This is a bug fix and enhancement release, which now requires a minimum of Java 11.
As the main zaproxy/zaproxy repo has just reached 10k stars we’re calling this the ‘Ten Thousand Star’ Release!
This release fixes an HTML Injection vulnerability in the ZAP Desktop which was rated a P3 / Medium level vulnerability. While we do not think that it can be exploited in any meaningful way, desktop users are still recommended to update from older ZAP versions a.s.a.p.
These release notes do not include all of the changes included in add-ons updated since 2.11.1.
Some of the more significant enhancements include:
The core networking code has been replaced by a new add-on which means changes are no longer bound to core/stable releases. This add-on uses a modern network stack which will make it much easier to support modern protocols such as HTTP/2.
In addition the following features have been added:
To facilitate more frequent functional enhancements and bug fixes the core Spider has been moved to an add-on which means such changes are no longer bound to core/stable releases. Other add-ons which use Traditional Spider functionality have also been re-worked to support the Spider add-on, including: Quick Start, Form Handler, GraphQL, OpenAPI, SOAP, and the Automation Framework. More details are given below.
The Import/Export add-on allows importing and exporting data (e.g. HTTP messages, URLs) to and from ZAP. It supersedes core functionality and the following add-ons, which will no longer be available in the marketplace:
A new add-on was introduced for database related functionality in ZAP. This add-on provides the SQLite database engine for other add-ons to use. It also adds support for the ZAP permanent database.
The permanent database allows storing information that may be used across ZAP sessions. For example, it is used by the OAST add-on to persist BOAST payloads that can be polled in future ZAP sessions to list out-of-band interactions made to the service while ZAP wasn’t running.
The passive scanner has been updated to use a configurable number of threads, by default 4. This has been shown to significantly reduce the time spent processing the passive scan queue.
From this release ZAP will no longer use bit.ly for any telemetry. Instead it uses our own services on the zaproxy.org domain. For full details see the FAQ: What ‘calls home’ does ZAP make?.
A significant number of scan rules have been promoted in this release.
The following Active scan rules have been promoted to Release status:
The following Passive scan rules have been promoted to Release status:
The following Active scan rules have been promoted to Beta status (and will therefore now be included in the Packaged scans):
The following Passive scan rules have been promoted to Beta status (and will therefore now be included in the Packaged scans):
As usual the release includes dependency updates. Of particular note is the updated Log4j library. The previous stable release contained a Log4j library that was flagged as being vulnerable, although we believe it was not exploitable.
The following libraries were updated:
The following libraries were moved out of the core and into add-ons:
The following libraries were removed:
The following add-ons are included by default in this release for the first time:
All of the add-ons included by default have been updated since the last full release.
The following add-ons are no longer included, having been superseded by the Import/Export add-on:
This release includes a fix to prevent HTML Injection in the ZAP Desktop GUI. Thank you to “issuefinder” for reporting this to us via our bug bounty program. The vulnerability was rated as a P3 / Medium and desktop users are recommended to update from older ZAP versions a.s.a.p.
The following table illustrates the differences/improvements versus the 2.11/2.11.1 release(s).
Before | After |
---|---|
Base - Proper handling | Base - Proper handling |
A, Link, Area - ‘href’ attribute | A, Link, Area - ‘href’ attribute |
Frame, IFrame, Script, Img - ‘src’ attribute | Applet, Audio, Embed, Frame, IFrame, Input, Script, Img, Video - ‘src’ attribute |
Meta - ‘http-equiv’ for ‘location’ and ‘refresh’ | Meta - ‘http-equiv’ for ‘location’, ‘refresh’ and ‘Content-Security-Policy’, ‘name’ for ‘msapplication-config’ |
Applet - ‘codebase’, ‘archive’ attributes | |
Img - ‘longdesc’, ‘lowsrc’, ‘dynsrc’, ‘srcset’ attributes | |
Isindex - ‘action’ attribute | |
Object - ‘codebase’, ‘data’ attributes | |
Svg - ‘href’ and ‘xlink:href’ attributes of ‘image’ and ‘script’ elements | |
Table - ‘background’ attribute | |
Video - ‘poster’ attribute | |
Form - proper handling of Forms with both GET and POST methods. The field values are generated validly, including HTML 5.0 input types. | Form - proper handling of Forms with both GET and POST methods. The field values are generated validly, including HTML 5.0 input types. The ‘form’, ‘formaction’ and ‘formmethod’ attributes of buttons are also respected. |
Comments - Valid tags found in comments are also analyzed, if specified in the Options Spider screen | Comments - Valid tags found in comments are also analyzed, if specified in the Options Spider screen |
Import - ‘implementation’ attribute | |
Inline string - ‘p’, ‘title’, ‘li’, ‘h1’, ‘h2’, ‘h3’, ‘h4’, ‘h5’, ‘h6’, and ‘blockquote’ tags | |
SVG image files are parsed to identify HREF attributes and extract/resolve any contained links. |
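To make the tag/attribute coverage in the table concrete, here is an added example (not ZAP's own spider code) of a minimal link extractor that implements a subset of the ‘After’ rules: <base> handling, the ‘href’ and ‘src’ tag sets, Meta ‘refresh’, and form ‘action’ / button ‘formaction’. The sample HTML is constructed for the example; running it shows which URLs a crawler applying these rules would discover on a page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Tag/attribute coverage taken from the "After" column of the table above.
HREF_TAGS = {"a", "link", "area"}
SRC_TAGS = {"applet", "audio", "embed", "frame", "iframe", "input",
            "script", "img", "video"}

class LinkExtractor(HTMLParser):
    # Collects the absolute URLs a crawler would follow from one page.
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url  # a <base href> seen later overrides this
        self.links = []

    def _add(self, url):
        if url and url.strip():
            self.links.append(urljoin(self.base, url.strip()))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lower-cases tag and attribute names
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.base, a["href"])
        elif tag in HREF_TAGS:
            self._add(a.get("href"))
        elif tag in SRC_TAGS:
            self._add(a.get("src"))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content is "<seconds>; url=<target>"; keep only the target
            self._add((a.get("content") or "").partition("url=")[2])
        elif tag == "form":
            self._add(a.get("action"))
        elif tag == "button":
            self._add(a.get("formaction"))  # a button may override the form action

def extract_links(html, page_url):
    parser = LinkExtractor(page_url)
    parser.feed(html)
    parser.close()
    return sorted(set(parser.links))

# Constructed sample page (not from any real site) exercising each rule above.
SAMPLE_HTML = """<html><head><base href="https://example.test/app/">
<meta http-equiv="refresh" content="0; url=login">
<link rel="stylesheet" href="../static/site.css"><script src="js/app.js"></script></head>
<body><a href="about">About</a><img src="/img/logo.png">
<iframe src="https://other.test/embed"></iframe><video src="media/v.mp4"></video>
<form action="submit"><button formaction="alt-submit">Go</button></form></body></html>"""
```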
The Manual Request Editor and Resend dialogues were moved to the Requester add-on. This add-on now provides the base infrastructure for add-ons to edit and send messages; the following add-ons already use it: Plug-n-Hack Configuration (Client Messages) and WebSockets.
The Requester tab was also updated to provide the same functionality that the dialogues provide.
The returned data now includes the False Positive count. This change may break existing consumers as the number of expected alerts might no longer be the same. For example, if a Medium risk alert is marked as False Positive, the structure of returned data will be:
{"High":0,"Low":3,"Medium":0,"Informational":2,"False Positive":1}
instead of:
{"High":0,"Low":3,"Medium":1,"Informational":2}
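Consumers that sum the values or gate a pipeline on the counts should read the ‘False Positive’ key explicitly rather than treating every key as a risk level. The helper below is an added example (not ZAP's API client) that normalises both the old and the new shape using the two responses quoted above.

```python
# Added example (not ZAP code): read the alert summary in both the pre- and
# post-change shapes so automation that gates on alert counts keeps working.
RISKS = ("High", "Medium", "Low", "Informational")

def normalise_summary(summary):
    """Return ({risk: count}, false_positive_count) for either response shape."""
    unknown = set(summary) - set(RISKS) - {"False Positive"}
    if unknown:
        raise ValueError(f"unexpected keys in alert summary: {sorted(unknown)}")
    counts = {risk: int(summary.get(risk, 0)) for risk in RISKS}
    return counts, int(summary.get("False Positive", 0))

def confirmed_alerts(summary):
    """Alerts still counted against the target; false positives are excluded."""
    counts, _ = normalise_summary(summary)
    return sum(counts.values())

def exceeds_threshold(summary, max_risk="Low"):
    """True if any confirmed alert is rated above max_risk (a typical CI gate)."""
    counts, _ = normalise_summary(summary)
    allowed = RISKS[RISKS.index(max_risk):]
    return any(counts[risk] for risk in RISKS if risk not in allowed)

# The two responses quoted above: same scan, Medium alert marked False Positive.
OLD_SHAPE = {"High": 0, "Low": 3, "Medium": 1, "Informational": 2}
NEW_SHAPE = {"High": 0, "Low": 3, "Medium": 0, "Informational": 2, "False Positive": 1}
```

Note that a naive `sum(summary.values())` still yields 6 for the new shape, which is exactly the miscount this change can introduce.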
The following endpoints used to return “OK” for all inputs. They now return suitable error messages (such as “does_not_exist” or “illegal_parameter”) when the inputs are invalid.
The following endpoints have been superseded by the Import/Export add-on:
The following endpoints have been superseded by the Network add-on:
The following classes (all of which were deprecated more than 5 years ago) have been removed:
org.parosproxy.paros.common.FileXML
org.parosproxy.paros.core.proxy.SenderThread
org.parosproxy.paros.core.proxy.SenderThreadListener
org.parosproxy.paros.core.proxy.StreamForwarder
org.parosproxy.paros.core.scanner.AbstractDefaultFilePlugin
org.parosproxy.paros.extension.history.BrowserDialog
org.parosproxy.paros.extension.history.PopupMenuResend
org.parosproxy.paros.extension.history.PopupMenuResendSites
org.parosproxy.paros.model.HistoryList
org.parosproxy.paros.model.HttpMessageList
org.parosproxy.paros.network.ByteVector
org.parosproxy.paros.network.ProxyExcludedDomainMatcher
org.zaproxy.zap.extension.brk.BreakpointMessageHandler
org.zaproxy.zap.extension.brk.ExtensionBreak$DialogType
org.zaproxy.zap.extension.history.PopupMenuShowInHistory
org.zaproxy.zap.extension.stdmenus.PopupMenuSpiderContext
org.zaproxy.zap.extension.stdmenus.PopupMenuSpiderContextAsUser
org.zaproxy.zap.extension.stdmenus.PopupMenuSpiderDialog
org.zaproxy.zap.extension.stdmenus.PopupMenuSpiderScope
org.zaproxy.zap.extension.stdmenus.PopupMenuSpiderSite
org.zaproxy.zap.extension.stdmenus.PopupMenuSpiderSubtree
org.zaproxy.zap.extension.stdmenus.PopupMenuSpiderURL
org.zaproxy.zap.extension.stdmenus.PopupMenuSpiderURLAsUser
org.zaproxy.zap.httputils.RequestUtils
org.zaproxy.zap.view.HistoryReferenceTableModel
org.zaproxy.zap.view.MessagePanelsPositionController
org.zaproxy.zap.view.PopupMenuHistoryReference
org.zaproxy.zap.view.PopupMenuHttpMessage
org.zaproxy.zap.view.PopupMenuSiteNode
The following methods (all of which were deprecated more than 5 years ago) have been removed:
org.parosproxy.paros.CommandLine#getConfigs()
org.parosproxy.paros.control.Control#createAndOpenUntitledDb()
org.parosproxy.paros.core.proxy.ProxyParam#isModifyAcceptEncodingHeader()
org.parosproxy.paros.core.proxy.ProxyParam#setModifyAcceptEncodingHeader(boolean)
org.parosproxy.paros.core.scanner.Alert#getAlert()
org.parosproxy.paros.core.scanner.Alert#getReliability()
org.parosproxy.paros.core.scanner.Alert#setAlert(java.lang.String)
org.parosproxy.paros.core.scanner.Alert#setDetail(java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,org.parosproxy.paros.network.HttpMessage)
org.parosproxy.paros.core.scanner.Alert#setRiskReliability(int,int)
org.parosproxy.paros.core.scanner.HostProcess#setPluginRequestCount(int,int)
org.parosproxy.paros.core.scanner.HostProcess#setTestCurrentCount(org.parosproxy.paros.core.scanner.Plugin,int)
org.parosproxy.paros.core.scanner.PluginFactory#loadedPlugin(java.lang.String)
org.parosproxy.paros.core.scanner.PluginFactory#unloadedPlugin(java.lang.String)
org.parosproxy.paros.core.scanner.VariantAbstractQuery#setParams(int,java.util.Map)
org.parosproxy.paros.db.paros.ParosTableHistory#getHistoryList(long)
org.parosproxy.paros.db.paros.ParosTableHistory#getHistoryList(long,int)
org.parosproxy.paros.db.paros.ParosTableHistory#setHistoryTypeAsTemporary(int)
org.parosproxy.paros.db.paros.ParosTableHistory#unsetHistoryTypeAsTemporary(int)
org.parosproxy.paros.db.RecordAlert#getReliability()
org.parosproxy.paros.db.RecordAlert#setReliability(int)
org.parosproxy.paros.extension.ExtensionPopupMenuItem#isSuperMenu()
org.parosproxy.paros.extension.history.ExtensionHistory#clearLogPanelDisplayQueue()
org.parosproxy.paros.extension.history.LogPanel#clearDisplayQueue()
org.parosproxy.paros.extension.history.LogPanel#LogPanel()
org.parosproxy.paros.extension.history.LogPanel#setDisplayPanel(org.zaproxy.zap.extension.httppanel.HttpPanel,org.zaproxy.zap.extension.httppanel.HttpPanel)
org.parosproxy.paros.extension.option.OptionsParamView#getShowMainToolbar()
org.parosproxy.paros.extension.option.OptionsParamView#setShowMainToolbar(int)
org.parosproxy.paros.model.Session#addGlobalExcludeURLRegexs(java.lang.String)
org.parosproxy.paros.model.Session#setGlobalExcludeURLRegexs(java.util.List)
org.parosproxy.paros.network.ConnectionParam#getProxyChainSkipName()
org.parosproxy.paros.network.ConnectionParam#setProxyChainSkipName(java.lang.String)
org.parosproxy.paros.view.AbstractFrame#loadIconImages()
org.parosproxy.paros.view.MainFrame#changeDisplayOption(int)
org.parosproxy.paros.view.MainFrame#MainFrame(int)
org.parosproxy.paros.view.View#getDisplayOption()
org.parosproxy.paros.view.View#getMessagePanelsPositionController()
org.parosproxy.paros.view.View#setDisplayOption(int)
org.parosproxy.paros.view.WorkbenchPanel#changeDisplayOption(int)
org.parosproxy.paros.view.WorkbenchPanel#getTabbedOldSelect()
org.parosproxy.paros.view.WorkbenchPanel#getTabbedOldStatus()
org.parosproxy.paros.view.WorkbenchPanel#getTabbedOldWork()
org.parosproxy.paros.view.WorkbenchPanel#removeSplitPaneWork()
org.parosproxy.paros.view.WorkbenchPanel#setTabbedOldSelect(org.zaproxy.zap.view.TabbedPanel2)
org.parosproxy.paros.view.WorkbenchPanel#setTabbedOldStatus(org.zaproxy.zap.view.TabbedPanel2)
org.parosproxy.paros.view.WorkbenchPanel#setTabbedOldWork(org.zaproxy.zap.view.TabbedPanel2)
org.parosproxy.paros.view.WorkbenchPanel#splitPaneWorkWithTabbedPanel(org.parosproxy.paros.view.TabbedPanel,int)
org.parosproxy.paros.view.WorkbenchPanel#WorkbenchPanel(int)
org.zaproxy.zap.control.AddOn#AddOn(java.io.File)
org.zaproxy.zap.control.AddOn#AddOn(java.lang.String)
org.zaproxy.zap.control.AddOn#canLoad()
org.zaproxy.zap.control.AddOn#isAddOn(java.io.File)
org.zaproxy.zap.control.AddOn#isAddOn(java.lang.String)
org.zaproxy.zap.control.ControlOverrides#getConfigs()
org.zaproxy.zap.control.ControlOverrides#setConfigs(java.util.Hashtable)
org.zaproxy.zap.db.sql.SqlTableHistory#setHistoryTypeAsTemporary(int)
org.zaproxy.zap.db.sql.SqlTableHistory#unsetHistoryTypeAsTemporary(int)
org.zaproxy.zap.extension.api.DotNetAPIGenerator#generateCSharpFiles(java.util.List)
org.zaproxy.zap.extension.api.GoAPIGenerator#generateGoFiles(java.util.List)
org.zaproxy.zap.extension.api.JavaAPIGenerator#generateJavaFiles(java.util.List)
org.zaproxy.zap.extension.api.NodeJSAPIGenerator#generateNodeJSFiles(java.util.List)
org.zaproxy.zap.extension.api.PhpAPIGenerator#generatePhpFiles(java.util.List)
org.zaproxy.zap.extension.api.PythonAPIGenerator#generatePythonFiles(java.util.List)
org.zaproxy.zap.extension.api.WikiAPIGenerator#generateWikiFiles(java.util.List)
org.zaproxy.zap.extension.ascan.ActiveScan#updatePluginRequestCounts()
org.zaproxy.zap.extension.autoupdate.AddOnsTableModel#AddOnsTableModel(java.util.Comparator,org.zaproxy.zap.control.AddOnCollection,int)
org.zaproxy.zap.extension.brk.ExtensionBreak#canAddBreakpoint()
org.zaproxy.zap.extension.brk.ExtensionBreak#canEditBreakpoint()
org.zaproxy.zap.extension.brk.ExtensionBreak#canRemoveBreakpoint()
org.zaproxy.zap.extension.brk.ExtensionBreak#dialogClosed()
org.zaproxy.zap.extension.brk.ExtensionBreak#dialogShown(org.zaproxy.zap.extension.brk.ExtensionBreak$DialogType)
org.zaproxy.zap.extension.brk.ExtensionBreak#getBreakPanel()
org.zaproxy.zap.extension.ExtensionPopupMenu#prepareShow()
org.zaproxy.zap.extension.history.PopupMenuPurgeSites#purge(org.parosproxy.paros.model.SiteMap,org.parosproxy.paros.model.SiteNode)
org.zaproxy.zap.extension.pscan.ExtensionPassiveScan#addPassiveScanner(java.lang.String)
org.zaproxy.zap.extension.pscan.PassiveScanThread#PassiveScanThread(org.zaproxy.zap.extension.pscan.PassiveScannerList,org.parosproxy.paros.extension.history.ExtensionHistory,org.zaproxy.zap.extension.alert.ExtensionAlert)
org.zaproxy.zap.extension.search.SearchPanel#SearchPanel()
org.zaproxy.zap.extension.search.SearchPanel#setDisplayPanel(org.zaproxy.zap.extension.httppanel.HttpPanelRequest,org.zaproxy.zap.extension.httppanel.HttpPanelResponse)
org.zaproxy.zap.extension.spider.SpiderScan#SpiderScan(org.zaproxy.zap.extension.spider.ExtensionSpider,org.zaproxy.zap.spider.SpiderParam,org.zaproxy.zap.model.Target,org.apache.commons.httpclient.URI,org.zaproxy.zap.users.User,int)
org.zaproxy.zap.extension.spider.SpiderThread#SpiderThread(org.zaproxy.zap.extension.spider.ExtensionSpider,org.zaproxy.zap.spider.SpiderParam,java.lang.String,org.zaproxy.zap.model.ScanListenner)
org.zaproxy.zap.spider.Spider#Spider(org.zaproxy.zap.extension.spider.ExtensionSpider,org.zaproxy.zap.spider.SpiderParam,org.parosproxy.paros.network.ConnectionParam,org.parosproxy.paros.model.Model,org.zaproxy.zap.model.Context)
org.zaproxy.zap.spider.SpiderParam#getScope()
org.zaproxy.zap.spider.SpiderParam#getScopeText()
org.zaproxy.zap.spider.SpiderParam#setScopeString(java.lang.String)
org.zaproxy.zap.view.ContextExcludePanel#getPanelName(org.zaproxy.zap.model.Context)
org.zaproxy.zap.view.ContextIncludePanel#getPanelName(org.zaproxy.zap.model.Context)
org.zaproxy.zap.view.MainToolbarPanel#setDisplayOption(int)
org.zaproxy.zap.view.ScanPanel2#ScanPanel2(java.lang.String,javax.swing.ImageIcon,org.zaproxy.zap.model.ScanController,org.parosproxy.paros.common.AbstractParam)
org.zaproxy.zap.view.TabbedPanel2#clone(org.zaproxy.zap.view.TabbedPanel2)
The following fields (all of which were deprecated more than 5 years ago) have been removed:
org.parosproxy.paros.Constant#FILE_CONFIG_DEFAULT
org.parosproxy.paros.Constant#VULNS_BASE
org.parosproxy.paros.core.scanner.Alert#MSG_RELIABILITY
org.parosproxy.paros.core.scanner.Alert#SUSPICIOUS
org.parosproxy.paros.core.scanner.Alert#WARNING
org.parosproxy.paros.model.HistoryReference#TYPE_RESERVED_11
org.parosproxy.paros.view.View#DISPLAY_OPTION_BOTTOM_FULL
org.parosproxy.paros.view.View#DISPLAY_OPTION_LEFT_FULL
org.parosproxy.paros.view.View#DISPLAY_OPTION_TOP_FULL
org.zaproxy.zap.extension.ascan.ActiveScanPanel#PANEL_NAME
org.zaproxy.zap.extension.search.SearchPanel#PANEL_NAME