Release 2.4.0

The following changes were made in this release:

Significant changes:

Attack mode

A new ‘ATTACK’ Mode has been added - new nodes that are in Scope are actively scanned as soon as they are discovered.

Advanced fuzzing

A completely new fuzzing dialog has been introduced that allows multiple injection points to be attacked at the same time.
This supports new attack payloads including the option to use scripts for generating the payloads as well as pre and post attack manipulation and analysis.

Scan dialogs with advanced options

New Active Scan, Spider and AJAX Spider dialogs have replaced the increasing number of right click ‘Attack’ options.
These provide easy access to all of the most common options and optionally a wide range of advanced options.

Scan Policies

A new Scan Policy Manager dialog allows you to create as many Scan Policies as you need.
Scan policies define exactly which rules are run as part of an Active Scan.
They also define how these rules run influencing how many requests are made and how likely potential issues are to be flagged.

Unused tabs hidden

By default only the essential tabs are now shown when ZAP starts up.
The remaining tabs are revealed when they are used (e.g. for the spider and active scanner) or when you display them via the special tab on the far right of each window with the green ‘+’ icon. This special tab disappears if there are no hidden tabs.
Tabs can be closed via a small ‘x’ icon which is shown when the tab is selected.
Tabs can also be ‘pinned’ using a small ‘pin’ icon that is also shown when the tab is selected - pinned tabs will be shown when ZAP next starts up.

Enablers for Sequence scanning add-on

A new optional ‘alpha’ status add-on adds the ability to scan ‘sequences’ of web pages, in other words pages that must be visited in a strict order in order to work correctly.

Enablers for access control testing add-on

A new optional ‘alpha’ status add-on adds the ability to automate many aspects of access control testing.

Note for API Users

Please be aware that the Plugin ID for the External Redirect scanner has changed from 30000 to 20019.

Full list of changes:

  • Issue 117 : Enhancement: Compare crawling sessions for authentication issues
  • Issue 234 : Support for fuzzing multiple parts
  • Issue 329 : Enhancement: Add sitemap.xml support
  • Issue 389 : Enable technology scope for scanners
  • Issue 414 : API: Support scripts
  • Issue 445 : SSLContextManager.isProviderAvailable() returns true as default
  • Issue 557 : SQL injection false negatives
  • Issue 642 : Output tab needs timestamps
  • Issue 653 : Handle updates better on Kali Linux
  • Issue 704 : ZAP Error: handshake alert: unrecognized_name
  • Issue 722 : ZAP UI doesnt handle multiple active scans well
  • Issue 883 : Support multiple scans in the API
  • Issue 949 : Spider (site) does not follow hyperlinks in JSON documents
  • Issue 959 : add-on updater might ignore outbound proxy changes
  • Issue 984 : Enhance ascan API to allow method to be specified
  • Issue 990 : Allow to delete alerts through the API
  • Issue 1151 : Active Scan in Scope finishes before scanning all messages in scope if multiple domains available
  • Issue 1154 : Tool tip text “Show tab names and tab icons” IdealFirstBug
  • Issue 1175 : Support a Contexts tree
  • Issue 1176 : Spider advanced scan dialog
  • Issue 1180 : Proxy corrupts URL when there are multiple question marks
  • Issue 1184 : Improve support for IBM JDK
  • Issue 1207 : AScan API - Change the “scanners” view to include the dependencies
  • Issue 1208 : Search classes/resources in add-ons declared as dependencies
  • Issue 1209 : Additional Reliability Values/Options & Rename Reliability to Confidence in UI
  • Issue 1214 : Sorting in Scan Policy Dialogs Usability
  • Issue 1215 : Alert Tree Ordering/Sorting Issue Usability
  • Issue 1216 : Typo in scripts tab
  • Issue 1217 : Table format does not display information when charset is present in Content-Type header
  • Issue 1224 : Display Status in Scan Policy Dialogs - Usability
  • Issue 1226 : Active scanner excluded parameter’s regexes not validated
  • Issue 1227 : Active scanner sends GET requests with content in request body
  • Issue 1238 : NullPointerException if an active scanner raises an alert with null attack
  • Issue 1239 : Allow extending the Spider from Extensions
  • Issue 1241 : Active scanner might not report finished state when using host scanners
  • Issue 1242 : Active scanner might use outdated policy settings
  • Issue 1243 : NullPointerException if a script type does not have core bundled script templates
  • Issue 1244 : Scripts Active Scanner should be category Misc not Injection Usability
  • Issue 1252 : Connection Exception during shutdown while running scans through the API
  • Issue 1256 : Revisit missing X-Frame-Options scanner level
  • Issue 1257 : Create a passive rule which detects big redirects
  • Issue 1261 : NPE on “Plug-n-Hack Configuration” update from market place
  • Issue 1262 : Address “Passive Rules - Risk - Reliability” [User controllable HTML element attribute (potential XSS), and Timestamp Disclosure - Unix]
  • Issue 1263 : Generate Report Clobbers Existing Files Without Prompting
  • Issue 1264 : Manual authentication - Cookie mismatch due to wrong handling of domain and path
  • Issue 1265 : Context import and export
  • Issue 1272 : ZAP API: Core.MessagesHAR() fails if a HTTP Request contains invalid Cookie header(s)
  • Issue 1274 : ZAP Error [javax.net.ssl.SSLException]: Unsupported record version SSLv2Hello
  • Issue 1275 : SpiderODataAtomParser must return true from “parseResource”
  • Issue 1278 : Safe menu items not available in protected and safe modes
  • Issue 1279 : Active scanner excluded parameters not working when “Where” is “Any”
  • Issue 1280 : API shortcuts not removed when the ApiImplementor is removed
  • Issue 1281 : QuickStart - Allow to generate the report when the view is initialised
  • Issue 1282 : Extension#stop() is never called before destroy()
  • Issue 1283 : SQLDataException: data exception: string data, right truncation while writing an alert to DB
  • Issue 1286 : Fuzzer seems to be slow
  • Issue 1290 : “Port Scan host” menu item enabled even if a port scan is already in progress
  • Issue 1291 : 407 Proxy Authentication Required while active scanning
  • Issue 1292 : NullPointerException while attempting to remove an unregistered ManualRequestEditorDialog
  • Issue 1294 : Trivial_UI_Issue: Word - ‘will be’ appears twice under ‘Session Properties’ prompt.
  • Issue 1295 : Enhancement Request - New Active Scan Rule to Check HTTP Access to HTTPS Content
  • Issue 1300 : Add-ons show incorrect language when English is selected on non English locale
  • Issue 1301 : AbstractPanel leak through TabbedPanel2
  • Issue 1302 : Context menu item action might not get executed
  • Issue 1303 : HttpPanel[SyntaxHighlight]TextArea leak through HighlighterManager
  • Issue 1304 : ZapMenuItem leak through ExtensionKeyboard
  • Issue 1305 : Outgoing proxy is disabled when updating from old versions
  • Issue 1307 : Ant OS X build of zip gets spaces in file name confused
  • Issue 1308 : ZAP icns resolution too low
  • Issue 1309 : NullPointerExceptions during a failed uninstallation of an add-on
  • Issue 1310 : Allow to set history types as temporary
  • Issue 1311 : Differentiate temporary internal messages from temporary scanner messages
  • Issue 1312 : Misleading error message when unable to bind the local proxy to specified address
  • Issue 1319 : Add API support for configuring a Context’s authorization detection
  • Issue 1322 : Remove deprecated Auth API
  • Issue 1324 : Include add-on api calls in the generated apis
  • Issue 1325 : Option to delete contexts
  • Issue 1326 : Move Ajax Spider Extension from Beta to Release status
  • Issue 1333 : ExtensionAntiCSRF ConcurrentModificationException
  • Issue 1334 : ZAP does not handle API requests on reused connections leading to UnknownHostException: www.zap.com
  • Issue 1335 : NullPointerException while selecting a node in the “Alerts” tab after excluding sites from proxy
  • Issue 1339 : Introduce a simple event bus
  • Issue 1343 : XContentTypeOptionsScanner Internationalization Usability
  • Issue 1345 : Support Attack mode
  • Issue 1346 : Breaking gziped responses fails in the browser
  • Issue 1348 : Java client api Ant tasks dont wait
  • Issue 1353 : Simpler break option
  • Issue 1355 : Html report generation through the API
  • Issue 1356 : Fix CacheControlScanner Typos
  • Issue 1357 : Hide unused tabs
