The OWASP ZAP Desktop User Guide
This is the OWASP 20th anniversary bug fix and enhancement release, which requires a minimum of Java 8. Note that a minimum of Java 11 is recommended, especially for high DPI displays.
These release notes do not include all of the changes included in add-ons updated since 2.10.0.
Some of the more significant enhancements include:
Alerts can now be tagged with arbitrary keys or key=value pairs.
The active and passive scan rules have been updated to include tags for the OWASP Top 10 2021 and 2017 - these are also now shown on the website Alert Details pages.
The Automation Framework is a new way to automate ZAP and is expected to become the default option for most use cases. For more details see the Automation Framework page on the website.
The new Report Generation add-on allows you to generate much more flexible reports with access to much more data. The previous reporting add-ons have been removed from the marketplace as they provide less functionality and are no longer maintained.
New report templates include:
- Risk and Confidence HTML - the new default report
- Modern HTML Report with themes and options
- High Level Report Sample
- Traditional HTML Report with requests and responses
“Traditional” templates have been added which match the old reports for anyone who relies on their formats.
The new OAST Support add-on allows you to find and exploit out-of-band vulnerabilities. This add-on is alpha at the time of the 2.11.0 release but is expected to be updated soon, so check the help pages for the latest features.
The new Retest add-on allows you to retest for presence/absence of previously generated alerts. This add-on is alpha at the time of the 2.11.0 release but is expected to be updated soon, so check the help pages for the latest features.
The Docker stable and bare images will now be updated monthly, typically around the start of the month.
The updates will include any updated add-ons and any changes to the packaged scans. No core changes will be included in these updates.
The images will be tagged by date in case you wish to stay on a specific version.
The packaged scans are being migrated to use the Automation Framework - this migration will continue over the life of 2.11.0.
A significant number of statistics have been added to the core, and are being added to add-ons. In part this is driven by the Automation Framework which can make direct use of statistics for sanity checks.
New core statistics include:
- stats.api.call.<format>.<component>.<request-type>.<name> : The number of times the given API endpoint has been called
- stats.api.error.<format>.<component>.<request-type>.<name> : The number of times the given API endpoint has returned an error
- stats.ascan.<rule-id>.alerts : The number of alerts the given active scan rule has raised
- stats.ascan.<rule-id>.skipped : The number of alerts the given active scan rule has been skipped
- stats.ascan.<rule-id>.started : The number of alerts the given active scan rule has been started
- stats.ascan.<rule-id>.time : The cumulative number of milliseconds that the given active scan rule has run for
- stats.ascan.<rule-id>.urls : The number of URLs that the given active scan rule has requested
- stats.ascan.started : The number of times the active scanner has been started
- stats.ascan.stopped : The number of times the active scanner has been stopped (as opposed to finishing)
- stats.ascan.time : The cumulative number of milliseconds that active scanner has run for
- stats.ascan.urls : The number of URLs the active scanner has requested
- stats.break.drop : The number of times a request or response has been dropped via a break point
- stats.break.hit : The number of times a break point has been hit
- stats.break.step : The number of times a break point has been stepped through
- stats.pscan.<rule-id>.alerts : The number of alerts raised by the given scan rule
- stats.pscan.<rule-id>.time : The cumulative number of milliseconds taken to run the given scan rule
- stats.script.call.<engine-name>.<type> : The number of times the given type of script has been called
- stats.script.error.<engine-name>.<type> : The number of times the given type of script has been returned an error
- stats.spider.started : The number of times the spider has been started
- stats.spider.stopped : The number of times the spider has been stopped (as opposed to completing)
- stats.spider.time : The total number of milliseconds the spider has run for across all scans
- stats.spider.url.error : The number of URLs the spider has found but failed to access
- stats.spider.url.found : The number of URLs the spider has found and accessed
For details of the latest statistics including all of the ones also maintained by add-ons and links to the code see the website ZAP Internal Statistics pages.
