Release 2.8.0

This is a bug fix and enhancement release, which requires a minimum of Java 8. Note that a minimum of Java 11 is recommended, especially for high DPI displays.

These release notes do not include all of the changes included in add-ons updated since 2.7.0.

Some of the more significant enhancements include:

Heads Up Display

The ZAP Heads Up Display (HUD) brings all of the essential ZAP functionality into your browser. It is ideal for people new to web security and also allows experienced penetration testers to focus on an application’s features while providing key security information and functionality.
The HUD can be enabled when proxying a browser through ZAP via the new ‘Manual Explore’ screen and a top level toolbar button.

Quick Start Screens

The Quick Start tab has been reworked to provide 3 screens:

  • Automated Scan: allows you to launch an automated scan against an application and the choice of traditional or ajax spider
  • Manual Explore: allows you to launch browsers configured to proxy via ZAP with the option to enable the HUD
  • Learn More: provides links to local and remote resources which you can use to learn more about ZAP

The tab also provides a news panel that provides a summary of ZAP news along with a link for more details. News items can be hidden when no longer needed.

Scan Rule Promotions

The following scan rules have been promoted:

Active Scan Rules - Release

  • Promote Source Code Disclosure WEB-INF (Issue 4448).

Passive Scan Rules - Release

  • Promote Charset Mismatch Scanner to release (Issue 4460).
  • Promote ViewState Scanner to release (Issue 4453).
  • Promote Insecure JSF ViewState Scanner to release (Issue 4455).
  • Promote Insecure Authentication Scanner to release (Issue 4456).
  • Promote Information Disclosure Debug Errors Scanner to release (Issue 4457).
  • Promote CSRF Countermeasures Scanner to release (Issue 4458).
  • Promote Cookie Loosely Scoped Scanner to release (Issue 4459).

Headless Browser Support

Headless browsers are now supported by the Selenium add-on and the add-ons that use it. Both the Ajax Spider and the DOM XSS scan rule now default to headless Firefox.

Command Line Changes

-dir <dir>

To prevent add-ons (inadvertently) use/override core files ZAP will no longer start (and show an error) if the home and the installation directories are the same.

CA Certificate Handling

The following options allow the root CA certificate to be set and read:

-certload <path>      Loads the Root CA certificate from the specified file name
-certpubdump <path>   Dumps the Root CA public certificate into the specified file name, this is suitable for importing into browsers
-certfulldump <path>  Dumps the Root CA full certificate (including the private key) into the specified file name, this is suitable for importing into ZAP

These options are particularly useful when running ZAP headless in Docker, as they allow you to either specify the CA certificate to use or to access the one that ZAP creates automatically for you.

Client Certificate Handling

It is now possible to set the Client Certificate from the command line with the following switches:

-config certificate.use=true
-config certificate.pkcs12.path=/path/to/file.p12
-config certificate.pkcs12.password=WhateverThePasswordIs
-config certificate.pkcs12.index=1
-config certificate.persist=true

-config certificate.pkcs12.index is only necessary if the file contains multiple certificates and you wish to use one other than the first. Index values start at zero (0) which is the first certificate in the file.

-config certificate.persist=true is only necessary if you would like the settings persisted in ZAP’s regular configuration file (so that they apply for subsequent ZAP use).

Source Code Restructuring

The ZAP repositories have all been migrated to use Gradle from Ant. Standard source code formatting is also now enforced for consistency.

Filters Removal

Deprecated since ZAP 2.4.0 the Filters functionality, that allowed to change/access some HTTP messages sent/received through ZAP, has now been removed, the same and much more can be achieved with scripts and Replacer add-on.

Changes in Bundled Libraries

The following libraries are no longer being bundled with ZAP (core):

  • BrowserLauncher2, it was replaced with the usage of JRE class java.awt.Desktop. Add-ons should use that class or bundle the library.
  • HttpComponents Client/Core, no longer in use by core, any add-ons that require them should bundle them.
  • JavaFX runtime, now relying on JRE (for example, OracleJDK, OpenJDK+OpenJFX).

