The ZAP Homepage on ZAP

Jit

Fri, 24 Feb 2023 00:00:00 +0000

ZAP has changed the adoption of security across the industry, enabling any organization to have better web application security through open source tooling. That is why after research and benchmarking Jit selected ZAP to be a critical tool in its DevSecOps orchestration platform. As a best of breed OSS DAST tool (dynamic application security testing), it provides development teams with the confidence in their application and API security, enabling them to deploy code at the velocity modern engineering organizations require.

Mon, 01 Jan 0001 00:00:00 +0000

The ZAP Project.

Access Control Status Tab

Mon, 01 Jan 0001 00:00:00 +0000

Access Control Status Tab

The Access Control Status Tab allows starting of new Access Control testing and displays the results obtained. For each User and for each URL attacked by ZAP, an entry is added with information about:

ZAP’s id of the message sent
the HTTP method used
the URL of the resource
the HTTP status code of the response
the User from whose point the resource was accessed
whether the request was identified as being authorized or not
the access rule used, which was either directly defined or inferred based on parent’s defined rules
the result obtained: successful (green check) if the access rule was followed of failed (red cross) otherwise


	Access Control Testing concepts	for a short introduction to Access Control Testing
	Access Control Context options	to learn about the related context options

Access Control Testing Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

11 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.
Maintenance changes.

10 - 2024-03-25

Changed

Update minimum ZAP version to 2.14.0.
Maintenance changes.
Link website alert pages and help (Issues 8189).
The results table now presents the same context menu as other similar tables (History, Search, etc) facilitating copying URLs, etc (Issue 8356).
Now has a table export button (Issue 8356).
Adjusted some labels/titles to use title caps (Issue 2000 & 8356).

Fixed

Now uses the General Font (Issue 8356), as set in the Display options.

9 - 2023-09-08

Added

Add OWASP Top 10 tags to the alerts raised.
The add-on now includes example alert functionality for documentation generation purposes (Issue 6119).

Changed

Update minimum ZAP version to 2.13.0.
Depend on Common Library add-on.
Use vulnerability data directly from Common Library add-on.
Maintenance changes.

8 - 2022-10-28

Changed

Maintenance changes.
Update minimum ZAP version to 2.12.0.

7 - 2021-10-07

Changed

Don’t set the font color for inherited entries (Issue 6397).
Update minimum ZAP version to 2.11.0.
Maintenance changes (some changes impact the visibility of variables and add getters/setters, which may impact third party add-ons or scripts).
Change to no longer rely on core report classes, which are going to be deleted.

6 - 2020-10-06

Added

Add API support.
Add info and repo URLs.

Changed

Update minimum ZAP version to 2.9.0.

5 - 2018-11-02

Respect the current mode and react to changes.
Dynamically unload the add-on.
Inform of running tests (e.g. on session change, add-on uninstall).
Improve error handling during test.
Tweak alerts to use Other Info field instead of Attack/Evidence.

4 - 2017-11-28

Updated for 2.7.0.

3 - 2017-11-24

Fix exception that occurred with Java 9 (Issue 3934).
Allow to copy multiple results and copy correct value from the result column.
Display correct message when the table is sorted.

2 - 2016-06-02

Fix an exception when cancelling the “Save” access control report dialogue.
Do not allow to dynamically uninstall, not yet supported.

1 - 2015-04-13

Initial version

Access Control Testing Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Active Scan

Mon, 01 Jan 0001 00:00:00 +0000

Active Scan

Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets.

Active scanning is an attack on those targets.

You should NOT use it on web applications that you do not own.

In order to facilitate identifying ZAP traffic and Web Application Firewall exceptions, ZAP is accompanied by a script “AddZapHeader.js” which can be used to add a specific header to all traffic that passes through or originates from ZAP. eg: X-ZAP-Initiator: 3

Active Scan dialog

Mon, 01 Jan 0001 00:00:00 +0000

Active Scan dialog

This dialog launches the active scanner.

Scope

The first tab allows you to select or change the starting point.
If you have more that one scan policies then you will be able to select the one to use.
If the starting point is in one or more Contexts then you will be able to choose one of them.
If that context has any Users defined then you will be able to select one of them.
If you select one of the users then the active scan will be performed as that user, with ZAP (re)authenticating as that user whenever necessary.

Active scanner rules (alpha) Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

55 - 2025-12-30

Added

The following scan rule was added, having been demoted from Release:
- SQL Injection - SQLite (Time Based)

54 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.
Address redirections in references.

Removed

The following scan rules were removed, having been promoted to Beta:
- NoSQL Injection - MongoDB
- NoSQL Injection - MongoDB (Time Based)

53 - 2025-11-04

Added

SYSTEMIC tag to selected rules.

Changed

The Web Cache Deception scan rule now includes example alert functionality for documentation generation purposes (Issue 6119).
Depends on an updated version of the Common Library add-on.
Reduced usage of error level logging.

52 - 2025-10-07

Added

Suspicious Input Transformation Script Scan Rule.

Removed

The two example active scan rules were removed from this add-on and are now part of: https://github.com/zaproxy/addon-java

51 - 2025-09-18

Changed

Update alert references to latest locations to fix 404s and resolve redirections.

50 - 2025-09-02

Changed

Depends on an updated version of the Common Library add-on.

Added

Rules (as applicable) have been tagged in relation to HIPAA and PCI DSS.
The Web Cache Deception scan rule now has a CWE reference.

49 - 2025-06-20

Changed

Update minimum ZAP version to 2.16.0.
Maintenance changes.
Depends on an updated version of the Common Library add-on.

Added

All rules (except examples) have been tagged of interest to Penetration Testers.

48 - 2024-09-02

Changed

Update minimum ZAP version to 2.15.0.

Fixed

Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner.
Potential false positives in the LDAP Injection scan rule when the original message resulted in an error to start with (Issue 8519).

47 - 2024-03-28

Changed

References for the LDAP Injection scan rule’s Alerts were updated (Issue 8262).

46 - 2024-01-26

Changed

Move MongoDB time based tests to its own scan rule, NoSQL Injection - MongoDB (Time Based) with ID 90039 (Issue 7341).
Depend on newer version of Common Library add-on.

45 - 2024-01-16

Changed

Update minimum ZAP version to 2.14.0.
Depend on newer version of Common Library add-on.
Add website alert links to the help page (Issue 8189).

Fixed

Fix time-based false positives in NoSQL Injection - MongoDB scan rule.

44 - 2023-09-08

Changed

Maintenance changes.
Remove the dependency on OAST add-on, no longer required.
Depend on newer version of Common Library add-on.
Use vulnerability data directly from Common Library add-on.

