamic SSL root CA certificate is expired
Issue 2615 : Filtering ZAP Reports to Show High Risk Items
Issue 3040 : Export param tab contents
Issue 3101 : Allow add-ons to use Semantic Versioning
Issue 3156 : Use G1 as default garbage collector
Issue 3253 : Export URLs Per Context
Issue 3365 : Enhancement: Additional Global Exclude default patterns
Issue 3367 : Expose ZAP's home dir path through the ZAP API
Issue 3374 : Adjust to more user favorable column widths
Issue 3381 : i18n Core Extension Names
Issue 3387 : Allow esc to close AbstractFormDialog
Issue 3392 : Show all messages sent by the Spider
Issue 3395 : Add option to spider anonymously with a session
Issue 3398 : Increase limit of global script variables' value
Issue 3404 : Add new Default CSRF Token for OWASP CSRF Guard
Issue 3408 : Improve error handling when resetting the options
Issue 3443 : Expose Alerts options through the ZAP API
Issue 3446 : Enhancement: Add ability to export a Site Map via Context Menu
Issue 3457 : Allow to filter core view "urls" by base URL
Issue 3460 : Enhancement: Provide help finding the Log directory in the UI
Issue 3461 : Enhancement: Browse API Doesn't work when browser isn't using ZAP as proxy
Issue 3476 : Allow passive rules to choose the type of msgs
Issue 3481 : Export Tables via UI
Issue 3498 : Minor Enhancement: Support Same Columns in Search Results as History Tab
Issue 3500 : Allow to manage messages' tags in multiple tabs
Issue 3508 : Use newer ECMAScript engine if available
Issue 3514 : Allow to obtain multiple messages by ID
Issue 3521 : Enhancement Request: Add Filter To Passive Scan Rules Options Panel
Issue 3527 : Update baseline script to support python 3
Issue 3529 : Allow to add tags with Passive Rules
Issue 3533 : Additional Table Export Buttons
Issue 3539 : Enhancement: Collect messages to scan before active scanning
Issue 3552 : Expose message's tags through the ZAP API
Issue 3559 : ZAP API option to output report in JSON format
Issue 3574 : Show the add-on name in Extensions panel
Issue 3587 : Allow to use system's locale for formatting
Issue 3594 : ZAP API Ability to specify domains/addresses that API will be served from
Issue 3595 : Print args and error msg when failed to parse args
Issue 3599 : Always attack Data Driven Nodes
Issue 3619 : Show plugin as OFF, in policy panels, if disabled
Issue 3626 : Allow to delete messages with keyboard shortcut
Issue 3676 : Enhancement: Delete single Alert using the api
Issue 3681 : Use number spinner for connection timeout
Issue 3686 : Allow to select alert's CWE/WASC IDs and Source
Issue 3688 : Show scanner's ID/name in Alert tab
Issue 3691 : Modernized and refined HTML reports
Issue 3700 : Ensure panel with validation errors is visible
Issue 3714 : Spider - report # of new endpoints discovered
Issue 3727 : Sites Tree Alpha Sort should ignore HTTP Method
Issue 3733 : Ascan API - Return alert count for each scanner
Issue 3739 : Allow to skip pending scanners
Issue 3765 : Show alert count in Scan Progress dialogue
Issue 3769 : Add Check for Updates toolbar button
Issue 3770 : Clear dockerfiles
Issue 3782 : Add msg and alert count to active scans API view
Issue 3787 : Added passive scan timeout
Issue 3793 : Allow to filter Keyboard options panel
Issue 3808 : added bare docker image file
Issue 3810 : Add JSON output support to zap-full-scan.py
Issue 3818 : Change right-click "Resend..." to "Send to Manual Request Editor"
Issue 3836 : Allow IPv6 loopback address to access the API by default
Issue 3837 : Add anoncsrf as anticsrf token name
Issue 3851 : Spider New Scan UI Consistency
Issue 3871 : Default to checking for updates on start
Issue 3878 : Support persistent connections in the API
Issue 3910 : Allow to skip scanners through the API
Issue 3918 : improved docker file
Issue 3922 : Refactor target access in docker scripts
Issue 3931 : Minor Enhancement to Very large response body message
Issue 3977 : Include spider messages when comparing sessions
Issue 3983 : Allow ZAP to listen on multiple addresses/ports
Issue 3992 : Allow to enable code folding in body text views
Issue 3993 : Added checkbox secure to callback option dialog.
Issue 4001 : Allow to delete a Context with keyboard shortcut
Issue 4049 : Allow to delete alerts with keyboard shortcut
Issue 4053 : AlertViewPanel line wrapping
