Release 2.10.0

This is a 10 year anniversary bug fix and enhancement release, which requires a minimum of Java 8. Note that a minimum of Java 11 is recommended, especially for high DPI displays.

These release notes do not include all of the changes included in add-ons updated since 2.9.0.

Some of the more significant enhancements include:

Custom Pages

Custom Pages can be defined on a per context basis - these allow ZAP to identify various non-standard error handling conditions such as custom error pages and handle them more effectively.

Authentication Polling

The concept of Authentication Verification Strategies has been introduced which allows ZAP to handle a wider range of authentication mechanisms including the option to poll a specified page for the authentication status of a user.

Site Tree Control

Scripts and add-ons now have full access to how nodes are represented in the Sites Tree. Both Input Vector Scripts and add-ons which include implementations of the Variant class can change both the tree structure and names used for new nodes.

For more details see the Site Tree Modifiers Blog post.

Dynamic Look and Feel including Dark Mode

The Desktop UI includes a new set of open source Look and Feel's c/o FlatLaf including 2 Dark Mode options.
You can also dynamically switch the Look and Feel via a button on the Top Level Toolbar.

For more details of the dark mode see the Dark Mode in the Weekly Release Blog post.

Authentication Headers via Env Vars

A new set of environmental variables are available which allow you to easily add an authentication header to all of the requests that are proxied through ZAP or initiated by the ZAP tools, including the spiders and active scanner. These are documented on the Authentication page.

SOCKS Proxy Configuration

It is now possible to dynamically configure the outgoing SOCKS proxy in the Options' Connection screen. By default the SOCKS proxy configuration applies to all connections made by ZAP.

Cached Scripts

The following script types are now cached between invocations reducing the time it takes to reuse them:

Active Rules
HTTP Sender
Input Vectors, when used for the Sites tree
Passive Rules
Proxy

Add-Ons

New Add-Ons

The following add-ons are included by default in this release for the first time:

Advanced Encode / Decode / Hash dialog - this replaces the old core encode/decode/hash dialog
DOM XSS Scan Rule - an Active Scan rule for detecting DOM XSS vulnerabilities
Form Handler - allows for the custom configuration of values used in forms based on field names
GraalVM JavaScript - included as Java 15+ no longer includes the Oracle Nashorn JavaScript engine
GraphQL Support - allows you to import and active scan GraphQL definitions
Retire.js - a Passive Scan rule which implements checks provided by Retire.js in order to identify vulnerable or out-dated JavaScript packages
SOAP Support - allows you to import and active scan WSDL files containing SOAP endpoints

Updated Add-Ons

The following add-ons have been updated since the last full release:

Docker Updates

The following changes are included in the latest Stable Docker image:

Update Webswing to latest version (20.2.1) to work with newer Java versions.
Update Java in stable image to version 11.
Add support for authenticated scans.
Add zap_tune function (disable all tags and limit pscan alerts to 10), zap_tuned hook and disable recovery log.
Update zap-api-scan.py to add support for GraphQL.
Fail immediately if the spider scans were not started to provide better error message.
Packaged scans will use the provided context when spidering and active scanning.
Add `IS_CONTAINERIZED` environment variable to the container image, used in the python script to check for containerized environments (e.g. containerd) without relying on container runtime specific files.
Make podman compatible
Make docker stable use ubuntu 20.04
Make `python` command use Python 3.
Removed python 2, only python 3 will be supported going forward.
Changed zap-full-scan.py and zap-api-scan.py to include the -I option to ignore only warning used by zap-baseline-scan.py

For full list of changes made to the docker images see the docker CHANGELOG.md.

Changes in Bundled Libraries

The following libraries were updated:

Bouncy Castle, 1.61 → 1.67
Commons Codec, 1.13 → 1.15
Commons CSV, 1.7 → 1.8
Commons IO, 2.6 → 2.8.0
Commons Lang3, 3.9 → 3.11
Commons Text, 1.8 → 1.9
HSQLDB, 2.5.0 → 2.5.1
JFreeChart, 1.0.13 → 1.5.1
RSyntaxTextArea, 3.0.4 → 3.1.1
SQLite JDBC, 3.28.0 → 3.32.3.2

Logging Library

The logging library, Log4j, was updated to the new major version (2.x). The previous version is still included for compatibility with existing code, add-on and script authors are encouraged to migrate to the new API.
For example, the logger can now be obtained with:

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

// ...

