
Zed
Patches for Zed Attack Proxy
macOS
2 patches available
Free and open source web app scanner
Zed Attack Proxy Version 2.16.1
Release Date
4/9/2025
Bug Fix?
No
Minor Release?
No
Patch Notes

Zed Attack Proxy by Checkmarx x86 Version 2.16.1
Release Date
3/25/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Release 2.16.1
This is a bug fix release, along with some minor enhancements.

This release was made possible thanks to Checkmarx who employ 3 of the Core Team to work on ZAP.

These release notes do not include all of the changes included in add-ons updated since 2.16.0.

The enhancements include:

Use Main Output Tab for Scripts
The Script Console no longer includes its own “Script Output” panel. Instead it uses the main Output tab.

Support Sub-tabs in Output Tab
The Output tab now supports sub-tabs. The Script Console add-on will add one tab for each script that generates any output, making it much easier to see where output messages come from.

API Support for Pluggable Authentication and Session Management
The API now supports pluggable Authentication and Session Management methods, which means you can configure modern options like Browser Based Authentication.

Authentication Enhancements
Many enhancements have been made to ensure ZAP handles authentication more easily and effectively, including support for TOTP.

Windows Native Decorations Support
ZAP now supports Native Decorations on Windows systems, providing a more unified and visually pleasing experience.

AJAX Spider URL Count
The AJAX Spider no longer counts URLs that are out of scope. This may affect any tests you have in place.

Dependency Updates
As usual the release includes dependency updates.

The following libraries were updated:

Commons Beanutils, 1.9.4 → 1.10.1
Commons Codec, 1.17.1 → 1.18.0
Commons Logging, 1.3.4 → 1.3.5
Commons Text, 1.12.0 → 1.13.0
log4j-1.2-api, 2.24.2 → 2.24.3
log4j-api, 2.24.2 → 2.24.3
log4j-core, 2.24.2 → 2.24.3
log4j-jul, 2.24.2 → 2.24.3
Rsyntaxtextarea, 3.5.3 → 3.6.0

Enhancements
Issue 8843 : Support CakePHP CSRF Token name
Issue 8868 : Adjust Footer Status Icons Label
Issue 8872 : Tag verification requests
Issue 8879 : Look and feel: Use native decorations on Windows
Issue 8885 : Allow API access to dynamically added Authn & Session Mgmt Method Types
Issue 8886 : Provide DB details and notify close
Issue 8892 : Add TOTP to credentials

Bug fixes
Issue 8760 : Links are unreadable in the Flat Darcula theme
Issue 8819 : Fix error when no Java version is found in zap.sh
Issue 8862 : Fix alert editing through the GUI
Zed Attack Proxy by Checkmarx x64 Version 2.16.1
Release Date
3/25/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Release 2.16.1
This is a bug fix release, along with some minor enhancements.

This release was made possible thanks to Checkmarx who employ 3 of the Core Team to work on ZAP.

These release notes do not include all of the changes included in add-ons updated since 2.16.0.

The enhancements include:

Use Main Output Tab for Scripts
The Script Console no longer includes its own “Script Output” panel. Instead it uses the main Output tab.

Support Sub-tabs in Output Tab
The Output tab now supports sub-tabs. The Script Console add-on will add one tab for each script that generates any output, making it much easier to see where output messages come from.

API Support for Pluggable Authentication and Session Management
The API now supports pluggable Authentication and Session Management methods, which means you can configure modern options like Browser Based Authentication.

Authentication Enhancements
Many enhancements have been made to ensure ZAP handles authentication more easily and effectively, including support for TOTP.

Windows Native Decorations Support
ZAP now supports Native Decorations on Windows systems, providing a more unified and visually pleasing experience.

AJAX Spider URL Count
The AJAX Spider no longer counts URLs that are out of scope. This may affect any tests you have in place.

Dependency Updates
As usual the release includes dependency updates.