Issue 4055 : New splash screen
Issue 4061 : Update NTLM engine implementation
Issue 4063 : Validate that -cmd and -daemon are not both set
Issue 4066 : Improve error message in script API
Bug fixes:
Issue 765 : Ctrl-F key doesnt work on Resend / Manual Request Editor dialogs
Issue 1222 : False positive: XSS scanning
Issue 1984 : Alerts API should always return 'evidence' (and all other keys)
Issue 2375 : Unable to change Mode without main tool bar
Issue 2496 : ZAP only report the first alert in array
Issue 2744 : Unable to enable/disable Forced User mode without main tool bar
Issue 2756 : Class loading deadlock when loading httpsender script from API call and spidering
Issue 2989 : Redirect history not recorded when resend request
Issue 3154 : Execution Order for Plugins Displayed in Scan Progress Details, Progress Tab
Issue 3207 : History tab cleared when session persisted
Issue 3284 : Accept underscores in hostnames
Issue 3289 : Proxy excluded URLs still processed by ZAP
Issue 3350 : wrong comparison of HTTP Messages in queryEquals() method of HttpMessage class
Issue 3351 : the url disappear when i click it
Issue 3353 : ZAP API View:contextList method returns a string instead of JSON list
Issue 3359 : Missing Help details Options Connection screen
Issue 3363 : Spider Messages View Includes Underused Tags Column
Issue 3377 : ZAP can no longer load non UTF8 scripts
Issue 3382 : Fix "internal error" in ScriptAPI
Issue 3394 : Enable Session Tracking (Cookie) option not persisted
Issue 3397 : Do not uninstall a file if it no longer exists
Issue 3411 : Clear cached certs when setting Root CA cert
Issue 3440 : Log Exception when the provided config file could not be parsed
Issue 3456 : Bug: Paused Scans Wiped Out when Persisting a Session
Issue 3459 : Enhancement: Prescan Output is Confusing. Please Clarify.
Issue 3490 : Poor font rendering on linux
Issue 3531 : Docker scripts might get stuck on "Records to passive scan" seemingly indefinitely
Issue 3555 : Changing Session Name, doesn't Update the Window Name
Issue 3571 : Require extension's dependencies during extension loading
Issue 3590 : Set installation status to marketplace add-ons
Issue 3591 : Correctly check for add-on updates on dep calc
Issue 3620 : Return correct error on missing auth parameters
Issue 3621 : Sync HistoryReference cache in ExtensionHistory
Issue 3632 : Do not close session when changing its properties
Issue 3633 : "Generate Anti-CSRF Test Form" not working
Issue 3648 : Correct state of adv option in Spider dialogue
Issue 3667 : Markdown report heading format issue
Issue 3673 : API: sendHarRequest results in error if redirects are true
Issue 3675 : Sites tree option Show only URLs in Scope not working
Issue 3692 : zap-api-scan.py correct path handling
Issue 3696 : Correct API response for outgoing proxy changes
Issue 3703 : org.parosproxy.paros.db.DatabaseException: java.sql.SQLException: Can not issue executeUpdate() or executeLargeUpdate() for SELECTs
Issue 3711 : Session snapshots might "break" running scans
Issue 3723 : Properly reset Database options panel
Issue 3748 : Automatically skip dependent scanners
Issue 3759 : Update version check in zap.sh script for Java 9
Issue 3771 : Add-on files not updated when running newer ZAP/core version
Issue 3779 : Can't open the Resend window because of missing font
Issue 3799 : Declare ExtensionDynSSL as supporting low mem
Issue 3825 : Show error if failed to active the certificate
Issue 3827 : mysql NULL value in where in CLAUSE
Issue 3832 : Errors in Input Vector Templates
Issue 3849 : Pscanrule Content Type Missing not working with Spider messages
Issue 3854 : Error whilst using Api - ERROR ExtensionUserManagement - Unable to persist Users
Issue 3889 : Initialise the source of the Alert always
Issue 3895 : JSON Input Vector fails if string has quoted chars
Issue 3907 : Normalise form-based login URL validation/usage
Issue 3912 : VariantDirectWebRemotingQuery might hang in infinite loop
Issue 3914 : Use ZapVersions.xml file in Docker images
Issue 3927 : zap-full-scan on docker tries to reach out to external network
Issue 3955 : Database too small to handle large login request bodies
Issue 3965 : Empty Cookie header causes errors
Issue 3969 : Logged in/out indicators not persisted when cleared
