Release 2.7.0

This is a bug fix and enhancement release, which requires a minimum of Java 8.

Some of the more significant enhancements include:

  • Browser launch included by default - this allows you to launch browsers from ZAP that are preconfigured to proxy through ZAP and ignore the certificate warnings due to the ZAP root certificate.
  • Allow ZAP to listen on multiple addresses/ports
  • Support Server Name Indication
  • Updated NTLM engine implementation - this fixes the cases where the domain is being validated and improves interoperability with other (server) NTLM implementations
  • Lots of new API endpoints - see below for details

Note that if you do have any problems with this release then there is also a new ‘Help/Support Info…’ menu item that provides essential information about your ZAP installation which you should include with any issues you raise.

Enhancements:

  • Issue 1015 : Support Server Name Indication
  • Issue 1313 : Spider - Allow to configure the size limit of parseable responses
  • Issue 1604 : Import policy file via API
  • Issue 1620 : Add endpoint to get number of alerts grouped by risk level
  • Issue 1681 : Change ‘Active Scan’ to show the last n requests instead of the first ones
  • Issue 2411 : Warn if dynamic SSL root CA certificate is expired
  • Issue 2615 : Filtering ZAP Reports to Show High Risk Items
  • Issue 3040 : Export param tab contents
  • Issue 3101 : Allow add-ons to use Semantic Versioning
  • Issue 3156 : Use G1 as default garbage collector
  • Issue 3253 : Export URLs Per Context
  • Issue 3365 : Enhancement: Additional Global Exclude default patterns
  • Issue 3367 : Expose ZAP’s home dir path through the ZAP API
  • Issue 3374 : Adjust to more user favorable column widths
  • Issue 3381 : i18n Core Extension Names
  • Issue 3387 : Allow esc to close AbstractFormDialog
  • Issue 3392 : Show all messages sent by the Spider
  • Issue 3395 : Add option to spider anonymously with a session
  • Issue 3398 : Increase limit of global script variables’ value
  • Issue 3404 : Add new Default CSRF Token for OWASP CSRF Guard
  • Issue 3408 : Improve error handling when resetting the options
  • Issue 3443 : Expose Alerts options through the ZAP API
  • Issue 3446 : Enhancement: Add ability to export a Site Map via Context Menu
  • Issue 3457 : Allow to filter core view “urls” by base URL
  • Issue 3460 : Enhancement: Provide help finding the Log directory in the UI
  • Issue 3461 : Enhancement: Browse API Doesn’t work when browser isn’t using ZAP as proxy
  • Issue 3476 : Allow passive rules to choose the type of msgs
  • Issue 3481 : Export Tables via UI
  • Issue 3498 : Minor Enhancement: Support Same Columns in Search Results as History Tab
  • Issue 3500 : Allow to manage messages’ tags in multiple tabs
  • Issue 3508 : Use newer ECMAScript engine if available
  • Issue 3514 : Allow to obtain multiple messages by ID
  • Issue 3521 : Enhancement Request: Add Filter To Passive Scan Rules Options Panel
