-
Add-ons
- Access Control Testing
-
Active Scan Rules
-
Active Scan Rules - Alpha
-
Active Scan Rules - Beta
-
Advanced SQLInjection Add-on
- AJAX Spider
- Alert Filters
- All In One Notes
-
AMF Support
- Authentication Helper
-
Authentication Statistics
-
Automation Framework
- Automation Framework - About
- Automation Framework - authentication
- Automation Framework - Environment
- Automation Framework - GUI
- Automation Framework - addOns Job
- Automation Framework - activeScan Job
- Automation Framework - delay Job
- Automation Framework - passiveScan-config Job
- Automation Framework - passiveScan-wait Job
- Automation Framework - requestor Job
- Automation Framework - spider Job
- Automation Framework - Options
- Automation Framework - Alert Job Test
- Automation Framework - Monitor Job Test
- Automation Framework - Statistics Job Test
- Automation Framework - URL Presence Job Tests
- Automation Framework - Job Tests
-
Bean Shell Console
-
BIRT Reports
-
Browser View
-
Bug Tracker
-
Call Graph
-
Call Home
- Client Side Integration
-
Code Dx
-
Collection: Pentester Pack
-
Collection: Scan Rules Pack
-
Common Library
-
Community Scripts
- Custom Payloads
-
Custom Report
-
Database Add-on
-
Dev Add-On
-
Diff
-
Directory List v1.0
-
Directory List v2.3
-
Directory List v2.3 LC
- DOM XSS Active Scan Rule
- Encode / Decode / Hash dialog
-
Eval Villain
-
Export Report
- Forced Browse
-
Form Handler
-
FuzzDB Files
-
FuzzDB Offensive
-
FuzzDB Web Backdoors
- Fuzzing
-
Getting Started Guide
-
GraalVM JavaScript
- GraphQL Support
- Groovy Support
-
Highlighter
-
HTTPS Info
- The HUD
- Import/Export
-
Import URLs
- Invoke Applications
-
JSON View
-
Kotlin Support
-
Linux WebDrivers
-
Log File Importer
-
MacOS WebDrivers
-
Neonmarker
- Network Add-on
- Out-of-band Application Security Testing Support
-
Online Menu
- OpenAPI Support
- Parameter Digger
-
Passive Scan Rules
-
Passive Scan Rules - Alpha
-
Passive Scan Rules - Beta
- Plug-n-Hack
- Port Scan
- Postman Support
- Python Scripting
- Quick Start
-
Regular Expression Tester
- Replacer
-
Report Alert Generator
-
Report Generation
- Report Generation - About
- Report Generation API
- Report Generation Automation Framework Support
- Creating Reports
- High Level Report Sample
- Modern HTML Report with themes and options
- Risk and Confidence HTML
- SARIF JSON Report
- Traditional HTML with Requests and Responses
- Traditional HTML
- Traditional JSON Report with Requests and Responses
- Traditional JSON Report
- Traditional Markdown Report
- Traditional PDF
- Traditional XML Report with Requests and Responses
- Traditional XML Report
- Report Templates
- Requester Add-on
- Retest
-
Retire.js
-
Reveal
-
Revisit
-
Ruby Scripting
-
SAML Support
-
Save Raw Message
-
Save XML Message
- Script Console
- Selenium
-
Sequence Scanner
- Server-Sent Events
- SOAP Support
- Spider
-
SVN Digger Files
- Technology Detection
-
Tips and Tricks
-
TLS Debug
- Token Generation and Analysis
-
TreeTools
-
Value Generator
-
ViewState
- WebSockets
-
Windows WebDrivers
-
Zest
-
Releases
- Release 1.0.0
- Release 1.1.0
- Release 1.2.0
- Release 1.3.0
- Release 1.3.1
- Release 1.3.2
- Release 1.3.3
- Release 1.3.4
- Release 1.4.0
- Release 1.4.1
- Release 2.0.0
- Release 2.1.0
- Release 2.10.0
- Release 2.11.0
- Release 2.11.1
- Release 2.12.0
- Release 2.13.0
- Release 2.14.0
- Release 2.2.0
- Release 2.2.1
- Release 2.2.2
- Release 2.3.0
- Release 2.3.1
- Release 2.4.0
- Release 2.4.1
- Release 2.4.2
- Release 2.4.3
- Release 2.5.0
- Release 2.6.0
- Release 2.7.0
- Release 2.8.0
- Release 2.9.0
-
Getting Started
- Scanner Rules
-
Features
- Add-ons
- Alerts
- Anti CSRF Handling
- API
- Active Scan
- Authentication
- Authentication Methods
- Authentication Verification Strategies
- Breakpoints
- Callbacks
- Contexts
- Custom Page
- Data Driven Content
- Globally Excluded URLs
- HTTP Sessions
- Manipulator-in-the-middle Proxy
- Marketplace
- Modes
- Notes
- Passive Scan
- Software Bill of Materials
- Scan Policy
- Scope
- Scripts
- Session Management
- Sites Tree
- Spider
- Statistics
- Structural Modifiers
- Structural Parameters
- Tags
- Users
- A Basic Penetration Test
- Configuring Proxies
-
Desktop UI Overview
-
Dialogs
- Add Alert dialog
- Add/Edit Breakpoint dialog
- Add Note dialog
- Active Scan dialog
