The OWASP ZAP Desktop User Guide
This is a 10 year anniversary bug fix and enhancement release, which requires a minimum of Java 8. Note that a minimum of Java 11 is recommended, especially for high DPI displays.
These release notes do not include all of the changes included in add-ons updated since 2.9.0.
Some of the more significant enhancements include:
Custom Pages can be defined on a per context basis - these allow ZAP to identify various non-standard error handling conditions such as custom error pages and handle them more effectively.
The concept of Authentication Verification Strategies has been introduced which allows ZAP to handle a wider range of authentication mechanisms including the option to poll a specified page for the authentication status of a user.
Site Tree Control
Scripts and add-ons now have full access to how nodes are represented in the Sites Tree. Both Input Vector Scripts and add-ons which include implementations of the Variant class can change both the tree structure and names used for new nodes.
For more details see the Site Tree Modifiers Blog post.
Dynamic Look and Feel including Dark Mode
The Desktop UI includes a new set of open source Look and Feel's c/o FlatLaf including 2 Dark Mode options.
You can also dynamically switch the Look and Feel via a button on the Top Level Toolbar.
For more details of the dark mode see the Dark Mode in the Weekly Release Blog post.
A new set of environmental variables are available which allow you to easily add an authentication header to all of the requests that are proxied through ZAP or initiated by the ZAP tools, including the spiders and active scanner. These are documented on the Authentication page.
SOCKS Proxy Configuration
It is now possible to dynamically configure the outgoing SOCKS proxy in the Options’ Connection screen. By default the SOCKS proxy configuration applies to all connections made by ZAP.
The following script types are now cached between invocations reducing the time it takes to reuse them:
- Active Rules
- HTTP Sender
- Input Vectors, when used for the Sites tree
- Passive Rules
The following add-ons are included by default in this release for the first time:
- Advanced Encode / Decode / Hash dialog - this replaces the old core encode/decode/hash dialog
- DOM XSS Scan Rule - an Active Scan rule for detecting DOM XSS vulnerabilities
- Form Handler - allows for the custom configuration of values used in forms based on field names
- GraphQL Support - allows you to import and active scan GraphQL definitions
- SOAP Support - allows you to import and active scan WSDL files containing SOAP endpoints
The following add-ons have been updated since the last full release:
The following changes are included in the latest Stable Docker image:
- Update Webswing to latest version (20.2.1) to work with newer Java versions.
- Update Java in stable image to version 11.
- Add support for authenticated scans.
- Add zap_tune function (disable all tags and limit pscan alerts to 10), zap_tuned hook and disable recovery log.
- Update zap-api-scan.py to add support for GraphQL.
- Fail immediately if the spider scans were not started to provide better error message.
- Packaged scans will use the provided context when spidering and active scanning.
- Add `IS_CONTAINERIZED` environment variable to the container image, used in the python script to check for containerized environments (e.g. containerd) without relying on container runtime specific files.
- Make podman compatible
- Make docker stable use ubuntu 20.04
- Make `python` command use Python 3.
- Removed python 2, only python 3 will be supported going forward.
- Changed zap-full-scan.py and zap-api-scan.py to include the -I option to ignore only warning used by zap-baseline-scan.py
For full list of changes made to the docker images see the docker CHANGELOG.md.
Changes in Bundled Libraries
The following libraries were updated:
- Bouncy Castle, 1.61 → 1.67
- Commons Codec, 1.13 → 1.15
- Commons CSV, 1.7 → 1.8
- Commons IO, 2.6 → 2.8.0
- Commons Lang3, 3.9 → 3.11
- Commons Text, 1.8 → 1.9
- HSQLDB, 2.5.0 → 2.5.1
- JFreeChart, 1.0.13 → 1.5.1
- RSyntaxTextArea, 3.0.4 → 3.1.1
- SQLite JDBC, 3.28.0 → 18.104.22.168
The logging library, Log4j, was updated to the new major version (2.x). The previous version is still included for compatibility with existing code, add-on and script authors are encouraged to migrate to the new API.