  • Issue 3527 : Update baseline script to support python 3
  • Issue 3529 : Allow to add tags with Passive Rules
  • Issue 3533 : Additional Table Export Buttons
  • Issue 3539 : Enhancement: Collect messages to scan before active scanning
  • Issue 3552 : Expose message’s tags through the ZAP API
  • Issue 3559 : ZAP API option to output report in JSON format
  • Issue 3574 : Show the add-on name in Extensions panel
  • Issue 3587 : Allow to use system’s locale for formatting
  • Issue 3595 : Print args and error msg when failed to parse args
  • Issue 3599 : Always attack Data Driven Nodes
  • Issue 3619 : Show plugin as OFF, in policy panels, if disabled
  • Issue 3626 : Allow to delete messages with keyboard shortcut
  • Issue 3676 : Enhancement: Delete single Alert using the api
  • Issue 3681 : Use number spinner for connection timeout
  • Issue 3686 : Allow to select alert’s CWE/WASC IDs and Source
  • Issue 3688 : Show scanner’s ID/name in Alert tab
  • Issue 3691 : Modernized and refined HTML reports
  • Issue 3700 : Ensure panel with validation errors is visible
  • Issue 3714 : Spider - report # of new endpoints discovered
  • Issue 3727 : Sites Tree Alpha Sort should ignore HTTP Method
  • Issue 3733 : Ascan API - Return alert count for each scanner
  • Issue 3739 : Allow to skip pending scanners
  • Issue 3765 : Show alert count in Scan Progress dialogue
  • Issue 3769 : Add Check for Updates toolbar button
  • Issue 3770 : Clear dockerfiles
  • Issue 3782 : Add msg and alert count to active scans API view
  • Issue 3787 : Added passive scan timeout
  • Issue 3793 : Allow to filter Keyboard options panel
  • Issue 3808 : added bare docker image file
  • Issue 3810 : Add JSON output support to zap-full-scan.py
  • Issue 3818 : Change right-click “Resend…” to “Send to Manual Request Editor”
  • Issue 3836 : Allow IPv6 loopback address to access the API by default
  • Issue 3837 : Add anoncsrf as anticsrf token name
  • Issue 3851 : Spider New Scan UI Consistency
  • Issue 3871 : Default to checking for updates on start
  • Issue 3878 : Support persistent connections in the API
  • Issue 3910 : Allow to skip scanners through the API
  • Issue 3918 : improved docker file
  • Issue 3922 : Refactor target access in docker scripts
  • Issue 3931 : Minor Enhancement to Very large response body message
  • Issue 3977 : Include spider messages when comparing sessions
  • Issue 3983 : Allow ZAP to listen on multiple addresses/ports
  • Issue 3992 : Allow to enable code folding in body text views
  • Issue 3993 : Added checkbox secure to callback option dialog.
  • Issue 4001 : Allow to delete a Context with keyboard shortcut
  • Issue 4049 : Allow to delete alerts with keyboard shortcut
  • Issue 4053 : AlertViewPanel line wrapping
  • Issue 4055 : New splash screen
  • Issue 4061 : Update NTLM engine implementation
  • Issue 4063 : Validate that -cmd and -daemon are not both set
  • Issue 4066 : Improve error message in script API