43 - 2023-07-20

Changed

Update minimum ZAP version to 2.13.0.
Maintenance changes.

Removed

The following scan rules were removed, having been promoted to Beta:
- Server Side Request Forgery
- Text4shell (CVE-2022-42889)

42 - 2022-12-13

Added

LDAP protocol technology support.

Fixed

Preserve the HTTP version in Web Cache Deception scan rule.

Added

Server Side Request Forgery Scan Rule.

41 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.
The Text4shell scan rule now includes an alert tag for its CVE reference.

40 - 2022-10-19

Added

Text4shell (CVE-2022-42889) Scan Rule.

Fixed

Fix an exception in Bypassing 403 scan rule when creating example alerts.

Changed

Maintenance changes.

Removed

The following scan rules were removed, having been promoted to Beta:
- CORS
- Exponential Entity Expansion
- Forbidden Bypass
- Log4Shell
- Out-of-Band XSS
- Spring4Shell
- Spring Actuator
- Blind SSTI
- SSTI

39 - 2022-09-22

Changed

Maintenance changes.
Forbidden Bypass scan rule will now also try a bypass based on the use of a tab character.

Fixed

Fix an exception in Spring Actuator Information Leak scan rule when scanning responses without Content-Type header.
Correct path composition in Web Cache Deception scan rule.

38 - 2022-04-08

Added

Scan rules for Server Side Template Injection (Issue 2332).

37 - 2022-04-04

Added

Spring4Shell (CVE-2022-22965) Scan Rule.

Changed

The Web Cache Deception scan rule now uses a comparison mechanism which should be more performant, and will no longer scan messages which had an error response to start with (Issue 6655).

36 - 2022-02-15

Added

Out-of-band XSS Scan Rule.
Exponential Entity Expansion (Billion Laughs Attack) Scan Rule.

Changed

Improved performance of a Web Cache Deception scan rule (Issue 6655).

35 - 2022-01-07

Fixed

Log4Shell: Fixed the RMI Payloads (Issue 7002).
Log4Shell: Continue with further payloads if one payload throws an error

Changed

Log4Shell: Added detection for CVE-2021-45046

34 - 2021-12-12

Added

Log4Shell (CVE-2021-44228) Scan Rule.

Changed

Update minimum ZAP version to 2.11.1.
Depend on the OAST add-on.

33 - 2021-12-06

Changed

Fixed typo in payload in Forbidden (403) Bypass scan rule.

Added

OWASP Web Security Testing Guide v4.2 mappings where applicable.

32 - 2021-10-07

Added

Spring Boot Actuator Scan Rule.
OWASP Top Ten 2021/2017 mappings.

Changed

Maintenance changes.
Update minimum ZAP version to 2.11.0.

31 - 2021-06-17

Changed

Update links to zaproxy and zap-extensions repos.
Target 2.10 core and use new logging infrastructure (Log4j 2.x).
The LDAP Injection scan rule was modified to use:
- The Dice algorithm for calculating the match percentage, thus improving its performance.
- The URI in encoded form in alerts’ other info field.
Maintenance changes.

Added

CORS active scan rule.
Forbidden (403) Bypass scan rule.
Web Cache Deception scan rule.

Removed

Unused file, it was used by promoted scan rule.

Fixed

Correct Context check in NoSQL Injection - MongoDB scan rule.

30 - 2020-11-26

Changed

‘Hidden File Finder’ ensure that test requests are appropriately rebuilt for this scan rule (Issue 6129).
Maintenance changes.

Fixed

Terminology.
SocketTimeoutException in the LDAP Injection scan rule.

Removed

The following scan rules were removed and promoted to Beta: Cloud Meta Data, .env File, Hidden Files, XSLT Injection (Issue 6211).

29 - 2020-08-13

Changed

Maintenance changes.
‘Hidden File Finder’ will raise fewer alerts at Thresholds other than High (Issue 6116).

Fixed

Fixed Mongo DB Injection false positive (Issue 6025).

Added

‘Hidden File Finder’ added more patterns.

28 - 2020-06-01

Added

Add repo URL.
Add links to the code in the help.
Add scan rule for MongoDB (Issue 3480).
‘Hidden File Finder’ add pattern for vim_settings.xml (CVE-2019-14957).

Changed

Update minimum ZAP version to 2.9.0.
Change info URL to link to the site.
Update ZAP blog links.
Updated owasp.org references (Issue 5962).

Fixed

Fix exception when scanning a message without path with Hidden File Finder.

27 - 2019-12-16

Added

Added Hidden Files Finder (issue 4585) largely based on Snallygaster by Hanno Böck, also supports use of the Custom Payloads addon.

Removed

The following scan rules were removed in being promoted from Alpha to Beta:
- Apache Range Header DoS
- Cookie Slack Detector
- ELMAH Information Leak
- GET for POST
- .htaccess Information Leak
- HTTP Only Site
- Httpoxy - Proxy Header Misuse
- HTTPS Content Available via HTTP
- Proxy Disclosure
- Relative Path Confusion
- Source Code Disclosure - File Inclusion
- Source Code Disclosure - Git
- SQL Injection - MsSQL
- SQL Injection - SQLite
- Trace.axd Information Leak
- User Agent Fuzzer

26 - 2019-10-31

Added

Add dependency on Custom Payloads add-on. The payloads of the Test User Agent scanner are now customizable.
Added XSLT Injection Scanner (issue 3572).

Changed

Update minimum ZAP version to 2.8.0.

25 - 2019-07-11

Fixed

Fix FP in Cloud Metadata rule where no content returned.
Fix FP in Ht Access Scanner where HTML, XML, JSON or empty response is returned (Issue 5433).

24 - 2019-06-07

Fixed

Fix typo in request header used by Apache Range Header DoS.

23 - 2019-02-06

Update minimum ZAP version to 2.6.0.
Added Cloud Metadata Scanner

22 - 2018-09-27

Update minimum ZAP version to 2.5.0.
Maintenance changes.
Add active scan rule for .env files.

21 - 2018-03-20

Add .htaccess scanner (Issue 3972).
Modified trace.axd scanner to leverage new AbstractAppFilePlugin component.
Remove unnecessary help entry.
Sorted help content alphabetically, adjusted names to match scan rules, and added missing entries.

20 - 2017-11-24

Code changes for Java 9 (Issue 2602).
Correct handling of messages with empty path.
Add Get for Post Scanner.