Issue 4004 : zap.bat should use %USERPROFILE% instead of %HOMEDRIVE%%HOMEPATH%
Issue 4013 : Sending to the Callback Endpoint while proxying through ZAP logs an error
Issue 4014 : Issue when attempting to ignore all rules for a URL
Issue 4028 : Warn when check for updates fails
Issue 4056 : Use realm as domain for NTLM authentication
Issue 4065 : Deleting a parent URL in History tab should not delete all child URLs
ZAP API Breaking Changes:
ACTION authentication / setAuthenticationMethod:
The authentication type "formBasedAuthentication" will now require the login URL always in encoded form. The change ensures the login URL is used/sent as it was specified. Previously it would accept partially encoded URLs but they would be re-encoded when used, potentially leading to a different URL being used/sent.
VIEW context / contextList:
This change will break the consumers that were manually parsing/extracting the names from the string. The structure of the data returned was changed to properly separate each name
VIEW core / setOptionUseProxyChain:
Changed to return FAIL if the outgoing proxy was not enabled (because the required address/hostname was not previously set), before it would return always OK
ZAP API Changed Endpoints:
VIEW core / alerts:
Added optional riskId parameter to facilitate filtering the risk. Where riskId is in the range 0 for Informational and 3 for High.
VIEW core / numberOfAlerts:
Added optional riskId parameter to facilitate filtering the risk. Where riskId is in the range 0 for Informational and 3 for High.
VIEW core / urls:
Added optional baseurl parameter, to filter the URLs that are returned.
VIEW ascan / scans:
Changed to also return the total number of alerts raised and messages sent during each scan.
VIEW ascan / scanProgress:
Changed to also return the number of alerts raised by each scanner.
ZAP API New Endpoints:
VIEW core / alertsSummary:
A new summary view for Alerts which displays counts of Alerts per Risk level. Optionally, filtered by a baseurl value.
VIEW core / messagesById:
Gets the HTTP messages with the given IDs.
VIEW core / messagesHarById:
Gets the HTTP messages with the given IDs, in HAR format.
VIEW core / optionAlertOverridesFilePath:
Gets the path to the file with alert overrides.
VIEW core / optionMaximumAlertInstances:
Gets the maximum number of alert instances to include in a report.
VIEW core / optionMergeRelatedAlerts:
Gets whether or not related alerts will be merged in any reports generated.
VIEW core / zapHomePath:
Gets the path to ZAP's home directory.
VIEW localProxies / additionalProxies:
Gets all of the additional proxies that have been configured.
VIEW spider / optionAcceptCookies:
Gets whether or not a spider process should accept cookies while spidering.
ACTION core / deleteAlert:
Deletes the alert with the given ID.
ACTION core / setOptionAlertOverridesFilePath:
Sets (or clears, if empty) the path to the file with alert overrides.
ACTION core / setOptionMaximumAlertInstances:
Sets the maximum number of alert instances to include in a report. A value of zero is treated as unlimited.
ACTION core / setOptionMergeRelatedAlerts:
Sets whether or not related alerts will be merged in any reports generated.
ACTION ascan / importScanPolicy:
Imports a Scan Policy using the given file system path.
ACTION ascan / skipScanner:
Skips the scanner using the IDs of the scan and the scanner.
VIEW localProxies / addAdditionalProxy:
Adds an new proxy using the details supplied. See the Options Local Proxies screen for details of the parameters.
VIEW localProxies / removeAdditionalProxy:
Removes the additional proxy with the specified address and port.
ACTION spider / setOptionAcceptCookies:
Sets whether or not a spider process should accept cookies while spidering.
Vulnerability Details:
The following vulnerability has been reported in a previous version of ZAP. Many thanks to all of the researchers who have ethically reported issues to us via our bug bounty program. If you need more details about this vulnerability then please contact us.
Windows Uninstaller Vulnerable to DLL Hijacking:
The ZAP Windows Uninstaller for 2.6.0 is vulnerable to DLL Hijacking on Windows. This was a vulnerability in the 3rd party installer Install4j which has now been fixed. Note that this can only occur if a malicious DLL is already on the path.

