The following changes were made in this release:
Strings in a response can now be fuzzed to try to find vulnerabilities.
Anti CRSF tokens can be detected and automatically regenerated when fuzzing.
This functionality is based on code from the OWASP JBroFuzz project.
The support for SSL connections was improved and simplified.
User’s can now create their own root certificate and distribute this into their HTTP clients.
See Option: Dynamic SSL Certificates for more details.
Starting ZAP with the “-daemon” command line option will cause it to run in the background in ‘headless’ mode, meaning that no UI is displayed.
An initial API has been implemented in XML, JSON and HTML.
If ZAP is running as a daemon then the API is automatically enabled, otherwise the API must be enabled via the Options API screen.
The API can be navigated by opening http://zap/ in your browser when proxying via ZAP.
The BeanShell is an interactive Java shell that can be used to execute BeanShell scripts.
These scripts are a simplified form of Java that use many elements from Java syntax, but in a simpler scripting format.
All Java code is also valid BeanShell code.
BeanShell integration in OWASP ZAP enables you to write scripts using the ZAP functions and data set.
This can be a very powerful feature for analyzing web applications.
All display string are now fully internationalised.
Out of the box support for the following languages:
The Search tab now displays all instances of a string found rather than just the first instance in each request or response.
URLs can be explicitly excluded from the active scanner, spider and from the proxy.
Most of the panels now provide a ‘right click’ ‘Copy’ menu option, including the Port Scan and Brute Force panels.
All of the input fields now support Undo/Redo actions using the operating systems default Undo/Redo accelerators:
The Port Scanner can now use the outgoing proxy (if configured) and the timeout in milliseconds can also now be set.
There are now 2 ‘Set Break’ buttons to allow breaks to be set on all requests and all responses independently.
There are now 2 buttons which allow you to switch between having the Sites and Information tabs expanded.
While the Break tab is not in use its icon is a grey cross: .
When a breakpoint is hit the tab icon is changed to a red cross: .
The Option: Connection screen allows you to set the timeout in seconds to make it easier to test slow applications.
Most of the libraries used by ZAP have been updated to the latest versions.
Thanks to Simon Egli and all others for submitting cool icon suggestions.
Currently Dynamic SSL is not working when using Google Chrome. This is because of an unresolved known issue with Google Chrome and Mac OS X Keychain. When importing OWASP ZAP’s Root CA into the keychain and requesting a SSL website, an “Invalid certificate” error message is shown.
|Introduction||the introduction to ZAP|
|Releases||the full set of releases|
|Credits||the people and groups who have made this release possible|