The following add-ons are included by default in this release for the first time:
All of the add-ons included by default have been updated since the last full release.
The following changes are included in the latest Stable Docker image:
- Updated to use Webswing 21.1.5
- Added /zap/container file to make it easier to detect if we are running in a container like docker.
- Changed to enable integration tests, inc enabling the AF for the baseline
-c option if the
--auto flag is used before it.
- Changed to use user’s home directory for the Automation Framework files so it will work for any user
- Updated the baseline to use the Automation Framework by default for common options including the config file/URL.
- Alert_on_Unexpected_Content_Types.js > Added Content-Type text/yaml to the list of expected types.
- Check if messages being analyzed by API scan scripts are globally excluded or not.
- Allow more flexibility to specify ZAP command line options when using Webswing
- Python 3.5 is no longer supported.
- Update Webswing to download prod version if valid key supplied.
For full list of changes made to the docker images see the docker CHANGELOG.md.
Changes in Bundled Libraries
The following libraries were updated:
- Bouncy Castle, 1.67 → 1.68
- Commons IO, 2.8.0 → 2.11.0
- Commons Lang3, 3.11 → 3.12
- HarLib, 1.1.2 → 1.1.3
- HSQLDB, 2.5.1 → 2.5.2
- JFreeChart, 1.5.1 → 1.5.3
- Log4j 2, 2.14.0 → 2.14.1
- RSyntaxTextArea, 3.1.1 → 3.1.3
- SQLite JDBC, 220.127.116.11 → 18.104.22.168
- XOM, 1.2.10 → 1.3.7
- Issue 3988 : Selected checkbox tree nodes not correctly highlighted in macOS
- Issue 4671 : Tag changes in Search tab not reflected in History tab
- Issue 5165 : Not found response tab on options (keyboard shortcut setting)
- Issue 6370 : Fix exception when checking for breakpoints
- Issue 6381 : Proxy script return value misinterpreted in 2.10.0
- Issue 6421 : Alerts related API enpoints might return malformed JSON
- Issue 6427 : Manual Request Editor CONNECT Http Method Broken
- Issue 6437 : Unable to set only breaks on message in scope
- Issue 6508 : Detect WebSocket upgrade messages having multiple Connection directives
- Issue 6512 : Buttons of Manage Tags dialog are too small
- Issue 6520 : Can not scroll past ‘contexts’ in ‘sites’ tab with FlatLaf L&F
- Issue 6536 : Extensions not stopped nor destroyed when add-on is uninstalled
- Issue 6537 : CONNECT requests not shown in History tab
- Issue 6557 : fix: HTTP Panels Font setting for dark LaFs (Theme)
- Issue 6562 : Fixed regex generation for host site URLs included in context
- Issue 6652 : Install missing libraries beforehand
- Issue 6689 : X-ZAP-Scan-ID HTTP header is missing from some of the active scan requests
- Issue 6691 : Do not add zero Content-Length by default in GET requests
- Issue 6720 : Encode parameters when replacing in form auth data
- Issue 6753 : Update Host header in place
- Issue 6755 : Extension’s errors during shutdown prevent ZAP to exit
- Issue 6828 : Fix concurrency issue when downloading add-ons
- Issue 6843 : Do not init extension’s view if there’s none
ZAP API New Endpoints:
ACTION ascan / setOptionScanNullJsonValues
Sets whether or not the active scanner should scan null JSON values.
VIEW ascan / optionScanNullJsonValues
Tells whether or not the active scanner should scan null JSON values.
ZAP API Deprecated Endpoints:
The following endpoints have been superseded by the Report Generation add-on:
- OTHER core / htmlreport
- OTHER core / jsonreport
- OTHER core / mdreport
- OTHER core / xmlreport
The following endpoint has been deprecated without replacement, it is an internal GUI property:
- VIEW core / homeDirectory
||the introduction to ZAP
||the full set of releases
||the people and groups who have made this release possible