Release 2.3.0

The following changes were made in this release:

Significant changes:

ZAP ‘lite’ version

For this release we are providing a ‘lite’ version of ZAP in addition to the ‘full’ version. This contains exactly the same core code, but it just includes fewer default add-ons. Of course, you can download all of the ‘missing’ add-ons from the ZAP marketplace to ‘upgrade’ the lite version to a full one.
The ‘lite’ version is aimed at people new to security who need less initial functionality which will hopefully be easier to get started with. It will also be suitable for people looking for a smaller download or those wishing to customize exactly which add-ons they install.

Support for client-side (browser) events

You can now view, intercept, manipulate, resend and fuzz client-side events . This includes postMessages, so you can now detect DOM based XSS vulnerabilities in postMessages. This is the first phase in a series of planned changes to support the testing of AJAX and HTML5 applications even more effectively.

Enhanced authentication support

ZAP’s support for authentication has been completely revamped to easily handle complex types of authentication methods and scenarios . Support has also been added for user-defined scripts which allow you to handle custom authentication schemes. In addition, now ZAP understands and allows you to configure web applications’ Users so various actions throughout ZAP can be performed from the point of view of defined users. To get started, check out the new Authentication and Users panels in the Session Properties for each of the defined Contexts.

Support for non standard apps

This release includes support for ‘single page’ applications and non standard key-value separators . You can now control these settings via the new Structure panel in the Session Properties.

New Input Vectors including user-defined scripts

ZAP supports new options for defining the input vectors i.e. the elements of a request that ZAP will attack. The new options are available in the Active Scan Input Vectors panel of the Options. Support has also been added for defining custom scripts that define new input vectors.

Scan policy - fine grained control

The scan policy now has a fine grained control , allowing you to tweak individual scanner rules. You can also define, load and save scan policies, allowing you to maintain a set of policies that work well in different circumstances.
In addition, by default ZAP will not now scan well-known service parameters (e.g. __VIEWSTATE) speeding up the overall scanning process. This is completely user configurable, allowing you to specify exactly which parameters ZAP should ignore.

Advanced Active Scan dialog

A new ‘Advanced Active Scan’ dialog allows you to specify exactly how you want the active scanner to function. It allows you to specify ‘custom vectors’ that explicitly define which strings you want to attack. It also supports the option to scan as any of the Users you have defined for the application under test. Start an Advanced Active Scan via the Tools menu or via the Attack section of the right click popup menu.

Extended command line options

You can now run ZAP ‘inline’ i.e. without starting the ZAP UI or a daemon . In this mode you can run simple attacks or run scripts which can access all of the ZAP functionality. You can also now override any of the options defined in the configuration file via command line parameters.

More API support

The API has been extended to support even more of the ZAP functionality.

Internationalized help file

The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
Languages with a significant amount of translated help pages include:

  • Bosnian
  • French
  • Japanese
  • Spanish

Keyboard shortcuts

All menu items can now be invoked via keyboard shortcuts. Defaults are defined for virtually all cases, but you can configure your own preferences in the Keyboard panel of the Options.

New UI options

There is a new option to change the display so that the selected tab takes up the full screen . This is useful when using ZAP on small screens. There is also an option to toggle the visibility of the tab names on an off to further conserve space.

Most of the UI lists have also been converted to tables, which allow you to change column widths and define exactly which columns are displayed, and how the tables are sorted.

More functionality moved to add-ons

More of the core functionality has been moved into add-ons which allows us to deliver updates dynamically via the ZAP Marketplace rather than requiring new full releases.
This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.

New and improved active and passive scanning rules

Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.

