GraphQL Support Add-on Changelog
Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

0.33.0 - 2026-04-14

Changed

  • The alerts now have new tags for the OWASP Top 10 2025, and API Top 10 2023.
    • The “OWASP_2023_API4” tag was dropped in favor of the new unified mapping entry “API_2023_API4_UNRESTRICTED_RESOURCE_CONSUMPTION”. This may be a breaking change for users that depended on the tag to define scan policies.
  • Depends on an updated version of the Common Library add-on.

0.32.0 - 2026-03-02

Added

  • Support for importing an introspection query response JSON from a URL (Issue 9249).

0.31.0 - 2026-02-11

Fixed

  • Tech Detection integration was not working due to handler reset on each run.

0.30.0 - 2026-02-03

Added

  • GraphQL Cycle detection: Imported schemas are processed for circular type references, and an alert is created for each unique circular relationship that is found. The cycle detection exhaustiveness and the maximum number of alerts raised are configurable.
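As an added illustration of the cycle detection described in the entry above (example code written here, not the add-on's own Java implementation): a constructed type graph is walked for circular type references, each unique cycle is reported once, and both the search depth and the number of alerts are capped. The sample schema, the SCALARS set and the function names are assumptions, not taken from the add-on.

```python
from typing import Dict, List, Tuple

# Constructed sample schema (not from the page): type name -> {field: referenced type}.
# List and non-null wrappers ([Post!]!) are assumed to be stripped to the bare type name.
SAMPLE_SCHEMA: Dict[str, Dict[str, str]] = {
    "Query": {"user": "User", "post": "Post"},
    "User": {"id": "ID", "posts": "Post", "friends": "User"},
    "Post": {"id": "ID", "author": "User", "comments": "Comment"},
    "Comment": {"id": "ID", "post": "Post", "author": "User"},
}
SCALARS = {"ID", "String", "Int", "Float", "Boolean"}


def canonical(cycle: List[str]) -> Tuple[str, ...]:
    """Rotate a cycle so it starts at its lexicographically smallest type.
    The same circular relationship found from different entry points then
    collapses to one key, which is what makes each alert unique."""
    i = cycle.index(min(cycle))
    return tuple(cycle[i:] + cycle[:i])


def find_cycles(schema: Dict[str, Dict[str, str]], max_depth: int = 10) -> List[Tuple[str, ...]]:
    """Enumerate unique simple cycles among object types by DFS over simple paths.
    max_depth bounds how deep a path is followed (the 'exhaustiveness' knob):
    a smaller value is cheaper but misses longer cycles."""
    found = set()

    def dfs(node: str, path: List[str]) -> None:
        if len(path) > max_depth:
            return
        for target in schema.get(node, {}).values():
            if target in SCALARS or target not in schema:
                continue  # leaf field or unknown type: cannot close a cycle
            if target in path:
                found.add(canonical(path[path.index(target):]))
            else:
                dfs(target, path + [target])

    for type_name in schema:
        dfs(type_name, [type_name])
    return sorted(found, key=lambda c: (len(c), c))


def cycle_alerts(schema: Dict[str, Dict[str, str]], max_alerts: int = 3, max_depth: int = 10) -> List[str]:
    """Render one alert string per unique cycle, capped at max_alerts."""
    cycles = find_cycles(schema, max_depth)
    return [" -> ".join(c + (c[0],)) for c in cycles[:max_alerts]]
```

Cycles such as User -> Post -> User are what let a client nest selections arbitrarily deep, so a finding here is a prompt to check depth and complexity limits on the server.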

0.29.0 - 2025-12-15

Added

  • Statistics for GraphQL schema imports and message additions.

Changed

  • Update minimum ZAP version to 2.17.0.
  • Dependency updates.

0.28.0 - 2025-03-26

Fixed

  • A Null Pointer Exception which occurred when installing the add-on when Tech Detection (Wappalyzer) add-on was already installed (Issue 8902).

0.27.0 - 2025-03-21

Fixed

  • A Null Pointer Exception which occurred during fingerprinting when the Tech Detection (Wappalyzer) add-on wasn’t available (Issue 8890).

0.26.0 - 2025-01-09

Changed

  • Update minimum ZAP version to 2.16.0.
  • Depend on newer version of Common Library add-on (Issue 8016).
  • Maintenance changes.

Added

  • Fingerprinting checks for the following engines:
    • pg_graphql
    • tailcall
    • Hot Chocolate
    • Inigo
  • Support for importing an introspection query response from a file (Issue 8569).
  • If the Tech Detection (Wappalyzer) add-on is installed and a GraphQL engine is successfully fingerprinted, it is added to the Technology tab/data.

0.25.0 - 2024-09-24

Changed

  • Dependency updates.

0.24.0 - 2024-05-07

Changed

  • Update minimum ZAP version to 2.15.0.
  • Dependency updates.

0.23.0 - 2024-02-22

Added

  • Video link in help for Automation Framework job.
  • Website alert links to the help page (Issue 8189).

Changed

  • Maintenance changes.

Fixed

  • Fix GraphQL parameter injection in the URL query.

0.22.0 - 2023-12-19

Added

  • Fingerprinting check for the GraphQL.NET engine.

0.21.0 - 2023-11-10

Changed

  • Dependency updates.
  • Maintenance changes.

Fixed

  • The query generator was not using lists and non-null fields to generate queries when the lenient maximum query depth criterion was met.

0.20.0 - 2023-10-12

Added

  • Fingerprinting check for the Absinthe GraphQL engine.

Changed

  • Update minimum ZAP version to 2.14.0.
  • Dependency updates.

0.19.0 - 2023-09-07

Added

  • The add-on now includes example alert functionality for documentation generation purposes (Issue 6119).

Changed

  • Dependency updates.
  • Maintenance changes.
  • Depend on newer versions of Automation Framework and Common Library add-ons (Related to Issue 7961).
  • Use Common Library add-on to obtain the Value Generator (Issue 8016).

0.18.0 - 2023-07-11

Changed

  • Update minimum ZAP version to 2.13.0.
  • The “Import a GraphQL Schema from a File” and “Import a GraphQL schema from a URL” menu items were merged into one, “Import a GraphQL schema”.
  • The Import dialog shows the values used in the previous import when reopened.

Fixed

  • Handle invalid values when reading the options.

0.17.0 - 2023-06-19

Added

  • It is now possible to disable the query generator completely.

Changed

  • Dependency updates.

0.16.0 - 2023-05-31

Added

  • An informational alert is raised when the GraphQL server implementation is identified using fingerprinting techniques.

Changed

  • Dependency updates.

0.15.0 - 2023-05-03

Added

  • An informational alert is raised if a GraphQL endpoint that supports introspection is discovered during spidering.

Changed

  • Dependency updates.
  • Improved detection of GraphQL endpoints while spidering.
  • It is no longer a requirement for schema URLs to end with .graphql or .graphqls when importing from the UI.

Fixed

  • Display the whole operation name in the Sites tree (could be missing a character).

0.14.0 - 2023-04-04

Fixed

  • Do not report errors parsing valid JSON arrays.

Changed

  • Dependency updates.

0.13.0 - 2023-02-09

Added

  • Support for relative file paths in the Automation Framework job.

Changed

  • Dependency updates and maintenance changes.

Fixed

  • Fixed exception in the variant when POST message has empty body and no content-type (Issue 7689).

0.12.0 - 2022-11-17

Changed

  • The GraphQL Support Script has been superseded by a variant.
  • Argument names will now be used to get values from the form handler add-on, instead of argument types.
  • Dependency updates and maintenance changes.

Fixed

  • Introspection was not working for some applications (Issue 7602).
  • Variables in JSON queries were being added incorrectly.
  • Attack payloads were being injected outside the quotes of inline string arguments.

0.11.0 - 2022-10-27

Changed

  • Update minimum ZAP version to 2.12.0.
  • Remove parser used for core spider (Related to Issue 3113).

0.10.0 - 2022-09-23

Changed

  • Maintenance changes.
  • Update dependency, which reduces add-on file size (Issue 7322).
  • Use Spider add-on (Issue 3113).

0.9.0 - 2022-04-05

Changed

  • Replace variables present in schemaFile when running the automation job.

0.8.0 - 2022-02-02

Changed

  • Update minimum ZAP version to 2.11.1.
  • Reduce printed error messages in the script Input Vector.
  • When the automation job is edited via the UI dialog, its status is set to Not started.

0.7.0 - 2021-11-01

Fixed

  • A message is displayed if the “data” object in an introspection response is null (Issue 6890).

Changed

  • Dependency updates.

0.6.0 - 2021-10-06

Changed

  • Update minimum ZAP version to 2.11.0.

0.5.0 - 2021-09-16

Changed

  • Maintenance changes.

0.4.0 - 2021-08-05

Added

  • Automation Framework GUI

Changed

  • Maintenance changes.
  • Report no URL specified in automation job as info instead of failure.

0.3.0 - 2021-03-30

Changed

  • Update minimum ZAP version to 2.10.0.
  • Add two new options that allow enforcing maximum query depth leniently for fields with no leaf types.
  • Add support for the automation framework.
  • Maintenance changes.

Fixed

  • Fix invalid query generation when query depth was reached and the deepest fields had no leaf types (Issue 6316).
  • Cope with missing Nashorn engine (Issue 6501).

0.2.0 - 2020-11-18

Changed

  • Enhanced Support for Script Input Vectors.
  • Options are now exposed through the API.
  • Optional Arguments are enabled by default.

Fixed

  • Fix clashes in variable names. See PR#2550 for details.
  • Fix a bug where the “GraphQL Support.js” script was enabled when ZAP was restarted even if it had been disabled and saved before.
  • Fix a bug where sites tree entries were not showing parameters because of the script.

0.1.0 - 2020-08-28

  • First Version
  • Features
    • Import a GraphQL Schema
    • Generate Queries from an imported Schema