Release 2.13.0

This is a bug fix and enhancement release.
These release notes do not include all of the changes included in add-ons updated since 2.12.0.

Some of the more significant enhancements include:

HTTP/2 Support

HTTP/2 is now supported, with no configuration changes required.

If you proxy HTTP/2 traffic through ZAP then ZAP will make the same HTTP/2 requests to the target. Any tools that work on proxied requests will also automatically use HTTP/2.

Improved Authentication Handling

ZAP authentication handling has been significantly overhauled, and ZAP can now auto-authenticate to many web apps by just supplying the URL of the login page along with the credentials.

Mac Silicon Support

Mac Silicon is now supported via a new installer and in the Docker images.

GitHub Container Registry

As explained in this blog post the ZAP Docker images are now also available in the GitHub Container Registry.

This may well be a better alternative for many users as, unlike Docker Hub, there is currently no rate limiting on pulls.

Default Threads

All of the “attack” tools which use threading, including both spiders and active scanner, have been changed to use 2x the number of processors as the default number of threads. Using more threads has been shown to significantly reduce the time the scanners take to run.

Network Rate Limiting

The Network add-on now supports a rate limiting feature which allows you to limit the request rate of HTTP/HTTPS (not web sockets) traffic to hosts or domains to prevent overloading the target or being blocked. For more details see the Rate Limit help page.

Note that the Active Scan Delay When Scanning feature has been deprecated and will be removed in a future release.

Network Global Exclusions

The Global Exclusions functionality has been moved to the Network add-on. This will allow us to update it more easily to keep up with browser changes.

Scan Rule Promotions

The following Active scan rules have been promoted to Release status:

The following Active scan rules have been promoted to Beta status (and will therefore now be included in the Packaged scans):

The following Passive scan rules have been promoted to Beta status (and will therefore now be included in the Packaged scans):

Dependency Updates

As usual the release includes dependency updates.

The Selenium add-on has been updated to use the Selenium v4 library. One benefit this brings is that the output from browsers will no longer be shown in the ZAP output - this has been confusing to many people and has not provided any real benefit.

If you have any custom code that directly accesses Selenium classes then you may need to update it.

The following libraries were updated:

Commons Codec, 1.15 → 1.16.0
Commons CSV, 1.9.0 → 1.10.0
Commons IO, 2.11.0 → 2.13.0
Flatlaf 2.6 → 3.1.1
HSQLDB, 2.7.1 → 2.7.2
JFreeChart, 1.5.3 → 1.5.4
Log4j 2, 2.19.0 → 2.20.0
RSyntaxTextArea, 3.3.0 → 3.3.3
XOM, 1.3.8 → 1.3.9

Add-Ons

New Add-Ons

The following add-ons are included by default in this release for the first time:

Authentication Helper - helps identify and set up authentication handling in ZAP.

Updated Add-Ons

All of the add-ons included by default have been updated since the last full release.

Enhancements

Issue 7326 : Allow icons to be scaled independently of the text
Issue 7440 : Manual Request Editor - Add Content-Type when switching to POST
Issue 7574 : Add convenience methods for help and options buttons
Issue 7581 : I would like to be able to set `ZAP_SILENT` to disable call home requests
Issue 7600 : Add details to logged API exception messages
Issue 7613 : Lower case HTTP field names
Issue 7663 : Default thread to number of processors
Issue 7693 : Add Clear button to History tab
Issue 7806 : Deprecate CFU HTTP sender initiator
Issue 7843 : Deprecate `Proxy`/`ProxyServer` related methods
Issue 7847 : Add auto-detect checking strategy
Issue 7869 : Allow to limit alerts per rule during active scan
Issue 7886 : Include whole `org.zaproxy` package in log config
Issue 7887 : Show alert ref in the Alert panel
Issue 7888 : Deprecate Global Exclude URLs
Issue 7918 : Use Adoptium for Java download in the executable
Issue 7933 : Search auth messages
Issue 7937 : Deprecate Active Scan option Delay When Scanning
Issue 7938 : Allow to read enum values with `AbstractParam`

Bug fixes

Issue 3798 : java.awt.Toolkit initialised when running without view
Issue 5368 : ZAP exe might fail to find Java
Issue 6957 : Use of commas within regex for contexts renders them unloadable
Issue 7559 : Alert selection automatically focusing the Request/Response tabs in Full layout
Issue 7579 : Do not allow invalid number of active scan threads
Issue 7589 : Improve add-on update file handling
Issue 7590 : Add-ons being updated might be marked as blocked
Issue 7593 : Check first if an add-on can be uninstalled before uninstalling dependents
Issue 7598 : Misspelling in `config.xml` `scanner.antiCSFR` should be `scanner.antiCSRF`
Issue 7615 : Refresh Show Tab menu item when tabs are removed
Issue 7619 : Use correct path for proxy.pac API nonce
Issue 7620 : Fix HTML tag in message on Context Authorization screen
Issue 7635 : Repaint main toolbar on modified components
Issue 7703 : Do not remove add-ons from the install dir
Issue 7716 : Ascan Category summaries not updated
Issue 7749 : Remove extraneous chars from SQL queries
Issue 7750 : Correct - Consistently prompt when deleting history/sites items
Issue 7765 : Exceptions during update of add-ons with dependents with optional Extensions
Issue 7769 : Remove duplicate Message properties
Issue 7804 : Ensure passive scan runs even with high traffic
Issue 7814 : Prevent exception when uninstalling add-on’s help
Issue 7844 : Retain add-on’s mandatory state
Issue 7873 : Sort Sites nodes with different case consistently
Issue 7883 : Stop Active Scan’s Analyser
Issue 7936 : Update content-length in auth template scripts


	Introduction	the introduction to ZAP
	Releases	the full set of releases
	Credits	the people and groups who have made this release possible