Release 2.5.0

The following changes were made in this release:

ZAP API Changes:

VIEW authorization / getAuthorizationDetectionMethod

Now returns data wrapped in an object called authorizationDetectionMethod For example:

{"authorizationDetectionMethod":{"statusCode":"-1"..."headerRegex":""}}

instead of:

{"statusCode":"-1"..."headerRegex":""}

VIEW context / context + technologyList

Both now return data wrapped in an object called “context” For example:

{"context":{"id":"1", ..., "inScope":"true","loggedOutPattern":""}}

instead of:

{"id":"1", ..., "inScope":"true","loggedOutPattern":""}

ACTION spider / scan + scanAsUser

Both now support a new optional ‘subtreeOnly’ parameter which limits the spider to the specified subtree. The ‘url’ parameter is also now optional, as long as a valid ‘context’ parameter is supplied

New ‘stats’ component

The new ‘stats’ API component provides access to the stats now maintained by ZAP.

Note that some existing components will also have new operations, see the API Web UI for more details.

Enhancements:

  • Issue 266 : Add auto tagging for setting cookies, json
  • Issue 646 : Password outgoing proxy in plain text on screen
  • Issue 1171 : Sites tree to raise ’new site / new node’ events
  • Issue 1229 : Update Extensions/Plugins to Take Advantage of New Confidence Scale
  • Issue 1341 : Update alert XML schema to remove element-level name collision
  • Issue 1590 : Mode to apply when running as a daemon
  • Issue 1713 : Source Code Disclosure SVN Throws False Positive
  • Issue 1864 : Copy scan progress as text to clipboard
  • Issue 1958 : Allow to disable database (HSQLDB) log
  • Issue 1959 : Allow to active scan headers of all requests
  • Issue 1980 : Add ZAP CLI to Docker images
  • Issue 2068 : LoggedIn and LoggedOut indicators inside authentication scripts
  • Issue 2070 : It should be possible for the authentication scripts to configure how the messages are sent
  • Issue 2121 : Disable Req/Resp tabs position options when in “Expand Full” layout
  • Issue 2127 : Warn if the report generation failed
  • Issue 2162 : add-marketplace-sorting
  • Issue 2171 : Add-ons managed via api, cli
  • Issue 2174 : ExpressionLanguageInjectionPlugin - Needs logging fix
  • Issue 2177 : SourceCodeDisclosureSVN - Can’t write to temp DB
  • Issue 2183 : API: Include status in the ascan/progress response
  • Issue 2237 : Allow java max mem to be overridden on the cmdline
  • Issue 2238 : spider: fallback to parse HTML comments as plain text if no URL found
  • Issue 2272 : SQLInjectionHypersonic (Beta) - Exceptions
  • Issue 2273 : Support site level stats
  • Issue 2274 : Allow to spider just a site’s subtree
  • Issue 2275 : spider: do not require a URL, through the API, if the context has seeds
  • Issue 2277 : spider: preserve query parameters with same name when canonicalising URL
  • Issue 2289 : Record site based response time stats
  • Issue 2324 : Include scanners’ status in API scanners views
  • Issue 2330 : Add authentication stats
  • Issue 2335 : Add Outbound Proxy Password Peak
  • Issue 2342 : Ability to manage Sites in ZAP via API
  • Issue 2347 : Allow to remove context factories from View/Model
  • Issue 2361 : Rename tool bar option Expand Full to Full Layout
  • Issue 2362 : Allow to select all Spider results
  • Issue 2367 : Change break buttons location without restarting ZAP
  • Issue 2368 : Do not require a restart to show/hide the main tool bar
  • Issue 2381 : Do not allow to save/write to read-only files
  • Issue 2400 : Show a more informative message on read timeouts through the proxy
  • Issue 2410 : Show HTTP messages in the Spider tab
  • Issue 2413 : Disable “Show in History Tab” if message not valid
  • Issue 2418 : Spider: support maximum duration in mins option
  • Issue 2420 : Allow active scanners to notify that a message was sent
  • Issue 2422 : Support Statsd and moved stats to new ext
  • Issue 2465 : Allow to wait for ZAP to start with ClientApi
  • Issue 2466 : Allow to access a URL through the ZAP API
  • Issue 2479 : Show User Guide even if a search view has errors
  • Issue 2481 : Set correct application name in Linux
  • Issue 2482 : Normalise Session dialogue tables “Exclude from”
  • Issue 2484 : Circular Redirects
  • Issue 2486 : Clear ScriptVars on session change
  • Issue 2494 : ZAP Proxy is not showing the HTTP CONNECT Request in history tab.
  • Issue 2504 : Explicitly add manual HTTP requests to Sites tree
  • Issue 2506 : Do not discard the session for file based database
  • Issue 2512 : Update HSQLDB library to version 2.3.4
  • Issue 2519 : Enable menu/button when help add-on is installed

