-
Add-ons
- Access Control Testing
-
Active Scan Rules
-
Active Scan Rules - Alpha
-
Active Scan Rules - Beta
-
Advanced SQLInjection Add-on
- AJAX Spider
- Alert Filters
- All In One Notes
-
AMF Support
- Authentication Helper
-
Authentication Statistics
-
Automation Framework
- Automation Framework - About
- Automation Framework - authentication
- Automation Framework - Environment
- Automation Framework - GUI
- Automation Framework - addOns Job
- Automation Framework - activeScan Job
- Automation Framework - delay Job
- Automation Framework - passiveScan-config Job
- Automation Framework - passiveScan-wait Job
- Automation Framework - requestor Job
- Automation Framework - spider Job
- Automation Framework - Options
- Automation Framework - Alert Job Test
- Automation Framework - Monitor Job Test
- Automation Framework - Statistics Job Test
- Automation Framework - URL Presence Job Tests
- Automation Framework - Job Tests
-
Bean Shell Console
-
BIRT Reports
-
Browser View
-
Bug Tracker
-
Call Graph
-
Call Home
- Client Side Integration
-
Code Dx
-
Collection: Pentester Pack
-
Collection: Scan Rules Pack
-
Common Library
-
Community Scripts
- Custom Payloads
-
Custom Report
-
Database Add-on
-
Dev Add-On
-
Diff
-
Directory List v1.0
-
Directory List v2.3
-
Directory List v2.3 LC
- DOM XSS Active Scan Rule
- Encode / Decode / Hash dialog
-
Eval Villain
-
Export Report
- Forced Browse
-
Form Handler
-
FuzzDB Files
-
FuzzDB Offensive
-
FuzzDB Web Backdoors
- Fuzzing
-
Getting Started Guide
-
GraalVM JavaScript
- GraphQL Support
- Groovy Support
-
Highlighter
-
HTTPS Info
- The HUD
- Import/Export
-
Import URLs
- Invoke Applications
-
JSON View
-
Kotlin Support
-
Linux WebDrivers
-
Log File Importer
-
MacOS WebDrivers
-
Neonmarker
- Network Add-on
- Out-of-band Application Security Testing Support
-
Online Menu
- OpenAPI Support
- Parameter Digger
-
Passive Scan Rules
-
Passive Scan Rules - Alpha
-
Passive Scan Rules - Beta
- Plug-n-Hack
- Port Scan
- Postman Support
- Python Scripting
- Quick Start
-
Regular Expression Tester
- Replacer
-
Report Alert Generator
-
Report Generation
- Report Generation - About
- Report Generation API
- Report Generation Automation Framework Support
- Creating Reports
- High Level Report Sample
- Modern HTML Report with themes and options
- Risk and Confidence HTML
- SARIF JSON Report
- Traditional HTML with Requests and Responses
- Traditional HTML
- Traditional JSON Report with Requests and Responses
- Traditional JSON Report
- Traditional Markdown Report
- Traditional PDF
- Traditional XML Report with Requests and Responses
- Traditional XML Report
- Report Templates
- Requester Add-on
- Retest
-
Retire.js
-
Reveal
-
Revisit
-
Ruby Scripting
-
SAML Support
-
Save Raw Message
-
Save XML Message
- Script Console
- Selenium
-
Sequence Scanner
- Server-Sent Events
- SOAP Support
- Spider
-
SVN Digger Files
- Technology Detection
-
Tips and Tricks
-
TLS Debug
- Token Generation and Analysis
-
TreeTools
-
Value Generator
-
ViewState
- WebSockets
-
Windows WebDrivers
-
Zest
-
Releases
- Release 1.0.0
- Release 1.1.0
- Release 1.2.0
- Release 1.3.0
- Release 1.3.1
- Release 1.3.2
- Release 1.3.3
- Release 1.3.4
- Release 1.4.0
- Release 1.4.1
- Release 2.0.0
- Release 2.1.0
- Release 2.10.0
- Release 2.11.0
- Release 2.11.1
- Release 2.12.0
- Release 2.13.0
- Release 2.14.0
- Release 2.2.0
- Release 2.2.1
- Release 2.2.2
- Release 2.3.0
- Release 2.3.1
- Release 2.4.0
- Release 2.4.1
- Release 2.4.2
- Release 2.4.3
- Release 2.5.0
- Release 2.6.0
- Release 2.7.0
- Release 2.8.0
- Release 2.9.0
-
Getting Started
- Scanner Rules
-
Features
- Add-ons
- Alerts
- Anti CSRF Handling
- API
- Active Scan
- Authentication
- Authentication Methods
- Authentication Verification Strategies
- Breakpoints
- Callbacks
- Contexts
- Custom Page
- Data Driven Content
- Globally Excluded URLs
- HTTP Sessions
- Manipulator-in-the-middle Proxy
- Marketplace
- Modes
- Notes
- Passive Scan
- Software Bill of Materials
- Scan Policy
- Scope
- Scripts
- Session Management
- Sites Tree
- Spider
- Statistics
- Structural Modifiers
- Structural Parameters
- Tags
- Users
- A Basic Penetration Test
- Configuring Proxies
-
Desktop UI Overview
-
Dialogs
- Add Alert dialog
- Add/Edit Breakpoint dialog
- Add Note dialog
- Active Scan dialog
- Encode / Decode / Hash dialog
- Find dialog
- History Filter dialog
- Manual Request Editor dialog
- Manage Add-ons
- Manage History Tags dialog
-
Options dialog
- Options Alerts screen
- Options Anti CRSF screen
- Options API screen
- Options Active Scan screen
- Options Active Scan Input Vectors screen
- Options Breakpoints screen
- Options Callback Address screen
- Options Client Certificate screen
- Options Check for Updates screen
- Options Connection screen
- Options Database screen
- Dynamic SSL Certificates
- Options Extensions screen
- Options Global Exclude URL screen
- Options HTTP Sessions screen