The following libraries will be removed in a future release:

  • JDOM
  • Diff Utils

no longer in use by core, add-ons should bundle the library, if needed. The following libraries were updated:

  • Bouncy Castle, 1.52 → 1.61
  • Commons BeanUtils, 1.8.3 → 1.9.3
  • Commons Codec, 1.9 → 1.12
  • Commons Configuration, 1.9 → 1.10
  • Commons CSV, 1.1 → 1.6
  • Commons IO, 2.4 → 2.6
  • Commons Lang, 3.7 → 3.9
  • Commons Text, 1.3 → 1.6
  • HSQLDB, 2.3.4 → 2.4.1
  • Java SemVer, 0.8.0 → 0.9.0
  • Jericho HTML Parser, 3.1 → 3.4
  • RSyntaxTextArea, 2.5.8 → 3.0.3
  • SQLite JDBC, 3.8.11.1 → 3.27.2.1
  • SwingX, 1.6.4 → 1.6.5-1

Active Scan Input Vectors Change

Users now have the option of whether or not to add a query parameter to GET requests that did not have them to start with. In previous versions this behavior was not user controllable and was on by default. With the new user option the default has been changed to off.

JSON Authentication Method

An authentication method has been added which allows a JSON object to be sent in the request body.

JSON Report Change

For consistency the site property will be always an array regardless of the number of sites that the report contains, previously it would be an object if only one site and an array if more than one.

Display Options - Font Controls

In the Options dialog Display panel it is now possible for the user to select a General font and size for ZAPs GUI, as well as a Work Panel font and size used for the top right section of ZAP’s main window (Ex: Request/Response, the Edit and Resend tool, etc.).