19 - 2017-05-25

Improve error handling in some scanners.
Add MsSQL specific Injection scanner.
Issue 3441: Add proper reference links to Proxy Discovery scanner.
Issue 3279: Add ELMAH scanner.
Issue 3280: Add trace.axd scanner.

18 - 2016-10-24

Added Apache Range Header DoS (CVE-2011-3192) scanner.
Fix exception when raising a “Source Code Disclosure - File Inclusion” alert.
Adjust log levels of some scanners, from INFO to DEBUG.

17 - 2016-07-21

Added Httpoxy scanner.

16 - 2016-06-02

Deleted Integer Overflow scanner.
Issue 823: i18n (internationalise) alpha rules.
Add CWE and WASC IDs to active scanners which may have been lacking those details.
Issue 2207: Added Http Only Site Active scan rule.

15 - 2015-12-04

Update add-on’s info URL.
Added Integer Overflow scanner.
Added new scanner User Agent Fuzzer. The scanner checks for differences in response based on fuzzed User Agent.
Slightly improve performance of “Source Code Disclosure - File Inclusion”.
Demoted LDAP rule due to performance issues

14 - 2015-09-07

Deleted Format String.

13 - 2015-08-24

Updated add-on’s info URL.
Minor code changes.
Added a new scanner to search for format string errors in compiled code.
Change scanners to honour the technologies enabled (1618).

12 - 2015-04-13

Added “Relative Path Confusion” scanner
Added “Proxy Disclosure” scanner
Updated for ZAP 2.4

11 - 2014-10-20

Promoted Backup File Disclosure to beta
Promoted Cross Domain Scanner to beta
Promoted HeartBleed to beta
Promoted Insecure HTTP Method to beta
Promoted Remote Code Execution - CVE2012-1823 to beta
Promoted Shell shock to beta
Promoted Source Code Disclosure - CVE2012-1823 to beta
Promoted Source Code Disclosure - SVN to beta
Promoted Source Code Disclosure - WEB-INF to beta

10 - 2014-09-29

Improved “Shell Shock” scanner to also detect the vulnerability in PHP scripts.

9 - 2014-09-26

Added “HTTPS Content Available via HTTP” scanner. (Issue 1295)
Added “SQLite” SQL Injection scanner. (Issue 734).
Added “ShellShock” scanner. (Issue 1347)
Only show example alerts in dev mode (Issue 1349)

8 - 2014-07-24

Added “Cookie Slack Detector” scanner.
Added “Insecure HTTP Method” scanner.
Added “Source Code Disclosure - WEB-INF folder” scanner.
Added “Source Code Disclosure - CVE-2012-1823.
Added “Remote Code Execution - CVE-2012-1823.
Updated Source Code Disclosure - Git” scanner to not scan 404 URLs unless Attack Strength = High or Insane.
Updated Source Code Disclosure - SVN” scanner to not scan 404 URLs unless Attack Strength = High or Insane.
Updated Source Code Disclosure - CVE-2012-1823" scanner to not scan 404 URLs unless Attack Strength = High or Insane.

7 - 2014-06-14

Added a Example File scanner;
Added “Cross-Domain Misconfiguration” scanner.

6 - 2014-04-15

Added a Heartbleed scanner

5 - 2014-04-03

Promoted to beta XXE and Padding Oracle Plugins
Added a new Expression Language Plugin
Implemented Internationalization for ELInjection
Added ExampleSimpleActiveScanner

2 - 2013-09-11

Updated for ZAP 2.2.0

1 - 2013-05-07

First version, including persistent XSS tests

Active scanner rules (alpha) Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Active scanner rules (beta) Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

64 - 2025-12-15

Added

The following scan rules were added, having been promoted from Alpha:
- NoSQL Injection - MongoDB
- NoSQL Injection - MongoDB (Time Based)

Changed

Update minimum ZAP version to 2.17.0.

Removed

The following scan rules were removed, having been promoted to Release:
- Exponential Entity Expansion (Billion Laughs Attack)
- HTTP Only Site
- HTTPS Content Available via HTTP
- ShellShock - CVE-2014-6271

63 - 2025-11-04

Added

SYSTEMIC tag to selected rules.

Changed

Depends on an updated version of the Common Library add-on.
Reduced usage of error level logging.

62 - 2025-09-18

Added

QA CICD policy tag to selected rules.

Changed

Update alert references to latest locations to fix 404s and resolve redirections.

61 - 2025-09-10

Changed

Add alert references to CORS Header scan rule alerts (Issue 7100).

60 - 2025-09-02

Changed

Depends on an updated version of the Common Library add-on.
Add help details about behavior of scan rules which leverage OAST (Issue 8682)

Fixed

Error logs to always include stack trace.

Added

Rules (as applicable) have been tagged in relation to HIPAA and PCI DSS.
The 403 Bypass scan rule now has a CWE reference.
The Shell Shock scan rule now has the TEST_TIMING alert tag.

59 - 2025-06-20

Changed

The extension now has a user friendly name for use in the GUI.
Depends on an updated version of the Common Library add-on.

Added

All rules have been tagged of interest to Penetration Testers.

58 - 2025-03-04

Changed

Replace usage of CWE-200 for the Insecure HTTP Method scan rule (Issue 8714).
Include exception message of failed attacks in the Server Side Request Forgery scan rule.

Fixed

Address potential/theoretical reDoS issue in the Insecure HTTP Method scan rule.

57 - 2025-01-15

Changed

Update minimum ZAP version to 2.16.0.
The following scan rules now use more specific CWE IDs:
- Proxy Disclosure (Issue 8713)
- Possible Username Enumeration (Issue 8715)
Remove double dot in skipped message of scan rules that use the Active Scan OAST service.

Fixed

Address exception when scanning a message without path with Possible Username Enumeration scan rule.
The WSTG alert tags on the HTTP Only Site scan rule.

Added

Standardized Scan Policy related alert tags on various rules.

56 - 2024-09-24

Changed

Log exception details in Out of Band XSS scan rule.
Maintenance changes.
The Anti-CSRF Tokens Check scan rule now only considers GET requests at Low Threshold (Issue 7741).

Fixed

Address time-based false positives in Remote Code Execution - Shell Shock scan rule (Issue 8516).

55 - 2024-09-02

Changed

The following scan rules now include example alert functionality for documentation generation purposes (Issue 6119):
- Expression Language Injection
- Cookie Slack Detector

Fixed

Potential false positives in the Source Code Disclosure - File Inclusion scan rule when responses are empty or the original message resulted in an error to start with (Issue 8517).
A spacing/punctuation issue in the Cookie Slack Detector scan rule, whereby the Other Info field would not have a space after colons and before lists of cookie names.

