Release 2.12.0

Network Add-On

• Proxy/Local Server Aliases
• Proxy and ZAP API are no longer tied together.
• HTTPS pass-through
• Certificate validity period configuration

Spider Add-On

Import/Export Add-On

• Import files containing URLs
• Log File Importer
• Save Raw Message
• Save XML Message

Database Add-On

The permanent database allows storing information that may be used across ZAP sessions. For example, it is used by the OAST add-on to persist BOAST payloads that can be polled in future ZAP sessions to list out-of-band interactions made to the service while ZAP wasn't running.

Multi-threaded Passive Scanner

Bit.ly Telemetry Removal

Scan Rule Promotions

The following Active scan rules have been promoted to Release status:

• .env Information Leak
• Cloud Metadata Attack
• Cross Site Scripting (DOM Based)
• GET for POST
• Heartbleed OpenSSL Vulnerability
• Hidden File Finder
• Padding Oracle
• Remote Code Execution - CVE-2012-1823
• Source Code Disclosure - CVE-2012-1823
• SQL Injection - Hypersonic (Time Based)
• SQL Injection - MsSQL (Time Based)
• SQL Injection - MySQL (Time Based)
• SQL Injection - Oracle (Time Based)
• SQL Injection - PostgreSQL (Time Based)
• SQL Injection - SQLite
• Trace.axd Information Leak
• User Agent Fuzzer
• XSLT Injection
• XXE

• Big Redirects Detected
• Directory Browsing
• Hash Disclosure
• Heartbleed OpenSSL Vulnerability (Indicative)
• HTTP to HTTPS Insecure Transition in Form Post
• HTTPS to HTTP Insecure Transition in Form Post
• Reverse Tabnabbing
• Modern App Detection
• PII Disclosure
• Retrieved From Cache
• Server Header Info Leak
• Strict Transport Security
• User Controlled Charset
• User Controlled Cookie
• User Controlled HTML Attributes
• User Controlled Javascript Event
• User Controlled Open Redirect
• X-Backend-Server Information Leak
• X-ChromeLogger-Data Info Leak

• CORS
• Exponential Entity Expansion
• Forbidden Bypass
• Log4Shell
• Out-of-Band XSS
• Spring4Shell
• Spring Actuator
• Server Side Template Injection (Blind)
• Server Side Template Injection

• Content Cacheable
• In Page Banner Info Leak
• Dangerous JS Functions
• Java Serialization Object
• Permissions Policy Header Not Set
• Sub-Resource Integrity Attribute Missing

Dependency Updates

The following libraries were updated:

• Commons CSV, 1.8 → 1.9.0
• Commons Text, 1.9 → 1.10.0
• Flatlaf 1.6 → 2.6
• HSQLDB, 2.5.2 → 2.7.1
• Log4j 2, 2.15.0 → 2.19.0
• RSyntaxTextArea, 3.1.3 → 3.3.0
• XOM, 1.3.7 → 1.3.8

• Bouncy Castle
• Commons Validator
• Ice4j
• SQLite JDBC

• Commons XPath

Add-Ons

New Add-Ons

• Database - provides database engines and related infrastructure.
• Import/Export - Import and Export functionality.
• Requester - Allows to manually edit and send messages.
• Spider - provides traditional spider functionality.