Enhancements

  • Issue 1067 : User conversion between changes of AuthenticationMethods
  • Issue 1370 : Login HTTP requests without cookies with Form-based Authentication
  • Issue 1429 : Option to add custom ZAP header
  • Issue 2023 : Allow to set client certificate (PKCS#12) through the ZAP API
  • Issue 2182 : Add support for dynamic fields in Form-based authentication method
  • Issue 2439 : Configure Authentication with Json object
  • Issue 2528 : Feature request: Passive scanning during fuzzing
  • Issue 2950 : Script change monitor
  • Issue 2964 : Allow to select the look and feel
  • Issue 2965 : Support scanning multipart filename and content parameter
  • Issue 3447 : Param Tab Truncation
  • Issue 3485 : Minor Enhancement: Indicate amount of Java memory actually used in JVM Options Panel
  • Issue 3528 : Minor Enhancement: Add Date Format Preference
  • Issue 3734 : Allow add-ons without extensions to have help pages
  • Issue 3841 : Allow add-ons without extensions to have resource messages
  • Issue 3879 : Auto Set Active Imported Certificate
  • Issue 3930 : Add a status panel for the scanner callbacks
  • Issue 3952 : Show number of new alerts in Active Scan tab
  • Issue 4100 : Skip plugins if there’s nothing to scan
  • Issue 4102 : Allow to delete site nodes with keyboard shortcut
  • Issue 4122 : Add unicode functions.
  • Issue 4123 : Passive Scan Tags interpolation
  • Issue 4135 : REST API to manage script variables
  • Issue 4153 : ZAP doesn’t ask for confirmation before overwriting an existing session
  • Issue 4201 : Alert Tab UI Tweaks
  • Issue 4236 : Expand node of first context added
  • Issue 4244 : Change variant cookie to behave like browsers do
  • Issue 4245 : Add shortcut key to Sites’ Delete pop menu item
  • Issue 4253 : Allow to remove API callbacks
  • Issue 4277 : Warn if a # is specified in a breakpoint URL
  • Issue 4283 : Update ZAP logo in HTML report
  • Issue 4307 : Allow to delete all alerts through the GUI
  • Issue 4318 : Enhancement - Allow addons to “opt-in” for passive scanning
  • Issue 4319 : Expose UI component (table) of History tab
  • Issue 4325 : Improve form submission in API Web UI
  • Issue 4331 : Allow to show Request and Response in the same tab
  • Issue 4333 : Include ID of the HTTP message in returned HAR
  • Issue 4352 : Allow to send a message body with all methods
  • Issue 4364 : Allow to obtain context’s URLs through the API
  • Issue 4365 : Allow to specify a name for session snapshot through the API
  • Issue 4391 : Enhancement: Params Tab - Multipart Form Params
  • Issue 4400 : Allow to scan from Contexts tree
  • Issue 4422 : Spider Scan does not understand HTML 5 form syntax
  • Issue 4474 : pscan - Expose getPluginPassiveScanners()
  • Issue 4477 : Enable help in Add/Edit Breakpoint dialogue
  • Issue 4484 : Added Django csrf_token
  • Issue 4498 : Added support for launching JVM enabled for remote debugging
  • Issue 4541 : Expand node of selected context
  • Issue 4542 : Ensure node selected param panel is visible
  • Issue 4548 : ATTACK Mode Enablement Suggestion
  • Issue 4557 : Tweak JVM panel to resize properly
  • Issue 4592 : Keep panel of selected context selected
  • Issue 4599 : Keep backup of malformed config.xml file
  • Issue 4604 : Do not automatically add an empty user
  • Issue 4612 : HTTP Sessions Tab Messages Matched - drill down to matched messages
  • Issue 4616 : Add option for custom font in work panels
  • Issue 4638 : Allow to reinstall (local) add-on