The following libraries were updated:

Commons Beanutils, 1.9.4 → 1.10.1
Commons Codec, 1.17.1 → 1.18.0
Commons Logging, 1.3.4 → 1.3.5
Commons Text, 1.12.0 → 1.13.0
log4j-1.2-api, 2.24.2 → 2.24.3
log4j-api, 2.24.2 → 2.24.3
log4j-core, 2.24.2 → 2.24.3
log4j-jul, 2.24.2 → 2.24.3
Rsyntaxtextarea, 3.5.3 → 3.6.0

Enhancements
Issue 8843 : Support CakePHP CSRF Token name
Issue 8868 : Adjust Footer Status Icons Label
Issue 8872 : Tag verification requests
Issue 8879 : Look and feel: Use native decorations on Windows
Issue 8885 : Allow API access to dynamically added Authn & Session Mgmt Method Types
Issue 8886 : Provide DB details and notify close
Issue 8892 : Add TOTP to credentials

Bug fixes
Issue 8760 : Links are unreadable in the Flat Darcula theme
Issue 8819 : Fix error when no Java version is found in zap.sh
Issue 8862 : Fix alert editing through the GUI
Zed Attack Proxy Version 2.16.0
Release Date
2/17/2025
Bug Fix?
No
Minor Release?
No
Patch Notes

Zed Attack Proxy by Checkmarx x86 Version 2.16.0
Release Date
1/10/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Release 2.16.0
This is a bug fix and enhancement release. Look out for new Blog Posts and Videos which will cover some of these new features in much more depth in the coming days and weeks.

This release was made possible thanks to Checkmarx who employ 3 of the Core Team to work on ZAP.

These release notes do not include all of the changes included in add-ons updated since 2.15.0.

Some of the more significant enhancements include:

Update to a Minimum of Java 17
ZAP now requires a minimum of Java 17 to run. This allows us to use more modern Java features in the ZAP codebase.

As a result of this move scripts which use the Nashorn JavaScript engine may no longer work, because the engine is no longer present in Java 17. Any scripts configured to use Nashorn will automatically be changed to use the Graal.js JavaScript engine. However you may still need to migrate these scripts; see the Migration Guide from Nashorn to GraalJS.
Zed Attack Proxy by Checkmarx x64 Version 2.16.0
Release Date
1/10/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Release 2.16.0
This is a bug fix and enhancement release. Look out for new Blog Posts and Videos which will cover some of these new features in much more depth in the coming days and weeks.

This release was made possible thanks to Checkmarx who employ 3 of the Core Team to work on ZAP.

These release notes do not include all of the changes included in add-ons updated since 2.15.0.

Some of the more significant enhancements include:

Update to a Minimum of Java 17
ZAP now requires a minimum of Java 17 to run. This allows us to use more modern Java features in the ZAP codebase.

As a result of this move scripts which use the Nashorn JavaScript engine may no longer work, because the engine is no longer present in Java 17. Any scripts configured to use Nashorn will automatically be changed to use the Graal.js JavaScript engine. However you may still need to migrate these scripts; see the Migration Guide from Nashorn to GraalJS.
Zed Attack Proxy x86 Version 2.15.0
Release Date
5/7/2024
Bug Fix?
Yes
Minor Release?
No
Patch Notes

Release 2.15.0
This is a bug fix and enhancement release.
These release notes do not include all of the changes included in add-ons updated since 2.14.0.

This release was made possible thanks to our biggest supporter, the Crash Override.

Some of the more significant enhancements include:
Zed Attack Proxy x64 Version 2.15.0
Release Date
5/7/2024
Bug Fix?
Yes
Minor Release?
No
Patch Notes

Release 2.15.0
This is a bug fix and enhancement release.
These release notes do not include all of the changes included in add-ons updated since 2.14.0.

This release was made possible thanks to our biggest supporter, the Crash Override.

Some of the more significant enhancements include:
Zed Attack Proxy x86 Version 2.14.0
Release Date
10/12/2023
Bug Fix?
Yes
Minor Release?
No
Patch Notes

Release 2.14.0
This is a bug fix and enhancement release.
These release notes do not include all of the changes included in add-ons updated since 2.13.0.

This release was made possible thanks to our Platinum Sponsor, the Software Security Project.

Some of the more significant enhancements include:

Rebranding and Docker Hub Move
ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.