Updated Add-Ons

Removed Add-Ons

• Import files containing URLs
• Save Raw Message
• Save XML Message

Desktop HTML Injection Fix

Enhancements

• Issue 1623 : Provide better error message when cert path validation fails
• Issue 2280 : Import Root CA certificate via API
• Issue 3113 : Move Spider to an add-on
• Issue 3594 : ZAP API Ability to specify domains/addresses that API will be served from
• Issue 4388 : Allow to configure the irrelevant parameters for the Spider
• Issue 4673 : Allow to configure validity period of generated certificates
• Issue 4788 : Persist column configuration in History tab
• Issue 6001 : Context endpoint on API does not output included and excluded technologies
• Issue 6577 : Show input vector in the alerts
• Issue 6735 : File>Open Recent>
• Issue 6832 : Support HTTPS pass-through
• Issue 6916 : Add support for mandatory add-ons
• Issue 6932 : Use new callhome add-on for CFU requests
• Issue 6940 : Report size for installed add-ons
• Issue 6942 : Remove parent nodes in param container panel
• Issue 6949 : Deprecate core endpoints related to root CA cert
• Issue 6950 : Use Network add-on to manage server certificates
• Issue 7047 : Show source of CONNECT requests as proxy
• Issue 7079 : Get False Positive count using alertCountsByRisk api
• Issue 7090 : Support Info dialog user friendliness improvements (copy button)
• Issue 7110 : Don't allow setting invalid scan policy params
• Issue 7135 : Spider: find more URLs in headers
• Issue 7142 : Spider: find more URLs in HTML
• Issue 7153 : Spider: find img longdescs
• Issue 7159 : Spider: find applet attrs, img dynsrc/lowsrc, and input src
• Issue 7160 : Spider: find object attrs, isindex action, audio src, and process form buttons
• Issue 7169 : Spider: Parse Links from embed src
• Issue 7174 : Don't log parsing exception when request with json content type has empty body
• Issue 7177 : Follow unencoded redirects
• Issue 7181 : Active Scan Analyser will now be used more often
• Issue 7190 : Populate Find dialog with selected text
• Issue 7206 : ascan, pscan: Update enable/disable API actions
• Issue 7207 : Add Auth. Issue Custom Page type and handling
• Issue 7229 : Allow to generate CSRF form with custom action through the API
• Issue 7236 : Notify listeners of all redirects followed
• Issue 7240 : Deprecate proxy.pac core endpoint
• Issue 7249 : Use latest proxy settings always
• Issue 7261 : Allow to request shutdown when executing args
• Issue 7266 : Remove single cookie request header option
• Issue 7267 : Use latest user-agent and timeout always
• Issue 7270 : Support passive scan threading
• Issue 7271 : Index Alert ID in the Alert Tags Table
• Issue 7275 : Enable reveal password functionality
• Issue 7279 : Deprecate setproxy core endpoint
• Issue 7291 : Use Network add-on to manage connection options
• Issue 7299 : Spider: find table/td background, video src/poster, and img srcset
• Issue 7300 : Confirm the deletion with the name of the context
• Issue 7302 : Clarify History Tags vs Alert Tags
• Issue 7304 : Use Network add-on to manage client certificates
• Issue 7310 : Pass Control, Model, View singletons to scripts
• Issue 7342 : Allow to hook history type info
• Issue 7352 : Reduce passive scanner logging for messages that were deleted
• Issue 7433 : deprecate: Core HAR API Endpoints
• Issue 7439 : Change auth header env vars to use ScriptVars
• Issue 7441 : Set the filename script attribute
• Issue 7443 : Attempt to provide more script error details
• Issue 7456 : Allow arbitrary HTTP versions
• Issue 7459 : Disable/deprecate the Manual Request Editor
• Issue 7463 : Add persistent callbacks
• Issue 7473 : Remove SQLite dependency
• Issue 7475 : Clear pscan queue option
• Issue 7488 : L&F which disables HTML JLabels by default
• Issue 7500 : Exclude browser/OS updates by default

Spider Add-on

Requester Add-On

The Requester tab was also updated to provide the same functionalities that the dialogues provide.

Bug fixes

• Issue 541 : Break panel icons do not resize
• Issue 5223 : Missing parts on Transfer-Encoding: chunked request
• Issue 5637 : Unable to select options panel with duplicated name
• Issue 5791 : Big messages cause GUI to freeze
• Issue 5815 : Weird delay with chunked encoding and HTTPS status 401?
• Issue 5935 : Path input vector not properly encoding values
• Issue 6509 : Passive Scan tag html_mailto performance issues
• Issue 6947 : Fix webswing detection
• Issue 6992 : Graal Engine Issue with Multi Threaded Access
• Issue 7059 : Fix Stats Concurrent access bug
• Issue 7076 : Set parent of warning messages in param dialogue
• Issue 7085 : API - Do not require Authentication Realm and use default value
• Issue 7134 : Scan Policy Manager Policy multiplies while modifying the name
• Issue 7171 : Loss of new line chars for GZIP HTTP responses returned by the API
• Issue 7221 : Default policy on start up not using edited policy rules
• Issue 7228 : Scan Rule with empty name in the Scan Progress window and Scan Policy window
• Issue 7269 : Fix get all alert tags
• Issue 7276 : Correct Enable/Disable All buttons enabled state
• Issue 7280 : Fix escaping on API param desc for setContextCheckingStrategy
• Issue 7286 : Centre dialogue on screen if no owner
• Issue 7292 : Client connection kept open longer than it should after forwarding response
• Issue 7332 : Fix PatternSyntaxException in Analyser
• Issue 7423 : `File`>`Persist Session...` should be disabled with open session
• Issue 7424 : Install/update add-ons first in automation
• Issue 7432 : sites tree: Invalidate href cache on session open
• Issue 7436 : Invalid session path causes ZAP to fail to start
• Issue 7464 : Restore component/view on configuration load
• Issue 7471 : site node: use contains check for DDN prefix
• Issue 7484 : Using the Active Scan for GET targets sends a 'Content-Length' header