Other miscellaneous changes and additions

  • A new option to stop individual scan rules without stopping the whole scan
  • A new toolbar button that allows you to quickly and easily record Zest scripts.
  • A new group for sharing ZAP scripts (https://groups.google.com/group/zaproxy-scripts) has been created.
  • The ability to spider applications based on source control metadata (SVN and Git) exposed via a web server
  • The ability to force breaks from within Proxy scripts

Full list of changes:

  • Issue 122 : ProxyThread logging timeout readings with incorrect message (URL)
  • Issue 207 : Enhancement: Hotkeys
  • Issue 362 : Allow Alerts lists to be filtered by selection in Sites pane
  • Issue 399 : zap.sh directory handling
  • Issue 412 : Enable unsafe SSL/TLS renegotiation option not saved
  • Issue 416 : Normalise how multiple related options are managed throughout ZAP and enhance the usability of some options Usability
  • Issue 485 : Make language packs into add-ons
  • Issue 503 : Change the footer tabs to display the data with tables instead of lists Usability
  • Issue 572 : Change the generate_root_ca property to a function in the Python API
  • Issue 575 : Return the list of alerts in the Python API instead of a dictionary with one entry
  • Issue 585 : Proxy - “502 Bad Gateway” errors responded as “504 Gateway Timeout”
  • Issue 589 : Move Reveal extension to ZAP extensions project
  • Issue 590 : Forced Browse uses wrong scheme when “attacking” a site accessed over a secure connection (HTTPS) on a non-default port
  • Issue 591 : Available sites/hosts (in the footer panels) disappear when mode changed to “Safe”
  • Issue 595 : Spider fails to start (footer panel) with a site accessed over a secure connection (HTTPS) on a non-default port
  • Issue 606 : Disable the “Start” scan button when the “–Select Site–” option is selected
  • Issue 607 : Manual requested sites shown as scanned in the footer panels when selected in the “Sites” tab
  • Issue 609 : Provide a common interface to query the state and access the data (HttpMessage and HistoryReference) displayed in the tabs
  • Issue 613 : Move Save Raw HttpMessage extension to ZAP extensions project
  • Issue 619 : Move Forced Browse extension to ZAP extensions project
  • Issue 620 : Move Forced Browse files to ZAP extensions project
  • Issue 783 : shutdown should be a method in the python zap.core api
  • Issue 788 : Update Java for Mac release
  • Issue 793 : Authentication / SessionManagement Methods dynamic loading in APIs not reliable
  • Issue 799 : Add HttpAuthentication as an Authentication Method
  • Issue 803 : Patch for /trunk/src/help/zaphelp/zaphelp/credits.html
  • Issue 804 : Add Support for various types of Authentication for a Context
  • Issue 805 : Add Support for various types of Session Management for a Context
  • Issue 806 : Add Support for webapp Users
  • Issue 807 : Error while loading ZAP when Quick Start Tab is closed
  • Issue 816 : Add right-click Copy/Paste & Find options in the Encode/Decode/Hash dialog
  • Issue 817 : Python API doesn’t handle “other” operations correctly
  • Issue 822 : Java API: ApiResponseSet.getAttributes() not working
  • Issue 825 : Old version of Rhino included in lib directory
  • Issue 827 : Default session tokens are not lower cased when added through options dialogue
  • Issue 828 : NullPointerException while accessing HttpSessions API view “sessionTokens” when a site doesn’t exist or doesn’t have tokens
  • Issue 829 : JSONException while calling an API view without the required parameter(s)
  • Issue 830 : Java Client API doesn’t encode query parameters when sending requests to ZAP API
  • Issue 832 : Http Sessions tab should be cleared when a new session is created
  • Issue 837 : Update, always, the HTTP request sent/forward by ZAP’s proxy
  • Issue 838 : Search API - Add search views that return HTTP messages
