Release 2.11.0

This is the OWASP 20th anniversary bug fix and enhancement release, which requires a minimum of Java 8. Note that a minimum of Java 11 is recommended, especially for high DPI displays.

These release notes do not include all of the changes included in add-ons updated since 2.10.0.

Some of the more significant enhancements include:

Alert Tags

Alerts can now be tagged with arbitrary keys or key=value pairs.
The active and passive scan rules have been updated to include tags for the OWASP Top 10 2021 and 2017 - these are also now shown on the website Alert Details pages.

Automation Framework

The Automation Framework is a new way to automate ZAP and is expected to become the default option for most use cases. For more details see the Automation Framework page on the website.

Report Generation

The new Report Generation add-on allows you to generate much more flexible reports with access to much more data. The previous reporting add-ons have been removed from the marketplace as they provide less functionality and are no longer maintained.
New report templates include:

  • Risk and Confidence HTML - the new default report
  • Modern HTML Report with themes and options
  • High Level Report Sample
  • Traditional HTML Report with requests and responses

“Traditional” templates have been added which match the old reports for anyone who relies on their formats.

OAST Support

The new OAST Support add-on allows you to find and exploit out-of-band vulnerabilities. This add-on is alpha at the time of the 2.11.0 release but is expected to be updated soon, so check the help pages for the latest features.


The new Retest add-on allows you to retest for presence/absence of previously generated alerts. This add-on is alpha at the time of the 2.11.0 release but is expected to be updated soon, so check the help pages for the latest features.


The Docker stable and bare images will now be updated monthly, typically around the start of the month.
The updates will include any updated add-ons and any changes to the packaged scans. No core changes will be included in these updates.
The images will be tagged by date in case you wish to stay on a specific version.
The packaged scans are being migrated to use the Automation Framework - this migration will continue over the life of 2.11.0.


A significant number of statistics have been added to the core, and are being added to add-ons. In part this is driven by the Automation Framework which can make direct use of statistics for sanity checks.
New core statistics include:

  •<format>.<component>.<request-type>.<name> : The number of times the given API endpoint has been called
  • stats.api.error.<format>.<component>.<request-type>.<name> : The number of times the given API endpoint has returned an error
  • stats.ascan.<rule-id>.alerts : The number of alerts the given active scan rule has raised
  • stats.ascan.<rule-id>.skipped : The number of alerts the given active scan rule has been skipped
  • stats.ascan.<rule-id>.started : The number of alerts the given active scan rule has been started
  • stats.ascan.<rule-id>.time : The cumulative number of milliseconds that the given active scan rule has run for
  • stats.ascan.<rule-id>.urls : The number of URLs that the given active scan rule has requested
  • stats.ascan.started : The number of times the active scanner has been started
  • stats.ascan.stopped : The number of times the active scanner has been stopped (as opposed to finishing)
  • stats.ascan.time : The cumulative number of milliseconds that active scanner has run for
  • stats.ascan.urls : The number of URLs the active scanner has requested
  • stats.break.drop : The number of times a request or response has been dropped via a break point
  • stats.break.hit : The number of times a break point has been hit
  • stats.break.step : The number of times a break point has been stepped through
  • stats.pscan.<rule-id>.alerts : The number of alerts raised by the given scan rule
  • stats.pscan.<rule-id>.time : The cumulative number of milliseconds taken to run the given scan rule
  •<engine-name>.<type> : The number of times the given type of script has been called
  • stats.script.error.<engine-name>.<type> : The number of times the given type of script has been returned an error
  • stats.spider.started : The number of times the spider has been started
  • stats.spider.stopped : The number of times the spider has been stopped (as opposed to completing)
  • stats.spider.time : The total number of milliseconds the spider has run for across all scans
  • stats.spider.url.error : The number of URLs the spider has found but failed to access
  • stats.spider.url.found : The number of URLs the spider has found and accessed

For details of the latest statistics including all of the ones also maintained by add-ons and links to the code see the website ZAP Internal Statistics pages.


New Add-Ons

The following add-ons are included by default in this release for the first time:

Updated Add-Ons

All of the add-ons included by default have been updated since the last full release.

Docker Updates

The following changes are included in the latest Stable Docker image:

  • Updated to use Webswing 21.1.5
  • Added /zap/container file to make it easier to detect if we are running in a container like docker.
  • Changed to enable integration tests, inc enabling the AF for the baseline -c option if the --auto flag is used before it.
  • Changed to use user’s home directory for the Automation Framework files so it will work for any user
  • Updated the baseline to use the Automation Framework by default for common options including the config file/URL.
  • Alert_on_Unexpected_Content_Types.js > Added Content-Type text/yaml to the list of expected types.
  • Check if messages being analyzed by API scan scripts are globally excluded or not.
  • Allow more flexibility to specify ZAP command line options when using Webswing
  • Python 3.5 is no longer supported.
  • Update Webswing to download prod version if valid key supplied.