54 - 2024-07-22

Changed

Update minimum ZAP version to 2.15.0.
Maintenance changes.

Fixed

Fixed regex for Relative Path Confusion, which detected absolute URL as relative.
Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner.

53 - 2024-03-28

Changed

Change links to use HTTPS in other info of Insecure HTTP Method (Issue 8262).

52 - 2024-03-25

Changed

Updated reference for scan rule: Possible Username Enumeration (Issue 8262)
Cookie Slack Detector scan rule now has a more specific CWE.
Possible Username Enumeration scan rule now includes CWE-204 as a reference link.
The following scan rules now include example alert functionality for documentation generation purposes (Issue 6119):
- Relative Path Confusion
- Integer Overflow Error

Removed

Removed HTTP only reference for scan rule: Integer Overflow Error (Issue 8262)

51 - 2024-02-16

Changed

The following scan rules now include example alert functionality for documentation generation purposes (Issue 6119):
- Backup File Disclosure
- Httpoxy - Proxy Header Misuse
- Anti-CSRF Tokens Check
- HTTP Parameter Pollution
- Cross-Domain Misconfiguration
Alerts from the HTTP Parameter Pollution scan rule are now raised with Low confidence.
Updated reference for scan rules (Issue 8262):
- Session Fixation
- Cross-Domain Misconfiguration
Add website alert links to the help page (Issue 8189).

50 - 2024-01-26

Changed

References for the following scan rules were updated (Issue 8262):
- Exponential Entity Expansion (Billion Laughs Attack)
- Relative Path Confusion
- HTTPS Content Available via HTTP
- Remote Code Execution - Shell Shock
The following scan rules now include example alert functionality for documentation generation purposes (Issue 6119):
- HTTPS Content Available via HTTP
- Remote Code Execution - Shell Shock (it now also uses Alert Refs (Issue 7100))

49 - 2024-01-16

Changed

Update minimum ZAP version to 2.14.0.
Update references for Expression Language Injection and HTTP Parameter Pollution (Issue 8262).
The Source Code Disclosure - SVN scan rule includes example alert functionality for documentation generation purposes (Issue 6119).

Removed

Help entry for the Spring Actuators scan rule (missed during previous removal/promotion).

48 - 2023-09-08

Added

The HTTP Only Site scan rule now includes example alert functionality for documentation generation purposes (Issue 6119).

Changed

Maintenance changes.
Depend on newer version of Common Library add-on.
Use vulnerability data directly from Common Library add-on.

Fixed

The Source Code Disclosure - File Inclusion alerts now consistently leverage the description and solution from the associated vulnerability details.

47 - 2023-07-20

Added

The Source Code Disclosure - File Inclusion now includes example alert functionality for documentation generation purposes (Issue 6119).
The following scan rules were added, having been promoted from Alpha:
- Server Side Request Forgery
- Text4shell (CVE-2022-42889)

Changed

Update minimum ZAP version to 2.13.0.

Removed

The following scan rules were removed, having been promoted to Release:
- Log4Shell
- Spring Actuator Information Leak
- Spring4Shell
- Server Side Template Injection
- Server Side Template Injection (Blind)
- XPath Injection

46 - 2023-05-03

Changed

Maintenance changes.
The Insecure HTTP Method Scan rule now allows PUT/PATCH methods, if they return JSON or XML data in response (Issue 7772).
The Source Code Disclosure - Git scan rule now includes example alert functionality for documentation generation purposes (Issue 6119).

45 - 2023-03-03

Changed

Maintenance changes.
The Log4Shell scan rule alerts now include Alert References and Tags.
The Spring4Shell scan rule now includes a CVE Alert Tag and reference link.

Fixed

Use same non-default port in the HTTP Only Site scan rule.

44 - 2022-12-13

Changed

Use lower case HTTP field names for compatibility with HTTP/2.

Fixed

Preserve the HTTP version in the scan rules:
- Backup File Disclosure
- Bypassing 403
- Cross-Domain Misconfiguration
- Relative Path Confusion
- Source Code Disclosure - Git
- Source Code Disclosure - SVN
- Possible Username Enumeration

43 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.
Depend on database add-on.
Maintenance changes.
Rely on Network add-on to obtain more information about socket timeouts.

Added

The following scan rules were added, having been promoted to Beta:
- CORS
- Exponential Entity Expansion
- Forbidden Bypass
- Log4Shell
- Out-of-Band XSS
- Spring4Shell
- Spring Actuator
- Blind SSTI
- SSTI

Fixed

NPE in Source Code Disclosure File Inclusion Scan Rule

Removed

The following scan rules were removed, having been promoted to Release:
- .env Information Leak
- Cloud Metadata Attack
- GET for POST
- Heartbleed OpenSSL Vulnerability
- Hidden File Finder
- Padding Oracle
- Remote Code Execution - CVE-2012-1823
- Source Code Disclosure - CVE-2012-1823
- SQL Injection - Hypersonic (Time Based)
- SQL Injection - MsSQL (Time Based)
- SQL Injection - MySQL (Time Based)
- SQL Injection - Oracle (Time Based)
- SQL Injection - PostgreSQL (Time Based)
- SQL Injection - SQLite
- Trace.axd Information Leak
- User Agent Fuzzer
- XSLT Injection
- XXE

42 - 2022-09-22

Changed

Maintenance changes.
Improved description, solution, and references for the Integer Overflow scan rule.
Added new Custom Payloads alert tag to the example alerts of the Hidden File Finder and User Agent scan rules.

Added

New User Agent strings to the User Agent fuzz scan rule.
Additional source control paths for the Hidden Files finder scan rule.

41 - 2022-06-08

Changed

Maintenance changes.
Adding more checks to Hidden File Finder scan rule.
The Cloud Metadata scan rule will now be attempted with additional payloads (using DNS not just IPs), and supporting Alibaba.

Fixed

False Positive in XSLT Injection where “Microsoft-Azure-Application-Gateway” can be returned in a 403 if the gateway detects an attack.

40 - 2022-03-15

Changed

Hidden File Finder scan rule, content checking has been added for .svn/entries as well as detection for wc.db.
Use Network add-on to detect/serve HttPoxy scan rule requests.
Maintenance changes.
The CSRF Token scan rule will now raise alerts as Medium risk (Issue 7021).

