ZAP 2.14.0 has just been released, and adds support for Host Header Manipulation, ZAPit, API File Transfers, Graal JS Add-on Access, Postman collections, SBOMs, and more…
This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
As part of that move the official ZAP Docker images are being published to the Software Security Project Docker Hub Organisation. The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
Note that you can also pull the ZAP Docker images from GitHub Container Registry.
Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
The Break, Manual Request and Requester dialogs all have a new “Update Host Header” button. It is enabled by default to keep the previous behaviour, where ZAP rewrites the Host header to match the request URL; turn it off and you can specify your own Host header, which will be sent unchanged to the target site.
This release adds a new -zapit command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
For more details see the ZAPit help page.
You can now upload and download files to and from ZAP via the API. Note that this feature is disabled by default as a security measure.
For more details, including how to enable it, see the API help page.
ZAP can now import Postman collections thanks to the new Postman add-on.
ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX for both the ZAP core and all of the add-ons maintained by the ZAP team.
For more details see the Software Bill of Materials help page.
Note that a summary of and links to the add-on SBOMs are also available on this website - click on the icon for the relevant add-on on the Marketplace.
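As an added example (not code from the ZAP project), here is a small Python script that consumes a CycloneDX JSON SBOM of the kind described above: it loads the component list, exposes the package URLs for cross-referencing with a vulnerability database, and flags any component below a minimum version you specify. The SBOM embedded in it is constructed for the example and is not one of the real ZAP SBOMs; the version comparison is a simple one written here, not a full semantic-versioning implementation.

```python
"""Consume a CycloneDX JSON SBOM (added example, not ZAP project code)."""
import json
import re

# Constructed sample shaped like a CycloneDX 1.4 JSON document.
# It is NOT a real ZAP SBOM; real ones list many more components.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application",
                               "name": "example-addon", "version": "1.0.0"}},
    "components": [
        {"type": "library", "group": "org.example", "name": "json-parser",
         "version": "2.0.9", "purl": "pkg:maven/org.example/json-parser@2.0.9"},
        {"type": "library", "group": "org.example", "name": "http-client",
         "version": "4.5.14", "purl": "pkg:maven/org.example/http-client@4.5.14"},
        {"type": "library", "group": "com.example.util", "name": "logging",
         "version": "1.2.3-beta", "purl": "pkg:maven/com.example.util/logging@1.2.3-beta"},
    ],
})


def load_components(sbom_text):
    """Parse a CycloneDX JSON document and return its components as plain dicts."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document: bomFormat=%r" % doc.get("bomFormat"))
    components = []
    for c in doc.get("components", []):
        components.append({
            "type": c.get("type", ""),
            "group": c.get("group", ""),
            "name": c["name"],            # name is mandatory in CycloneDX
            "version": c.get("version", ""),
            "purl": c.get("purl", ""),
        })
    return components


def purls(components):
    """Package URLs of all components, the identifier most vulnerability DBs key on."""
    return [c["purl"] for c in components if c["purl"]]


def version_key(version):
    """Sortable key for dotted versions: 2.0.9 < 2.0.10, and 1.2.3-beta < 1.2.3."""
    release, _, pre = version.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in re.split(r"[.+]", release)]
    while nums and nums[-1] == 0:      # 1.2 and 1.2.0 compare equal
        nums.pop()
    # A pre-release suffix sorts below the final release of the same number.
    return (tuple(nums), -1 if pre else 0, pre)


def below_minimum(components, minimums):
    """Return (group:name, found, minimum) for components older than the given floor.

    `minimums` maps "group:name" to the lowest acceptable version string.
    """
    flagged = []
    for c in components:
        key = "%s:%s" % (c["group"], c["name"])
        floor = minimums.get(key)
        if floor is not None and version_key(c["version"]) < version_key(floor):
            flagged.append((key, c["version"], floor))
    return flagged


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    for p in purls(comps):
        print(p)
    # Hypothetical policy: minimum versions an organisation has decided on.
    policy = {"org.example:json-parser": "2.0.10",
              "org.example:http-client": "4.5.0",
              "com.example.util:logging": "1.2.3"}
    for key, found, floor in below_minimum(comps, policy):
        print("%s is %s, policy requires at least %s" % (key, found, floor))
```

Point the script at one of the real SBOM files instead of SAMPLE_SBOM to check a ZAP installation or add-on against your own minimum-version policy; the purl list is what you would feed to a vulnerability database lookup.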
An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients. This definition is planned to be kept up to date for the latest core and add-on releases.
Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
These are included in the new Client Side Integration add-on which supports:
- Browser Recording
- Streaming client side events to ZAP
This is not (yet) included in the main ZAP releases so you will need to download it from the Marketplace.
Keep an eye out for new blog posts and videos about this functionality.
As usual the release includes dependency updates, see the release notes for details.
The following add-ons are included by default in this release for the first time:
- Postman - allows you to import Postman collections through the UI.
There are of course a large number of other enhancements and fixes which are detailed in the release notes.
Thank you to everyone who contributed to this release.