Release 2.11.0

This is the OWASP 20th anniversary bug fix and enhancement release, which requires a minimum of Java 8. Note that a minimum of Java 11 is recommended, especially for high DPI displays.

These release notes do not include all of the changes included in add-ons updated since 2.10.0.

Some of the more significant enhancements include:

Alert Tags

Alerts can now be tagged with arbitrary keys or key=value pairs.
The active and passive scan rules have been updated to include tags for the OWASP Top 10 2021 and 2017 - these are also now shown on the website Alert Details pages.

Automation Framework

The Automation Framework is a new way to automate ZAP and is expected to become the default option for most use cases. For more details see the Automation Framework page on the website.

Report Generation

The new Report Generation add-on allows you to generate much more flexible reports with access to much more data. The previous reporting add-ons have been removed from the marketplace as they provide less functionality and are no longer maintained.
New report templates include:

Risk and Confidence HTML - the new default report
Modern HTML Report with themes and options
High Level Report Sample
Traditional HTML Report with requests and responses

"Traditional" templates have been added which match the old reports for anyone who relies on their formats.

OAST Support

The new OAST Support add-on allows you to find and exploit out-of-band vulnerabilities. This add-on is alpha at the time of the 2.11.0 release but is expected to be updated soon, so check the help pages for the latest features.

Retest

The new Retest add-on allows you to retest for presence/absence of previously generated alerts. This add-on is alpha at the time of the 2.11.0 release but is expected to be updated soon, so check the help pages for the latest features.

Docker

The Docker stable and bare images will now be updated monthly, typically around the start of the month.
The updates will include any updated add-ons and any changes to the packaged scans. No core changes will be included in these updates.
The images will be tagged by date in case you wish to stay on a specific version.
The packaged scans are being migrated to use the Automation Framework - this migration will continue over the life of 2.11.0.

Statistics

A significant number of statistics have been added to the core, and are being added to add-ons. In part this is driven by the Automation Framework which can make direct use of statistics for sanity checks.
New core statistics include:

stats.api.call.<format>.<component>.<request-type>.<name> : The number of times the given API endpoint has been called
stats.api.error.<format>.<component>.<request-type>.<name> : The number of times the given API endpoint has returned an error
stats.ascan.<rule-id>.alerts : The number of alerts the given active scan rule has raised
stats.ascan.<rule-id>.skipped : The number of alerts the given active scan rule has been skipped
stats.ascan.<rule-id>.started : The number of alerts the given active scan rule has been started
stats.ascan.<rule-id>.time : The cumulative number of milliseconds that the given active scan rule has run for
stats.ascan.<rule-id>.urls : The number of URLs that the given active scan rule has requested
stats.ascan.started : The number of times the active scanner has been started
stats.ascan.stopped : The number of times the active scanner has been stopped (as opposed to finishing)
stats.ascan.time : The cumulative number of milliseconds that active scanner has run for
stats.ascan.urls : The number of URLs the active scanner has requested
stats.break.drop : The number of times a request or response has been dropped via a break point
stats.break.hit : The number of times a break point has been hit
stats.break.step : The number of times a break point has been stepped through
stats.pscan.<rule-id>.alerts : The number of alerts raised by the given scan rule
stats.pscan.<rule-id>.time : The cumulative number of milliseconds taken to run the given scan rule
stats.script.call.<engine-name>.<type> : The number of times the given type of script has been called
stats.script.error.<engine-name>.<type> : The number of times the given type of script has been returned an error
stats.spider.started : The number of times the spider has been started
stats.spider.stopped : The number of times the spider has been stopped (as opposed to completing)
stats.spider.time : The total number of milliseconds the spider has run for across all scans
stats.spider.url.error : The number of URLs the spider has found but failed to access
stats.spider.url.found : The number of URLs the spider has found and accessed

For details of the latest statistics including all of the ones also maintained by add-ons and links to the code see the website ZAP Internal Statistics pages.

Add-Ons

New Add-Ons

The following add-ons are included by default in this release for the first time:

Automation Framework - a simple, flexible and powerful way to automate ZAP
OAST Support - allows you to exploit out-of-band vulnerabilities
Report Generation - new and highly customisable reports
Retest - retest for presence/absence of previously generated alerts

Updated Add-Ons

All of the add-ons included by default have been updated since the last full release.

Docker Updates

The following changes are included in the latest Stable Docker image:

Updated to use Webswing 21.1.5
Added /zap/container file to make it easier to detect if we are running in a container like docker.
Changed to enable integration tests, inc enabling the AF for the baseline -c option if the --auto flag is used before it.
Changed to use user's home directory for the Automation Framework files so it will work for any user
Updated the baseline to use the Automation Framework by default for common options including the config file/URL.
Alert_on_Unexpected_Content_Types.js > Added Content-Type text/yaml to the list of expected types.
Check if messages being analyzed by API scan scripts are globally excluded or not.
Allow more flexibility to specify ZAP command line options when using Webswing
Python 3.5 is no longer supported.
Update Webswing to download prod version if valid key supplied.