New in OWASP ZAP 2.6.0 (Mar 30, 2017)

API Security Changes:
We have changed the API security in response to issues reported to us via our bug bounty program. Details of the vulnerabilities are given below. The security changes are by necessity not backwards compatible, although we have include options for disabling them if you use ZAP in a safe environment.
By default all API calls now require either the API key or a nonce. These can be supplied via URL parameters, POST parameters or headers. The supported ZAP API clients (including Java and Python) have been updated to supply the API key via a header. Nonces are generated by ZAP and are intended to be used by ZAP add-ons that need to access the ZAP API. For full details see the Options API screen.
There are a set of new API options related to security:
UI Enabled - If enabled then the API Web UI is available to all machines that are able to use ZAP as a proxy. This is enabled by default.
IP addresses permitted to use the API - By default only the machine ZAP is running on is able to access the ZAP API. You can allow other machines access to the API by adding suitable regex patterns. You should only add IP addresses that you trust.
Do not require an API key for safe operations - If enabled then the API key is not required for Views or Other operations that are considered 'safe', in other words operations that do not make any changes to ZAP. Such operations do however give access to ZAP data such as alert, messages, and file system paths. They can also be used by web applications to detect the presence of ZAP.
Report permission errors via API - If enabled then ZAP will report permission errors via the API, which can be used by web applications to detect the presence of ZAP. This is not a serious problem in a safe environment but if you are using ZAP against potentially malicious sites then you should not enable it.
All ZAP options can be specified via the command line when you start ZAP - see the API Key FAQ for full details. We have also added even more security headers to the API including a strong Content Security Policy.
ENHANCEMENTS:
Issue 368 : API - report URLS just found by spider
Issue 689 : Improve Scope management
Issue 958 : Java version identification when an environment variable for Java is exported
Issue 1853 : Allow to active scan a Context through ZAP API
Issue 1952 : Do not allow Contexts with same name
Issue 2117 : set / update default threshold and strength for a scan policy
Issue 2334 : Enable searching in ZAP Addons Pop-up
Issue 2415 : Show the reason why an active scanner was skipped
Issue 2559 : Do not clean up unsaved (file based) sessions
Issue 2570 : Change proxy option to remove unsupported encoding
Issue 2592 : Differentiate the source of alerts
Issue 2611 : Change HTTP breakpoint dialogues to modal
Issue 2633 : Enhance Client Cert File Chooser
Issue 2647 : Support a/pscan rule configuration
Issue 2655 : Provide skip reason for Script Active Scan Rules
Issue 2682 : Sort (main) help add-on TOC entries
Issue 2690 : Support ignoring specified forms when checking for CSRF vulnerabilities
Issue 2699 : Enhancement Request: Improve SSL Negotiation Failure Error Handling
Issue 2701 : Enhancement Request: Factory Reset
Issue 2723 : Support POST requests for API actions
Issue 2728 : Allow to remove spider parsers and filters
Issue 2750 : Add a reasonably strong CSP to the API
Issue 2773 : Use UTF-8 to read/write ZAP scripts
Issue 2782 : Support the -configfile cmdline parameter
Issue 2825 : Additional Commentary for JS templates
Issue 2853 : Override Alert details
Issue 2855 : Support break functionality in the API
Issue 2865 : Normalise Include/Exclude context panels
Issue 2886 : Option to generate reports in Markdown format
Issue 2891 : Show the cause why a script was not loaded
Issue 2936 : Always set Java mem to 1/4 available (over 512Mb)
Issue 2937 : Change ZAP API to read/use the request body
Issue 2939 : Use non absolute URI base HTML element in spider
Issue 2951 : Support active scan rule and scan max duration
Issue 2954 : Allow to export a Context through the context menu
Issue 2966 : Use L&F specified through JVM args
Issue 2970 : Allow to configure, by script type, the enabled state of new/loaded scripts
Issue 2982 : Allow to disable default standard output logging
Issue 2994 : show column 'Size Resp. Body' of history in bytes
Issue 3004 : Allow to passive scan just HTTP messages in scope
Issue 3028 : Value Generator (previously Form Handling)
Issue 3038 : Return request's type through the ZAP API
Issue 3042 : Allow to select multiple parameters in Params tab
Issue 3050 : Return requests' timestamp/RTT through the ZAP API
Issue 3058 : Allow to configure the domains always in spider scope (Spider API)
Issue 3061 : Allow to deprecate API endpoints
Issue 3069 : Context structural parameter only accepts alphanumeric charts
Issue 3079 : Added cookie ignore list rule and inc sleep default to 20 to reduce FPs
Issue 3081 : Change default time to 15 and make publicly accessible
Issue 3090 : Be more lenient on add-on's file name format
Issue 3098 : Log to file even if ZAP is run 'inline'
Issue 3118 : include subjectAlternativeName extension in generated certificates
Issue 3123 : Added security annotations for forms that dont need anti CSRF tokens
Issue 3130 : Added autoupdate API calls
Issue 3149 : Baseline: Support context file and in-progress issues
Issue 3159 : Allow esc to Close Marketplace Dialog
Issue 3163 : Autoselect Imported Certificate
Issue 3176 : Allow to show more request data in History tab
Issue 3195 : Add workaround to local proxy for Android emulator
Issue 3226 : Option to supply API key or nonces via header
Issue 3227 : Limit API access to whitelisted IP addresses
Issue 3229 : Use Referrer-Policy in ZAP API
Issue 3232 : Active Scan API - Allow to start the scans with non-leaf nodes
Issue 3238 : Add driver entries for CSPid Virtual Smartcards
Issue 3261 : Client Cert PKCS#11 - UI/Exception Handling
Issue 3285 : Edit Alert Enhancements
Issue 3290 : Show requests with I/O errors in Spider tab
Issue 3296 : Create script directories when initialising the home dir
Issue 3297 : Start local proxy after processing command line arguments when in daemon mode
BUG FIXES:
Issue 1107 : Additional Commentary needed for Script Templates/Examples
Issue 1152 : Passive CSRF Sensor Reports Missing CSRF Tokens for all Forms, not just POST Requests Missing Anti-CSRF Tokens
Issue 1212 : False positives in SQLi tests
Issue 2176 : NPEs during zapbot WAVSEP scans
Issue 2218 : Persisted Sessions don't save unconfigured Default Context
