Release 2.2.0

The following changes were made in this release:

Major changes:

Issue 717 : Scripts: support multiple scripts and embedding within ZAP components

Support for Mozilla Zest: https://developer.mozilla.org/en-US/docs/Zest

Support for Mozilla Plug-n-Hack: https://developer.mozilla.org/en-US/docs/Plug-n-Hack

Support for scanning headers as well as JSON and XML formats

Minor changes:

Issue 711 : Support scanning of XML requests

Issue 713 : Add CWE and WASC numbers to issues

Issue 719 : Custom http breakpoints with more options

Issue 738 : Options to hide tabs / windows

Issue 750 : Upgrade script console to support non textbased scripting languages

Issue 752 : Create a new root CA when first run

Issue 775 : Allow host to be set via the command line

Bug Fixes:

Issue 555 : Http panels default to hex view

Issue 599 : The save session api does not allow to overwrite session already has same name

Issue 630 : URLCanonicalizer.getCanonicalURL produces URIs “half” decoded

Issue 631 : URLCanonicalizer.buildCleanedParametersURIRepresentation returns URIs in percent-encoded form and decoded

Issue 652 : Shutdown after a big scan takes too long (deleting ascan records)

Issue 655 : API encoding issues

Issue 665 : NullPointerException while proxying with a URI with an empty path component

Issue 666 : JSONException while calling an API action without the required parameter(s)

Issue 669 : Certificate algorithm constraints in Java 1.7

Issue 674 : Add HttpSessionAPI to ApiGeneratorUtils

Issue 685 : Add dummy file to “fuzzers” directory

Issue 686 : Log HttpException (as error) in the ProxyThread

Issue 687 : Change HTTP response header parser to be less strict

Issue 690 : Context Authentication URLs don’t fail manual overwriting.

Issue 691 : Handle old plugins

Issue 692 : Report the version of java found by zap.sh

Issue 693 : Command line should show all options

Issue 694 : API UI fails on IE

Issue 695 : Sites tree doesnt clear on new session created by API

Issue 696 : Change “Ajax Spider” add-on options to use ZapNumberSpinner

Issue 697 : API action “proxy.pac” might return wrong domain/port

Issue 698 : Passive Scanner API view “recordsToScan” returns -1 after finish scanning the messages

Issue 699 : Fix HTML errors in the help pages

Issue 702 : Do not load newer add-on versions if they are not targeted for the running ZAP version

Issue 703 : Add-on ZAP version constraints “not-before-version” and “not-from-version” are not respected for already “installed” add-ons

Issue 706 : ZAP API doesn’t parse correctly query parameters with “&” characters

Issue 710 : URLCanonicalizer.getCanonicalURL fails to correctly parse query parameters with “&” and “=” characters

Issue 712 : HttpSessions API action “setSessionTokenValue” should add the session token name to the site’s session tokens

Issue 720 : Cannot send non standard http methods

Issue 721 : Non POST and PUT requests receive a 504 when server expects a request body

Issue 724 : Do not clone the alert’s message that will be shown in message panels

Issue 725 : Clear alert’s panel fields

Issue 726 : Catch active scanner variants’ exceptions

Issue 727 : Name of automatically created HTTP sessions is always in English

Issue 728 : Allow to create a session with a given name through the HttpSessions API

Issue 729 : Update NTLM authentication code

Issue 730 : MissingResourceException while selecting a disabled extension (from an add-on) in the “Extensions” options panel

Issue 731 : MissingResourceException with ExtensionFuzz enabled and ExtensionBruteForce disabled

Issue 736 : Change add-on class loading strategy to parent-last

Issue 737 : Restore “Ajax spider” add-on dependencies

Issue 756 : Allow Context Panels intercommunication

Issue 763 : XML report empty when used in daemon mode

Issue 764 : HTTP fuzz results dont support right click menus

Issue 766 : Searching fuzz results doesnt include the header

Issue 767 : HTTP Session API could be less strict

Issue 772 : Restructuring of Saving/Loading Context Data

Issue 774 : Build doesnt include scripts directory

Issue 776 : Allow add-ons to warn user if they’re closing ZAP with unsaved resources open

Issue 777 : Unable to cancel changes when using Include in/Exclude from Context

Issue 782 : NoSuchMethodError when excluding a WebSocket channel URL from context

Issue 785 : Change zap.sh to cope with Java 1.8

Issue 786 : Snapshot session menu item not working

See also

Introduction the introduction to ZAP
Releases the full set of releases
Credits the people and groups who have made this release possible