ZAP 2.14.0 has just been released, and adds support for Host Header Manipulation, ZAPit, API File Transfers, Graal JS Add-on Access, Postman collections, SBOMs, and more…
This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
Rebranding and Docker Hub Move
ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
As part of that move the official ZAP Docker images are being published to the Software Security Project Docker Hub Organisation. The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
Note that you can also pull the ZAP Docker images from GitHub Container Registry.
Host Header Manipulation
Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
The Break, Manual Request and Requester dialogs all have a new “Update Host Header” button. This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
ZAPit
This release adds a new -zapit command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
For more details see the ZAPit help page
API File Transfers
You can now upload and download files to and from ZAP via the API. Note that this feature is disabled by default as a security measure.
For more details, including how to enable it, see the API help page.
Graal JS Add-on Access
Since Oracle removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support. Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP. Note that existing Nashorn scripts may need changes to work with Graal JS.
Postman Support
ZAP can now import Postman collections thanks to the new Postman add-on.
SBOMs
ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX for both the ZAP core and all of the add-ons maintained by the ZAP team.
For more details see the Software Bill of Materials help page.
Note that a summary of and links to the add-on SBOMs are also available on this website - click on the 
icon for the relevant add-on on the Marketplace.
ZAP API OpenAPI Definition
An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients. This definition is planned to be kept up to date for the latest core and add-on releases.
Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
ZAP Browser Extensions
The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
These are included in the new Client Side Integration add-on which supports:
- Browser Recording
- Streaming client side events to ZAP
This is not (yet) included in the main ZAP releases so you will need to download it from the Marketplace.
Keep an eye out for new blog posts and videos about this functionality.
Dependency Updates
As usual the release includes dependency updates, see the release notes for details.
New Add-Ons
The following add-ons are included by default in this release for the first time:
- Postman - allow you to import Postman collections through the UI.
There are of course a large number of other enhancements and fixes which are detailed in the release notes.
Thank you to everyone who contributed to this release.