Bug fixes:

  • Issue 1529 : TestExternalRedirect Missing Use Case plus Performance and FP Improvements
  • Issue 1597 : Java 8 - Mac OS/X package
  • Issue 1639 : XSS False Negative on script injections into the Referer HTTP header
  • Issue 1786 : Activescan Scripts Silent Failure
  • Issue 1801 : URL StandardParameterParser not working correctly with QueryString
  • Issue 1848 : VariantURLQuery throwing exceptions on active scan
  • Issue 1874 : Two Cookie line in the header when adding a cookie with an httpsender script and doing an active scan
  • Issue 1875 : Scanner temp history not cleaned on close
  • Issue 2090 : Context: Rename User, can’t select in Forced User Panel
  • Issue 2110 : SQL Injection gets skipped
  • Issue 2112 : Wrong policy on active Scan
  • Issue 2115 : Python API context.context(“MyContext”) is broken
  • Issue 2119 : Context’s description not imported
  • Issue 2122 : Change SpiderAPI to ignore empty context names when handling scan action
  • Issue 2125 : Log the exception when opening session file and internationalise message
  • Issue 2126 : Fix NullPointerException on missing context’s authentication script
  • Issue 2132 : Zap Report Counting Bug
  • Issue 2142 : Fuzzer throwing exceptions
  • Issue 2144 : Java.lang.NullPointerException in “AWT-EventQueue-0”
  • Issue 2151 : AJAX Spider does not click all elements set in the options
  • Issue 2153 : 2.4.3 failed parse the POST Data containts bracket([])
  • Issue 2193 : Initialise Technology tab with selected context in Active Scan dialogue
  • Issue 2197 : Install new versions of the add-ons after downloading with -addonupdate
  • Issue 2199 : Disallow Spider scans when ZAP is in Safe (or Protected) mode
  • Issue 2203 : Fix findbugs warnings
  • Issue 2208 : Prevent the active scanner from reporting progress higher than 100%
  • Issue 2226 : ZAP should handle HttpSessionsSite’s cookie errors more gracefully
  • Issue 2246 : Error in sessions view with tokens
  • Issue 2259 : Fix NullPointerException in VariantCookie implementation
  • Issue 2281 : Filter params for a specific site
  • Issue 2282 : Spider a whole context at once
  • Issue 2292 : Enhance alertFingerPrint
  • Issue 2297 : AWT blocker activation interrupted - java.lang.InterruptedException
  • Issue 2307 : Add missing optional parameter “scanPolicyName” to ascan API actions
  • Issue 2312 : Give focus to “Edit Keyboard Shortcut” dialogue
  • Issue 2313 : Properly convert (old) excluded proxy domains
  • Issue 2314 : Cannot add several payloads to fuzzer (NullPointerException)
  • Issue 2323 : Fix (secure) ZAP API request loop
  • Issue 2328 : Fix issue during uninstallation of named extension
  • Issue 2329 : Filter seeds immediately before running the spider
  • Issue 2331 : Custom Context Panels not show in existing contexts after installation of add-on
  • Issue 2336 : BadLocationException thrown when using Fuzzer
  • Issue 2357 : Inconsistencies while changing between panel layouts
  • Issue 2363 : Keep break buttons in sync when changing mode
  • Issue 2366 : Inconsistencies in break buttons shown
  • Issue 2373 : Show Tab not working correctly in Full Layout for non-information tabs
  • Issue 2374 : Unable to change response tab position without main tool bar
  • Issue 2390 : HeadlessException should be handled more gracefully & README needs Headless details
  • Issue 2394 : Change API authorization view to wrap its object
  • Issue 2399 : Timeout requests not shown in ZAP
  • Issue 2421 : Active scanner request count mismatch
  • Issue 2428 : Memory leak on session creation/loading
  • Issue 2429 : InterruptedExceptions while stopping the spider with user authentication
  • Issue 2435 : Clean up spider task resources, when not consumed
  • Issue 2436 : Unable to dynamically uninstall WebSockets add-on
  • Issue 2440 : Exception while opening the Active Scan dialogue
  • Issue 2451 : Only a single Data Driven Node can be saved in a context
  • Issue 2463 : Websocket not proxied when outgoing proxy is set
  • Issue 2469 : Always return 100% when spider stopped
  • Issue 2472 : Use file name case when loading policies from file
  • Issue 2474 : Add multiple context URL in/exclusions at once
  • Issue 2475 : Correct help page for Passive Scan Rules options
  • Issue 2487 : Wrong charset used in HTTP body
  • Issue 2516 : Add auth and spider task types to temporary types

See also

Introduction the introduction to ZAP
Releases the full set of releases
Credits the people and groups who have made this release possible