Fixed

Adapted Cloud Metadata Attack scan rule to use Custom Pages and active scan analyzer to help reduce false positives in certain cases (Issue 7033).
Generic Padding Oracle scan rule will no longer raise an alert for validation fields when the error response contains expected error patterns (Issue 6183).
Hidden File Finder no longer follows redirects when sending requests for potential hidden files which should make it less false positive prone (Issue 7036).

39 - 2021-12-13

Changed

Update minimum ZAP version to 2.11.1.
Maintenance changes.

38 - 2021-12-06

Changed

Dependency updates.
XxeScanRule: Use Out-of-band payloads in addition to existing attacks.

Added

OWASP Web Security Testing Guide v4.2 mappings where applicable.

37 - 2021-10-07

Added

OWASP Top Ten 2021/2017 mappings.

Changed

Now targeting ZAP 2.11.
Maintenance changes.
Use OAST Callbacks for the XXE Scan Rule.
Backup File Disclosure Scan Rule: When checkout a parent folder for 404 behavior assume a minimum folder name length of four to further eliminate chance of collision on short folder names (Issue 5330).

36 - 2021-09-17

Removed

Apache Range Header DoS (CVE-2011-3192) scan rule has been retired (Issue 6516)

35 - 2021-07-06

Fixed

Correct dependency requirements.

34 - 2021-06-17

Changed

Now using 2.10 logging infrastructure (Log4j 2.x).
The .env file scan rule now performs even better checks to reduce false positives (Issue 6099, 6629).
The trace.axd file scan rule now performs a content check to reduce false positives (Issue 6517).
XML External Entity Attack scan rule changed to detect a possible XML File Reflection Attack when XML validation is present. (Issue 6204)
Added/updated the details of some alerts (some changes might break Alert Filters)
- Backup File Disclosure
  - The attack, evidence, and other info will use URIs in encoded form.
- Insecure HTTP Method
  - The URI field will be in encoded form.
- Integer Overflow
  - Added evidence
- Relative Path Confusion
  - The attack and URI field will use URIs in encoded form.
- Source Code Disclosure - File Inclusion
  - The URI field will be in encoded form.
- Source Code Disclosure - Git
  - The URI field will be in encoded form.
- Source Code Disclosure - SVN
  - The URI field will be in encoded form.
- SQL Injection - Hypersonic SQL
  - The URI field will be in encoded form.
- SQL Injection - MySQL
  - The URI field will be in encoded form.
- SQL Injection - Oracle
  - The URI field will be in encoded form.
- SQL Injection - PostgreSQL
  - The URI field will be in encoded form.
- SQL Injection - SQLite
  - Evidence is now the string that was matched in the response
  - The URI field will be in encoded form.
- XPath Injection
  - Added evidence
The Source Code Disclosure - File Inclusion scan rule was modified to make use of the Dice algorithm for calculating the match percentage, thus improving its performance.
Update links to repository.
Maintenance changes.

Fixed

Add missing file, used by Hidden File Finder scan rule.
Correct Context check in scan rules:
- Session Fixation
- Possible Username Enumeration

33 - 2020-12-15

Changed

Now targeting ZAP 2.10.
The following scan rules now support Custom Page definitions:
- Hidden Files
- HTTPS as HTTP
- Insecure HTTP Methods
- Integer Overflow
- Padding Oracle
- Remove Code Execution CVE-2012-1823
- Session Fixation
- Source Code Disclosure CVE-2012-1823
- Source Code Disclosure Git
- Source Code Disclosure SVN

32 - 2020-11-26

Changed

XML External Entity Attack scan rule changed to parse response body irrespective of the HTTP response status code. (Issue 6203)
XML External Entity Attack scan rule changed to skip only Remote File Inclusion Attack when Callback extension is not available.
Maintenance changes.
The Relative Path Confusion scan rule no longer treats ‘href="#"’ as a problematic use.

Fixed

Terminology.
Correct reason shown when the XML External Entity Attack scan rule is skipped.
SocketTimeoutException in the Proxy Disclosure scan rule.

Added

The following scan rules were promoted to Beta: Cloud Meta Data, .env File, Hidden Files, XSLT Injection (Issue 6211).

Removed

The following scan rules were removed and promoted to Release: ELMAH Information Leak, .htaccess Information Leak (Issue 6211).

31 - 2020-09-02

Changed

ELMAH Information Leak ensure that test requests are appropriately rebuilt for this scan rule (Issue 6129).
SQL rules changed to double check timing attacks
Significantly reduced the number of attacks made by the SQLite rule

30 - 2020-07-23

Changed

Anti-CSRF Tokens Check address potential false positives by only analyzing HTML responses (Issue 6089).

29 - 2020-07-22

Changed

Maintenance Changes.
Backup File Disclosure: don’t raise issues for non-success codes unless at LOW threshold (Issue 6059).
ELMAH Information Leak: don’t raise issues unless content looks good unless at LOW threshold (Issue 6076).
Session Fixation scan rule fix potential false positive on session cookie HttpOnly, and Secure flags (Issue 6082).

28 - 2020-06-01

Added

Add info and repo URLs.
Add links to the code in the help.

Changed

Update minimum ZAP version to 2.9.0.
Backup File Disclosure scan rule - updated CWE to 530, added reference links to alerts, made sure WASC and CWE identifiers are included in alerts.
Maintenance changes.
Updated owasp.org references (Issue 5962).

Fixed

Use correct risk (INFO) in User Agent Fuzzer, to run later in the scan.

27 - 2019-12-16

Added

The following scan rules were promoted from Alpha to Beta:
- Apache Range Header DoS
- Cookie Slack Detector
- ELMAH Information Leak
- GET for POST
- .htaccess Information Leak
- HTTP Only Site
- Httpoxy - Proxy Header Misuse
- HTTPS Content Available via HTTP
- Proxy Disclosure
- Relative Path Confusion
- Source Code Disclosure - File Inclusion
- Source Code Disclosure - Git
- SQL Injection - MsSQL
- SQL Injection - SQLite
- Trace.axd Information Leak
- User Agent Fuzzer

Changed

Add dependency on Custom Payloads add-on.
Fixed ArrayIndexOutOfBoundsException issue in XML External Entity Attack scan rule.
- Now removes original XML header in “Local File Reflection Attack”.
Maintenance changes.
Update minimum ZAP version to 2.8.0.
Elmah scan rule updated to include a response content check, and vary alert confidence values accordingly.

26 - 2019-07-11

Fix FP in “Source Code Disclosure SVN” where the contents exactly matches, and only report issues with less evidence at a LOW threshold.
Fix NPE in “Session Fixation” scan rule when the path of the request URI is null.
Changed “Source Code Disclosure CVE20121823” to only analyze JS responses when a LOW alert threshold is used.