  • Issue 4647 : Skip plugins if no input vectors enabled
  • Issue 4668 : Make Passive Scan Tags management cleaner
  • Issue 4679 : Inform when the add-on has finished installing
  • Issue 4688 : Allow to view script types through the API
  • Issue 4694 : Provide details of why the add-on is not valid
  • Issue 4698 : TLS 1.3 UI Components
  • Issue 4707 : Allow to use add-on icons in Sites tree
  • Issue 4709 : Allow to change proxy’s hostname already bound
  • Issue 4712 : Add Passive Scan Footer Icon/Status
  • Issue 4714 : Inform if passive scanner is still running
  • Issue 4726 : Added contexts setContextRegexs API endpoint
  • Issue 4729 : Allow to add/remove an anti-CSRF token from all parameters in Params tab
  • Issue 4743 : Dynamically add/remove extensions’ help
  • Issue 4753 : Exporting response bodies of many messages at the same time from History tab
  • Issue 4762 : Added pscan stats and API call for getting current rule
  • Issue 4767 : Be more lenient when parsing techs through the API
  • Issue 4771 : Bundle required files in the zap.jar
  • Issue 4780 : Tidy up dependencies
  • Issue 4810 : Exit on exception during GUI start
  • Issue 4819 : Added childNodes view
  • Issue 4833 : Added alert api endpoints
  • Issue 4835 : Improve ‘port in use’ error message
  • Issue 4836 : Add option to prevent windows from grabbing focus from other apps
  • Issue 4892 : Allow to set client certificate (PKCS#12) from CLI
  • Issue 4933 : New/Updated Global Excludes
  • Issue 4935 : Minor ‘find’ enhancement - when searching in request/response
  • Issue 4943 : Global Excludes No Longer Beta
  • Issue 4946 : added _csrf to default ACSRF token names
  • Issue 4976 : ascan: Make addition of query param optional
  • Issue 4988 : Spider: Parse robots.txt even if no content-type
  • Issue 4997 : Allow to manage default session tokens (API)
  • Issue 5010 : Show Version in Marketplace Installed Addons Tab
  • Issue 5023 : Let fields in StandardFieldsDialog get all space
  • Issue 5029 : Discard edits of new field in StandardFieldsDialog
  • Issue 5064 : Extend TableHistory with filter for “historyid > x”
  • Issue 5065 : Listening for changes of the message in the Request/Response panels
  • Issue 5076 : Global Excludes - Consolidate Mozilla/Firefox Entries?
  • Issue 5091 : Add _csrfSecret to list of default CSRF tokens
  • Issue 5116 : Passive scan max alerts option
  • Issue 5148 : Show add-on details in a panel instead of tool tip
  • Issue 5161 : Allow to listen for script output
  • Issue 5192 : Break/wrap long URLs and base64 data in HTML report
  • Issue 5219 : Ensure The Scan Policy Sticks Between Active Scan Runs
  • Issue 5226 : schedule or queue active scan
  • Issue 5236 : Expose the local add-ons through the ZAP API
  • Issue 5239 : Provide add-on file path in API/GUI
  • Issue 5256 : Added Import top-level Menu
  • Issue 5277 : Active Scan Scripts - References Functionality
  • Issue 5300 : Ignore “javax.faces.ViewState” parameter in active scans
  • Issue 5304 : Improve error message when failed to connect to outgoing proxy
  • Issue 5324 : Enhancement: Spider handle Hyperlink Auditing Functionality
  • Issue 5335 : Add feedback on search progress
  • Issue 5343 : Show UI name of dependent extensions
  • Issue 5345 : Add cmdline options for loading and dumping root cert
  • Issue 5350 : Enable custom (script) input vectors by default.
  • Issue 5351 : Apply installer CFU options on update
  • Issue 5354 : New silent option to disable all calls home
  • Issue 5366 : Fallback to bundled Messages file