As part of that move the official ZAP Docker images are being published to the Software Security Project Docker Hub Organisation. The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.

Note that you can also pull the ZAP Docker images from GitHub Container Registry.

Host Header Manipulation
Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time! The Break, Manual Request and Requester dialogs all have a new “Update Host Header” button. This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.

ZAPit
This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified. For more details see the ZAPit help page.

API File Transfers
You can now upload and download files to and from ZAP via the API. Note that this feature is disabled by default as a security measure. For more details, including how to enable it, see the API help page.

Graal JS Add-on Access
Since Oracle removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support. Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.

These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP. Note that existing Nashorn scripts may need changes to work with Graal JS.

Postman Support
ZAP can now import Postman collections thanks to the new Postman add-on.

SBOMs
ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX for both the ZAP core and all of the add-ons maintained by the ZAP team. For more details see the Software Bill of Materials help page.

ZAP API OpenAPI Definition
An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients. This definition is planned to be kept up to date for the latest core and add-on releases.

Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.

ZAP Browser Extensions
The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
These are included in the new Client Side Integration add-on which supports:
* Browser Recording
* Streaming client side events to ZAP
This is not (yet) included in the main ZAP releases so you will need to download it from the Marketplace.

Dependency Updates
As usual the release includes dependency updates.

The following libraries were updated:

Commons Lang, 3.12.0 → 3.13.0
Flatlaf 3.1.1 → 3.2.1
RSyntaxTextArea, 3.3.3 → 3.3.4

The following library was added:

Log4j JUL Adapter 2.20.0

Add-Ons
New Add-Ons
The following add-ons are included by default in this release for the first time:

Postman Support - allows you to import Postman Collections.

Updated Add-Ons
All of the add-ons included by default have been updated since the last full release.

Enhancements
Issue 1926 : Remove Alerts for defined Context through ZAP API
Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
Issue 7607 : Allow to download/upload files through the ZAP API
Issue 7951 : Validate API parameter names
Issue 7984 : Allo
Zed Attack Proxy x64 Version 2.14.0
Release Date
10/12/2023
Bug Fix?
Yes
Minor Release?
No
Patch Notes

Release 2.14.0
This is a bug fix and enhancement release.
These release notes do not include all of the changes included in add-ons updated since 2.13.0.

This release was made possible thanks to our Platinum Sponsor, the Software Security Project.

Some of the more significant enhancements include:

Rebranding and Docker Hub Move
ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.

As part of that move the official ZAP Docker images are being published to the Software Security Project Docker Hub Organisation. The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.

Note that you can also pull the ZAP Docker images from GitHub Container Registry.

Host Header Manipulation
Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time! The Break, Manual Request and Requester dialogs all have a new “Update Host Header” button. This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.

ZAPit
This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified. For more details see the ZAPit help page.

API File Transfers
You can now upload and download files to and from ZAP via the API. Note that this feature is disabled by default as a security measure. For more details, including how to enable it, see the API help page.

Graal JS Add-on Access
Since Oracle removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support. Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.

These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP. Note that existing Nashorn scripts may need changes to work with Graal JS.

Postman Support
ZAP can now import Postman collections thanks to the new Postman add-on.

SBOMs
ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX for both the ZAP core and all of the add-ons maintained by the ZAP team. For more details see the Software Bill of Materials help page.

ZAP API OpenAPI Definition
An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients. This definition is planned to be kept up to date for the latest core and add-on releases.

Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.

ZAP Browser Extensions
The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
These are included in the new Client Side Integration add-on which supports:
* Browser Recording
* Streaming client side events to ZAP
This is not (yet) included in the main ZAP releases so you will need to download it from the Marketplace.

Dependency Updates
As usual the release includes dependency updates.

The following libraries were updated:

Commons Lang, 3.12.0 → 3.13.0
Flatlaf 3.1.1 → 3.2.1
RSyntaxTextArea, 3.3.3 → 3.3.4

The following library was added:

Log4j JUL Adapter 2.20.0

Add-Ons
New Add-Ons
The following add-ons are included by default in this release for the first time:

Postman Support - allows you to import Postman Collections.

