Release 2.7.0

This is a bug fix and enhancement release, which requires a minimum of Java 8.

Some of the more significant enhancements include:

Browser launch included by default - this allows you to launch browsers from ZAP that are preconfigured to proxy through ZAP and ignore the certificate warnings due to the ZAP root certificate.
Allow ZAP to listen on multiple addresses/ports
Support Server Name Indication
Updated NTLM engine implementation - this fixes the cases where the domain is being validated and improves interoperability with other (server) NTLM implementations
Lots of new API endpoints - see below for details

Note that if you do have any problems with this release then there is also a new 'Help/Support Info...' menu item that provides essential information about your ZAP installation which you should include with any issues you raise.

Enhancements:

Issue 1015 : Support Server Name Indication
Issue 1313 : Spider - Allow to configure the size limit of parseable responses
Issue 1604 : Import policy file via API
Issue 1620 : Add endpoint to get number of alerts grouped by risk level
Issue 1681 : Change 'Active Scan' to show the last n requests instead of the first ones
Issue 2411 : Warn if dynamic SSL root CA certificate is expired
Issue 2615 : Filtering ZAP Reports to Show High Risk Items
Issue 3040 : Export param tab contents
Issue 3101 : Allow add-ons to use Semantic Versioning
Issue 3156 : Use G1 as default garbage collector
Issue 3253 : Export URLs Per Context
Issue 3365 : Enhancement: Additional Global Exclude default patterns
Issue 3367 : Expose ZAP's home dir path through the ZAP API
Issue 3374 : Adjust to more user favorable column widths
Issue 3381 : i18n Core Extension Names
Issue 3387 : Allow esc to close AbstractFormDialog
Issue 3392 : Show all messages sent by the Spider
Issue 3395 : Add option to spider anonymously with a session
Issue 3398 : Increase limit of global script variables' value
Issue 3404 : Add new Default CSRF Token for OWASP CSRF Guard
Issue 3408 : Improve error handling when resetting the options
Issue 3443 : Expose Alerts options through the ZAP API
Issue 3446 : Enhancement: Add ability to export a Site Map via Context Menu
Issue 3457 : Allow to filter core view "urls" by base URL
Issue 3460 : Enhancement: Provide help finding the Log directory in the UI
Issue 3461 : Enhancement: Browse API Doesn't work when browser isn't using ZAP as proxy
Issue 3476 : Allow passive rules to choose the type of msgs
Issue 3481 : Export Tables via UI
Issue 3498 : Minor Enhancement: Support Same Columns in Search Results as History Tab
Issue 3500 : Allow to manage messages' tags in multiple tabs
Issue 3508 : Use newer ECMAScript engine if available
Issue 3514 : Allow to obtain multiple messages by ID
Issue 3521 : Enhancement Request: Add Filter To Passive Scan Rules Options Panel
Issue 3527 : Update baseline script to support python 3
Issue 3529 : Allow to add tags with Passive Rules
Issue 3533 : Additional Table Export Buttons
Issue 3539 : Enhancement: Collect messages to scan before active scanning
Issue 3552 : Expose message's tags through the ZAP API
Issue 3559 : ZAP API option to output report in JSON format
Issue 3574 : Show the add-on name in Extensions panel
Issue 3587 : Allow to use system's locale for formatting
Issue 3595 : Print args and error msg when failed to parse args
Issue 3599 : Always attack Data Driven Nodes
Issue 3619 : Show plugin as OFF, in policy panels, if disabled
Issue 3626 : Allow to delete messages with keyboard shortcut
Issue 3676 : Enhancement: Delete single Alert using the api
Issue 3681 : Use number spinner for connection timeout
Issue 3686 : Allow to select alert's CWE/WASC IDs and Source
Issue 3688 : Show scanner's ID/name in Alert tab
Issue 3691 : Modernized and refined HTML reports
Issue 3700 : Ensure panel with validation errors is visible
Issue 3714 : Spider - report # of new endpoints discovered
Issue 3727 : Sites Tree Alpha Sort should ignore HTTP Method
Issue 3733 : Ascan API - Return alert count for each scanner
Issue 3739 : Allow to skip pending scanners
Issue 3765 : Show alert count in Scan Progress dialogue
Issue 3769 : Add Check for Updates toolbar button
Issue 3770 : Clear dockerfiles
Issue 3782 : Add msg and alert count to active scans API view
Issue 3787 : Added passive scan timeout
Issue 3793 : Allow to filter Keyboard options panel
Issue 3808 : added bare docker image file
Issue 3810 : Add JSON output support to zap-full-scan.py
Issue 3818 : Change right-click "Resend..." to "Send to Manual Request Editor"
Issue 3836 : Allow IPv6 loopback address to access the API by default
Issue 3837 : Add anoncsrf as anticsrf token name
Issue 3851 : Spider New Scan UI Consistency
Issue 3871 : Default to checking for updates on start
Issue 3878 : Support persistent connections in the API
Issue 3910 : Allow to skip scanners through the API
Issue 3918 : improved docker file
Issue 3922 : Refactor target access in docker scripts
Issue 3931 : Minor Enhancement to Very large response body message
Issue 3977 : Include spider messages when comparing sessions
Issue 3983 : Allow ZAP to listen on multiple addresses/ports
Issue 3992 : Allow to enable code folding in body text views
Issue 3993 : Added checkbox secure to callback option dialog.
Issue 4001 : Allow to delete a Context with keyboard shortcut
Issue 4049 : Allow to delete alerts with keyboard shortcut
Issue 4053 : AlertViewPanel line wrapping
Issue 4055 : New splash screen
Issue 4061 : Update NTLM engine implementation
Issue 4063 : Validate that -cmd and -daemon are not both set
Issue 4066 : Improve error message in script API