  • Issue 839 : Search API - Add search views that return messages in HTTP Archive format
  • Issue 840 : Core API - Allow to get the messages in HTTP Archive format
  • Issue 841 : NullPointerException after sending a manual HTTP request with ExtensionHistory disabled
  • Issue 842 : NullPointerException while active scanning with ExtensionAntiCSRF disabled
  • Issue 843 : NullPointerException after sending/proxying a HTTP request with ExtensionAntiCSRF disabled
  • Issue 844 : NullPointerException while invoking the “Scan policy” dialogue with ExtensionPassiveScan disabled
  • Issue 845 : AbstractPanel added twice to TabbedPanel2 in ExtensionLoader#addTabPanel
  • Issue 846 : NullPointerException while active scanning with ExtensionScript disabled
  • Issue 849 : NullPointerException while authenticating with ExtensionHistory disabled
  • Issue 852 : Search API - URL views return the same URL several times
  • Issue 853 : Core API - Allow to get the number of alerts
  • Issue 854 : Core API - Allow to get the number of messages
  • Issue 855 : Core API - Allow to get a message by ID
  • Issue 856 : Core API - Allow to get an alert by ID
  • Issue 857 : Core API - “alerts” view might return unexpected alerts when pagination is used
  • Issue 858 : Core API - “messages” view might return unexpected messages when pagination is used
  • Issue 859 : PScan API - Allow to enable/disable the passive scan
  • Issue 860 : PScan API - Allow to list/get the passive scanners
  • Issue 861 : PScan API - Allow to enable/disable all the passive scanners
  • Issue 862 : PScan API - Allow to enable/disable a given passive scanner
  • Issue 863 : AScan API - Allow to list/get the active scanners
  • Issue 864 : AScan API - Allow to enable/disable all the active scanners
  • Issue 865 : AScan API - Allow to enable/disable a given active scanner
  • Issue 866 : Alert keeps HttpMessage longer than needed when HistoryReference is set/available
  • Issue 867 : HttpMessage#getFormParams should return an empty TreeSet if the request body is not “x-www-form-urlencoded”
  • Issue 868 : Core API - “messages” view shouldn’t return internal/temporary messages
  • Issue 869 : Differentiate proxied requests from (ZAP) user requests
  • Issue 870 : Change the MainToolbarPanel’s expand buttons to use ButtonGroup and Action
  • Issue 871 : Title not updated when session name is changed through the main tool bar button “Session Properties…”
  • Issue 872 : Core API - Allow to send a manual request
  • Issue 873 : Core API - Allow to send a manual request in HAR format
  • Issue 874 : Change BreakPanelToolbarFactory to use Actions
  • Issue 875 : Remove i18n directory
  • Issue 876 : Deprecate FuzzerPanel#PANEL_NAME
  • Issue 877 : ExtensionPopupMenuItem#isEnableForComponent called twice on some pop up menus each time is shown using the MainPopupMenu
  • Issue 878 : ExtensionPopupMenuItem#getMenuIndex() as no effect in MainPopupMenu
  • Issue 879 : Pop up menu “Spider Context…” is enabled even if ExtensionSpider is disabled
  • Issue 880 : Remember last selected directory when adding custom fuzz files
  • Issue 881 : Fail immediately if zapdb.script file is not found
  • Issue 882 : Remove “Copy” pop up menu item shown in the “Forced Browse” tab
  • Issue 884 : Plug-n-Hack phase 2
  • Issue 885 : API - Actions’ response not shown when using HTML format
  • Issue 886 : Main pop up menu invoked twice on some components
  • Issue 887 : Scanners’ pause button with inconsistent selection/enabled state
  • Issue 888 : Search API - URL views might return unexpected URLs when pagination is used
  • Issue 889 : JSONException while calling an API “other” without the required parameter(s)
  • Issue 890 : Allow to clear “Output” tab
  • Issue 891 : Target build “generate-javadocs” should apply SVN mime-type property to all generated files