- Encode / Decode / Hash dialog
- Find dialog
- History Filter dialog
- Manual Request Editor dialog
- Manage Add-ons
- Manage History Tags dialog
-
Options dialog
- Options Alerts screen
- Options Anti CRSF screen
- Options API screen
- Options Active Scan screen
- Options Active Scan Input Vectors screen
- Options Breakpoints screen
- Options Callback Address screen
- Options Client Certificate screen
- Options Check for Updates screen
- Options Connection screen
- Options Database screen
- Dynamic SSL Certificates
- Options Extensions screen
- Options Global Exclude URL screen
- Options HTTP Sessions screen
- Options JVM screen
- Options Keyboard screen
- Options language screen
- Options Local Proxies screen
- Options Passive Scan Tags screen
- Options Passive Scanner Screen
- Options Passive Scan Rules Screen
- Options Rule Configuration screen
- Options Scripts screen
- Options Search screen
- Options Spider screen
- Options Statistics screen
- Options Display screen
- Persist Session dialog
- Scan Policy Dialog
- Scan Policy Manager dialog
- Scan Progress Dialog
- Session Properties dialog
- Spider dialog
- Footer
- The Tabs
- Top Level Menu
- Top Level Toolbar
- Views
-
Dialogs
Release 2.4.3
The following changes were made in this release:
Enhancements:
- Issue 1576 : Define URL path elements as ’non structural'
- Issue 1711 : Feature request: Option to specify number of token to be generated.
- Issue 1768 : Update to use a more recent user-agent
- Issue 1894 : ZAP only scans “User-Agent”, “Referer”, and “Host” request headers
- Issue 1911 : Search AJAX spider requests
- Issue 1913 : Pass all params across to zap.sh - debian package
- Issue 1914 : Multiple add-on directories
- Issue 1920 : Report the host:port ZAP is listening on in daemon mode, or exit if it cant
- Issue 1927 : Enhancement: Break only for in-scope URLs.
- Issue 1944 : Chart responses per second in ascan progress
- Issue 1953 : Allow to spider a context through the ZAP API
- Issue 1962 : Install and update add-ons from the command line
- Issue 1975 : RC4-SHA SSL cipher suite not supported
- Issue 1980 : Add ZAP CLI to Docker images
- Issue 1985 : Bring up the Modify dialog if the user doubles on a row in a AbstractMultipleOptionsBaseTablePanel
- Issue 2009 : Add Online links to the FAQ and Newsletter pages
- Issue 2084 : Warn users if they are probably using out of date versions
- Issue 2086 : Report request counts per plugin
- Issue 2088 : Support an ‘update all’ button for installing all updated add-ons
- Issue 2094 : Support a ‘-addoninstallall’ command line option
- Issue 2102 : Allow ajax spider options to be set via the API
Bug fixes:
- Issue 1070 : Breaking on custom URL with query parameters does not work.
- Issue 1555 : SAXParseException while generating the report
- Issue 1617 : ZAP 2.4.0 throws HeadlessExceptions when running in daemon mode on headless machine
- Issue 1877 : fix path to .ZAP_JVM.properties in zap.sh
- Issue 1893 : Regression: Can’t disable and enable specific scanners through the API
- Issue 1910 : API does not return content in the expected encoding, on errors
- Issue 1917 : Request and Response tabs dont scale the text
- Issue 1939 : Scripts - Save Button Enablement Issue
- Issue 1949 : Script with missing type prevents scripts and templates from being loaded
- Issue 1950 : Connection closed without response, with an Authentication script with errors
- Issue 1951 : Exception when trying to add users before loading an authentication script
- Issue 1960 : Active Scan dialogue might use outdated scan policy
- Issue 1969 : Issues with installation of scanners
- Issue 1970 : Installed add-on dependencies might not be taken into account when installing add-ons
- Issue 1973 : Returned HAR/list does not contain correct redirection messages
- Issue 1981 : Spider might not report the correct number of URIs found
- Issue 2005 : Active scanning incorrectly performed on sibling nodes
- Issue 2044 : Issues in Hirschberg’s algorithm implementation
- Issue 2045 : Dont copy old configs if -dir option used
- Issue 2052 : Authentication changes done through the API not saved to session
See also
| Introduction | the introduction to ZAP | |
| Releases | the full set of releases | |
| Credits | the people and groups who have made this release possible |