Bug fixes:

  • Issue 765 : Ctrl-F key doesnt work on Resend / Manual Request Editor dialogs
  • Issue 1222 : False positive: XSS scanning
  • Issue 1984 : Alerts API should always return ’evidence’ (and all other keys)
  • Issue 2375 : Unable to change Mode without main tool bar
  • Issue 2496 : ZAP only report the first alert in array
  • Issue 2744 : Unable to enable/disable Forced User mode without main tool bar
  • Issue 2756 : Class loading deadlock when loading httpsender script from API call and spidering
  • Issue 2989 : Redirect history not recorded when resend request
  • Issue 3154 : Execution Order for Plugins Displayed in Scan Progress Details, Progress Tab
  • Issue 3207 : History tab cleared when session persisted
  • Issue 3284 : Accept underscores in hostnames
  • Issue 3289 : Proxy excluded URLs still processed by ZAP
  • Issue 3350 : wrong comparison of HTTP Messages in queryEquals() method of HttpMessage class
  • Issue 3351 : the url disappear when i click it
  • Issue 3353 : ZAP API View:contextList method returns a string instead of JSON list
  • Issue 3359 : Missing Help details Options Connection screen
  • Issue 3363 : Spider Messages View Includes Underused Tags Column
  • Issue 3377 : ZAP can no longer load non UTF8 scripts
  • Issue 3382 : Fix “internal error” in ScriptAPI
  • Issue 3394 : Enable Session Tracking (Cookie) option not persisted
  • Issue 3397 : Do not uninstall a file if it no longer exists
  • Issue 3411 : Clear cached certs when setting Root CA cert
  • Issue 3440 : Log Exception when the provided config file could not be parsed
  • Issue 3456 : Bug: Paused Scans Wiped Out when Persisting a Session
  • Issue 3459 : Prescan Output is Confusing. Please Clarify.
  • Issue 3490 : Poor font rendering on linux
  • Issue 3531 : Docker scripts might get stuck on “Records to passive scan” seemingly indefinitely
  • Issue 3555 : Changing Session Name, doesn’t Update the Window Name
  • Issue 3571 : Require extension’s dependencies during extension loading
  • Issue 3590 : Set installation status to marketplace add-ons
  • Issue 3591 : Correctly check for add-on updates on dep calc
  • Issue 3620 : Return correct error on missing auth parameters
  • Issue 3621 : Sync HistoryReference cache in ExtensionHistory
  • Issue 3632 : Do not close session when changing its properties
  • Issue 3633 : “Generate Anti-CSRF Test Form” not working
  • Issue 3648 : Correct state of adv option in Spider dialogue
  • Issue 3667 : Markdown report heading format issue
  • Issue 3673 : API: sendHarRequest results in error if redirects are true
  • Issue 3675 : Sites tree option Show only URLs in Scope not working
  • Issue 3692 : zap-api-scan.py correct path handling
  • Issue 3696 : Correct API response for outgoing proxy changes
  • Issue 3703 : org.parosproxy.paros.db.DatabaseException: java.sql.SQLException: Can not issue executeUpdate() or executeLargeUpdate() for SELECTs
  • Issue 3711 : Session snapshots might “break” running scans
  • Issue 3723 : Properly reset Database options panel
  • Issue 3748 : Automatically skip dependent scanners
  • Issue 3759 : Update version check in zap.sh script for Java 9
  • Issue 3771 : Add-on files not updated when running newer ZAP/core version
  • Issue 3779 : Can’t open the Resend window because of missing font
  • Issue 3799 : Declare ExtensionDynSSL as supporting low mem
  • Issue 3825 : Show error if failed to active the certificate
  • Issue 3827 : mysql NULL value in where in CLAUSE
  • Issue 3832 : Errors in Input Vector Templates
  • Issue 3849 : Pscanrule Content Type Missing not working with Spider messages
  • Issue 3854 : Error whilst using Api - ERROR ExtensionUserManagement - Unable to persist Users
  • Issue 3889 : Initialise the source of the Alert always
  • Issue 3895 : JSON Input Vector fails if string has quoted chars
  • Issue 3907 : Normalise form-based login URL validation/usage
  • Issue 3912 : VariantDirectWebRemotingQuery might hang in infinite loop
  • Issue 3914 : Use ZapVersions.xml file in Docker images
  • Issue 3927 : zap-full-scan on docker tries to reach out to external network
  • Issue 3955 : Database too small to handle large login request bodies
  • Issue 3965 : Empty Cookie header causes errors
  • Issue 3969 : Logged in/out indicators not persisted when cleared
  • Issue 4004 : zap.bat should use %USERPROFILE% instead of %HOMEDRIVE%%HOMEPATH%
  • Issue 4013 : Sending to the Callback Endpoint while proxying through ZAP logs an error
  • Issue 4014 : Issue when attempting to ignore all rules for a URL
  • Issue 4028 : Warn when check for updates fails
  • Issue 4056 : Use realm as domain for NTLM authentication
  • Issue 4065 : Deleting a parent URL in History tab should not delete all child URLs
  • Issue 4079 : Cookie with unknown path is falsely rejected by ZAP

ZAP API Breaking Changes:

ACTION authentication / setAuthenticationMethod

The authentication type “formBasedAuthentication” will now require the login URL always in encoded form. The change ensures the login URL is used/sent as it was specified. Previously it would accept partially encoded URLs but they would be re-encoded when used, potentially leading to a different URL being used/sent.