  • Issue 892 : Cache of response body length in HistoryReference might not be correct
  • Issue 896 : PnH: Flag any fuzz attacks that hit the DOM XSS oracle
  • Issue 897 : Add a JToggleButton that allows to set a tool tip text based on button’s state
  • Issue 898 : Replace all toggle buttons that set a tool tip text based on button’s state with ZapToggleButton
  • Issue 899 : Remove “manual” update of toggle buttons’ icon based on button’s state
  • Issue 900 : IllegalArgumentException when invoking the main pop up menu with menus or super menus with high menu index
  • Issue 901 : Pop up menu “succeed” separator is not added when using sub-menu in MainPopupMenu
  • Issue 902 : Change all ExtensionAdaptor#hook(ExtensionHook) overriding methods to call the base implementation
  • Issue 903 : Change options’ thread sliders to use the same component
  • Issue 904 : Add a button group that allows to deselect the selected button
  • Issue 905 : Incorrect link in “Break tab” help pages
  • Issue 910 : Forced User cannot be changed
  • Issue 911 : AScan API - Change the “scanners” view to include the state of the active scanner
  • Issue 912 : PScan API - Change the “scanners” view to include the state of the passive scanner
  • Issue 913 : AScan API - Allow to list/get the active scanner policies
  • Issue 914 : AScan API - Allow to set the active scanner policies enabled
  • Issue 915 : Dynamically filter history based on selection in the sites window
  • Issue 919 : Allow vulnerabilities.xml to be localized IdealFirstBug
  • Issue 920 : Add include/exclude url patterns to history filter
  • Issue 921 : PnH2: open as monitored url
  • Issue 923 : Allow individual rule thresholds and strengths to be set via GUI
  • Issue 925 : HTML report issues
  • Issue 929 : AScan API - Allow to set the attack strength and alert threshold of active scanner policies and active scanners
  • Issue 930 : AScan API - Allow to list/get the active scanners by policy ID
  • Issue 931 : Allow extensions to pick up command line args in GUI mode
  • Issue 932 : Allow scripts to be specified on the command line
  • Issue 933 : Automatically determine install dir
  • Issue 934 : Handle files on the command line via extension
  • Issue 935 : Improve the identification of Java version
  • Issue 939 : ZAP should accept SSL connections on non-standard ports automatically
  • Issue 947 : Spider fails on URLs with illegal characters
  • Issue 950 : Cope with add-ons containing files copied directly into the plugins directory
  • Issue 951 : TLS’ versions 1.1 and 1.2 not enabled by default
  • Issue 954 : Changes to certain fields in the GUI are not saved after clicking OK/Proceed
  • Issue 955 : keyboard focus lost when large body found
  • Issue 956 : Copy URLs doesn’t copy multiple
  • Issue 957 : Reference for alert “X-Content-Type-Options header missing”
  • Issue 963 : Add-on added to blocklist if it cant be deleted on update
  • Issue 965 : Support ‘single page’ apps and ’non standard’ parameter separators
  • Issue 966 : Quickstart command line option
  • Issue 967 : InvalidParameterException while updating the “Script Console” add-on
  • Issue 968 : Allow to choose the enabled SSL/TLS protocols
  • Issue 969 : Proxy - Do not include the response body when answering unsuccessful HEAD requests
  • Issue 970 : Body of DELETE requests should be sent/forward
  • Issue 974 : Scan URL path elements
  • Issue 975 : Inverse Search Fuzz Results Buggy
  • Issue 976 : Spider Context Attack causes spidering outside of context
  • Issue 979 : Sites and Alerts trees can get corrupted
  • Issue 981 : Internationalize help file
  • Issue 982 : API key
  • Issue 986 : New ScanProgress dialog implementation and plugin skipping functionality
  • Issue 987 : Allow arbitrary config file values to be set via the command line
  • Issue 988 : ZAP Help crashes before starting
  • Issue 989 : Add a right click option “Add user” on an HTTP session
