Release 2.6.0

This release contains a large number of changes, in particular to the ZAP API.
We have added a significant number of new API endpoints, working towards our goal of making ZAP completely controllable via the API. We have also changed some of the existing endpoints and in all cases these changes are backwards compatible.

The full release also includes a new JxBrowser add-on as well as platform-specific webdrivers to make it even easier to interact with ZAP through a wide variety of browsers.

API Security Changes

We have changed the API security in response to issues reported to us via our bug bounty program. Details of the vulnerabilities are given below.
The security changes are by necessity not backwards compatible, although we have included options for disabling them if you use ZAP in a safe environment.

By default all API calls now require either the API key or a nonce. These can be supplied via URL parameters, POST parameters or headers. The supported ZAP API clients (including Java and Python) have been updated to supply the API key via a header. Nonces are generated by ZAP and are intended to be used by ZAP add-ons that need to access the ZAP API. For full details see the Options API screen.

There is a set of new API options related to security:

All ZAP options can be specified via the command line when you start ZAP - see https://www.zaproxy.org/faq/why-is-an-api-key-required-by-default/ for full details.
We have also added even more security headers to the API including a strong Content Security Policy.

Enhancements

Bug fixes

ZAP API Changed Endpoints:

ACTION ascan / scan

The url parameter is now optional and an optional contextId parameter has been added. You must supply one of these.

ACTION ascan / scanAsUser

The url and contextId parameters are now optional. You must supply one of these.

ACTION ascan / addScanPolicy

Added optional alertThreshold and attackStrength parameters.

ZAP API New Endpoints:

VIEW ascan / optionMaxRuleDurationInMins

Returns the maximum time in minutes that a scan rule can run for, zero is unlimited.

VIEW ascan / optionMaxScanDurationInMins

Returns the maximum time in minutes that a full scan can run for, zero is unlimited.

ACTION ascan / setOptionMaxRuleDurationInMins

Sets the maximum time in minutes that a scan rule can run for, zero is unlimited.

ACTION ascan / setOptionMaxScanDurationInMins

Sets the maximum time in minutes that a full scan can run for, zero is unlimited.

ACTION ascan / updateScanPolicy

Updates the specified scan policy with the specified alertThreshold or attackStrength.

VIEW break / isBreakAll

Returns True if ZAP will break on both requests and responses.

VIEW break / isBreakRequest

Returns True if ZAP will break on requests.

VIEW break / isBreakResponse

Returns True if ZAP will break on responses.

VIEW break / httpMessage

Returns the HTTP message currently intercepted (if any).

ACTION break / break

Controls the global break functionality. The type may be one of: http-all, http-request or http-response. The state may be true (for turning break on for the specified type) or false (for turning break off). Scope is not currently used.

ACTION break / setHttpMessage

Overwrites the currently intercepted message with the data provided.

ACTION break / continue

Submits the currently intercepted message and unsets the global request/response breakpoints.

ACTION break / step

Submits the currently intercepted message; the next request or response will automatically be intercepted.

ACTION break / drop

Drops the currently intercepted message.

VIEW core / optionDnsTtlSuccessfulQueries

Gets the TTL (in seconds) of successful DNS queries.

ACTION core / sendRequest

Sends the HTTP request, optionally following redirections. Returns the request sent and response received and followed redirections, if any. The Mode is enforced when sending the request (and following redirections), custom manual requests are not allowed in 'Safe' mode nor in 'Protected' mode if out of scope.

ACTION core / setOptionDnsTtlSuccessfulQueries

Sets the TTL (in seconds) of successful DNS queries (applies after ZAP restart).

OTHER core / mdreport

Generates a report in Markdown format.

VIEW httpSessions / sites

Gets all of the sites that have sessions.

VIEW pscan / scanOnlyInScope

Tells whether or not the passive scan should be performed only on messages that are in scope.

ACTION pscan / setScanOnlyInScope

Sets whether or not the passive scan should be performed only on messages that are in scope.

VIEW spider / allUrls

Returns a list of unique URLs from the history table based on HTTP messages added by the Spider.

VIEW spider / optionMaxChildren

Gets the maximum number of child nodes (per node) that can be crawled, 0 means no limit.

ACTION spider / setOptionMaxChildren

Sets the maximum number of child nodes (per node) that can be crawled, 0 means no limit.
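The API key requirement described under API Security Changes, the new url/contextId rule for ascan/scan, and the break endpoints listed above, exercised from one small client. This is an added example, not ZAP's own Python client. It assumes ZAP listening on http://127.0.0.1:8080, the X-ZAP-API-Key request header as the carrier for the key, the /JSON/<component>/<action|view>/<name>/ URL layout, and the httpHeader/httpBody parameter names for setHttpMessage; none of these are stated on this page.

```python
"""Minimal client for the ZAP 2.6 JSON API.

Added example, not ZAP's own client library. Assumptions not stated in the
release notes: ZAP listens on http://127.0.0.1:8080, the API key is carried
in the X-ZAP-API-Key request header, JSON endpoints have the form
/JSON/<component>/<action|view>/<name>/, and break/setHttpMessage takes
httpHeader and httpBody parameters.
"""
import json
import urllib.parse
import urllib.request


class ZapClient:
    def __init__(self, api_key, base_url="http://127.0.0.1:8080",
                 opener=urllib.request.urlopen):
        self.api_key = api_key
        self.base_url = base_url.rstrip("/")
        # The HTTP opener is injectable so the client can be exercised offline.
        self._open = opener

    def build_request(self, component, kind, name, params=None):
        """Build a GET request for /JSON/<component>/<kind>/<name>/.

        The API key travels in a header rather than a query parameter so it
        does not end up in browser history, Referer headers or proxy logs.
        """
        url = "%s/JSON/%s/%s/%s/" % (self.base_url, component, kind, name)
        if params:
            url += "?" + urllib.parse.urlencode(params)
        return urllib.request.Request(url, headers={"X-ZAP-API-Key": self.api_key})

    def call(self, component, kind, name, params=None):
        """Send the request and decode the JSON body."""
        req = self.build_request(component, kind, name, params)
        with self._open(req) as resp:
            return json.loads(resp.read().decode("utf-8"))

    # ascan/scan: url is optional since 2.6.0, but url or contextId is required.
    def start_active_scan(self, url=None, context_id=None, **extra):
        if url is None and context_id is None:
            raise ValueError("ascan/scan needs url or contextId")
        params = dict(extra)
        if url is not None:
            params["url"] = url
        if context_id is not None:
            params["contextId"] = str(context_id)
        return self.call("ascan", "action", "scan", params)

    # break/break: global breakpoint control.
    def set_break(self, message_type="http-all", enabled=True):
        """type is http-all, http-request or http-response; state is true/false.

        The notes say scope is currently unused, so an empty value is passed
        (assumption: the parameter may still be expected by the endpoint).
        """
        if message_type not in ("http-all", "http-request", "http-response"):
            raise ValueError("unknown break type: %r" % message_type)
        return self.call("break", "action", "break",
                         {"type": message_type,
                          "state": "true" if enabled else "false",
                          "scope": ""})

    def intercepted_message(self):
        """break/httpMessage: the message currently held, if any."""
        return self.call("break", "view", "httpMessage")

    def replace_intercepted(self, http_header, http_body=""):
        """break/setHttpMessage: overwrite the held message before releasing it."""
        return self.call("break", "action", "setHttpMessage",
                         {"httpHeader": http_header, "httpBody": http_body})

    def release(self, how="continue"):
        """break/continue, break/step or break/drop."""
        if how not in ("continue", "step", "drop"):
            raise ValueError("how must be continue, step or drop")
        return self.call("break", "action", how)


if __name__ == "__main__":
    # Against a live ZAP the default urllib opener is used; the key below is a placeholder.
    zap = ZapClient("REPLACE-WITH-YOUR-API-KEY")
    zap.set_break("http-request", True)
    print(zap.intercepted_message())
```

Because the opener is injectable, the same client can be driven against a recorded response in a unit test and against a live ZAP instance in use, with the key never appearing in the request line either way.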

Vulnerability Details

The following vulnerabilities have been reported in previous versions of ZAP. Other less serious issues have also been fixed as a matter of course.
Many thanks to all of the researchers who have ethically reported these issues to us via our bug bounty program. If you need more details about any of these vulnerabilities then please contact us.

RCE via Anti CSRF Test Form and API Key Disclosure

If the user used the Anti CSRF Test Form against a specifically crafted HTML page then the API key was leaked to that site. The site could then access the ZAP API and perform any action, including uploading ZAP scripts. Scripts can only be uploaded from ‘local’ filesystems but if the user is running ZAP on Windows then the attacker can make a malicious script available via a public SMB share. This appears to ZAP to be a local file and the script is therefore uploaded and can be run via the API.
The requirement for the API key or nonce on all API operations is a direct result of this vulnerability, as is the change to add-ons to use nonces to reduce the risk of leaking the API key.

Credit: Artemy Bogdanov (@Abr1k0s)
Artemy was awarded a $1000 bug bounty as a result of this submission. This is the first bug bounty we have paid out - congratulations Artemy!

Windows Installer Vulnerable to DLL Hijacking

The ZAP Windows installers for all versions up to and including 2.5.0 are vulnerable to DLL Hijacking on Windows 7 (and earlier versions). This is a vulnerability in the third-party installer InnoSetup. The 2.6.0 installers (on all platforms) are now generated using Install4J.

If for some reason you do need to install previous versions of ZAP on Windows 7 or earlier then we recommend that you move the installer to a clean directory before running it.

Note that Burp Suite also uses Install4J, so future vulnerabilities in Install4J-generated installers may be eligible for the Burp Suite bug bounty program: https://hackerone.com/portswigger

Credit: James Kettle (Burp Suite)

Arbitrary Code Execution via Invoke Applications Parameter Injection

HTML parameters could be specifically crafted to cause arbitrary code execution if the user chose to invoke the targeted application, from within ZAP, with a request containing that parameter.
The Invoke Applications add-on has been updated to fix this issue - all ZAP users should install this new version before continuing to use the add-on.

Credit: Artemy Bogdanov (@Abr1k0s)

XSS via Anti CSRF Test Form

The Anti CSRF Test Form was vulnerable to XSS attacks if run against a specifically crafted HTML page.
The API now uses a strong Content Security Policy to prevent such issues.

Credit: g_sato - https://bugcrowd.com/g_sato

API Vulnerable to DNS Rebinding

The API was vulnerable to DNS Rebinding attacks. It now checks the host header and rejects any requests from unexpected hosts.
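The Host header check that closes this issue, in the shape a defender would write it. This is an added example, not ZAP's own implementation; the allowed host names and port are constructed values standing in for the addresses the API actually listens on.

```python
"""Host-header validation of the kind that defeats DNS rebinding.

Added example, not ZAP's own code. The allowed names below are constructed;
a real deployment would use the addresses the API actually listens on.
"""


def parse_host_header(value):
    """Split a Host header into (host, port); port is None when absent.

    Handles IPv6 literals such as "[::1]:8080" and rejects malformed values
    rather than guessing, since a lenient parser is exactly what gets probed.
    """
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, tail = value[1:end], value[end + 1:]
        if tail and not tail.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        port_str = tail[1:]
    else:
        host, _, port_str = value.partition(":")
    if not host:
        raise ValueError("empty host")
    if port_str and not port_str.isdigit():
        raise ValueError("non-numeric port")
    return host.lower(), (int(port_str) if port_str else None)


def host_header_allowed(header_value, allowed_hosts, listen_port):
    """Return True only if the Host header names an address the API listens on.

    In a rebinding attack the DNS name the victim's browser loaded is later
    pointed at 127.0.0.1, but the browser still sends that name in Host, so
    matching on the name (not on the resolved address) rejects the request.
    """
    if header_value is None:            # HTTP/1.0 request with no Host at all
        return False
    try:
        host, port = parse_host_header(header_value)
    except ValueError:
        return False
    if port is not None and port != listen_port:
        return False
    return host in {h.lower() for h in allowed_hosts}


# Constructed configuration: names under which the local API is reachable.
ALLOWED_HOSTS = ("localhost", "127.0.0.1", "zap")
LISTEN_PORT = 8080


def triage(host_headers):
    """Classify a batch of Host header values; convenient for testing the rule."""
    return {h: host_header_allowed(h, ALLOWED_HOSTS, LISTEN_PORT) for h in host_headers}


if __name__ == "__main__":
    # Constructed sample Host headers as they might arrive at the API port.
    samples = ["localhost:8080", "127.0.0.1:8080", "zap",
               "attacker.example:8080", "localhost:9090", "[::1]:8080"]
    for header, ok in triage(samples).items():
        print("%-24s %s" % (header, "accept" if ok else "reject"))
```

Note that the check compares names, not resolved addresses: a request that reaches the loopback interface with an unexpected Host value is refused even though it plainly originated on the same machine, which is the whole point against rebinding.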

Credit: Artemy Bogdanov (@Abr1k0s)

See also

    Introduction: the introduction to ZAP
    Releases: the full set of releases
    Credits: the people and groups who have made this release possible