VIEW context / contextList

This change will break the consumers that were manually parsing/extracting the names from the string. The structure of the data returned was changed to properly separate each name:

{"contextList":["Context 1","Context 2"]}

and:

<contextList type="list">
    <contextName>Context 1</contextName>
    <contextName>Context 2</contextName>
</contextList>

instead of:

{"contextList":"[Context 1, Context 2]"}

and:

<contextList>[Context 1, Context 2]</contextList>

VIEW core / setOptionUseProxyChain

Changed to return FAIL if the outgoing proxy was not enabled (because the required address/hostname was not previously set), before it would return always OK.

ZAP API Changed Endpoints:

VIEW core / alerts

Added optional riskId parameter to facilitate filtering the risk. Where riskId is in the range 0 for Informational and 3 for High.

VIEW core / numberOfAlerts

Added optional riskId parameter to facilitate filtering the risk. Where riskId is in the range 0 for Informational and 3 for High.

VIEW core / urls

Added optional baseurl parameter, to filter the URLs that are returned.

VIEW ascan / scans

Changed to also return the total number of alerts raised and messages sent during each scan.

VIEW ascan / scanProgress

Changed to also return the number of alerts raised by each scanner.

ZAP API New Endpoints:

VIEW core / alertsSummary

A new summary view for Alerts which displays counts of Alerts per Risk level. Optionally, filtered by a baseurl value.

{"High":0,"Low":132,"Medium":39,"Informational":153}

VIEW core / messagesById

Gets the HTTP messages with the given IDs.

VIEW core / messagesHarById

Gets the HTTP messages with the given IDs, in HAR format.

VIEW core / optionAlertOverridesFilePath

Gets the path to the file with alert overrides.

VIEW core / optionMaximumAlertInstances

Gets the maximum number of alert instances to include in a report.

VIEW core / optionMergeRelatedAlerts

Gets whether or not related alerts will be merged in any reports generated.

VIEW core / zapHomePath

Gets the path to ZAP’s home directory.

VIEW localProxies / additionalProxies

Gets all of the additional proxies that have been configured.

VIEW spider / optionAcceptCookies

Gets whether or not a spider process should accept cookies while spidering.

ACTION core / deleteAlert

Deletes the alert with the given ID.

ACTION core / setOptionAlertOverridesFilePath

Sets (or clears, if empty) the path to the file with alert overrides.

ACTION core / setOptionMaximumAlertInstances

Sets the maximum number of alert instances to include in a report. A value of zero is treated as unlimited.

ACTION core / setOptionMergeRelatedAlerts

Sets whether or not related alerts will be merged in any reports generated.

ACTION ascan / importScanPolicy

Imports a Scan Policy using the given file system path.

ACTION ascan / skipScanner

Skips the scanner using the IDs of the scan and the scanner.

VIEW localProxies / addAdditionalProxy

Adds a new proxy using the details supplied.

VIEW localProxies / removeAdditionalProxy

Removes the additional proxy with the specified address and port.

ACTION spider / setOptionAcceptCookies

Sets whether or not a spider process should accept cookies while spidering.

Vulnerability Details

The following vulnerability has been reported in a previous version of ZAP.
Many thanks to all of the researchers who have ethically reported issues to us via our bug bounty program.
If you need more details about this vulnerability then please contact us.

Windows Uninstaller Vulnerable to DLL Hijacking

The ZAP Windows Uninstaller for 2.6.0 is vulnerable to DLL Hijacking on Windows. This was a vulnerability in the 3rd party installer Install4j which has now been fixed.
Note that this can only occur if a malicious DLL is already on the path.

Credit: Sajeeb Lohani (sml555) of Bulletproof ZDS

See also

Introduction the introduction to ZAP
Releases the full set of releases
Credits the people and groups who have made this release possible