ZAP 2.13.0

ZAP 2.13.0 has just been released, and adds support for HTTP/2, improved authentication handling, and Mac Silicon.

Some of the more significant enhancements include:

HTTP/2 Support

HTTP/2 is now supported, with no configuration changes required.

If you proxy HTTP/2 traffic through ZAP then ZAP will make the same HTTP/2 requests to the target. Any tools that work on proxied requests will also automatically use HTTP/2.

Improved Authentication Handling

ZAP authentication handling has been significantly overhauled, and ZAP can now auto-authenticate to many web apps by just supplying the URL of the login page along with the credentials.

For more details see:

• Authentication Tester Dialog
• Authentication Auto-Detection

Look for more blog posts, hopefully in the near future.

Mac Silicon Support

Mac Silicon is now supported via a new installer and in the Docker images.

GitHub Container Registry

As explained in this blog post the ZAP Docker images are now also available in the GitHub Container Registry.

This may well be a better alternative for many users as, unlike Docker Hub, there is currently no rate limiting on pulls.

Default Threads

All of the “attack” tools which use threading, including both spiders and active scanner, have been changed to use 2x the number of processors as the default number of threads. Using more threads has been shown to significantly reduce the time the scanners take to run.

Network Rate Limiting

The Network add-on now supports a rate limiting feature which allows you to limit the request rate of HTTP/HTTPS (not web sockets) traffic to hosts or domains to prevent overloading the target or being blocked. For more details see the Rate Limit help page.

Note that the Active Scan Delay When Scanning feature has been deprecated and will be removed in a future release.

Network Global Exclusions

The Global Exclusions functionality has been moved to the Network add-on. This will allow us to update it more easily to keep up with browser changes.

Scan Rule Promotions

The following Active scan rules have been promoted to Release status:

• Log4Shell
• Spring Actuator Information Leak
• Spring4Shell
• Server Side Template Injection
• Server Side Template Injection (Blind)
• XPath Injection

The following Active scan rules have been promoted to Beta status (and will therefore now be included in the Packaged scans):

• Server Side Request Forgery
• Text4shell (CVE-2022-42889)

The following Passive scan rules have been promoted to Beta status (and will therefore now be included in the Packaged scans):

• Insufficient Site Isolation Against Spectre Vulnerability
• Source Code Disclosure

Dependency Updates

Selenium v4

The Selenium add-on has been updated to use the Selenium v4 library. One benefit this brings is that the output from browsers will no longer be shown in the ZAP output - this has been confusing to many people and has not provided any real benefit.

If you have any custom code that directly accesses Selenium classes then you may need to update it.

Other Updates

As usual the release includes dependency updates, see the release notes for details.

New Add-Ons

The following add-ons are included by default in this release for the first time:

• Authhelper - helps identify and set up authentication handling in ZAP.

There are of course a large number of other enhancements and fixes which are detailed in the release notes.

Thank you to everyone who contributed to this release.