Issue 2546 : ZAP access URLs which are out of scope
Issue 2550 : GUI freezes while opening Scan Progress dialogue
Issue 2561 : Use UTF-8 to write the HTML Report
Issue 2578 : Minor Usability Issue: Must click on text in Options column to select row
Issue 2585 : Remove temp Sequence requests on session clean up
Issue 2586 : Use option All Requests from Active Scan dialogue
Issue 2605 : Prevent GUI hang when adding messages to History
Issue 2608 : Removing a DDN from a Context Does Not Appear to Trigger an Update to the Sites Tab
Issue 2637 : Prevent API UI from being loaded in a frame
Issue 2642 : Slow mouse wheel scrolling in site tree
Issue 2657 : Correct persistence of disabled extensions
Issue 2674 : Automated authentication requests shown in HTTP Sessions tab
Issue 2681 : Fix exception while adding script through the API
Issue 2694 : Ability to set Excluded Parameters from the API
Issue 2696 : Enable Copy URLs pop up menu item for all messages
Issue 2707 : Manual add-on installation needs more meaningful dialog messages
Issue 2735 : Wiki: ModesAndScope doesn't cover ATTACK mode
Issue 2736 : Bug: Can't generate reports from saved Session data
Issue 2737 : Correct API error message on missing script params
Issue 2745 : Spider Exception when sitemap.xml not found
Issue 2748 : ZAP Spidering HTML Forms with multiple submit buttons
Issue 2757 : Alerts with different request method are considered the same
Issue 2774 : Wrong value shown in fuzz location for body text when selected through combined view
Issue 2792 : Able to overlap fuzz (HTTP) locations
Issue 2793 : Wrong highlight in combined view with last part of request header
Issue 2810 : Active scanners' alerts persisted twice when with GUI
Issue 2836 : ZAP hsqldb OutOfMemoryError when deleting records on cleanup
Issue 2862 : XSS in url on page with no parameters not found
Issue 2874 : Correct offset calculation in text header views
Issue 2898 : Tweak spider parser to ignore/strip matched parenthesis around URLs
Issue 2935 : Wrong charset used in response body if no charset set
Issue 2977 : HTTP500 from JSON/httpSessions/view/sessions/?site=FOO
Issue 3002 : Correctly render all nodes in checkbox tree
Issue 3041 : Fix concurrency issues when publishing ZAP events
Issue 3052 : Correct the loading of extensions' enabled state
Issue 3054 : Clear old contexts, always, when loading a session
Issue 3073 : Skip process automated msgs for HTTP Sessions tab
Issue 3100 : Context's in scope change might not be applied
Issue 3142 : Properly show excluded parameters through ZAP API
Issue 3157 : Session Comparison Exception
Issue 3175 : Cancel/save StandardFieldsDialog on escape key
Issue 3192 : URLs included in context are disregarded by the spider
Issue 3211 : Can't find .ZAP_JVM.properties with %HOMEPATH% when using zap.bat in windows
Issue 3215 : History Filter dialog cant be scaled
Issue 3221 : Some icons not scaled correctly
Issue 3224 : HTML injection in "Alert" tab
Issue 3275 : Global Exclude URL (beta) - after close and reopen does not pick up added regex for excluding URLs
Issue 3278 : Reset proxy excluded URLs on new session
Issue 3309 : Improve node enumeration in pre-scan phase
Issue 3320 : Correct creation of Git/SVN spider seeds
Issue 3330 : Apply config arguments in the order specified
ZAP API Changed Endpoints:
ACTION ascan / scan:
The url parameter is now optional and an optional contextId parameter has been added. You must supply one of these.
ACTION ascan / scanAsUser:
The url and contextId parameters are now optional. You must supply one of these.
ACTION ascan / addScanPolicy:
Added optional alertThreshold and attackStrength parameters.
ZAP API New Endpoints:
VIEW ascan / optionMaxRuleDurationInMins:
Returns the maximum time in minutes that a scan rule can run for, zero is unlimited.
VIEW ascan / optionMaxScanDurationInMins:
Returns the maximum time in minutes that a full scan can run for, zero is unlimited.
ACTION ascan / setOptionMaxRuleDurationInMins:
Sets the maximum time in minutes that a scan rule can run for, zero is unlimited.
ACTION ascan / setOptionMaxScanDurationInMins:
Sets the maximum time in minutes that a full scan can run for, zero is unlimited.
ACTION ascan / updateScanPolicy:
Updates the specified scan policy with the specified alertThreshold or attackStrength.
VIEW break / isBreakAll:
Returns True if ZAP will break on both requests and responses.
VIEW break / isBreakRequest:
Returns True if ZAP will break on requests.
VIEW break / isBreakResponse:
Returns True if ZAP will break on responses.
VIEW break / httpMessage:
Returns the HTTP message currently intercepted (if any).
ACTION break / break:
Controls the global break functionality. The type may be one of: http-all, http-request or http-response. The state may be true (for turning break on for the specified type) or false (for turning break off). Scope is not currently used.
ACTION break / setHttpMessage:
Overwrites the currently intercepted message with the data provided.
ACTION break / continue:
Submits the currently intercepted message and unsets the global request/response break points.
ACTION break / step:
Submits the currently intercepted message, the next request or response will automatically be intercepted.
ACTION break / drop:
Drops the currently intercepted message.
VIEW core / optionDnsTtlSuccessfulQueries:
Gets the TTL (in seconds) of successful DNS queries.
ACTION core / sendRequest:
Sends the HTTP request, optionally following redirections. Returns the request sent and response received and followed redirections, if any. The Mode is enforced when sending the request (and following redirections), custom manual requests are not allowed in 'Safe' mode nor in 'Protected' mode if out of scope.
ACTION core / setOptionDnsTtlSuccessfulQueries:
Sets the TTL (in seconds) of successful DNS queries (applies after ZAP restart).
OTHER core / mdreport:
Generates a report in Markdown format.
VIEW httpSessions / sites:
Gets all of the sites that have sessions.
VIEW pscan / scanOnlyInScope:
Tells whether or not the passive scan should be performed only on messages that are in scope.
ACTION pscan / setScanOnlyInScope:
Sets whether or not the passive scan should be performed only on messages that are in scope.
VIEW spider / allUrls:
Returns a list of unique URLs from the history table based on HTTP messages added by the Spider.
VIEW spider / optionMaxChildren:
Gets the maximum number of child nodes (per node) that can be crawled, 0 means no limit.
ACTION spider / setOptionMaxChildren:
Sets the maximum number of child nodes (per node) that can be crawled, 0 means no limit.

