Release 1.4.0

The following changes were made in this release:

Significant changes:

Issue 133: Add Syntax highlighting to Response Panel

The HTML panels now support switchable syntax highlighting.

Issue 153: fuzzdb integration

The fuzzer includes fuzzdb (https://github.com/fuzzdb-project/fuzzdb) fuzzing files.
Note that some fuzzdb files have been left out as they cause common anti virus scanners to flag them as containing viruses.
You can replace them (and upgrade fuzzdb) by downloading the latest version of fuzzdb and expanding it in the ‘fuzzers’ library.

Issue 212: Parameter analysis

A new Params tab shows a summary of all of the parameters a site has used.

Issue 228: Enhanced XSS scanner

The Cross Site Scripting active scanner has been rewritten from scratch to find more potential XSS issues and report fewer false positives.

Issue 244: Port the Watcher passive checks

The following checks have been ported from Watcher (thanks to Chris Weber for oking this):

Check.Pasv.CrossDomain.ScriptReference.cs checks for cross-domain javascript files inclusion.
Check.Pasv.Header.CacheControl.cs checks HTTP cache-control header on SSL pages.
Check.Pasv.Header.ContentTypeMissing.cs checks that the Content-Type HTTP header is not missing.
Check.Pasv.Header.FrameOptions.cs checks that the X-FRAME-OPTIONS is not missing or insecurely set.
Check.Pasv.Header.IeXssProtection.cs checks that the X-XSS-Protection has not been set to disable IE’s XSS protection.
Check.Pasv.Header.MimeSniff.cs checks that the X-CONTENT-TYPE-OPTIONS has been set.
Check.Pasv.InformationDisclosure.DatabaseErrors.cs checks for database error messages.
Check.Pasv.InformationDisclosure.DebugErrors.cs checks for debugging error messages.
Check.Pasv.InformationDisclosure.InUrl.cs checks for information disclosure in URL parameters.
Check.Pasv.InformationDisclosure.ReferrerLeak.cs checks HTTP Referer header for information disclosure.

Issue 253: Plugable extensions

Full extensions can now be plugged into ZAP dynamically with full access to all of ZAPs features.

Minor changes:

Issue 54: Clean shutdown

Issue 90: Add GUI support for unsecure SSL/TLS renegotiation

Issue 102: Save raw response and request, and save body of response and request

Issue 126: Allow working directory and config file to be set via cmd line

Issue 154: Include param id in reports

Issue 164: Toolbar config button

Issue 168: Reveal hidden fields in web pages

Issue 192: Enable/Disable breakpoints

Issue 193: Detect directory traversal vulnerabilities

Issue 194: Enhancement: Show request ID on Search pane

Issue 200: Detect CSRF vulnerabilities

Issue 236: Option to toggle URLencoding

Issue 242: Export node / req/resp via right click

Issue 248: Delete alerts / retest feature request

Issue 251: Restructure alerts code

Issue 253: Allow extensions to define dependencies

Issue 270: Icon changes

Issue 277: Rationalize right click menu items

Issue 279: Core extensions

Issue 282: Add author, description and URL to extensions

Bug fixes:

Issue 42: Arbitrary Redirection

Issue 94: PKCS#11 driver

Issue 107: The last intercepted request/response remains in the Break window

Issue 135: Broken URLs in Sites Panel

Issue 148: New HTTP Panel broke the Undo/Redo Manager

Issue 180: Tabular view for GET request

Issue 187: Encoding issues

Issue 197: Decoder cannot process base64 input without line breaks

Issue 198: The report is not generated when a “Parameter tampering” alert with “NULL” character exists

Issue 210: Exception thrown when using the “Path Traversal” option in the active scan

Issue 223: Exception in “Sites” tab when choosing a popup option, “Delete (from view)” or “Purge (from DB)”, when no node tree is selected

Issue 224: takes too much time to recover from an proxy port number outside valid range

Issue 225: ZAP exits on startup if an option value contains extended characters like å,ä,ö

Issue 226: proxy port number edit box should not allow millions of characters

Issue 227: Tools, Options should go to the same tab as last time

Issue 237: Bug: Problems with HTTP Panels

Issue 238: Exception when using a custom fuzz file

Issue 241: zap.sh Xmx value for stable performance

Issue 243: When the DynamicLoader loads from local jar, doesn’t take into account the package name

Issue 246: Pragma Header requires Cache-Control Header for HTTP/1.1 requests

Issue 255: Exception in API when due to illegal character in XML context

Issue 256: Calling HttpMessage.setGetParams looses the port

Issue 260: Exception when deleting (“Purge (from DB)”) “History” tab entries

Issue 261: Partial language match not working

Issue 262: “Weak authentication” alerts not showing with spider

Issue 264: Exception in “Manual Request Editor”/“Resend” dialogues

Issue 268: Change ZAP Report XML

Issue 269: Spider depth parameter

Issue 274: Tidy up delete / purge options

Issue 280: Escape URLs in sites tree

Issue 283: RFE: Font anti-aliasing not enabled by default in request/response

Issue 284: Request/response etc header panels too small

Issue 286: Search string not highlighted for fuzz results

Issue 287: Passive scanner doesnt pick up new anticsrf tokens

Issue 289: fuzzdb files cause virus alerts

Issue 291: Path Traversal has ‘param’ empty but put the param name in ‘attack’

See also

Introduction the introduction to ZAP
Releases the full set of releases
Credits the people and groups who have made this release possible