25 - 2019-06-07

Correct HTTP message usage in Insecure HTTP Method scanner.
Fix missing resource messages with Cross-Domain Misconfiguration scanner.
Remove Source Code Disclosure WEB-INF Scanner (promoted to release Issue 4448).
Report source code disclosure alerts at Medium instead of High
Bundle Diff Utils library instead of relying on core.

24 - 2018-07-31

Maintenance changes.
Issue 1142: Logic and alert risk ratings modified.
Correct timeout per attack strength in Heartbleed OpenSSL Vulnerability scanner.
Issue 174: Added further method checks to the Insecure HTTP Methods Scanner.
Skip “Source Code Disclosure - /WEB-INF folder” on Java 9+ (Issue 4038).
BackupFileDisclosure - Handle empty “backup” responses.

23 - 2018-01-19

At HIGH threshold only perform CSRF checks for inScope messages (Issue 1354).

22 - 2017-11-24

Fix FP in “Source Code Disclosure - /WEB-INF folder” on successful responses (Issue 3048).
Fix FP in “Integer Overflow Error” on 500 error responses (Issue 3064).
Support security annotations for forms that dont need anti-CSRF tokens.
Changed XXE rule to use new callback extension.
Notify of messages sent during Heartbleed scanning (Issue 2425).
Fix false positive in Code Disclosure - CVE-2012-1823 on image content (Issue 3846).
Fix false positive in Backup File Disclosure scanner on 403 responses (Issue 3911).
CsrfTokenScan : Keep session cookies instead of deleting all of them

21 - 2016-10-24

Support changing the length of time used in timing attacks via config options.
Support ignoring specified forms when checking for CSRF vulnerabilities.
Do not attempt to parse empty cross domain policy files.
Correct creation of attack URL in Source Code Disclosure - CVE-2012-1823.
Correct creation of attack URL in Remote Code Execution - CVE-2012-1823.
Respect OS techs included when scanning with Remote Code Execution - CVE-2012-1823.
Adjust log levels of some scanners, from INFO to DEBUG.

20 - 2016-06-02

Prevent XXE vulnerability.
Issue 2174: Adjust logging, catch specific exceptions.
Issue 2178: SQLInjectionMySQL - adjust logging, catch specific exceptions.
Issue 2179: SQLInjectionPostgresql - adjust logging, catch specific exceptions.
Issue 2272: SQLInjectionHypersonic - adjust logging, catch specific exceptions.
Issue 2177: SourceCodeDisclosureSVN - adjust logging.

19 - 2016-02-05

Adding Integer Overflow Scanner.
Issue 823: i18n (internationalise) beta active scan rules.
Issue 1713: Source Code Disclosure SVN Throws False Positive - Fixed.
Add CWE and WASC IDs to active scanners which may have been lacking those details.
Create help for scanners which were missing entries.
Issue 2180: Adjust logging, and implement plugin skip if runtime requirements not met.
Security fixes, to be detailed later.

18 - 2015-12-04

Removing Format String.
Fix unloading issue (Issue 1972).
Slightly improve performance of “LDAP Injection” and “Username Enumeration”.
Demoted LDAP rule due to performance issues

17 - 2015-09-07

Moved Format String scanner from alpha to beta.
Removing Buffer Overflow.

16 - 2015-08-24

Minor code changes.
Change scanners to honour the technologies enabled (Issue 1618).
Added Buffer Overflow scanner to beta (Issue 1605).

15 - 2015-04-13

Solved Comparison operator in XpathInjectionPlugin (Issue 1189).
Promoted Backup File Disclosure to beta
Promoted Cross Domain Scanner to beta
Promoted HeartBleed to beta
Promoted Insecure HTTP Method to beta
Promoted Remote Code Execution - CVE2012-1823 to beta
Promoted Shell shock to beta
Promoted Source Code Disclosure - CVE2012-1823 to beta
Promoted Source Code Disclosure - SVN to beta
Promoted Source Code Disclosure - WEB-INF to beta
Fixed minor regex escaping issue with Source Code Disclosure - SVN (Issue 1377)
Updated for ZAP 2.4

14 - 2014-10-20

Solved Comparison operator in XpathInjectionPlugin (Issue 1189).
Promoted Backup File Disclosure to beta
Promoted Cross Domain Scanner to beta
Promoted HeartBleed to beta
Promoted Insecure HTTP Method to beta
Promoted Remote Code Execution - CVE2012-1823 to beta
Promoted Shell shock to beta
Promoted Source Code Disclosure - CVE2012-1823 to beta
Promoted Source Code Disclosure - SVN to beta
Promoted Source Code Disclosure - WEB-INF to beta

13 - 2014-04-10

Promoted new XXE Plugin to test for remote and local XML External Entity Vulnerability.
Promoted new PaddingOracle plugin to test for possible encryption padding errors.
Promoted PXSS tests to beta.
Promoted Command Injection release.
Promoted new Expression Language Plugin to test JSP EL Injection.
Changed help file structure to support internationalisation (Issue 981).
Added content-type to help pages (Issue 1080).
Updated add-on dir structure (Issue 1113).

12 - 2014-02-15

Fixed a ClassNotFoundException while installing the add-on.
Removed the scanner “Server Side Code Injection Plugin” (promoted to “Active scanner rules” add-on).
Changed the “LDAP Injection” scanner to scan the parameters defined in the “Active Scan” options.
Updated the “LDAP Injection” scanner to perform logic-based LDAP injection vulnerability detection

11 - 2013-10-14

Corrected IDs to prevent clash

10 - 2013-09-27

Fixed various errors logged

9 - 2013-09-11

Updated to be compatible with 2.2.0

5 - 2013-06-18

Fixed NullPointerExceptions when scanning with “Anti CSRF tokens scanner”

4 - 2013-05-13

Fixed a MissingResourceException when scanning with “Anti CSRF tokens scanner”

3 - 2013-01-25

Moved SQL Injection to release, tweaked SQL timing rules names

2 - 2013-01-17

Updated to support new addon format

Active scanner rules (beta) Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Active scanner rules Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

80 - 2026-03-02

Added

Checks for cloud metadata from IBM and OpenStack.
Evidence for cloud metadata.

Changed

Update dependency.

Fixed

Cloud metadata false positives by making the evidence checks more specific.

79 - 2025-12-30

Changed

Update dependency.

