ZAP 2.10.0 - The 10 Year Anniversary Release

Posted 618 Words

As you hopefully already know ZAP was released on September 6th 2010.

ZAP 2.10.0 has just been released and is now available to download via the Downloads page so we’re treating this as a belated 10 year anniversary release!

I’ve recorded a training video in which I go through many of the new features:

You will see that there is one demo that I was unable to run as I hit some issues. We investigated those and have now released fixes for them. Luckily we were able to fix them in add-ons rather than the core - if they had been in the latter then we would have had to release ZAP 2.10.1! So when you start using ZAP 2.10.0 make sure you check for updates and install any add-ons that have newer versions.

The Changes

Some of the more significant enhancements in this release include:

Custom Pages

Custom Pages can be defined on a per context basis - these allow ZAP to identify various non-standard error handling conditions such as custom error pages and handle them more effectively.

Authentication Polling

The concept of Authentication Verification Strategies has been introduced which allows ZAP to handle a wider range of authentication mechanisms including the option to poll a specified page for the authentication status of a user.

Site Tree Control

Scripts and add-ons now have full access to how nodes are represented in the Sites Tree. Both Input Vector Scripts and add-ons which include implementations of the Variant class can change both the tree structure and names used for new nodes.

For more details see the Site Tree Modifiers Blog post.

Dynamic Look and Feel including Dark Mode

The Desktop UI includes a new set of open source Look and Feel’s c/o FlatLaf including 2 Dark Mode options.

You can also dynamically switch the Look and Feel via a button on the Top Level Toolbar.

For more details of the dark mode see the Dark Mode in the Weekly Release Blog post.

Authentication Headers via Env Vars

A new set of environmental variables are available which allow you to easily add an authentication header to all of the requests that are proxied through ZAP or initiated by the ZAP tools, including the spiders and active scanner. These are documented on the Authentication page.

SOCKS Proxy Configuration

It is now possible to dynamically configure the outgoing SOCKS proxy in the Options’ Connection screen. By default the SOCKS proxy configuration applies to all connections made by ZAP.

Cached Scripts

The following script types are now cached between invocations reducing the time it takes to reuse them:

  • Active Rules
  • HTTP Sender
  • Input Vectors, when used for the Sites tree
  • Passive Rules
  • Proxy

New Add-Ons

The following add-ons are included by default in this release for the first time:

  • Advanced Encode / Decode / Hash dialog - this replaces the old core encode/decode/hash dialog
  • DOM XSS Scan Rule - an Active Scan rule for detecting DOM XSS vulnerabilities
  • Form Handler - allows for the custom configuration of values used in forms based on field names
  • GraalVM JavaScript - included as Java 15+ no longer includes the Oracle Nashorn JavaScript engine
  • GraphQL Support - allows you to import and active scan GraphQL definitions
  • Retire.js - a Passive Scan rule which implements checks provided by Retire.js in order to identify vulnerable or out-dated JavaScript packages
  • SOAP Support - allows you to import and active scan WSDL files containing SOAP endpoints

For the full set of changes, including changes to the Docker images, the updated add-ons, smaller enhancements and bug fixes see the Release Notes.

A big thank you to everyone who has contributed to this release or has supported the ZAP project in any way!