Updated Add-Ons
All of the add-ons included by default have been updated since the last full release.

Enhancements
Issue 1926 : Remove Alerts for defined Context through ZAP API
Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
Issue 7607 : Allow to download/upload files through the ZAP API
Issue 7951 : Validate API parameter names
Issue 7984 : Allo
OWASP Zed Attack Proxy x86 Version 2.13.0
Release Date
7/12/2023
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Release 2.13.0
This is a bug fix and enhancement release.
These release notes do not include all of the changes included in add-ons updated since 2.12.0.

Some of the more significant enhancements include:

HTTP/2 Support
HTTP/2 is now supported, with no configuration changes required.

Please refer to the link below for more detail:
https://www.zaproxy.org/docs/desktop/releases/2.13.0/
OWASP Zed Attack Proxy x64 Version 2.13.0
Release Date
7/12/2023
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Release 2.13.0
This is a bug fix and enhancement release.
These release notes do not include all of the changes included in add-ons updated since 2.12.0.

Some of the more significant enhancements include:

HTTP/2 Support
HTTP/2 is now supported, with no configuration changes required.

If you proxy HTTP/2 traffic through ZAP then ZAP will make the same HTTP/2 requests to the target. Any tools that work on proxied requests will also automatically use HTTP/2.
OWASP Zed Attack Proxy x64 Version 2.12.0
Release Date
10/28/2022
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Release 2.12.0
This is a bug fix and enhancement release, which now requires a minimum of Java 11.
As the main zaproxy/zaproxy repo has just reached 10k stars we’re calling this the ‘Ten Thousand Star’ Release!

These release notes do not include all of the changes included in add-ons updated since 2.11.1.

Some of the more significant enhancements include:

Network Add-On
The core networking code has been replaced by a new add-on which means changes are no longer bound to core/stable releases. This add-on uses a modern network stack which will make it much easier to support modern protocols such as HTTP/2.
In addition the following features have been added:

Proxy/Local Server Aliases
Proxy and ZAP API are no longer tied together.
HTTPS pass-through
Certificate validity period configuration

Please refer to the link below for more details:
https://www.zaproxy.org/docs/desktop/releases/2.12.0/
OWASP Zed Attack Proxy x86 Version 2.12.0
Release Date
10/27/2022
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Release 2.12.0
This is a bug fix and enhancement release, which now requires a minimum of Java 11.
As the main zaproxy/zaproxy repo has just reached 10k stars we’re calling this the ‘Ten Thousand Star’ Release!

These release notes do not include all of the changes included in add-ons updated since 2.11.1.

Some of the more significant enhancements include:

Network Add-On
The core networking code has been replaced by a new add-on which means changes are no longer bound to core/stable releases. This add-on uses a modern network stack which will make it much easier to support modern protocols such as HTTP/2.
In addition the following features have been added:

Proxy/Local Server Aliases
Proxy and ZAP API are no longer tied together.
HTTPS pass-through
Certificate validity period configuration

Please refer to the link below for more detail:
https://www.zaproxy.org/docs/desktop/releases/2.12.0/
OWASP Zed Attack Proxy x86 Version 2.11.1
Release Date
12/11/2021
Bug Fix?
No
Minor Release?
No
Patch Notes

Release 2.11.1
This release includes an important security fix - users are urged to upgrade asap. For more details refer to the blog post ZAP and Log4Shell.

Changes in Bundled Libraries
The following library was updated:

Log4j 2, 2.14.1 → 2.15.0

Updated Add-Ons
All of the add-ons included by default have been updated since the last full release.
OWASP Zed Attack Proxy x64 Version 2.11.1
Release Date
12/11/2021
Bug Fix?
No
Minor Release?
No
Patch Notes

Release 2.11.1
This release includes an important security fix - users are urged to upgrade asap. For more details refer to the blog post ZAP and Log4Shell.

Changes in Bundled Libraries
The following library was updated:

Log4j 2, 2.14.1 → 2.15.0

Updated Add-Ons
All of the add-ons included by default have been updated since the last full release.