  • Issue 991 : Add-on/Scan rule review request - Persistent XSS
  • Issue 996 : Ensure all dialogs close when the escape key is pressed
  • Issue 997 : Session.open complains about improper use of addPath
  • Issue 998 : Silly regexp search kills ZAP
  • Issue 999 : History loaded in wrong order
  • Issue 1002 : Add support for Authentication via Scripts
  • Issue 1003 : XXE Vulnerability Testing Plugin
  • Issue 1004 : Source Code disclosure using Git meta-data
  • Issue 1005 : Source Code disclosure using Subversion meta-data
  • Issue 1006 : Spidering of web applications using using Git meta-data
  • Issue 1007 : Spidering of web applications using using Subversion (SVN) meta-data
  • Issue 1010 : Allow to sort fuzz results
  • Issue 1012 : Encode / Decode dialog - support HTML and JavaScript encoding IdealFirstBug
  • Issue 1016 : HTML encoding display issue in credits.html
  • Issue 1017 : Proxy set to 0.0.0.0 causes incorrect PAC file to be generated
  • Issue 1018 : Give AbstractAppParamPlugin implementations access to the parameter type
  • Issue 1019 : ZAP startup with bad JAVA_HOME shows confusing error message
  • Issue 1020 : Duplicate “Body: Table” plug-able view on Request/Break tabs
  • Issue 1021 : OutOutOfMemoryError while running the active scanner
  • Issue 1022 : Proxy - Allow to override a proxied message
  • Issue 1023 : Script Console - Run/Stop buttons with inconsistent state
  • Issue 1024 : Large Response view is shown even if a response body is not present
  • Issue 1025 : NullPointerException while pressing a key with “Script Console” text areas selected
  • Issue 1030 : Load and save scan policies
  • Issue 1031 : Adding Parameter Exclusion capabilities to the Active Scanner
  • Issue 1032 : Add API support for Script Based Authentication
  • Issue 1033 : org.zaproxy.clientapi.core.Alert does not override equals() method
  • Issue 1037 : JSON RPC parameters are not set correctly
  • Issue 1039 : Improve External Redirect plugin Accuracy
  • Issue 1041 : Active Scan plugins don’t start if the site is local to 127.0.0.1
  • Issue 1042 : Having significant issues opening a previous session
  • Issue 1043 : Custom active scan dialog
  • Issue 1044 : Forced User Mode is not persisted across Session saves/loads
  • Issue 1046 : The getHttpCookies() method in the HttpResponseHeader does not properly set the domain
  • Issue 1047 : Backup Files not detected by Zap
  • Issue 1049 : Fast multiple pattern search component
  • Issue 1050 : Scripting based Input Vectors
  • Issue 1051 : Zap can bound services to all network interfaces
  • Issue 1052 : Callback API for active scan plugins
  • Issue 1053 : String similarity and LCS algorithm component
  • Issue 1055 : Load extensions before plugins
  • Issue 1057 : Add a Extension.postInstall() method for post install actions
  • Issue 1059 : Add Jython support for Script-Based Authentication
  • Issue 1060 : Add JRuby support for Script-Based Authentication
  • Issue 1061 : Select proper Script Type, Engine and Template when creating new script
  • Issue 1063 : Option to decode add gzipped content (was handle compression for scripts)
  • Issue 1065 : Rename ExtensionScripts to ExtensionScriptsConsole Maintainability
  • Issue 1066 : Add support for quickly setting Script Based Authentication from scripts UI
  • Issue 1068 : Zap does not detect source code in responses
  • Issue 1069 : Support .-: in Zest variable names
  • Issue 1071 : Using Zest-Script “Replace in response-body” delivers wrong Content-Length header.
  • Issue 1072 : SQLDataException: data exception: string data, right truncation
  • Issue 1074 : Add option to only display output from the displayed script
  • Issue 1075 : Change TableHistory to delete records in batches Performance
  • Issue 1076 : Change active scanner to not delete the temporary messages generated Performance