Bug fixes:

Issue 765 : Ctrl-F key doesnt work on Resend / Manual Request Editor dialogs
Issue 1222 : False positive: XSS scanning
Issue 1984 : Alerts API should always return 'evidence' (and all other keys)
Issue 2375 : Unable to change Mode without main tool bar
Issue 2496 : ZAP only report the first alert in array
Issue 2744 : Unable to enable/disable Forced User mode without main tool bar
Issue 2756 : Class loading deadlock when loading httpsender script from API call and spidering
Issue 2989 : Redirect history not recorded when resend request
Issue 3154 : Execution Order for Plugins Displayed in Scan Progress Details, Progress Tab
Issue 3207 : History tab cleared when session persisted
Issue 3284 : Accept underscores in hostnames
Issue 3289 : Proxy excluded URLs still processed by ZAP
Issue 3350 : wrong comparison of HTTP Messages in queryEquals() method of HttpMessage class
Issue 3351 : the url disappear when i click it
Issue 3353 : ZAP API View:contextList method returns a string instead of JSON list
Issue 3359 : Missing Help details Options Connection screen
Issue 3363 : Spider Messages View Includes Underused Tags Column
Issue 3377 : ZAP can no longer load non UTF8 scripts
Issue 3382 : Fix "internal error" in ScriptAPI
Issue 3394 : Enable Session Tracking (Cookie) option not persisted
Issue 3397 : Do not uninstall a file if it no longer exists
Issue 3411 : Clear cached certs when setting Root CA cert
Issue 3440 : Log Exception when the provided config file could not be parsed
Issue 3456 : Bug: Paused Scans Wiped Out when Persisting a Session
Issue 3459 : Prescan Output is Confusing. Please Clarify.
Issue 3490 : Poor font rendering on linux
Issue 3531 : Docker scripts might get stuck on "Records to passive scan" seemingly indefinitely
Issue 3555 : Changing Session Name, doesn't Update the Window Name
Issue 3571 : Require extension's dependencies during extension loading
Issue 3590 : Set installation status to marketplace add-ons
Issue 3591 : Correctly check for add-on updates on dep calc
Issue 3620 : Return correct error on missing auth parameters
Issue 3621 : Sync HistoryReference cache in ExtensionHistory
Issue 3632 : Do not close session when changing its properties
Issue 3633 : "Generate Anti-CSRF Test Form" not working
Issue 3648 : Correct state of adv option in Spider dialogue
Issue 3667 : Markdown report heading format issue
Issue 3673 : API: sendHarRequest results in error if redirects are true
Issue 3675 : Sites tree option Show only URLs in Scope not working
Issue 3692 : zap-api-scan.py correct path handling
Issue 3696 : Correct API response for outgoing proxy changes
Issue 3703 : org.parosproxy.paros.db.DatabaseException: java.sql.SQLException: Can not issue executeUpdate() or executeLargeUpdate() for SELECTs
Issue 3711 : Session snapshots might "break" running scans
Issue 3723 : Properly reset Database options panel
Issue 3748 : Automatically skip dependent scanners
Issue 3759 : Update version check in zap.sh script for Java 9
Issue 3771 : Add-on files not updated when running newer ZAP/core version
Issue 3779 : Can't open the Resend window because of missing font
Issue 3799 : Declare ExtensionDynSSL as supporting low mem
Issue 3825 : Show error if failed to active the certificate
Issue 3827 : mysql NULL value in where in CLAUSE
Issue 3832 : Errors in Input Vector Templates
Issue 3849 : Pscanrule Content Type Missing not working with Spider messages
Issue 3854 : Error whilst using Api - ERROR ExtensionUserManagement - Unable to persist Users
Issue 3889 : Initialise the source of the Alert always
Issue 3895 : JSON Input Vector fails if string has quoted chars
Issue 3907 : Normalise form-based login URL validation/usage
Issue 3912 : VariantDirectWebRemotingQuery might hang in infinite loop
Issue 3914 : Use ZapVersions.xml file in Docker images
Issue 3927 : zap-full-scan on docker tries to reach out to external network
Issue 3955 : Database too small to handle large login request bodies
Issue 3965 : Empty Cookie header causes errors
Issue 3969 : Logged in/out indicators not persisted when cleared
Issue 4004 : zap.bat should use %USERPROFILE% instead of %HOMEDRIVE%%HOMEPATH%
Issue 4013 : Sending to the Callback Endpoint while proxying through ZAP logs an error
Issue 4014 : Issue when attempting to ignore all rules for a URL
Issue 4028 : Warn when check for updates fails
Issue 4056 : Use realm as domain for NTLM authentication
Issue 4065 : Deleting a parent URL in History tab should not delete all child URLs
Issue 4079 : Cookie with unknown path is falsely rejected by ZAP