For full list of changes made to the docker images see the docker CHANGELOG.md.

Changes in Bundled Libraries

The following libraries were updated:

Bouncy Castle, 1.67 → 1.68
Commons IO, 2.8.0 → 2.11.0
Commons Lang3, 3.11 → 3.12
HarLib, 1.1.2 → 1.1.3
HSQLDB, 2.5.1 → 2.5.2
JFreeChart, 1.5.1 → 1.5.3
Log4j 2, 2.14.0 → 2.14.1
RSyntaxTextArea, 3.1.1 → 3.1.3
SQLite JDBC, 3.32.3.2 → 3.36.0.1
XOM, 1.2.10 → 1.3.7

Enhancements

Issue 6023 : Quick add site in Context from History panel
Issue 6098 : Allow custom request headers to be set by spider parser
Issue 6413 : Allow to export regular expressions
Issue 6428 : Root Cert Download from Main API Page
Issue 6448 : Manual Request Editor: Send Hotkey
Issue 6469 : Cannot detect injection vulnerabilities on null value JSON objects
Issue 6598 : Do not require scan rules to implement setParent
Issue 6614 : Add AWP Identity manager PKCS11 cards (IDEMIA)
Issue 6625 : Deprecate core/view/homeDirectory API endpoint
Issue 6628 : Added `_token` to possible CSRF input names
Issue 6658 : Redirect core API reports to report add-on
Issue 6661 : Add "_csrf_token" accepted CSRF token names list
Issue 6678 : Make EventBus publishers easier to discover
Issue 6705 : Remove Paros Reports
Issue 6712 : Allow to regenerate expired certificate from warning dialogue
Issue 6769 : Support manual auth users with no session
Issue 6801 : Allow code to set the ZAP exit status
Issue 6803 : Enable anti csrf token handling in ascan by default
Issue 6807 : Add spider stats
Issue 6808 : Add container detection for Docker and Flatpak
Issue 6811 : Add option for allowing app integration in containers
Issue 6824 : Deprecate extension callback
Issue 6827 : Add support for controlling panel switching
Issue 6829 : Support Alert Tags
Issue 6834 : Adding Spring as a JAVA Technology
Issue 6835 : Active Scan stats
Issue 6836 : Passive Scan stats
Issue 6837 : API stats
Issue 6838 : Scripts stats
Issue 6840 : Break stats
Issue 6844 : Detect if running in WebSwing
Issue 6854 : Update user agents

Bug fixes

Issue 3988 : Selected checkbox tree nodes not correctly highlighted in macOS
Issue 4671 : Tag changes in Search tab not reflected in History tab
Issue 5165 : Not found response tab on options (keyboard shortcut setting)
Issue 6370 : Fix exception when checking for breakpoints
Issue 6381 : Proxy script return value misinterpreted in 2.10.0
Issue 6421 : Alerts related API enpoints might return malformed JSON
Issue 6427 : Manual Request Editor CONNECT Http Method Broken
Issue 6437 : Unable to set only breaks on message in scope
Issue 6508 : Detect WebSocket upgrade messages having multiple Connection directives
Issue 6512 : Buttons of Manage Tags dialog are too small
Issue 6520 : Can not scroll past 'contexts' in 'sites' tab with FlatLaf L&F
Issue 6536 : Extensions not stopped nor destroyed when add-on is uninstalled
Issue 6537 : CONNECT requests not shown in History tab
Issue 6557 : fix: HTTP Panels Font setting for dark LaFs (Theme)
Issue 6562 : Fixed regex generation for host site URLs included in context
Issue 6652 : Install missing libraries beforehand
Issue 6689 : X-ZAP-Scan-ID HTTP header is missing from some of the active scan requests
Issue 6691 : Do not add zero Content-Length by default in GET requests
Issue 6720 : Encode parameters when replacing in form auth data
Issue 6753 : Update Host header in place
Issue 6755 : Extension's errors during shutdown prevent ZAP to exit
Issue 6828 : Fix concurrency issue when downloading add-ons
Issue 6843 : Do not init extension's view if there's none

ZAP API New Endpoints:

ACTION ascan / setOptionScanNullJsonValues

Sets whether or not the active scanner should scan null JSON values.

VIEW ascan / optionScanNullJsonValues

Tells whether or not the active scanner should scan null JSON values.

ZAP API Deprecated Endpoints:

The following endpoints have been superseded by the Report Generation add-on:

OTHER core / htmlreport
OTHER core / jsonreport
OTHER core / mdreport
OTHER core / xmlreport

The following endpoint has been deprecated without replacement, it is an internal GUI property:

VIEW core / homeDirectory

	Introduction	the introduction to ZAP
	Releases	the full set of releases
	Credits	the people and groups who have made this release possible