  • Issue 1077 : Change (HTTP) fuzzer to not delete the temporary messages generated Performance
  • Issue 1078 : Change ExtensionBreak to fallback to base message type breakpoint manager implementation
  • Issue 1079 : Remove misplaced main pop up menu separators
  • Issue 1080 : User Guide HTML pages incorrectly relying on the platform default encoding
  • Issue 1081 : ExtensionPopupMenu should “notify” child ExtensionPopupMenu (and ExtensionPopupMenuItem) when the pop up is invoked
  • Issue 1082 : Search URL matches highlighted in incorrect position
  • Issue 1083 : Deprecate the method ExtensionPopupMenuItem#isSuperMenu()
  • Issue 1084 : NullPointerException while selecting a node in the “Sites” tab
  • Issue 1085 : Do not add/remove pop up menu items through the method View#getPopupMenu()
  • Issue 1086 : Allow to dynamically add/remove passive scanners
  • Issue 1087 : Change extensions to dynamically add passive scanners
  • Issue 1088 : Deprecate the method ExtensionPopupMenu#prepareShow
  • Issue 1089 : Change ExtensionPopupMenu to honour the extension pop up methods
  • Issue 1090 : Do not add pop up menus if target extension is not enabled
  • Issue 1091 : CoreAPI - Do not get the IDs of temporary history records
  • Issue 1092 : SearchThread - Do not get the IDs of discarded messages
  • Issue 1093 : Add an HTTP request body view that warns of large body
  • Issue 1094 : Change ExtensionManualRequestEditor to only add view components if in GUI mode
  • Issue 1095 : Replace main pop up sub menus with ExtensionPopupMenu when appropriate
  • Issue 1096 : AddOnLoader calls incorrect notify method after uninstalling add-on files
  • Issue 1097 : Move “Run applications” (invoke) extension to zap-extensions project
  • Issue 1098 : Move AJAX Spider help pages to “Ajax Spider” add-on (and update them)
  • Issue 1099 : Allow to annotate option methods as ignored for ZAP API
  • Issue 1100 : Annotate option methods that shouldn’t be exposed in the ZAP API
  • Issue 1101 : Change passive scanners to expose its IDs
  • Issue 1102 : Ajax Spider - Replace ajax spider proxy with core proxy
  • Issue 1103 : Script Console - Allow to clear output even if “clear on run” is enabled
  • Issue 1104 : Replace all toggle buttons that set a tool tip text based on button’s state with ZapToggleButton (add-ons)
  • Issue 1105 : Remove “manual” update of toggle buttons’ icon based on button’s state (add-ons)
  • Issue 1106 : HistoryList’s mapping of history ID to list indexes not updated when history entry is deleted
  • Issue 1110 : Spider API - Unable to set how parameters are handled using API
  • Issue 1111 : Check for Updates on startup gets (automatically) disabled when accessing the “Options” dialogue
  • Issue 1112 : Change ZAP (core) to support new add-on dir structure
  • Issue 1113 : Change add-on dir structure (help and resources)
  • Issue 1118 : Alerts Tab can get out of sync
  • Issue 1119 : Spider doesn’t detect multiple forms on the same URL
  • Issue 1120 : Uninstall add-on fails if rules use message bundle in uninstall
  • Issue 1121 : Scan progress dialog can cause UI freezes
  • Issue 1122 : Add-on additional info
  • Issue 1125 : Can’t re-import jython script as a proxy script
  • Issue 1126 : Bugs in breakpoint filters
  • Issue 1127 : Feature request: Allow scripts to generate breaks
  • Issue 1131 : Support Zest Intercept actions in add-on
  • Issue 1132 : HttpSender ignores the “Send single cookie request header” option
  • Issue 1134 : Passive Scan Rule regexes not validated
  • Issue 1135 : Marketplace tab cant be updated if cfu runs on start
  • Issue 1137 : ZAP locks up when deleting nodes
  • Issue 1138 : Passive Scan Rule changes not saved
  • Issue 1145 : Cookie parsing error if a comma is used

See also

Introduction the introduction to ZAP
Releases the full set of releases
Credits the people and groups who have made this release possible