New in OWASP ZAP 2.4.2 (Sep 8, 2015)

New in OWASP ZAP 2.4.1 (Aug 25, 2015)

New in OWASP ZAP 2.4.0 (Apr 14, 2015)

New in OWASP ZAP 2.3.0 (Apr 14, 2015)

New in OWASP ZAP 2.2.1 (Sep 13, 2013)

New in OWASP ZAP 2.2.0 (Sep 12, 2013)

Major changes:
Scripts: support multiple scripts and embedding within ZAP components
Support for Mozilla Zest
Support for Mozilla Plug-n-Hack
Minor changes:
Support scanning of XML requests
Add CWE and WASC numbers to issues
Custom http break points with more options
Options to hide tabs / windows
Upgrade script console to support non textbased scripting languages
Create a new root CA when first run
Allow host to be set via the command line
Bug Fixes:
Http panels default to hex view
The save session api does not allow to overwrite session already has same name
URLCanonicalizer.getCanonicalURL produces URIs "half" decoded
URLCanonicalizer.buildCleanedParametersURIRepresentation returns URIs in percent-encoded form and decoded
Shutdown after a big scan takes too long (deleting ascan records)
API encoding issues
NullPointerException while proxying with a URI with an empty path component
JSONException while calling an API action without the required parameter(s)
Certificate algorithm constraints in Java 1.7
Add HttpSessionAPI to ApiGeneratorUtils
Add dummy file to "fuzzers" directory
Log HttpException (as error) in the ProxyThread
Change HTTP response header parser to be less strict
Context Authentication URLs don't fail manual overwriting
Handle old plugins
Report the version of java found by zap.sh
Command line should show all options
API UI fails on IE
Sites tree doesnt clear on new session created by API
Change "Ajax Spider" add-on options to use ZapNumberSpinner
API action "proxy.pac" might return wrong domain/port
Passive Scanner API view "recordsToScan" returns -1 after finish scanning the messages
Fix HTML errors in the help pages
Do not load newer add-on versions if they are not targeted for the running ZAP version
Add-on ZAP version constraints "not-before-version" and "not-from-version" are not respected for already "installed" add-ons
ZAP API doesn't parse correctly query parameters with "&" characters
URLCanonicalizer.getCanonicalURL fails to correctly parse query parameters with "&" and "=" characters
HttpSessions API action "setSessionTokenValue" should add the session token name to the site's session tokens
Cannot send non standard http methods
Non POST and PUT requests receive a 504 when server expects a request body
Do not clone the alert's message that will be shown in message panels
Clear alert's panel fields
Catch active scanner variants' exceptions
Name of automatically created HTTP sessions is always in English
Allow to create a session with a given name through the HttpSessions API
Update NTLM authentication code
MissingResourceException while selecting a disabled extension (from an add-on) in the "Extensions" options panel
MissingResourceException with ExtensionFuzz enabled and ExtensionBruteForce disabled
Change add-on class loading strategy to parent-last
Restore "Ajax spider" add-on dependencies
Allow Context Panels intercommunication
XML report empty when used in daemon mode
HTTP fuzz results dont support right click menus
Searching fuzz results doesnt include the header
HTTP Session API could be less strict
Restructuring of Saving/Loading Context Data
Build doesnt include scripts directory
Allow add-ons to warn user if they're closing ZAP with unsaved resources open
Unable to cancel changes when using Include in/Exclude from Context
NoSuchMethodError when excluding a WebSocket channel URL from context
Change zap.sh to cope with Java 1.8
Snapshot session menu item not working

New in OWASP ZAP 2.1.0 (Apr 18, 2013)

New in OWASP ZAP 2.0.0 (Feb 19, 2013)