ZAP API Breaking Changes:

VIEW alert / alertCountsByRisk

{"High":0,"Low":3,"Medium":0,"Informational":2,"False Positive":1}

{"High":0,"Low":3,"Medium":1,"Informational":2}

Endpoints With Response Changes

• ACTION ascan / enableScanners
• ACTION ascan / disableScanners
• ACTION ascan / setEnabledPolicies
• ACTION pscan / enableScanners
• ACTION pscan / disableScanners

ZAP API New Endpoints:

• ACTION pscan / clearQueue

ZAP API Deprecated Endpoints:

• OTHER core / messageHar
• OTHER core / messagesHar
• OTHER core / messagesHarById
• OTHER core / sendHarRequest

• ACTION core / addProxyChainExcludedDomain
• ACTION core / disableAllProxyChainExcludedDomains
• ACTION core / enableAllProxyChainExcludedDomains
• ACTION core / enablePKCS12ClientCertificate
• ACTION core / disableClientCertificate
• ACTION core / generateRootCA
• ACTION core / modifyProxyChainExcludedDomain
• ACTION core / removeProxyChainExcludedDomain
• ACTION core / setOptionDefaultUserAgent
• ACTION core / setOptionDnsTtlSuccessfulQueries
• ACTION core / setOptionHttpStateEnabled
• ACTION core / setOptionProxyChainName
• ACTION core / setOptionProxyChainPassword
• ACTION core / setOptionProxyChainPort
• ACTION core / setOptionProxyChainPrompt
• ACTION core / setOptionProxyChainRealm
• ACTION core / setOptionProxyChainSkipName
• ACTION core / setOptionProxyChainUserName
• ACTION core / setOptionSingleCookieRequestHeader
• ACTION core / setOptionTimeoutInSecs
• ACTION core / setOptionUseProxyChain
• ACTION core / setOptionUseProxyChainAuth
• ACTION core / setOptionUseSocksProxy
• ACTION localProxies / addAdditionalProxy
• ACTION localProxies / removeAdditionalProxy
• OTHER core / proxy.pac
• OTHER core / rootCaCert
• OTHER core / setproxy
• VIEW core / optionDefaultUserAgent
• VIEW core / optionDnsTtlSuccessfulQueries
• VIEW core / optionHttpState
• VIEW core / optionHttpStateEnabled
• VIEW core / optionProxyChainName
• VIEW core / optionProxyChainPassword
• VIEW core / optionProxyChainPort
• VIEW core / optionProxyChainPrompt
• VIEW core / optionProxyChainRealm
• VIEW core / optionProxyChainUserName
• VIEW core / optionSingleCookieRequestHeader
• VIEW core / optionTimeoutInSecs
• VIEW core / optionUseProxyChain
• VIEW core / optionUseProxyChainAuth
• VIEW core / optionUseSocksProxy
• VIEW core / proxyChainExcludedDomains
• VIEW localProxies / additionalProxies