For full list of changes made to the docker images see the docker

Changes in Bundled Libraries

The following libraries were updated:

  • Bouncy Castle, 1.67 → 1.68
  • Commons IO, 2.8.0 → 2.11.0
  • Commons Lang3, 3.11 → 3.12
  • HarLib, 1.1.2 → 1.1.3
  • HSQLDB, 2.5.1 → 2.5.2
  • JFreeChart, 1.5.1 → 1.5.3
  • Log4j 2, 2.14.0 → 2.14.1
  • RSyntaxTextArea, 3.1.1 → 3.1.3
  • SQLite JDBC, →
  • XOM, 1.2.10 → 1.3.7


  • Issue 6023 : Quick add site in Context from History panel
  • Issue 6098 : Allow custom request headers to be set by spider parser
  • Issue 6413 : Allow to export regular expressions
  • Issue 6428 : Root Cert Download from Main API Page
  • Issue 6448 : Manual Request Editor: Send Hotkey
  • Issue 6469 : Cannot detect injection vulnerabilities on null value JSON objects
  • Issue 6598 : Do not require scan rules to implement setParent
  • Issue 6614 : Add AWP Identity manager PKCS11 cards (IDEMIA)
  • Issue 6625 : Deprecate core/view/homeDirectory API endpoint
  • Issue 6628 : Added `_token` to possible CSRF input names
  • Issue 6658 : Redirect core API reports to report add-on
  • Issue 6661 : Add “_csrf_token” accepted CSRF token names list
  • Issue 6678 : Make EventBus publishers easier to discover
  • Issue 6705 : Remove Paros Reports
  • Issue 6712 : Allow to regenerate expired certificate from warning dialogue
  • Issue 6769 : Support manual auth users with no session
  • Issue 6801 : Allow code to set the ZAP exit status
  • Issue 6803 : Enable anti csrf token handling in ascan by default
  • Issue 6807 : Add spider stats
  • Issue 6808 : Add container detection for Docker and Flatpak
  • Issue 6811 : Add option for allowing app integration in containers
  • Issue 6824 : Deprecate extension callback
  • Issue 6827 : Add support for controlling panel switching
  • Issue 6829 : Support Alert Tags
  • Issue 6834 : Adding Spring as a JAVA Technology
  • Issue 6835 : Active Scan stats
  • Issue 6836 : Passive Scan stats
  • Issue 6837 : API stats
  • Issue 6838 : Scripts stats
  • Issue 6840 : Break stats
  • Issue 6844 : Detect if running in WebSwing
  • Issue 6854 : Update user agents

Bug fixes

  • Issue 3988 : Selected checkbox tree nodes not correctly highlighted in macOS
  • Issue 4671 : Tag changes in Search tab not reflected in History tab
  • Issue 5165 : Not found response tab on options (keyboard shortcut setting)
  • Issue 6370 : Fix exception when checking for breakpoints
  • Issue 6381 : Proxy script return value misinterpreted in 2.10.0
  • Issue 6421 : Alerts related API enpoints might return malformed JSON
  • Issue 6427 : Manual Request Editor CONNECT Http Method Broken
  • Issue 6437 : Unable to set only breaks on message in scope
  • Issue 6508 : Detect WebSocket upgrade messages having multiple Connection directives
  • Issue 6512 : Buttons of Manage Tags dialog are too small
  • Issue 6520 : Can not scroll past ‘contexts’ in ‘sites’ tab with FlatLaf L&F
  • Issue 6536 : Extensions not stopped nor destroyed when add-on is uninstalled
  • Issue 6537 : CONNECT requests not shown in History tab
  • Issue 6557 : fix: HTTP Panels Font setting for dark LaFs (Theme)
  • Issue 6562 : Fixed regex generation for host site URLs included in context
  • Issue 6652 : Install missing libraries beforehand
  • Issue 6689 : X-ZAP-Scan-ID HTTP header is missing from some of the active scan requests
  • Issue 6691 : Do not add zero Content-Length by default in GET requests
  • Issue 6720 : Encode parameters when replacing in form auth data
  • Issue 6753 : Update Host header in place
  • Issue 6755 : Extension’s errors during shutdown prevent ZAP to exit
  • Issue 6828 : Fix concurrency issue when downloading add-ons
  • Issue 6843 : Do not init extension’s view if there’s none

ZAP API New Endpoints:

ACTION ascan / setOptionScanNullJsonValues

Sets whether or not the active scanner should scan null JSON values.

VIEW ascan / optionScanNullJsonValues

Tells whether or not the active scanner should scan null JSON values.

ZAP API Deprecated Endpoints:

The following endpoints have been superseded by the Report Generation add-on:

  • OTHER core / htmlreport
  • OTHER core / jsonreport
  • OTHER core / mdreport
  • OTHER core / xmlreport

The following endpoint has been deprecated without replacement, it is an internal GUI property:

  • VIEW core / homeDirectory

See Also

Introduction the introduction to ZAP
Releases the full set of releases
Credits the people and groups who have made this release possible