Bug fixes

  • Issue 1142 : Session Fixation False positive
  • Issue 1161 : [Enable Session Tracking (Cookie)] and [Use current tracking session] toggle button
  • Issue 1287 : PKCS11: Error, maybe your password or driver is wrong.
  • Issue 1470 : spider scan() API errors with ‘No seeds available for the Spider. Cancelling scan…’
  • Issue 1642 : Change of view type in Break tab not saved when ZAP closed/reopened.
  • Issue 2531 : Cookie is not set during script authentication when following redirect
  • Issue 2626 : Error on Debian with Java 8: “Could not generate DH keypair”
  • Issue 2998 : Zap Report Generation Bug
  • Issue 3075 : ZAP not relinquishing top window position sometimes after intercept being on
  • Issue 3399 : Do not uninstall files that are declared by other add-ons
  • Issue 3959 : Properly generate cert for ZAP API and Callback when accessed with IP address
  • Issue 4016 : Proxying https://ipaddress raise a CERT_COMMON_NAME_INVALID Error in Browser
  • Issue 4097 : python api returns the wrong content for authentication.get_authentication_method()
  • Issue 4111 : ZAP Python API: zap.context.alerts_summary() returns 0
  • Issue 4119 : Ajax Spider deadlock
  • Issue 4130 : Do not return duplicate URLs in urls core view
  • Issue 4147 : Unable to add PKCS#11 certs with Java 9+
  • Issue 4166 : Unable to import Root CA Cert from PEM file with Java 9+
  • Issue 4194 : Size of the configuration file keeps increasing each time ZAP is started with Java 9+
  • Issue 4196 : Supported core extensions not available when using experimental DB option
  • Issue 4197 : Warn and prevent snapshot to current session file
  • Issue 4202 : API Spider call not taking existing URLs as input
  • Issue 4226 : Prevent use of install dir as home dir
  • Issue 4247 : ZAP should accept/parse cookies without name
  • Issue 4252 : Dont restrict callback urls to the specified addresses
  • Issue 4265 : Unable to spider with unlimited depth
  • Issue 4279 : Python Passive Rules scan all message types by default
  • Issue 4291 : Manual Request Editor keeps using Forced User even if disabled
  • Issue 4306 : Clear Sites nodes’ alert state on alerts deletion
  • Issue 4356 : Internal Error while obtaining URLs through the API
  • Issue 4357 : Do not submit unused parameters in API Web UI
  • Issue 4368 : Exclude from Context not used by active scan
  • Issue 4379 : Remove custom vectors’ highlights when cleared
  • Issue 4387 : Internal Error while saving the session (again) through the API
  • Issue 4408 : Reinstate locale mapping
  • Issue 4428 : Zap waiting for Spider endlessly when it crashed.
  • Issue 4515 : AuthenticationScript (Python, Ruby, Groovy) does not work without logged in/out indicators
  • Issue 4538 : Local ZapVersions.xml is saved with default character encoding
  • Issue 4575 : Stop spider scans when mode changed to Safe
  • Issue 4576 : Skip Token Generator responses for HTTP Sessions
  • Issue 4581 : Skip Access Control responses for HTTP Sessions
  • Issue 4590 : ZAP API converts data to wrong format
  • Issue 4623 : Message caught in Break tab but break buttons remain disabled
  • Issue 4627 : Add proxy related listeners to alternative proxies
  • Issue 4646 : Allow to specify higher values for delay while scanning through the UI
  • Issue 4655 : Track the directories with scripts
  • Issue 4691 : Correctly JSON encode context regexs
  • Issue 4711 : sites tree no longer accessible
  • Issue 4749 : Handling of empty client certificates
  • Issue 4756 : Correct install dir detection from ZAP JAR
  • Issue 4772 : Correct generated certificates’ validity period
  • Issue 4789 : Break tab is not automatically shown in full layout when breakpoint is hit
  • Issue 4807 : Add all dangling event consumers
  • Issue 4814 : Don’t open the report if it does not exist
  • Issue 4817 : Skip dependent extensions of failed uninstallation
  • Issue 4818 : Correct API response on failed installations
  • Issue 4827 : Allow consumers to remove themselves during events
  • Issue 4846 : User-Agent changes from configured value
  • Issue 4869 : Delay initialisation of keyboard mappings
  • Issue 4911 : ConcurrentModificationException thrown in PassiveScanThread
  • Issue 4945 : Don’t use HTTP session for manual auth if not set
  • Issue 4970 : Don’t parse (plain) API parameters as JSON
  • Issue 4971 : Made active scan progress consistent with spider, show progress of 100 if scan is stopped
  • Issue 4993 : Change API view optionTokensNames to return a list
  • Issue 5003 : SSE are not supported in some cases
  • Issue 5021 : Active Scan API - Scan whole context as user incorrectly requires a URL
  • Issue 5027 : Restore info message in Input Vectors tab
  • Issue 5033 : Do not add auth context menus in daemon mode
  • Issue 5060 : Custom Vectors don’t work properly if plugin ID is injected in the message
  • Issue 5066 : Correct request rewrite when following redirection
  • Issue 5068 : Fix typo in sql script adding the tag column
  • Issue 5118 : Global Excludes Modify Description Doesn’t Work
  • Issue 5156 : Return proper errors in break API
  • Issue 5160 : Show/edit expected breakpoint with sorting
  • Issue 5162 : Inconsistent JSON report format
  • Issue 5207 : Hook OverrideMessageProxyListener also on install
  • Issue 5221 : ZAP failing Nexus scan
  • Issue 5252 : Unable to CONNECT to authority with underscore
  • Issue 5257 : Improve error handling on shutdown
  • Issue 5259 : GUI hang (and NPE exceptions) when using Context Alert Filters
  • Issue 5352 : Fix exceptions during config update

ZAP API Breaking Changes:

VIEW acsrf / optionTokensNames

This change will break the consumers that were manually parsing/extracting the names from the string. The structure of the data returned was changed to properly separate each name:

{"optionTokensNames":["anticsrf","CSRFToken"]}

and:

<optionTokensNames type="list">
    <tokenName>anticsrf</tokenName>
    <tokenName>CSRFToken</tokenName>
</optionTokensNames>

instead of:

{"TokensNames":"[anticsrf, CSRFToken]"}

and:

<optionTokensNames>[anticsrf, CSRFToken]</optionTokensNames>

VIEW authentication / getAuthenticationMethod

This change will break the consumers that were manually parsing/extracting the JSON response (and XML response, for manual authentication method). The structure of the data was changed to have an object wrap the authentication method data, to be consistent with all other views. The returned data would be, for example:

{
  "method": {
    "port": "443",
    "host": "example.com",
    "methodName": "httpAuthentication",
    "realm": "example"
  }
}

instead of:

{
  "port": "443",
  "host": "example.com",
  "methodName": "httpAuthentication",
  "realm": "example"
}

VIEW core / alertsSummary

This change will break the consumers that were manually parsing/extracting the JSON response. The structure of the data was changed to have an object wrap the alerts summary, to be consistent with all other views. The returned data would be, for example:

{
  "alertsSummary": {
    "High": 0,
    "Low": 3,
    "Medium": 1,
    "Informational": 1
  }
}

instead of:

{
  "High": 0,
  "Low": 3,
  "Medium": 1,
  "Informational": 1
}

VIEW core / alerts

The view will now validate the risk ID, returning an error (ILLEGAL_PARAMETER) if not valid.

VIEW core / numberOfAlerts

The view will now validate the risk ID, returning an error (ILLEGAL_PARAMETER) if not valid.

ZAP API Deprecated Endpoints:

All alert related core endpoints were deprecated, they are now accessible through a new component alert.

ZAP API Changed Endpoints:

ACTION authentication / setAuthenticationMethod

The action will no longer remove existing users, instead the user is disabled and its credentials reset if the type of credentials of the authentication method being set is different.

ACTION context / excludeContextTechnologies

The action will now accept the string with technologies even if there are spaces before or after the names, for example:

os.linux, db.mysql

will now be valid.

ACTION context / includeContextTechnologies

The action will now accept the string with technologies even if there are spaces before or after the names, for example:

os.linux, db.mysql

will now be valid.

ACTION core / snapshotSession

Added optional parameters name and overwrite, to allow to specify a name and overwrite existing files.

ZAP API New Endpoints:

View ascan / optionAddQueryParam

Tells whether or not the active scanner should add a query parameter to GET request that don’t have parameters to start with.

VIEW autoupdate / localAddons

Returns a list with all local add-ons, installed or not.

VIEW context / urls

Lists the URLs accessed through/by ZAP, that belong to the context with the given name.

VIEW httpSessions / defaultSessionTokens

Gets the default session tokens.

VIEW pscan / maxAlertsPerRule

Gets the maximum number of alerts a passive scan rule should raise.

VIEW script / globalVar

Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set.

VIEW script / globalVars

Gets all the global variables (key/value pairs).

VIEW script / listTypes

Lists the script types available.

VIEW script / scriptVar

Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set.

VIEW script / scriptVars

Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists.

ACTION ascan / setOptionAddQueryParam

Sets whether or not the active scanner should add a query param to GET requests which do not have parameters to start with.

ACTION core / enablePKCS12ClientCertificate

Enables use of a PKCS12 client certificate for the certificate with the given file system path, password, and optional index.

ACTION core / disableClientCertificate

Disables the option for use of client certificates.

ACTION httpSessions / addDefaultSessionToken

Adds a default session token with the given name and enabled state.

ACTION httpSessions / removeDefaultSessionToken

Removes the default session token with the given name.

ACTION httpSessions / setDefaultSessionTokenEnabled

Sets whether or not the default session token with the given name is enabled.

ACTION pscan / setMaxAlertsPerRule

Sets the maximum number of alerts a passive scan rule should raise.

ACTION script / clearGlobalVar

Clears the global variable with the given key.

ACTION script / clearGlobalVars

Clears the global variables.

ACTION script / clearScriptVar

Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists.

ACTION script / clearScriptVars

Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists.

ACTION script / setGlobalVar

Sets the value of the global variable with the given key.

ACTION script / setScriptVar

Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists.

See also

Introduction the introduction to ZAP
Releases the full set of releases
Credits the people and groups who have made this release possible