Logger logger = LogManager.getLogger(MyClass.class);

Enhancements

Issue 9 : No Way to Specify Custom 404
Issue 29 : SOCKS (outgoing) proxy support
Issue 78 : Show message type in History tab
Issue 111 : Provide a button on the resend screen to inject a CSRF token
Issue 408 : Add support to encoding transformations
Issue 560 : Content-Length header always updated on Send - cannot Resend some requests
Issue 1351 : Decode gzip'ed content in Request tab
Issue 1701 : Lack of Encoding Breaks Syntax Highlighting
Issue 3452 : Add "Remove from site tree" in search
Issue 5542 : Improve dark mode
Issue 5732 : HTML Reports should offer a table based on alert names
Issue 5738 : Improve version message in Manage Add-ons dialogue
Issue 5844 : Add context menu item to mark false positives
Issue 5845 : Alert API Additions
Issue 5864 : Add buttons to select the file types ignored on Break
Issue 5873 : Add FlatLaf L&F, for dark mode
Issue 5874 : Revise Site Certificates to Max 398d
Issue 5898 : Allow to import from file into regular expression panels (e.g. Include in Context)
Issue 5923 : Expose enable related state in scripts API
Issue 5934 : Allow language to be specified on commandline
Issue 5963 : Add host and path columns to the history table
Issue 5973 : added known csrf token for pfsense
Issue 6010 : Do not recompile unchanged scripts
Issue 6038 : Allow Parsing of Some Non-text Messages by the Spider
Issue 6068 : On CSRF variable detection search for partial match instead of full
Issue 6075 : Allow to override ApiImplementor i18n key prefix
Issue 6079 : Allow to differentiate requests by body content in Sites tree
Issue 6084 : Add generation date to the HTML and MD reports
Issue 6126 : Add more control over the site tree
Issue 6163 : Support authentication polling
Issue 6196 : Upgrade the version of log4j
Issue 6201 : Support dynamic Look and Feel switching
Issue 6226 : Allow to define the maximum body size to passive scan
Issue 6277 : Add OneTouchExapandable control to Sites Tree/Request&Response panels
Issue 6278 : Add Alert reference field
Issue 6295 : Added support for dynamic technologies
Issue 6296 : Add auth header define in envvars
Issue 6299 : Tweak browser page for browser launch
Issue 6313 : Manual Request response send
Issue 6333 : Refactor SessionStructure and Session
Issue 6353 : Update default and common user agents
Issue 6354 : Update email used in certs

Bug Fixes

Issue 1584 : GZip de-compression causes loss of newlines
Issue 4235 : Warn when unable to save (malformed) HTTP message in Request/Response panels
Issue 5701 : Fuzzer runs progressively slower
Issue 5899 : Allows Regex duplication in the same Context through the UI
Issue 5902 : Active scan script - JSON number values - Weird replaces
Issue 5952 : Stats includes Content-Type byteranges limits
Issue 5991 : Hook HttpSenderListener when installing add-ons
Issue 6008 : Initialization of scripts via ZAP API
Issue 6037 : Changing look and feel messes with macOS integrations
Issue 6043 : Active scanner tests the same request twice
Issue 6102 : Error starting Active Scan in "Everything in Scope" mode.
Issue 6121 : html encode in Generate anti-CSRF Test FORM
Issue 6138 : Persistent growing high CPU usage with proxy
Issue 6206 : Unable to import context without optional fields
Issue 6223 : Exception while authenticating with form-based and anti-csrf tokens
Issue 6267 : HTML / Markdown Report Generation Fails When Path Contains '#'
Issue 6297 : Site tree doesnt correctly represent URLs ending in a /

ZAP API New Endpoints:

VIEW ascrf / optionPartialMatchingEnabled

Define if ZAP should detect CSRF tokens by searching for partial matches

ACTION ascrf / setOptionPartialMatchingEnabled

Define if ZAP should detect CSRF tokens by searching for partial matches.

ACTION alert / updateAlertsConfidence

Update the confidence of the alerts.

ACTION alert / updateAlertsRisk

Update the risk of the alerts.

ACTION context / setContextCheckingStrategy

Set the checking strategy for a context - this defines how ZAP checks that a request is authenticated.

VIEW core / optionUseSocksProxy

Gets whether or not the SOCKS proxy should be used.

ACTION core / setOptionUseSocksProxy

Sets whether or not the SOCKS proxy should be used.

VIEW users / getAuthenticationState

Gets the authentication state information for the user identified by the Context and User Ids.

VIEW users / getAuthenticationSession

Gets the authentication session information for the user identified by the Context and User Ids, e.g. cookies and realm credentials.

Action users / authenticateAsUser

Tries to authenticate as the identified user, returning the authentication request and whether it appears to have succeeded.

Action users / pollAsUser

Tries to poll as the identified user, returning the authentication request and whether it appears to have succeeded. This will only work if the polling verification strategy has been configured.

Action users / setAuthenticationState

Sets fields in the authentication state for the user identified by the Context and User Ids.

Action users / setCookie

Sets the specified cookie for the user identified by the Context and User Ids.

	Introduction	the introduction to ZAP
	Releases	the full set of releases
	Credits	the people and groups who have made this release possible