  • Issue 1359 : Reinstate splash screen
  • Issue 1360 : New add-on - Tips and Tricks
  • Issue 1361 : No data appears on ‘Spider’ and ‘Active Scan’ panel while spidering or scanning by API
  • Issue 1362 : Being allowed to add duplicated Anti-CSRF tokens only by API
  • Issue 1363 : Missing API to get contextId
  • Issue 1367 : Can’t detect “Xpath Injection” on a certain environment.
  • Issue 1377 : “Source Code Disclosure - SVN” is missing regex escape
  • Issue 1378 : Revamp active scan panel
  • Issue 1379 : Not all extension’s listeners are hooked during add-on installation
  • Issue 1381 : Cleanly close breakpoint Add/Edit dialog on Cancel
  • Issue 1383 : NullPointerException if an anti CSRF token does not have a value
  • Issue 1384 : HttpSessions API does not accept URIs with path component
  • Issue 1385 : XML report is not generated through the API if ZAP is not run from default installation dir
  • Issue 1386 : PScan API - Allow to change and view alert thresholds
  • Issue 1387 : Unable to change the proxy’s port/address if the port/address was specified through the command line
  • Issue 1388 : Not all translated files are updated when “zaplang” package is imported
  • Issue 1389 : NullPointerException during startup if core help jar is not found
  • Issue 1390 : Force https on cfu call
  • Issue 1391 : Active Scan send wrong payload of multipart/form-data type
  • Issue 1394 : Import vulnerabilities.xml files when updating the translated resources
  • Issue 1395 : vulnerabilities’ data kept in memory even if not used
  • Issue 1397 : Move help files into add-ons
  • Issue 1399 : Enhance help to open ’external’ links in the users default browser
  • Issue 1404 : SpiderODataAtomParser must return true only if links are detected
  • Issue 1406 : Move online menu items to an add-on
  • Issue 1409 : Speed up ZAP startup
  • Issue 1415 : Fixed file uploads > 128k
  • Issue 1412 : Manage scan policies
  • Issue 1416 : Allow spider to be restricted by the number of children
  • Issue 1418 : Option for ZAP to stay on top when breakpoint hit
  • Issue 1419 : Include alert’s evidence in HTML report
  • Issue 1420 : Change spider’s URLCanonicalizer to skip URIs without authority
  • Issue 1427 : Standardize on [Cancel] [OK] button order
  • Issue 1433 : Spider Select target not selected automatically
  • Issue 1439 : button to show/hide only context/scoped sites in site tab
  • Issue 1445 : Session Properties shows Context ID not Context Name
  • Issue 1446 : Downloaded addons failure not handled correctly.
  • Issue 1447 : Update RSyntaxTextArea library
  • Issue 1449 : Resend / Manual Request help out of date
  • Issue 1458 : Change home/installation dir paths to be always absolute
  • Issue 1460 : Script types are not shown in “Script” tree when script type is added during installation of an add-on
  • Issue 1461 : Core API - Allow to get a message by ID in HTTP Archive format
  • Issue 1462 : Allow to remove script types
  • Issue 1463 : Allow scripts to access classes of add-ons
  • Issue 1464 : Allow to send “Referer” header in spider requests
  • Issue 1465 : Translated files are not copied to correct directory if ZAP is not run from default installation dir
  • Issue 1466 : Config option for ’large display’ size
  • Issue 1467 : AuthenticationApiExample not working
  • Issue 1468 : Script templates not available when new script types are added during an installation of an add-on
  • Issue 1469 : Automatically add a user if form based authentication specified based on a request
  • Issue 1472 : Allow extensions to specify a name for UI components
  • Issue 1475 : Alerts with different name from same scanner might not be shown in report
  • Issue 1476 : Display contexts in the Sites tree
  • Issue 1483 : MissingResourceException after uninstalling an add-on with passive scanners
  • Issue 1484 : NullPointerException during uninstallation of an add-on with active scanners
  • Issue 1485 : Do not allow to reselect an add-on if the uninstallation was unsuccessful
  • Issue 1486 : Add-on components leak
  • Issue 1489 : Version number in window title
  • Issue 1490 : Update HarLib library
  • Issue 1491 : Add versioned AbstractParam
  • Issue 1492 : Update commons-csv library
  • Issue 1493 : Remove deprecated authentication classes
  • Issue 1494 : Support script directories
  • Issue 1502 : Allow to remove script engine wrappers
  • Issue 1503 : Not all engines are shown when creating a script from type
  • Issue 1504 : Exception when a script engine is not installed/found
  • Issue 1505 : Not all “Forced Browse” components are unloaded during uninstallation
  • Issue 1507 : Not all “Script Console” components are unloaded during uninstallation
  • Issue 1508 : Alerts added in view in daemon mode
  • Issue 1510 : New Extension.postInit() method to be called once all extensions loaded
  • Issue 1511 : Add option to only allow secure connections to the API
  • Issue 1514 : Root CA cert not generated in daemon mode
  • Issue 1515 : Not all “Zest” components are unloaded during uninstallation
  • Issue 1520 : Add lock icon to https sites in the Sites tree
  • Issue 1521 : Throwable errors like StackOverflowError not caught by passive scanner
  • Issue 1524 : New Persist Session dialog
  • Issue 1525 : Introduce a database interface layer to allow for alternative implementations
  • Issue 1528 : Support user defined font size
  • Issue 1530 : Default attack strength and alert threshold, set in ‘Scan Policy’, not used by scanners
  • Issue 1534 : Change “Ajax Spider” add-on to depend on “Selenium” add-on
  • Issue 1535 : Update Crawljax library and dependencies (“Ajax Spider” add-on)
  • Issue 1536 : Change “Zest” add-on to depend on “Selenium” add-on
  • Issue 1537 : ZAP should allow importing CA certificates
  • Issue 1540 : Allow proxy scripts to fake responses
  • Issue 1541 : Enable active scan scripts to scan just a URL rather than every parameter
  • Issue 1544 : Support persistent script variables
  • Issue 1551 : ZAP does not detect Relative Path Confusion (aka “Relative Path Overwrite” / “Path Relative Stylesheet Import”)
  • Issue 1552 : ZAP does not detect Forward / Reverse Proxies
  • Issue 1553 : ZAP does not detect Storability / Cacheability of a response
  • Issue 1557 : Deadlock on making manual request

See also

Introduction the introduction to ZAP
Releases the full set of releases
Credits the people and groups who have made this release possible