Removed

The following scan rule was removed, having been demoted to Alpha:
- SQL Injection - SQLite (Time Based)

78 - 2025-12-15

Added

The following scan rules were added, having been promoted from beta:
- Exponential Entity Expansion (Billion Laughs Attack)
- HTTP Only Site
- HTTPS Content Available via HTTP
- ShellShock - CVE-2014-6271

Changed

Update dependency.
Update minimum ZAP version to 2.17.0.

77 - 2025-12-05

Fixed

React2Shell multipart boundries.

76 - 2025-12-05

Added

Remote Code Execution (React2Shell) Scan Rule (CVE-2025-55182, CVE-2025-66478)

Changed

The External Redirect scan rule has been updated to account for potential false positives involving JavaScript comments.

75 - 2025-11-04

Added

SYSTEMIC tag to selected rules.

Changed

Address potential false positives with the XSLT Injection scan rule when payloads cause a failure which may still contain the expected evidence.
Depends on an updated version of the Common Library add-on.
Reduced usage of error level logging.

74 - 2025-09-18

Added

QA CICD policy tag to selected rules.

Changed

Update alert references to latest locations to fix 404s and resolve redirections.
The SQL Injection - Oracle (Time Based) rule now uses DBMS_SESSION.SLEEP instead of an “expensive” query.

Fixed

Hidden Files rule raising false positives if server returning 200 for files that don’t exist (Issue 8434).

73 - 2025-09-02

Changed

Maintenance changes.
Depends on an updated version of the Common Library add-on.
The following scan rules and their alerts have been renamed to clarify that they’re time based (Issue 7341).
- SQL Injection - Oracle
- SQL Injection - MsSQL
- SQL Injection - MySQL
- SQL Injection - Hypersonic
- SQL Injection - SQLite
- SQL Injection - PostgreSQL
The Remote OS Command Injection scan rule has been broken into two rules; one feedback based, and one time based (Issue 7341). This includes assigning the time based rule ID 90037.
The External Redirect scan rule payload were slightly re-ordered to prioritize HTTPS variants.
For Alerts raised by the SQL Injection scan rules the Attack field values are now simply the payload, not an assembled description.
The Cross Site Scripting (Reflected) scan rule was updated to address potential false negatives when the injection context is a tag name and there is some filtering.
The Path Traversal scan rule now includes further details when directory matches are made (Issue 8379).
Add help details about behavior of scan rules which leverage OAST (Issue 8682).

Added

Rules (as applicable) have been tagged in relation to HIPAA and PCI DSS.
The Cloud Metadata Potentially Exposed scan rules now has a CWE reference.
Scan rules which execute time based attacks now include the “TEST_TIMING” alert tag.
The XPath Injection scan rule now supports error patterns provided via the Custom Payloads add-on (Issue 8958). A minimum of Custom Payloads 0.15.0 is required to take advantage of this optional functionality.

72 - 2025-06-20

Added

Some Postgres error messages in the SQL Injection scan rule.
All rules have been tagged of interest to Penetration Testers.

Changed

SQL Injection scan rule to start using ComparableResponse - part of the work to reduce False Positives.
Depends on an updated version of the Common Library add-on.
Due to it being 2025 and the mass adoption of HTTPS: De-prioritized plain HTTP payloads in the External Redirect scan rule.

Fixed

SQL Injection scan rule to treat a 500 response to an SQLi attack as a likely vulnerability.
Use location header in SQL injection response comparisons (Issue 8651).
Addressed False Negative with simple allow list handling in the External Redirect scan rule.

71 - 2025-03-04

Fixed

External Redirect scan rule to regenerate anti CSRF tokens.

70 - 2025-01-09

Changed

Update minimum ZAP version to 2.16.0.
Updated help with specific Category identifiers for use with the Custom Payloads add-on for rules:
- Hidden File Finder
- User Agent Fuzzer
Now depends on minimum Common Library version 1.29.0.
Add the OUT_OF_BAND alert tag to the following scan rules:
- Server Side Template Injection (Blind)
- XML External Entity Attack
Cloud Metadata Attack scan rule is improved to support GCP, Azure, and OCI.
Remove double dot in skipped message of a scan rule that uses the Active Scan OAST service.

Fixed

A situation where the Server-Side Template Injection (SSTI) scan rule might result in false positives related to the Go payloads (Issue 8622).
False Positives in Cloud Metadata Attack scan rule (Issue 8514).

Added

Standardized Scan Policy related alert tags on the rule.

69 - 2024-10-23

Changed

The XML External Entity Attack scan rule now include example alert functionality for documentation generation purposes (Issue 6119).

Fixed

Added more checks for valid .htaccess files to reduce false positives (Issue 7632).

68 - 2024-09-24

Changed

Maintenance changes.
The following scan rules now include example alert functionality for documentation generation purposes (Issue 6119):
- Spring Actuator
- XSLT Injection
- XPath Injection

Fixed

Address false positives with Source Code Disclosure - CVE-2012-1823 scan rule, by not scanning binary responses and responses that already contain PHP source (Issue 8638).
Cross Site Scripting Rule false positives at medium threshold by matching the expected context (Issue 8640).

67 - 2024-07-22

Changed

The following rules now includes example alert functionality for documentation generation purposes (Issue 6119), as well as now including Alert Tags (OWASP Top 10, WSTG, and updated CWE):
- Server Side Template Injection
- Server Side Template Injection (Blind)

Fixed

False positives in the Path Traversal rule.
Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner.
False Positives in the Remote File Inclusion rule (Issue 8561).

66 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.

65 - 2024-03-28

Changed

Change link to use HTTPS in other info of SQL Injection - SQLite (Issue 8262).

64 - 2024-03-25

Changed

The following scan rules now include example alert functionality for documentation generation purposes (Issue 6119):
- Source Code Disclosure - CVE-2012-1823
- Remote Code Execution - CVE-2012-1823
- Server Side Include
- Cross Site Scripting (Reflected)
The Alerts from the Remote Code Execution - CVE-2012-1823 scan rule no longer have evidence duplicated in the Other Info field.
The GET for POST scan rule now uses a different comparison mechanism which should be more tolerant of unrelated response differences.

63 - 2024-02-12

Changed

Maintenance changes.

Added

The SQL Injection scan rule now includes a MySQL/MariaDB generic error message.

62 - 2024-01-26

Changed

The Source Code Disclosure - /WEB-INF Folder rule now includes example alert functionality for documentation generation purposes (Issue 6119).