An integrated add-ons marketplace:
ZAP can be extended by add-ons that have full access to all of the ZAP internals. Anyone can write add-ons and upload them to the ZAP Add-on Marketplace (OK, so its a Google code project called zap-extensions, but you get the idea).
More importantly you can now browse, download and install those add-ons from within ZAP. Most add-ons can be dynamically installed (and uninstalled) so you wont even need a restart.
You can choose to be notified of updates, and even be automatically updated. And as the scan rules are now implemented as add-ons you can get the latest rules as soon as they are published.
A replacement for the 'standard' Spider:
The 'old' Spider was showing its age, so its been completely rewritten, and is much faster and more comprehensive than the old one. This is still a 'traditional' spider that analyses the HTML code for any links it can find.
A new 'Ajax' spider:
In addition to the 'traditional' spider we've added an Ajax spider which is more effective with applications that make heavy use of JavaScript. This uses the Crawljax project which drives a browser (using Selenium) and so can discover any links an application generates, even ones generated client side.
Web Socket support:
ZAP now supports WebSockets, so ZAP can now see all WebSocket messages sent to and from your browser. As with HTTP based messages, ZAP can also intercept WebSocket messages and allows you to change them on the fly.
You can also fuzz WebSockets messages as well using all of the fuzzing payloads included in ZAP from projects like JBroFuzz and fuzzdb. And of course you can easily add your own fuzzing files.
Quick Start tab:
The first main tab you will now see is a 'Quick Start' tab which allows you to just type in a URL and scan it with one click.
This is an ideal starting point for people new to application security, but experts can easily remove it if they find it distracting.
Session awareness:
ZAP is now session awareness, so that ZAP can recognise and keep track of multiple sessions. It allows you to create new sessions, switch between them, and applies to all of the other components, like the Spider and Active Scanner.
User defined Contexts:
You can now define any number of 'contexts' - related sets of URLs which make up an application. You can then target all URLs in a context, for example using the Spider or Active Scanner. You can also add the contexts to the scope, and associate other information, such as authentication details.
Session scope:
The session scope allows you to specify which contexts you are interested at any one time. You can restrict what you see in various tabs to just the URLs in scope, and prevent accidentally attacking URLs not in scope by using the Protected mode.
Different modes:
ZAP now supports 3 modes:
Safe, in which no potentially dangerous operations permitted
Protected, in which you can perform any actions on URLs in scope
Standard, in which you can do anything to any URLs
Authentication handling:
You can now associate authentication details with any context, which allows ZAP to do things like detect if and when you are logged out and automatically log you back in again. This is especially useful when used via the API in security regression tests.
More API support:
The REST API has been significantly extended, giving you much more access to the functionality ZAP provides.
Fine grained scanning controls:
The active scan rules can now be tuned to adjust their strength (the number of attacks they perform) and the threshold at which they report potential issues.
Changes:
Scope option for filtering
Active scanner failing against DVWA high false positives/true negatives rate
Better bruteforce wordlist
Root CA Certificate for Dynamic SSL invalid on some platforms due to ExtendeKeyUsage extension
Alert class JSON dependency
Feature request: Show count of found URIs during Spider
Passive scanner rule for suspicious comments like TODO and FIXME
Response time and total length in manual request
robots.txt parsing
Support for modes
Spider - add option to crawl everthing in scope
Web Sockets - add support for Modes and Scope
Add an HttpSenderListener
Authentication management
Fuzzer attack strings not shown
Generate CSRF test form
Typo in "XFO Header Not Set" Solution
Brute force subdirectories
getHostPort on HttpRequestHeader for HTTPS CONNECT requests returns the wrong port
API - save session better error handling
API - save session synchronous or provide status
Masking the passwords provided for Authentication
Support contexts
API Web UI - support parameters with views
Allow user to specify which technologies apply to a context
Spider - Add option to spider all in context
More online links from menu
Support weekly builds
Generate new CA certificate will always produce certificate with same serial number
Exception when the (new) Spider is started through the API
GUI labels are not properly displayed on Linux (when language set to Polish)
Set options via the API using reflection
Labels not properly displayed when the Persian language is chosen
Spider - Add option to control the effect of parameters on visited URLs
Charset wrapped in quotation marks
Allow proxy port to be specified on the command line
IndexOutOfBoundsException in ExtensionHttpSessions in daemon mode
Restructure jar loading code
API - support absolute session paths
Cleanly shut down any active scan threads on shutdown
Use exec in zap.sh so a new process is not forked
Active scanner and spider can deadlock if ZAP is shutdown while they are running
Exceptions in Web Sockets when session opened
Add quick start tab
Active Scan URL via API scans more than just the specified URL
API: introduce mandatory parameters and optional descriptions
Active scan alerts may be "lost" after saving the session
Locking on session save or shutdown via the API
API enhancements
View incorrectly initialised in many places when in daemon mode
"No Anti-CSRF tokens were found in a HTML submission form" listed as "None. Warning only."
KeyStore of a registered PKCS#11 provider is not retrieved if a PKCS#11 provider is already registered
Highlight attack when displaying alerts
Rename Brute Force ext to Forced Browse and add URLs to the tree
Missing help page for "Extensions" panel in the "Options" dialogue
Manual check for updates doesn't work correctly in the newest weekly releases
Dynamic loading and unloading of add-ons
Split fuzzbd out into a new addon
Spider session handling tweeks
Search Tab arrow key support
Active scanner locking
Add a scan progress dialog
Add a scan progress dialog
Review: Patch/Review: SSLSocketFactory with TLS enabled and default Cipher options
Upgrade SQL Injection rule to 'release'
Allow anti csrf token to be added and removed via the API
Move BeanSell extension to ZAP extensions project
Spider accesses UI panel in daemon mode
Allow add-ons to remove views/components added to the message panels
Promote quick start to release status
Allow to choose to send ZAP's managed cookies on a single Cookie request header and set it as the default

New in OWASP ZAP 1.4.1.0 (Sep 22, 2012)

New in OWASP ZAP 1.4.0.1 (Apr 9, 2012)

New in OWASP ZAP 1.4 Alpha1 (Mar 26, 2012)

