-
Documentation
-
The ZAP Desktop User Guide
-
Releases
-
Release 1.4.0
Release 1.4.0
The following changes were made in this release:
Significant changes:
Issue 133: Add Syntax highlighting to Response Panel
The HTML panels now support switchable syntax highlighting.
Issue 153: fuzzdb integration
The fuzzer includes fuzzdb (https://github.com/fuzzdb-project/fuzzdb) fuzzing files.
Note that some fuzzdb files have been left out as they cause common anti virus scanners to flag them as containing viruses.
You can replace them (and upgrade fuzzdb) by downloading the latest version of fuzzdb and expanding it in the ‘fuzzers’ library.
Issue 212: Parameter analysis
A new Params tab shows a summary of all of the parameters a site has used.
Issue 228: Enhanced XSS scanner
The Cross Site Scripting active scanner has been rewritten from scratch to find more potential XSS issues and report fewer false positives.
Issue 244: Port the Watcher passive checks
The following checks have been ported from Watcher (thanks to Chris Weber for oking this):
|
|
|
|
Check.Pasv.CrossDomain.ScriptReference.cs |
checks for cross-domain javascript files inclusion. |
|
Check.Pasv.Header.CacheControl.cs |
checks HTTP cache-control header on SSL pages. |
|
Check.Pasv.Header.ContentTypeMissing.cs |
checks that the Content-Type HTTP header is not missing. |
|
Check.Pasv.Header.FrameOptions.cs |
checks that the X-FRAME-OPTIONS is not missing or insecurely set. |
|
Check.Pasv.Header.IeXssProtection.cs |
checks that the X-XSS-Protection has not been set to disable IE’s XSS protection. |
|
Check.Pasv.Header.MimeSniff.cs |
checks that the X-CONTENT-TYPE-OPTIONS has been set. |
|
Check.Pasv.InformationDisclosure.DatabaseErrors.cs |
checks for database error messages. |
|
Check.Pasv.InformationDisclosure.DebugErrors.cs |
checks for debugging error messages. |
|
Check.Pasv.InformationDisclosure.InUrl.cs |
checks for information disclosure in URL parameters. |
|
Check.Pasv.InformationDisclosure.ReferrerLeak.cs |
checks HTTP Referer header for information disclosure. |
Issue 253: Plugable extensions
Full extensions can now be plugged into ZAP dynamically with full access to all of ZAPs features.
Minor changes:
Issue 54: Clean shutdown
Issue 90: Add GUI support for unsecure SSL/TLS renegotiation
Issue 102: Save raw response and request, and save body of response and request
Issue 126: Allow working directory and config file to be set via cmd line
Issue 154: Include param id in reports
Issue 168: Reveal hidden fields in web pages
Issue 192: Enable/Disable breakpoints
Issue 193: Detect directory traversal vulnerabilities
Issue 194: Enhancement: Show request ID on Search pane
Issue 200: Detect CSRF vulnerabilities
Issue 230: Enhance zap.sh to cope with symbolic links
Issue 236: Option to toggle URLencoding
Issue 242: Export node / req/resp via right click
Issue 248: Delete alerts / retest feature request
Issue 251: Restructure alerts code
Issue 253: Allow extensions to define dependencies
Issue 270: Icon changes
Issue 279: Core extensions
Issue 282: Add author, description and URL to extensions
Bug fixes:
Issue 42: Arbitrary Redirection
Issue 94: PKCS#11 driver
Issue 107: The last intercepted request/response remains in the Break window
Issue 135: Broken URLs in Sites Panel
Issue 148: New HTTP Panel broke the Undo/Redo Manager
Issue 180: Tabular view for GET request
Issue 187: Encoding issues
Issue 198: The report is not generated when a “Parameter tampering” alert with “NULL” character exists
Issue 210: Exception thrown when using the “Path Traversal” option in the active scan
Issue 224: takes too much time to recover from an proxy port number outside valid range
Issue 225: ZAP exits on startup if an option value contains extended characters like å,ä,ö
Issue 226: proxy port number edit box should not allow millions of characters
Issue 237: Bug: Problems with HTTP Panels
Issue 238: Exception when using a custom fuzz file
Issue 243: When the DynamicLoader loads from local jar, doesn’t take into account the package name
Issue 255: Exception in API when due to illegal character in XML context
Issue 256: Calling HttpMessage.setGetParams looses the port
Issue 260: Exception when deleting (“Purge (from DB)”) “History” tab entries
Issue 261: Partial language match not working
Issue 262: “Weak authentication” alerts not showing with spider
Issue 263: “Cookie without secure flag” alerts not showing with spider
Issue 264: Exception in “Manual Request Editor”/“Resend” dialogues
Issue 268: Change ZAP Report XML
Issue 269: Spider depth parameter
Issue 274: Tidy up delete / purge options
Issue 280: Escape URLs in sites tree
Issue 283: RFE: Font anti-aliasing not enabled by default in request/response
Issue 286: Search string not highlighted for fuzz results
Issue 287: Passive scanner doesnt pick up new anticsrf tokens
Issue 289: fuzzdb files cause virus alerts
Issue 291: Path Traversal has ‘param’ empty but put the param name in ‘attack’
See also
|
|
|
|
Introduction |
the introduction to ZAP |
|
Releases |
the full set of releases |
|
Credits |
the people and groups who have made this release possible |