ZAP 2.12.0 - the Ten Thousand Star Release

ZAP 2.12.0 is available now, and as the main zaproxy/zaproxy repo has just reached 10k stars we’re calling this the Ten Thousand Star Release!

This release fixes an HTML Injection vulnerability in the ZAP Desktop which was rated a P3 / Medium level vulnerability. While we do not think that it can be exploited in any meaningful way, desktop users are still recommended to update from older ZAP versions a.s.a.p.

Note that this release now requires a minimum of Java 11.

Some of the more significant enhancements include:

Network Add-On

The core networking code has been replaced by a new add-on which means changes are no longer bound to core/stable releases. This add-on uses a modern network stack which will make it much easier to support modern protocols such as HTTP/2.

In addition the following features have been added:

• HTTPS pass-through
• Certificate validity period configuration

Spider Add-On

To facilitate more frequent functional enhancements and bug fixes the core/traditional Spider has been moved to an add-on which means such changes are no longer bound to core/stable releases. Other add-ons which use Spider functionality have also been re-worked to support the Spider add-on, including: Quick Start, Form Handler, GraphQL, OpenAPI, SOAP, and the Automation Framework. More details are given in the release notes.

Multi-threaded Passive Scanner

The passive scanner has been updated to use a configurable number of threads, by default 4. This has been shown to significantly reduce the time spent processing the passive scan queue.

Bit.ly Telemetry Removal

From this release ZAP will no longer use bit.ly for any telemetry. Instead it uses our own services on the zaproxy.org domain. For full details see the FAQ: What ‘calls home’ does ZAP make?

Scan Rule Promotions

A significant number of scan rules have been promoted in this release.

The following Active scan rules have been promoted to Release status:

• .env Information Leak
• Cloud Metadata Attack
• Cross Site Scripting (DOM Based)
• GET for POST
• Heartbleed OpenSSL Vulnerability
• Hidden File Finder
• Padding Oracle
• Remote Code Execution - CVE-2012-1823
• Source Code Disclosure - CVE-2012-1823
• SQL Injection - Hypersonic (Time Based)
• SQL Injection - MsSQL (Time Based)
• SQL Injection - MySQL (Time Based)
• SQL Injection - Oracle (Time Based)
• SQL Injection - PostgreSQL (Time Based)
• SQL Injection - SQLite
• Trace.axd Information Leak
• User Agent Fuzzer
• XSLT Injection
• XXE

The following Passive scan rules have been promoted to Release status:

• Big Redirects Detected
• Directory Browsing
• Hash Disclosure
• Heartbleed OpenSSL Vulnerability (Indicative)
• HTTP to HTTPS Insecure Transition in Form Post
• HTTPS to HTTP Insecure Transition in Form Post
• Reverse Tabnabbing
• Modern App Detection
• PII Disclosure
• Retrieved From Cache
• Server Header Info Leak
• Strict Transport Security
• User Controlled Charset
• User Controlled Cookie
• User Controlled HTML Attributes
• User Controlled Javascript Event
• User Controlled Open Redirect
• X-Backend-Server Information Leak
• X-ChromeLogger-Data Info Leak

The following Active scan rules have been promoted to Beta status (and will therefore now be included in the Packaged scans):

• CORS
• Exponential Entity Expansion
• Forbidden Bypass
• Log4Shell
• Out-of-Band XSS
• Spring4Shell
• Spring Actuator
• Server Side Template Injection (Blind)
• Server Side Template Injection

The following Passive scan rules have been promoted to Beta status (and will therefore now be included in the Packaged scans):

• Content Cacheable
• In Page Banner Info Leak
• Dangerous JS Functions
• Java Serialization Object
• Permissions Policy Header Not Set
• Sub-Resource Integrity Attribute Missing

Dependency Updates

As usual the release includes dependency updates. Of particular note is the updated Log4j library. The previous stable release contained a Log4j library that was flagged as being vulnerable, although we believe it was not exploitable.

See the release notes for details of the other updates.

New Add-Ons

The following add-ons are included by default in this release for the first time:

• Database - provides database engines and related infrastructure.
• Import/Export - import and export functionality.
• Requester - request numbered panel.
• Spider - provides traditional spider functionality.

Desktop HTML Injection Fix

This release includes a fix to prevent HTML Injection in the ZAP Desktop GUI. Thank you to “issuefinder” for reporting this to us via our bug bounty program. The vulnerability was rated as a P3 / Medium and desktop users are recommended to update from older ZAP versions a.s.a.p.

There are of course a large number of other enhancements and fixes which are detailed in the release notes.

Thank you to everyone who contributed to this release.