Significant changes:
Issue 133: Add Syntax highlighting to Response Panel
The HTML panels now support switchable syntax highlighting.
Issue 153: fuzzdb integration
The fuzzer includes fuzzdb (http://code.google.com/p/fuzzdb/) fuzzing files. Note that some fuzzdb files have been left out as they cause common anti virus scanners to flag them as containing viruses. You can replace them (and upgrade fuzzdb) by downloading the latest version of fuzzdb and expanding it in the 'fuzzers' library.
Issue 212: Parameter analysis
A new Params tab shows a summary of all of the parameters a site has used.
Issue 228: Enhanced XSS scanner
The Cross Site Scripting active scanner has been rewritten from scratch to find more potential XSS issues and report fewer false positives.
Issue 244: Port the Watcher passive checks
The following checks have been ported from Watcher (thanks to Chris Weber for oking this):
Check.Pasv.CrossDomain.ScriptReference.cs checks for cross-domain javascript files inclusion.
Check.Pasv.Header.CacheControl.cs checks HTTP cache-control header on SSL pages.
Check.Pasv.Header.ContentTypeMissing.cs checks that the Content-Type HTTP header is not missing.
Check.Pasv.Header.FrameOptions.cs checks that the X-FRAME-OPTIONS is not missing or insecurely set.
Check.Pasv.Header.IeXssProtection.cs checks that the X-XSS-Protection has not been set to disable IE's XSS protection.
Check.Pasv.Header.MimeSniff.cs checks that the X-CONTENT-TYPE-OPTIONS has been set.
Check.Pasv.InformationDisclosure.DatabaseErrors.cs checks for database error messages.
Check.Pasv.InformationDisclosure.DebugErrors.cs checks for debugging error messages.
Check.Pasv.InformationDisclosure.InUrl.cs checks for information disclosure in URL parameters.
Check.Pasv.InformationDisclosure.ReferrerLeak.cs checks HTTP Referer header for information disclosure.
Issue 253: Plugable extensions
Full extensions can now be plugged into ZAP dynamically with full access to all of ZAPs features.
Minor changes:
Issue 54: Clean shutdown
Issue 126: Allow working directory and config file to be set via cmd line
Issue 154: Include param id in reports
Issue 164: Toolbar config button
Issue 168: Reveal hidden fields in web pages
Issue 192: Enable/Disable breakpoints
Issue 193: Detect directory traversal vulnerabilities
Issue 194: Enhancement: Show request ID on Search pane
Issue 200: Detect CSRF vulnerabilities
Issue 230: Enhance zap.sh to cope with symbolic links
Issue 236: Option to toggle URLencoding
Issue 248: Delete alerts / retest feature request
Issue 270: Icon changes
Issue 277: Rationalize right click menu items
Issue 279: Core extensions
Bug fixes:
Issue 42: Arbitrary Redirection
Issue 94: PKCS#11 driver
Issue 135: Broken URLs in Sites Panel
Issue 148: New HTTP Panel broke the Undo/Redo Manager
Issue 198: The report is not generated when a "Parameter tampering" alert with "NULL" character exists
Issue 223: Exception in "Sites" tab when choosing a popup option, "Delete (from view)" or "Purge (from DB)", when no node tree is selected
Issue 224: takes too much time to recover from an proxy port number outside valid range
Issue 225: ZAP exits on startup if an option value contains extended characters like å,ä,ö
Issue 226: proxy port number edit box should not allow millions of characters
Issue 227: Tools, Options should go to the same tab as last time
Issue 238: Exception when using a custom fuzz file
Issue 241: zap.sh Xmx value for stable performance
Issue 243: When the DynamicLoader loads from local jar, doesn't take into account the package name
Issue 246: Pragma Header requires Cache-Control Header for HTTP/1.1 requests
Issue 255: Exception in API when due to illegal character in XML context
Issue 256: Calling HttpMessage.setGetParams looses the port
Issue 261: Partial language match not working
Issue 262: "Weak authentication" alerts not showing with spider
Issue 263: "Cookie without secure flag" alerts not showing with spider
Issue 268: Change ZAP Report XML
Issue 269: Spider depth parameter
Issue 274: Tidy up delete / purge options
Issue 280: Escape URLs in sites tree
Issue 287: Passive scanner doesnt pick up new anticsrf tokens

OWASP ZAP Changelog

What's new in OWASP ZAP 2.7.0

New in OWASP ZAP 2.6.0 (Mar 30, 2017)

New in OWASP ZAP 2.4.2 (Sep 8, 2015)

New in OWASP ZAP 2.4.1 (Aug 25, 2015)

New in OWASP ZAP 2.4.0 (Apr 14, 2015)

New in OWASP ZAP 2.3.0 (Apr 14, 2015)

New in OWASP ZAP 2.2.1 (Sep 13, 2013)

New in OWASP ZAP 2.2.0 (Sep 12, 2013)

New in OWASP ZAP 2.1.0 (Apr 18, 2013)

New in OWASP ZAP 2.0.0 (Feb 19, 2013)

New in OWASP ZAP 1.4.1.0 (Sep 22, 2012)

New in OWASP ZAP 1.4.0.1 (Apr 9, 2012)

New in OWASP ZAP 1.4 Alpha1 (Mar 26, 2012)

New in OWASP ZAP 1.3.4 (Feb 18, 2012)