Release 2.9.0

This is a bug fix and enhancement release, which requires a minimum of Java 8. Note that a minimum of Java 11 is recommended, especially for high DPI displays.

These release notes do not include all of the changes included in add-ons updated since 2.8.0.

Some of the more significant enhancements include:

Session Management Scripts

It's now possible to define scripts which handle non standard or more complex session management.
Session Management scripts have full access to the authentication request and response and can define custom mandatory and optional parameters. An example session management script for OWASP Juice shop is provided.

Active Scan Filter

It's now possible to filter requests in Active Scan. Below are the supported criteria's:

  • HTTP method
  • Status code
  • Tags
  • URL pattern

Custom Global/Script Variables

It's now possible for scripts to share custom global/script variables, which can be of any type not just strings, for example, lists, maps, GUI models.
In JavaScript they are accessed/set as follows:

var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars")

ScriptVars.setScriptCustomVar(this.context, "var.name", {x: 1, y: 3})
print(ScriptVars.getScriptCustomVar(this.context, "var.name").y) // Prints 3

ScriptVars.setGlobalCustomVar("var.name", ["A", "B", "C", "D"])
print(ScriptVars.getGlobalCustomVar("var.name")[2]) // Prints C

Scan Rule Promotions

The following scan rules have been promoted:

Passive Scan Rules - Release

  • Cookie Without SameSite Attribute
  • Cross Domain Misconfiguration
  • Information Disclosure: In URL
  • Information Disclosure: Referrer
  • Information Disclosure: Suspicious Comments
  • Server Leaks Information via “X-Powered-By” HTTP Response Header Field(s)
  • Timestamp Disclosure
  • Username Hash Found
  • X-AspNet-Version Response Header Scanner
  • X-Debug-Token Information

Filters Classes Removal

The classes/code for Filters functionality, deprecated since ZAP 2.4.0, has been removed. Add-ons that still use that will stop working.

Changes in Bundled Libraries

The following libraries were removed:

  • JDOM
  • Diff Utils

no longer in use by core, add-ons should bundle the library, if needed. The following libraries were updated:

  • Bouncy Castle, 1.61 → 1.64
  • Commons BeanUtils, 1.9.3 → 1.9.4
  • Commons Codec, 1.12 → 1.13
  • Commons CSV, 1.6 → 1.7
  • Commons Text, 1.6 → 1.8
  • HSQLDB, 2.4.1 → 2.5.0
  • Nashorn Sandbox, 0.1.25 → 0.1.26
  • RSyntaxTextArea, 3.0.3 → 3.0.4
  • SQLite JDBC, 3.27.2.1 → 3.28.0

Enhancements

  • Issue 2016 : Choose a unique port in the GUI if theres a clash
  • Issue 2619 : Allow add-ons to declare/bundle its dependencies
  • Issue 3358 : Enhancement: Options Panel Filter
  • Issue 3402 : Share custom variables between scripts
  • Issue 3491 : Feature-Request: Select Multiple Contexts
  • Issue 4963 : Allow to specify the URI of the login page
  • Issue 5278 : Ability to filter what requests the Active Scans run against
  • Issue 5303 : API calls for adding and changing alerts
  • Issue 5436 : Add new languages to context tech
  • Issue 5464 : Deprecate Context.getIndex and implement Context.getId
  • Issue 5466 : Add utility methods to Alert class
  • Issue 5550 : Load additional local proxies with defaults
  • Issue 5563 : Include Import/Online menus in Options > Keyboard
  • Issue 5598 : Revise site certificate validity period to 825d
  • Issue 5614 : Manual Request Editor Icon
  • Issue 5630 : Support session management scripts
  • Issue 5656 : Add Base64url to Encoder/Decoder Tool
  • Issue 5667 : Improve permissions and space handling when saving/exporting
  • Issue 5671 : Check for updates in daemon mode
  • Issue 5672 : Do not prompt to accept the license on first start
  • Issue 5680 : Update dependencies
  • Issue 5681 : Remove unused dependencies
  • Issue 5691 : Expose Context details to passive scan rules
  • Issue 5696 : Expose Context techset directly to passive scan rules
  • Issue 5723 : AntiCSRF Tokens Add New Defaults
  • Issue 5756 : HttpHeader provide List variant for getHeaders(String)
  • Issue 5774 : Allow to enable/disable all passive tags through the API
  • Issue 5779 : MacOS DMG - switch back to HFS+
  • Issue 5782 : Update default user agent
  • Issue 5785 : Add tooltip listing all proxies to the footer Primary Proxy label
  • Issue 5795 : Handle quoted URL in meta refresh

Bug fixes

  • Issue 1164 : Manual “Resend” sets cookies on response
  • Issue 4003 : Issues when using ‘low memory’ mode.
  • Issue 5427 : Update HTTP Protocol Version in Manual Request Editor
  • Issue 5449 : API not responding - Internal Error
  • Issue 5452 : Do not remove resource bundle of other extensions
  • Issue 5486 : Fix counting error in Statistics
  • Issue 5487 : Add saved scripts of registered script type
  • Issue 5490 : Anti-CSRF tokens not encoded in authentication requests
  • Issue 5491 : Auth request without request-target from auth script causes exceptions
  • Issue 5492 : Improve error handling when creating scan policies
  • Issue 5518 : ZAP might not use outgoing proxy authentication credentials
  • Issue 5585 : ZAP 2.8.1 hanging on kali
  • Issue 5613 : Cope with missing token in auth POST data
  • Issue 5619 : The -configfile option can fail with arrays
  • Issue 5622 : Consistent SessionTracking Button Sync
  • Issue 5624 : Alert parameter might not be properly loaded
  • Issue 5636 : script.js never served on localhost
  • Issue 5704 : Wait for add-ons to be installed
  • Issue 5743 : Find + Cancel buttons are neither centered nor flush right
  • Issue 5744 : Improve labels of Search menu items
  • Issue 5780 : Don't display messages when deleting them
  • Issue 5783 : Disable JAR caching by default
  • Issue 5794 : Correct MailTo pattern for RegexAutoTagScanner

ZAP API New Endpoints:

VIEW script / globalCustomVar

Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set.

VIEW script / globalCustomVars

Gets all the global custom variables (key/value pairs, the value is the string representation).

VIEW script / scriptCustomVar

Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set.

VIEW script / scriptCustomVars

Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists.

ACTION alert / addAlert

Add an alert associated with the given message ID, with the provided details. (The ID of the created alert is returned.)

ACTION alert / updateAlert

Update the alert with the given ID, with the provided details.

ACTION pscan / disableAllTags

Disables all passive scan tags.

ACTION pscan / enableAllTags

Enables all passive scan tags.

ACTION script / clearGlobalCustomVar

Clears a global custom variable.

ACTION script / clearScriptCustomVar

Clears a script custom variable.

See also

Introduction the introduction to ZAP
Releases the full set of releases
Credits the people and groups who have made this release possible