Release 2.9.0

This is a bug fix and enhancement release, which requires a minimum of Java 8. Note that a minimum of Java 11 is recommended, especially for high DPI displays.

These release notes do not include all of the changes included in add-ons updated since 2.8.0.

Some of the more significant enhancements include:

Session Management Scripts

It's now possible to define scripts which handle non standard or more complex session management.
Session Management scripts have full access to the authentication request and response and can define custom mandatory and optional parameters. An example session management script for OWASP Juice shop is provided.

Active Scan Filter

It's now possible to filter requests in Active Scan. Below are the supported criteria's:

HTTP method
Status code
Tags
URL pattern

Custom Global/Script Variables

It's now possible for scripts to share custom global/script variables, which can be of any type not just strings, for example, lists, maps, GUI models.
In JavaScript they are accessed/set as follows:


var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars")

ScriptVars.setScriptCustomVar(this.context, "var.name", {x: 1, y: 3})
print(ScriptVars.getScriptCustomVar(this.context, "var.name").y) // Prints 3

ScriptVars.setGlobalCustomVar("var.name", ["A", "B", "C", "D"])
print(ScriptVars.getGlobalCustomVar("var.name")[2]) // Prints C

Scan Rule Promotions

The following scan rules have been promoted:

Passive Scan Rules - Release

Cookie Without SameSite Attribute
Cross Domain Misconfiguration
Information Disclosure: In URL
Information Disclosure: Referrer
Information Disclosure: Suspicious Comments
Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
Timestamp Disclosure
Username Hash Found
X-AspNet-Version Response Header Scanner
X-Debug-Token Information

Filters Classes Removal

The classes/code for Filters functionality, deprecated since ZAP 2.4.0, has been removed. Add-ons that still use that will stop working.

Changes in Bundled Libraries

The following libraries were removed:

JDOM
Diff Utils

no longer in use by core, add-ons should bundle the library, if needed. The following libraries were updated:

Bouncy Castle, 1.61 → 1.64
Commons BeanUtils, 1.9.3 → 1.9.4
Commons Codec, 1.12 → 1.13
Commons CSV, 1.6 → 1.7
Commons Text, 1.6 → 1.8
HSQLDB, 2.4.1 → 2.5.0
Nashorn Sandbox, 0.1.25 → 0.1.26
RSyntaxTextArea, 3.0.3 → 3.0.4
SQLite JDBC, 3.27.2.1 → 3.28.0

Enhancements

Issue 2016 : Choose a unique port in the GUI if theres a clash
Issue 2619 : Allow add-ons to declare/bundle its dependencies
Issue 3358 : Enhancement: Options Panel Filter
Issue 3402 : Share custom variables between scripts
Issue 3491 : Feature-Request: Select Multiple Contexts
Issue 4963 : Allow to specify the URI of the login page
Issue 5278 : Ability to filter what requests the Active Scans run against
Issue 5303 : API calls for adding and changing alerts
Issue 5436 : Add new languages to context tech
Issue 5464 : Deprecate Context.getIndex and implement Context.getId
Issue 5466 : Add utility methods to Alert class
Issue 5550 : Load additional local proxies with defaults
Issue 5563 : Include Import/Online menus in Options > Keyboard
Issue 5598 : Revise site certificate validity period to 825d
Issue 5614 : Manual Request Editor Icon
Issue 5630 : Support session management scripts
Issue 5656 : Add Base64url to Encoder/Decoder Tool
Issue 5667 : Improve permissions and space handling when saving/exporting
Issue 5671 : Check for updates in daemon mode
Issue 5672 : Do not prompt to accept the license on first start
Issue 5680 : Update dependencies
Issue 5681 : Remove unused dependencies
Issue 5691 : Expose Context details to passive scan rules
Issue 5696 : Expose Context techset directly to passive scan rules
Issue 5723 : AntiCSRF Tokens Add New Defaults
Issue 5756 : HttpHeader provide List variant for getHeaders(String)
Issue 5774 : Allow to enable/disable all passive tags through the API
Issue 5779 : MacOS DMG - switch back to HFS+
Issue 5782 : Update default user agent
Issue 5785 : Add tooltip listing all proxies to the footer Primary Proxy label
Issue 5795 : Handle quoted URL in meta refresh

Bug fixes

Issue 1164 : Manual "Resend" sets cookies on response
Issue 4003 : Issues when using 'low memory' mode.
Issue 5427 : Update HTTP Protocol Version in Manual Request Editor
Issue 5449 : API not responding - Internal Error
Issue 5452 : Do not remove resource bundle of other extensions
Issue 5486 : Fix counting error in Statistics
Issue 5487 : Add saved scripts of registered script type
Issue 5490 : Anti-CSRF tokens not encoded in authentication requests
Issue 5491 : Auth request without request-target from auth script causes exceptions
Issue 5492 : Improve error handling when creating scan policies
Issue 5518 : ZAP might not use outgoing proxy authentication credentials
Issue 5585 : ZAP 2.8.1 hanging on kali
Issue 5613 : Cope with missing token in auth POST data
Issue 5619 : The -configfile option can fail with arrays
Issue 5622 : Consistent SessionTracking Button Sync
Issue 5624 : Alert parameter might not be properly loaded
Issue 5636 : script.js never served on localhost
Issue 5704 : Wait for add-ons to be installed
Issue 5743 : Find + Cancel buttons are neither centered nor flush right
Issue 5744 : Improve labels of Search menu items
Issue 5780 : Don't display messages when deleting them
Issue 5783 : Disable JAR caching by default
Issue 5794 : Correct MailTo pattern for RegexAutoTagScanner
Issue 5803 : Do not require the user password through the API

ZAP API New Endpoints:

VIEW script / globalCustomVar

Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set.

VIEW script / globalCustomVars

Gets all the global custom variables (key/value pairs, the value is the string representation).

VIEW script / scriptCustomVar

Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set.

VIEW script / scriptCustomVars

Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists.

ACTION alert / addAlert

Add an alert associated with the given message ID, with the provided details. (The ID of the created alert is returned.)

ACTION alert / updateAlert

Update the alert with the given ID, with the provided details.

ACTION pscan / disableAllTags

Disables all passive scan tags.

ACTION pscan / enableAllTags

Enables all passive scan tags.

ACTION script / clearGlobalCustomVar

Clears a global custom variable.

ACTION script / clearScriptCustomVar

Clears a script custom variable.

	Introduction	the introduction to ZAP
	Releases	the full set of releases
	Credits	the people and groups who have made this release possible