Changelog
All notable changes to this add-on will be documented in this file.
The format is based on Keep a Changelog.
31 - 2026-06-12
Changed
- Update dependency.
Fixed
- Fix SOAP requests generated from some WSDLs being incomplete. Requests now correctly include all fields defined in the schema, and requests are no longer broken by certain characters in element or attribute names and values.
30 - 2026-04-14
Changed
- The scan rules now have new tags for the OWASP Top 10 2025, and API Top 10 2023.
- Depends on an updated version of the Common Library add-on.
29 - 2025-12-15
Changed
- Update minimum ZAP version to 2.17.0.
- Update dependencies.
28 - 2025-09-18
Added
- QA CICD policy tag to active scan rules.
27 - 2025-09-10
Fixed
- When parsing WSDL files ensure the dateTime values are generated in UTC.
26 - 2025-09-02
Added
- The SOAP Action Spoofing, SOAP XML Injection, and WSDL File Detection scan rules now all have CWE references.
25 - 2025-06-20
Added
- The WSDL passive scan rule has been tagged of interest to Penetration Testers and QA.
- The included active scan rules have been tagged of interest to Penetration Testers.
Changed
- Depends on an updated version of the Common Library add-on.
24 - 2025-01-10
Changed
- Update minimum ZAP version to 2.16.0.
- Depend on newer version of Common Library add-on (Issue 8016).
- Fields with default or missing values are omitted for the
soapjob in saved Automation Framework plans.
Added
- Standardized Scan Policy related alert tags on scan rules.
23 - 2024-05-07
Changed
- Update minimum ZAP version to 2.15.0.
22 - 2024-03-25
Added
- Video link in help for Automation Framework job.
Changed
- Maintenance changes.
- Link website alert pages and help (Issue 8189).
- Updated Alerts’ reference links (Issue 8262).
21 - 2023-12-19
Fixed
- Use empty values as defined by the Value Generator configuration (Issue 8202).
- Correct generation of values for
dateanddateTime, it would fail with warnings in previous versions.
20 - 2023-10-12
Changed
- Update minimum ZAP version to 2.14.0.
19 - 2023-09-07
Changed
- The “Import a WSDL file from local file system” and “Import a WSDL file from a URL” menu items were merged into one,
“Import a WSDL File”. The merged dialog uses the shortcut
Ctrl+J(Cmd+Jon macOS). - The Import dialog shows the values used in the previous import when reopened.
- Maintenance changes.
- Depend on newer versions of Automation Framework and Common Library add-ons (Related to Issue 7961).
- Use Common Library add-on to obtain the Value Generator (Issue 8016).
- The SOAP Support Script has been superseded by a variant (Issue 6500).
18 - 2023-07-11
Changed
- Update minimum ZAP version to 2.13.0.
- Dependency updates.
17 - 2023-02-09
Added
- Support for relative file paths and ones including vars in the Automation Framework job.
Changed
- Maintenance changes.
16 - 2022-11-17
Changed
- The
SOAP Support.jsinput vector script is removed when the add-on is uninstalled. - Dependency updates.
15 - 2022-10-27
Changed
- Update minimum ZAP version to 2.12.0.
- Remove parser used for core spider (Related to Issue 3113).
14 - 2022-09-23
Changed
- Dependency updates.
- Maintenance changes.
- Use Spider add-on (Issue 3113).
- Use Form Handler add-on directly.
- Promoted to Beta status.
13 - 2022-02-01
Changed
- Update minimum ZAP version to 2.11.1.
- Dependency updates.
- When the automation Job is edited via UI Dialog then the status will be set to Not started
Fixed
- Do not report “Unrecognised parameter” for valid parameters.
12 - 2021-11-29
Changed
- Maintenance changes.
- WSDL File scan rule now includes identification of URLs in the form “example.com/service?wsdl”, and specifically excludes 404s and 500s (including support for Custom Pages).
Import a WSDL file from a URLnow logs a more specific message for some exception conditions, or when failing to convert the input ‘URL’ string into an actual URL to make the WSDL request.- The
Import a WSDL file from a URLdialog now accepts pressing the enter key to activate the import process (instead of having to click the Import button), and the escape key to close/cancel the dialog.
11 - 2021-10-29
Changed
- Dependency updates.
Fixed
- NPE when detecting parameters.
10 - 2021-10-06
Added
- OWASP Top Ten 2021/2017 alert tags.
Changed
- Update minimum ZAP version to 2.11.0.
9 - 2021-09-16
Changed
- Maintenance changes.
Fixed
- Fixed var support in URLs (Issue #6726)
Changed
- Maintenance changes.
8 - 2021-08-05
Added
- Automation Framework GUI
Changed
- Maintenance changes.
7 - 2021-06-23
Changed
- Now using 2.10 logging infrastructure (Log4j 2.x).
- Import WSDL documents synchronously when not using the UI.
- Maintenance changes.
Fixed
- Warnings generated by add-on dependencies.
6 - 2021-03-30
Changed
- Accept only encoded URLs.
- Add support for the Automation Framework.
- Add support for statistics for the number of added URLs (or SOAP Actions).
- Maintenance changes.
Fixed
- Fix detection of WSDL files (Issue 6440).
- Cope with missing Nashorn engine (Issue 6500).
5 - 2021-01-04
Changed
- Add support for ValueGenerator (Issue 3345).
4 - 2020-12-16
Changed
- Internationalise file filter description.
- Dynamically unload the add-on.
- Change default accelerator for “Import a WSDL file from local file system”.
- Update minimum ZAP version to 2.10.0.
- Add import menus to (new) top level Import menu instead of Tools menu.
- Add support for SOAP version 1.2 to the Action Spoofing Scan Rule.
- Distinguish alerts by adding the SOAP version to the “Other Info” section.
- Maintenance changes.
Fixed
- Various fixes (related to Issue 4832 and other testing).
- Fix exception with Java 9+ (Issue 4037).
- SOAP operations are no longer overwritten in sites tree (Issue 1867).
- Persist the add-on configuration required by the scan rules in the ZAP database (Issue 4866).
3 - 2017-03-31
- Added API, help and other minor code changes.
2 - 2015-09-07
- Fixes a problem where operations under the same location were overwritten. Other minor fixes.
1 - 2015-04-13
- First version