For example, the logger can now be obtained with:
Logger logger = LogManager.getLogger(MyClass.class);
- Issue 9 : No Way to Specify Custom 404
- Issue 29 : SOCKS (outgoing) proxy support
- Issue 78 : Show message type in History tab
- Issue 111 : Provide a button on the resend screen to inject a CSRF token
- Issue 408 : Add support to encoding transformations
- Issue 560 : Content-Length header always updated on Send - cannot Resend some requests
- Issue 1351 : Decode gzip'ed content in Request tab
- Issue 1701 : Lack of Encoding Breaks Syntax Highlighting
- Issue 3452 : Add “Remove from site tree” in search
- Issue 5542 : Improve dark mode
- Issue 5732 : HTML Reports should offer a table based on alert names
- Issue 5738 : Improve version message in Manage Add-ons dialogue
- Issue 5844 : Add context menu item to mark false positives
- Issue 5845 : Alert API Additions
- Issue 5864 : Add buttons to select the file types ignored on Break
- Issue 5873 : Add FlatLaf L&F, for dark mode
- Issue 5874 : Revise Site Certificates to Max 398d
- Issue 5898 : Allow to import from file into regular expression panels (e.g. Include in Context)
- Issue 5923 : Expose enable related state in scripts API
- Issue 5934 : Allow language to be specified on commandline
- Issue 5963 : Add host and path columns to the history table
- Issue 5973 : added known csrf token for pfsense
- Issue 6010 : Do not recompile unchanged scripts
- Issue 6038 : Allow Parsing of Some Non-text Messages by the Spider
- Issue 6068 : On CSRF variable detection search for partial match instead of full
- Issue 6075 : Allow to override ApiImplementor i18n key prefix
- Issue 6079 : Allow to differentiate requests by body content in Sites tree
- Issue 6084 : Add generation date to the HTML and MD reports
- Issue 6126 : Add more control over the site tree
- Issue 6163 : Support authentication polling
- Issue 6196 : Upgrade the version of log4j
- Issue 6201 : Support dynamic Look and Feel switching
- Issue 6226 : Allow to define the maximum body size to passive scan
- Issue 6277 : Add OneTouchExapandable control to Sites Tree/Request&Response panels
- Issue 6278 : Add Alert reference field
- Issue 6295 : Added support for dynamic technologies
- Issue 6296 : Add auth header define in envvars
- Issue 6299 : Tweak browser page for browser launch
- Issue 6313 : Manual Request response send
- Issue 6333 : Refactor SessionStructure and Session
- Issue 6353 : Update default and common user agents
- Issue 6354 : Update email used in certs
- Issue 1584 : GZip de-compression causes loss of newlines
- Issue 4235 : Warn when unable to save (malformed) HTTP message in Request/Response panels
- Issue 5701 : Fuzzer runs progressively slower
- Issue 5899 : Allows Regex duplication in the same Context through the UI
- Issue 5902 : Active scan script - JSON number values - Weird replaces
- Issue 5952 : Stats includes Content-Type byteranges limits
- Issue 5991 : Hook HttpSenderListener when installing add-ons
- Issue 6008 : Initialization of scripts via ZAP API
- Issue 6037 : Changing look and feel messes with macOS integrations
- Issue 6043 : Active scanner tests the same request twice
- Issue 6102 : Error starting Active Scan in “Everything in Scope” mode.
- Issue 6121 : html encode in Generate anti-CSRF Test FORM
- Issue 6138 : Persistent growing high CPU usage with proxy
- Issue 6206 : Unable to import context without optional fields
- Issue 6223 : Exception while authenticating with form-based and anti-csrf tokens
- Issue 6267 : HTML / Markdown Report Generation Fails When Path Contains ‘#’
- Issue 6297 : Site tree doesnt correctly represent URLs ending in a /
ZAP API New Endpoints:
VIEW ascrf / optionPartialMatchingEnabled
Define if ZAP should detect CSRF tokens by searching for partial matches
ACTION ascrf / setOptionPartialMatchingEnabled
Define if ZAP should detect CSRF tokens by searching for partial matches.
ACTION alert / updateAlertsConfidence
Update the confidence of the alerts.
ACTION alert / updateAlertsRisk
Update the risk of the alerts.
ACTION context / setContextCheckingStrategy
Set the checking strategy for a context - this defines how ZAP checks that a request is authenticated.
VIEW core / optionUseSocksProxy
Gets whether or not the SOCKS proxy should be used.
ACTION core / setOptionUseSocksProxy
Sets whether or not the SOCKS proxy should be used.
VIEW users / getAuthenticationState
Gets the authentication state information for the user identified by the Context and User Ids.
VIEW users / getAuthenticationSession
Gets the authentication session information for the user identified by the Context and User Ids, e.g. cookies and realm credentials.
Action users / authenticateAsUser
Tries to authenticate as the identified user, returning the authentication request and whether it appears to have succeeded.
Action users / pollAsUser
Tries to poll as the identified user, returning the authentication request and whether it appears to have succeeded. This will only work if the polling verification strategy has been configured.
Action users / setAuthenticationState
Sets fields in the authentication state for the user identified by the Context and User Ids.
Action users / setCookie
Sets the specified cookie for the user identified by the Context and User Ids.
||the introduction to ZAP
||the full set of releases
||the people and groups who have made this release possible