Release 2.4.1

This release includes important security fixes - users are urged to upgrade asap.

One of the changes means that an API key is created by default, which means that any applications using the ZAP API will fail unless they are updated to use that key.
The API Key can be found in the API Options screen
You can also set it from the command line using an option like:

-config api.key=change-me-9203935709

For more details see https://www.zaproxy.org/faq/why-is-an-api-key-required-by-default/

The following changes were made in this release:

Enhancements:

  • Issue 321 : Support multiple databases
  • Issue 1459 : Add an HTTP sender listener script
  • Issue 1500 : Update Bouncy Castle libs
  • Issue 1566 : Improve active scan’s reported progress
  • Issue 1573 : Add option to inject plugin ID in header for all ascan requests
  • Issue 1607 : Unable to save the test session via API
  • Issue 1621 : AScan API - Allow to scan as a user
  • Issue 1625 : Support multiple structural params and ones on top level nodes
  • Issue 1653 : Support context menu key for trees
  • Issue 1655 : Copy Session Token from Http Sessions tab to clipboard
  • Issue 1662 : Add default Rails anti-CSRF token parameter
  • Issue 1664 : Clients tab autoscroll
  • Issue 1684 : Unable to set technology via API
  • Issue 1688 : Updating owasp/zap2docker image with Python Client API
  • Issue 1690 : Bump key pair size to 2048 for all certs in the (proxy’s) chain of trust
  • Issue 1695 : Change SSL cert signature algorithm to “SHA-256 with RSA Encryption”
  • Issue 1699 : Allow ApiImplementor’s to add custom headers
  • Issue 1715 : Unable to pass arguments when launching ZAP from the command line on Mac OS X
  • Issue 1728 : Update JRE to 1.7u79 (CPU) for MacOS

Bug fixes:

  • Issue 444 : Guaranteed NPE on AliasCertificate.getName() if getCN()==null
  • Issue 1442 : Up/Down arrow keys in results stop working if “reflected”
  • Issue 1473 : Spider does not handle URLs extracted from meta tags correctly
  • Issue 1497 : The spider is extracting and reporting links from comments - event when instructed not to do so
  • Issue 1598 : startup script lacks support for FreeBSD
  • Issue 1615 : Search “All” option not working
  • Issue 1617 : ZAP 2.4.0 throws HeadlessExceptions when running in daemon mode on headless machine
  • Issue 1618 : Target Technology Not Honored
  • Issue 1619 : Search regex might not be validated
  • Issue 1624 : Error while loading ZAP 2.4.0
  • Issue 1626 : Structural parameters not saved when context exported and not available via the API
  • Issue 1636 : Users (for auth) & Forced User not loaded from session
  • Issue 1647 : Wrong reference in Zest Result
  • Issue 1674 : Ajax spider not considering get parameters
  • Issue 1677 : Fuzzers can’t be expanded on OS X
  • Issue 1694 : “Error: setting file is missing. Program will exit.” even if file exists
  • Issue 1698 : Escape API exceptions
  • Issue 1700 : Forced Browse Lists Missing from Drop-Down in 2.4.0
  • Issue 1706 : Add API security options
  • Issue 1708 : Context’s technology tree can get out of sync
  • Issue 1709 : Applications are not (immediately) shown after start
  • Issue 1714 : PNH should not reflect API key unless user supplies it
  • Issue 1716 : Restrict use of CORS header in pnh
  • Issue 1720 : Add more security options for JSONP API
  • Issue 1724 : Ensure API component names are escaped in the HTML output
  • Issue 1735 : Context’s technologies not used in active scan unless overridden

See also

Introduction the introduction to ZAP
Releases the full set of releases
Credits the people and groups who have made this release possible