Binary Incompatible Changes

• org.parosproxy.paros.common.FileXML
• org.parosproxy.paros.core.proxy.SenderThread
• org.parosproxy.paros.core.proxy.SenderThreadListener
• org.parosproxy.paros.core.proxy.StreamForwarder
• org.parosproxy.paros.core.scanner.AbstractDefaultFilePlugin
• org.parosproxy.paros.extension.history.BrowserDialog
• org.parosproxy.paros.extension.history.PopupMenuResend
• org.parosproxy.paros.extension.history.PopupMenuResendSites
• org.parosproxy.paros.model.HistoryList
• org.parosproxy.paros.model.HttpMessageList
• org.parosproxy.paros.network.ByteVector
• org.parosproxy.paros.network.ProxyExcludedDomainMatcher
• org.zaproxy.zap.extension.brk.BreakpointMessageHandler
• org.zaproxy.zap.extension.brk.ExtensionBreak$DialogType
• org.zaproxy.zap.extension.history.PopupMenuShowInHistory
• org.zaproxy.zap.extension.stdmenus.PopupMenuSpiderContext
• org.zaproxy.zap.extension.stdmenus.PopupMenuSpiderContextAsUser
• org.zaproxy.zap.extension.stdmenus.PopupMenuSpiderDialog
• org.zaproxy.zap.extension.stdmenus.PopupMenuSpiderScope
• org.zaproxy.zap.extension.stdmenus.PopupMenuSpiderSite
• org.zaproxy.zap.extension.stdmenus.PopupMenuSpiderSubtree
• org.zaproxy.zap.extension.stdmenus.PopupMenuSpiderURL
• org.zaproxy.zap.extension.stdmenus.PopupMenuSpiderURLAsUser
• org.zaproxy.zap.httputils.RequestUtils
• org.zaproxy.zap.view.HistoryReferenceTableModel
• org.zaproxy.zap.view.MessagePanelsPositionController
• org.zaproxy.zap.view.PopupMenuHistoryReference
• org.zaproxy.zap.view.PopupMenuHttpMessage
• org.zaproxy.zap.view.PopupMenuSiteNode