- Options JVM screen
- Options Keyboard screen
- Options language screen
- Options Local Proxies screen
- Options Passive Scan Tags screen
- Options Passive Scanner Screen
- Options Passive Scan Rules Screen
- Options Rule Configuration screen
- Options Scripts screen
- Options Search screen
- Options Spider screen
- Options Statistics screen
- Options Display screen
- Persist Session dialog
- Scan Policy Dialog
- Scan Policy Manager dialog
- Scan Progress Dialog
- Session Properties dialog
- Spider dialog
- Footer
- The Tabs
- Top Level Menu
- Top Level Toolbar
- Views
-
Dialogs
Release 2.14.0
This is a bug fix and enhancement release.
These release notes do not include all of the changes included in add-ons updated since 2.13.0.
This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
Some of the more significant enhancements include:
Rebranding and Docker Hub Move
ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
As part of that move the official ZAP Docker images are being published to the Software Security Project Docker Hub Organisation. The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
Note that you can also pull the ZAP Docker images from GitHub Container Registry.
Host Header Manipulation
Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time! The Break, Manual Request and Requester dialogs all have a new “Update Host Header” button. This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
ZAPit
This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified. For more details see the ZAPit help page
API File Transfers
You can now upload and download files to and from ZAP via the API. Note that this feature is disabled by default as a security measure. For more details, including how to enable it, see the API help page.
Graal JS Add-on Access
Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support. Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP. Note that existing Nashorn scripts may need changes to work with Graal JS.
Postman Support
ZAP can now import Postman collections thanks to the new Postman add-on.
SBOMs
ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX for both the ZAP core and all of the add-ons maintained by the ZAP team. For more details see the Software Bill of Materials help page.
ZAP API OpenAPI Definition
An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients. This definition is planned to be kept up to date for the latest core and add-on releases.
Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
ZAP Browser Extensions
The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension These are included in the new Client Side Integration add-on which supports: * Browser Recording * Streaming client side events to ZAP This is not (yet) included in the main ZAP releases so you will need to download it from the Marketplace.
Dependency Updates
As usual the release includes dependency updates.
The following libraries were updated:
- Commons Lang, 3.12.0 → 3.13.0
- Flatlaf 3.1.1 → 3.2.1
- RSyntaxTextArea, 3.3.3 → 3.3.4
The following library was added:
- Log4j JUL Adapter 2.20.0
Add-Ons
New Add-Ons
The following add-ons are included by default in this release for the first time:
- Postman Support - allows to import Postman Collections.
Updated Add-Ons
All of the add-ons included by default have been updated since the last full release.
Enhancements
- Issue 1926 : Remove Alerts for defined Context through ZAP API
- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
- Issue 7607 : Allow to download/upload files through the ZAP API
- Issue 7951 : Validate API parameter names
- Issue 7984 : Allow to display script without focusing
- Issue 7988 : Use short name for home dir in Windows
- Issue 8012 : Move vulnerability data to Common Library add-on
- Issue 8033 : Add/use Log4j JUL adapter
- Issue 8040 : Add prompt text to search input fields
- Issue 8042 : Find: use focus owner
- Issue 8043 : Update Download Icon
- Issue 8050 : Allow to select a script node without focusing
- Issue 8067 : Allow to disable modification of multiple options
- Issue 8070 : Prevent concurrent usage of ZAP home
- Issue 8089 : Break: Allow host header manipulation
- Issue 8101 : Extend ScanEventPublisher to support params
- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
- Issue 8118 : Record config stats
Bug fixes
- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
- Issue 7960 : Graal.js engine might fail to load/access add-on classes
- Issue 8013 : Use add-on class loader for interface from script
- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
- Issue 8055 : Include country name for duplicated languages
- Issue 8068 : Use the current database body size values
- Issue 8111 : Raw HTML displayed in options panels for search matches
See Also
| Introduction | the introduction to ZAP | |
| Releases | the full set of releases | |
| Credits | the people and groups who have made this release possible |