ZAP API Breaking Changes:

ACTION authentication / setAuthenticationMethod

The authentication type "formBasedAuthentication" will now require the login URL always in encoded form. The change ensures the login URL is used/sent as it was specified. Previously it would accept partially encoded URLs but they would be re-encoded when used, potentially leading to a different URL being used/sent.

VIEW context / contextList

This change will break the consumers that were manually parsing/extracting the names from the string. The structure of the data returned was changed to properly separate each name:


{"contextList":["Context 1","Context 2"]}

and:


<contextList type="list">
    <contextName>Context 1</contextName>
    <contextName>Context 2</contextName>
</contextList>

instead of:


{"contextList":"[Context 1, Context 2]"}

and:


<contextList>[Context 1, Context 2]</contextList>

VIEW core / setOptionUseProxyChain

Changed to return FAIL if the outgoing proxy was not enabled (because the required address/hostname was not previously set), before it would return always OK.

ZAP API Changed Endpoints:

VIEW core / alerts

Added optional riskId parameter to facilitate filtering the risk. Where riskId is in the range 0 for Informational and 3 for High.

VIEW core / numberOfAlerts

Added optional riskId parameter to facilitate filtering the risk. Where riskId is in the range 0 for Informational and 3 for High.

VIEW core / urls

Added optional baseurl parameter, to filter the URLs that are returned.

VIEW ascan / scans

Changed to also return the total number of alerts raised and messages sent during each scan.

VIEW ascan / scanProgress

Changed to also return the number of alerts raised by each scanner.

ZAP API New Endpoints:

VIEW core / alertsSummary

A new summary view for Alerts which displays counts of Alerts per Risk level. Optionally, filtered by a baseurl value.


{"High":0,"Low":132,"Medium":39,"Informational":153}

VIEW core / messagesById

Gets the HTTP messages with the given IDs.

VIEW core / messagesHarById

Gets the HTTP messages with the given IDs, in HAR format.

VIEW core / optionAlertOverridesFilePath

Gets the path to the file with alert overrides.

VIEW core / optionMaximumAlertInstances

Gets the maximum number of alert instances to include in a report.

VIEW core / optionMergeRelatedAlerts

Gets whether or not related alerts will be merged in any reports generated.

VIEW core / zapHomePath

Gets the path to ZAP's home directory.

VIEW localProxies / additionalProxies

Gets all of the additional proxies that have been configured.

VIEW spider / optionAcceptCookies

Gets whether or not a spider process should accept cookies while spidering.

ACTION core / deleteAlert

Deletes the alert with the given ID.

ACTION core / setOptionAlertOverridesFilePath

Sets (or clears, if empty) the path to the file with alert overrides.

ACTION core / setOptionMaximumAlertInstances

Sets the maximum number of alert instances to include in a report. A value of zero is treated as unlimited.

ACTION core / setOptionMergeRelatedAlerts

Sets whether or not related alerts will be merged in any reports generated.

ACTION ascan / importScanPolicy

Imports a Scan Policy using the given file system path.

ACTION ascan / skipScanner

Skips the scanner using the IDs of the scan and the scanner.

VIEW localProxies / addAdditionalProxy

Adds a new proxy using the details supplied.

VIEW localProxies / removeAdditionalProxy

Removes the additional proxy with the specified address and port.

ACTION spider / setOptionAcceptCookies

Sets whether or not a spider process should accept cookies while spidering.

Vulnerability Details

The following vulnerability has been reported in a previous version of ZAP.
Many thanks to all of the researchers who have ethically reported issues to us via our bug bounty program.
If you need more details about this vulnerability then please contact us.

Windows Uninstaller Vulnerable to DLL Hijacking

The ZAP Windows Uninstaller for 2.6.0 is vulnerable to DLL Hijacking on Windows. This was a vulnerability in the 3rd party installer Install4j which has now been fixed.
Note that this can only occur if a malicious DLL is already on the path.

Credit: Sajeeb Lohani (sml555) of Bulletproof ZDS

	Introduction	the introduction to ZAP
	Releases	the full set of releases
	Credits	the people and groups who have made this release possible