• org.parosproxy.paros.CommandLine#getConfigs()
• org.parosproxy.paros.control.Control#createAndOpenUntitledDb()
• org.parosproxy.paros.core.proxy.ProxyParam#isModifyAcceptEncodingHeader()
• org.parosproxy.paros.core.proxy.ProxyParam#setModifyAcceptEncodingHeader(boolean)
• org.parosproxy.paros.core.scanner.Alert#getAlert()
• org.parosproxy.paros.core.scanner.Alert#getReliability()
• org.parosproxy.paros.core.scanner.Alert#setAlert(java.lang.String)
• org.parosproxy.paros.core.scanner.Alert#setDetail(java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,org.parosproxy.paros.network.HttpMessage)
• org.parosproxy.paros.core.scanner.Alert#setRiskReliability(int,int)
• org.parosproxy.paros.core.scanner.HostProcess#setPluginRequestCount(int,int)
• org.parosproxy.paros.core.scanner.HostProcess#setTestCurrentCount(org.parosproxy.paros.core.scanner.Plugin,int)
• org.parosproxy.paros.core.scanner.PluginFactory#loadedPlugin(java.lang.String)
• org.parosproxy.paros.core.scanner.PluginFactory#unloadedPlugin(java.lang.String)
• org.parosproxy.paros.core.scanner.VariantAbstractQuery#setParams(int,java.util.Map)
• org.parosproxy.paros.db.paros.ParosTableHistory#getHistoryList(long)
• org.parosproxy.paros.db.paros.ParosTableHistory#getHistoryList(long,int)
• org.parosproxy.paros.db.paros.ParosTableHistory#setHistoryTypeAsTemporary(int)
• org.parosproxy.paros.db.paros.ParosTableHistory#unsetHistoryTypeAsTemporary(int)
• org.parosproxy.paros.db.RecordAlert#getReliability()
• org.parosproxy.paros.db.RecordAlert#setReliability(int)
• org.parosproxy.paros.extension.ExtensionPopupMenuItem#isSuperMenu()
• org.parosproxy.paros.extension.history.ExtensionHistory#clearLogPanelDisplayQueue()
• org.parosproxy.paros.extension.history.LogPanel#clearDisplayQueue()
• org.parosproxy.paros.extension.history.LogPanel#LogPanel()
• org.parosproxy.paros.extension.history.LogPanel#setDisplayPanel(org.zaproxy.zap.extension.httppanel.HttpPanel,org.zaproxy.zap.extension.httppanel.HttpPanel)
• org.parosproxy.paros.extension.option.OptionsParamView#getShowMainToolbar()
• org.parosproxy.paros.extension.option.OptionsParamView#setShowMainToolbar(int)
• org.parosproxy.paros.model.Session#addGlobalExcludeURLRegexs(java.lang.String)
• org.parosproxy.paros.model.Session#setGlobalExcludeURLRegexs(java.util.List)
• org.parosproxy.paros.network.ConnectionParam#getProxyChainSkipName()
• org.parosproxy.paros.network.ConnectionParam#setProxyChainSkipName(java.lang.String)
• org.parosproxy.paros.view.AbstractFrame#loadIconImages()
• org.parosproxy.paros.view.MainFrame#changeDisplayOption(int)
• org.parosproxy.paros.view.MainFrame#MainFrame(int)
• org.parosproxy.paros.view.View#getDisplayOption()
• org.parosproxy.paros.view.View#getMessagePanelsPositionController()
• org.parosproxy.paros.view.View#setDisplayOption(int)
• org.parosproxy.paros.view.WorkbenchPanel#changeDisplayOption(int)
• org.parosproxy.paros.view.WorkbenchPanel#getTabbedOldSelect()
• org.parosproxy.paros.view.WorkbenchPanel#getTabbedOldStatus()
• org.parosproxy.paros.view.WorkbenchPanel#getTabbedOldWork()
• org.parosproxy.paros.view.WorkbenchPanel#removeSplitPaneWork()
• org.parosproxy.paros.view.WorkbenchPanel#setTabbedOldSelect(org.zaproxy.zap.view.TabbedPanel2)
• org.parosproxy.paros.view.WorkbenchPanel#setTabbedOldStatus(org.zaproxy.zap.view.TabbedPanel2)
• org.parosproxy.paros.view.WorkbenchPanel#setTabbedOldWork(org.zaproxy.zap.view.TabbedPanel2)
• org.parosproxy.paros.view.WorkbenchPanel#splitPaneWorkWithTabbedPanel(org.parosproxy.paros.view.TabbedPanel,int)
• org.parosproxy.paros.view.WorkbenchPanel#WorkbenchPanel(int)
• org.zaproxy.zap.control.AddOn#AddOn(java.io.File)
• org.zaproxy.zap.control.AddOn#AddOn(java.lang.String)
• org.zaproxy.zap.control.AddOn#canLoad()
• org.zaproxy.zap.control.AddOn#isAddOn(java.io.File)
• org.zaproxy.zap.control.AddOn#isAddOn(java.lang.String)
• org.zaproxy.zap.control.ControlOverrides#getConfigs()
• org.zaproxy.zap.control.ControlOverrides#setConfigs(java.util.Hashtable)
• org.zaproxy.zap.db.sql.SqlTableHistory#setHistoryTypeAsTemporary(int)
• org.zaproxy.zap.db.sql.SqlTableHistory#unsetHistoryTypeAsTemporary(int)
• org.zaproxy.zap.extension.api.DotNetAPIGenerator#generateCSharpFiles(java.util.List)
• org.zaproxy.zap.extension.api.GoAPIGenerator#generateGoFiles(java.util.List)
• org.zaproxy.zap.extension.api.JavaAPIGenerator#generateJavaFiles(java.util.List)
• org.zaproxy.zap.extension.api.NodeJSAPIGenerator#generateNodeJSFiles(java.util.List)
• org.zaproxy.zap.extension.api.PhpAPIGenerator#generatePhpFiles(java.util.List)
• org.zaproxy.zap.extension.api.PythonAPIGenerator#generatePythonFiles(java.util.List)
• org.zaproxy.zap.extension.api.WikiAPIGenerator#generateWikiFiles(java.util.List)
• org.zaproxy.zap.extension.ascan.ActiveScan#updatePluginRequestCounts()
• org.zaproxy.zap.extension.autoupdate.AddOnsTableModel#AddOnsTableModel(java.util.Comparator,org.zaproxy.zap.control.AddOnCollection,int)
• org.zaproxy.zap.extension.brk.ExtensionBreak#canAddBreakpoint()
• org.zaproxy.zap.extension.brk.ExtensionBreak#canEditBreakpoint()
• org.zaproxy.zap.extension.brk.ExtensionBreak#canRemoveBreakpoint()
• org.zaproxy.zap.extension.brk.ExtensionBreak#dialogClosed()
• org.zaproxy.zap.extension.brk.ExtensionBreak#dialogShown(org.zaproxy.zap.extension.brk.ExtensionBreak$DialogType)
• org.zaproxy.zap.extension.brk.ExtensionBreak#getBreakPanel()
• org.zaproxy.zap.extension.ExtensionPopupMenu#prepareShow()
• org.zaproxy.zap.extension.history.PopupMenuPurgeSites#purge(org.parosproxy.paros.model.SiteMap,org.parosproxy.paros.model.SiteNode)
• org.zaproxy.zap.extension.pscan.ExtensionPassiveScan#addPassiveScanner(java.lang.String)
• org.zaproxy.zap.extension.pscan.PassiveScanThread#PassiveScanThread( org.zaproxy.zap.extension.pscan.PassiveScannerList, org.parosproxy.paros.extension.history.ExtensionHistory, org.zaproxy.zap.extension.alert.ExtensionAlert)
• org.zaproxy.zap.extension.search.SearchPanel#SearchPanel()
• org.zaproxy.zap.extension.search.SearchPanel#setDisplayPanel(org.zaproxy.zap.extension.httppanel.HttpPanelRequest,org.zaproxy.zap.extension.httppanel.HttpPanelResponse)
• org.zaproxy.zap.extension.spider.SpiderScan#SpiderScan( org.zaproxy.zap.extension.spider.ExtensionSpider, org.zaproxy.zap.spider.SpiderParam, org.zaproxy.zap.model.Target, org.apache.commons.httpclient.URI, org.zaproxy.zap.users.User, int)
• org.zaproxy.zap.extension.spider.SpiderThread#SpiderThread( org.zaproxy.zap.extension.spider.ExtensionSpider, org.zaproxy.zap.spider.SpiderParam, java.lang.String, org.zaproxy.zap.model.ScanListenner)
• org.zaproxy.zap.spider.Spider#Spider(org.zaproxy.zap.extension.spider.ExtensionSpider,org.zaproxy.zap.spider.SpiderParam,org.parosproxy.paros.network.ConnectionParam,org.parosproxy.paros.model.Model,org.zaproxy.zap.model.Context)
• org.zaproxy.zap.spider.SpiderParam#getScope()
• org.zaproxy.zap.spider.SpiderParam#getScopeText()
• org.zaproxy.zap.spider.SpiderParam#setScopeString(java.lang.String)
• org.zaproxy.zap.view.ContextExcludePanel#getPanelName(org.zaproxy.zap.model.Context)
• org.zaproxy.zap.view.ContextIncludePanel#getPanelName(org.zaproxy.zap.model.Context)
• org.zaproxy.zap.view.MainToolbarPanel#setDisplayOption(int)
• org.zaproxy.zap.view.ScanPanel2#ScanPanel2(java.lang.String, javax.swing.ImageIcon, org.zaproxy.zap.model.ScanController, org.parosproxy.paros.common.AbstractParam)
• org.zaproxy.zap.view.TabbedPanel2#clone(org.zaproxy.zap.view.TabbedPanel2)

• org.parosproxy.paros.Constant#FILE_CONFIG_DEFAULT
• org.parosproxy.paros.Constant#VULNS_BASE
• org.parosproxy.paros.core.scanner.Alert#MSG_RELIABILITY
• org.parosproxy.paros.core.scanner.Alert#SUSPICIOUS
• org.parosproxy.paros.core.scanner.Alert#WARNING
• org.parosproxy.paros.model.HistoryReference#TYPE_RESERVED_11
• org.parosproxy.paros.view.View#DISPLAY_OPTION_BOTTOM_FULL
• org.parosproxy.paros.view.View#DISPLAY_OPTION_LEFT_FULL
• org.parosproxy.paros.view.View#DISPLAY_OPTION_TOP_FULL
• org.zaproxy.zap.extension.ascan.ActiveScanPanel#PANEL_NAME
• org.zaproxy.zap.extension.search.SearchPanel#PANEL_NAME

See Also