61 - 2024-01-24

Changed

Update reference for Server Side Include (Issue 8262)

Fixed

False positives on redirects for:
- Cloud Metadata (Issue 7710)
- Hidden Files

60 - 2024-01-16

Changed

Leave data empty instead of adding “N/A” for the scan rules:
- Cross Site Scripting (Persistent) - Prime
- Cross Site Scripting (Persistent) - Spider
Update reference for Server Side Code Injection (Issue 8262).
Now depends on minimum Common Library version 1.21.0.

Fixed

Threshold handling in the Hidden File Finder scan rule.
Improved the following scan rules by using time-based linear regression tests:
- Server Side Template Injection (Blind)
- SQL Injection - Hypersonic SQL
- SQL Injection - MsSQL
- SQL Injection - MySQL

Added

Help entry for the Spring Actuators scan rule (missed during previous promotion).
Website alert links to the help page (Issue 8189).
The following scan rules now include example alert functionality for documentation generation purposes (Issue 6119) and in some cases updated references (Issue 8262).
- CRLF Injection
- Remote OS Command Injection
- GET for POST
- ELMAH Information Leak
- .env Information Leak
- .htaccess Information Leak
- Trace.axd Information Leak

59 - 2023-12-07

Added

Support for mutations in reflected XSS rule.

Changed

Depend on newer version of Common Library add-on.

Fixed

Use high and low delays for linear regression time-based tests to fix false positives from delays that were smaller than normal variance in application response times, which affected Command Injection scan rule.
Improved SQL Injection - PostgreSQL (Time Based) scan rule by using time-based linear regression tests.
Catch correct context while analysing attributes instead of the last attribute where eyecatcher was reflected.

58 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.

57 - 2023-09-08

Changed

Maintenance changes.
Depend on newer version of Common Library add-on.
Use vulnerability data directly from Common Library add-on.

Fixed

False positive where linear regression time-based tests returned true when there were not enough requests for a statistically meaningful measurement.

56 - 2023-07-11

Added

The Format String Error scan rule now includes example alert functionality for documentation generation purposes (Issue 6119).
Corrected Hidden File Finder scan rule Blazor WASM config file path.
The following scan rules were added, having been promoted from Beta:
- Log4Shell
- Spring Actuator Information Leak
- Spring4Shell
- Server Side Template Injection
- Server Side Template Injection (Blind)
- XPath Injection

Changed

Update minimum ZAP version to 2.13.0.

55 - 2023-06-06

Changed

The Parameter Tamper Scan rule now includes example alert functionality for documentation generation purposes (Issue 6119)

Fixed

Fix typo in ASP payload of Server Side Code Injection scan rule.
Include complete solution of Server Side Include scan rule.
Ensure Custom Payloads support can be properly unloaded.

Added

The Hidden File Finder scan rule now check for Blazor WASM config files.

54 - 2023-05-03

Changed

Maintenance changes.

Fixed

Correct IP used for AWS/GCP in the Cloud Metadata Potentially Exposed scan rule (Issue 7829).

53 - 2023-03-03

Changed

Maintenance changes.
The SQL Injection Scan Rule filters reflected payload containing escaped characters like ‘&’ and ‘"’ before response content comparison to reduce false negatives.

52 - 2023-02-03

Changed

The following scan rules now include example alert functionality for documentation generation purposes (Issue 6119 & 7100).
- Buffer Overflow
- Cloud Metadata
- Code Injection
- Path Traversal
- Remote File Include
The Path Traversal scan rule no longer populates the Other Info field with check information, as the Alert Reference now provides that detail.
Maintenance changes.
Update dependency.
CVE-2012-1823 Remote Execution and Source Code Disclosure, and Heart Bleed scan rules now include Alert Tags for the applicable CVEs.

Fixed

A false positive that could occur in the External Redirect scan rule if the payload was included in the redirect as a param or portion of the value.

51 - 2023-01-03

Changed

Command Injection Scan Rule: Time-based blind detection heuristic has been replaced with linear regression.

Fixed

SQL rule should not target NoSQL Dbs.

Changed

Maintenance changes.

50 - 2022-12-13

Changed

The Directory Browsing scan rule now includes example alert functionality for documentation generation purposes (Issue 6119).
Use lower case HTTP field names for compatibility with HTTP/2.
Maintenance changes.

Fixed

False positive in case of javascript: protocol xss attacks, when attack payload is modified by the application (Issue 6013).
Preserve the HTTP version in the scan rules:
- Remote Code Execution - CVE-2012-1823
- Source Code Disclosure - CVE-2012-1823
- Source Code Disclosure - /WEB-INF folder

Added

The Hidden File Finder scan rule will now also check for “/_wpeprivate/config.json”.

49 - 2022-10-27

Added

The following scan rules were added, having been promoted from Beta:
- .env Information Leak
- Cloud Metadata Attack
- GET for POST
- Heartbleed OpenSSL Vulnerability
- Hidden File Finder
- Padding Oracle
- Remote Code Execution - CVE-2012-1823
- Source Code Disclosure - CVE-2012-1823
- SQL Injection - Hypersonic (Time Based)
- SQL Injection - MsSQL (Time Based)
- SQL Injection - MySQL (Time Based)
- SQL Injection - Oracle (Time Based)
- SQL Injection - PostgreSQL (Time Based)
- SQL Injection - SQLite
- Trace.axd Information Leak
- User Agent Fuzzer
- XSLT Injection
- XXE

Changed

Update minimum ZAP version to 2.12.0.
Maintenance changes.
Rely on Network add-on to obtain more information about socket timeouts.

48 - 2022-09-22

Changed

Command Injection Scan Rule: Decode HTML entities in HTML responses before attempting to search for attack validation patterns.

47 - 2022-08-16

Added

Cross Site Scripting header splitting attacks.
The External Redirect scan rule now includes alert references on Alerts, and has example alert functionality for documentation generation purposes.

Changed

Maintenance changes.
Updated the External Redirect scan rule to be more accurate.
The Reflected XSS scan rule now generates alerts for all content-types when alert threshold set to LOW. If alert threshold MEDIUM or HIGH, alerts are raised for HTML responses only.

Fixed

The Remote File Inclusion scan rule no longer follows redirects before checking the response for content indicating a vulnerability (Issue 5887).
False positive where Cross Site Scripting payloads are safely rendered in a textarea tag.
Unescaped tag end causing Cross Site Scripting rule to throw an exception.

46 - 2022-03-21

Changed

Maintenance changes.

Fixed

Fix Cross Site Scripting (Reflected) scan rule false negatives introduced in previous version.

45 - 2022-03-15

Changed

Remote OS Command Injection rule now has more information in the Other Info field to differentiate feedback-based or time-based tests
Path Traversal scan rule, updated the regex for case 5 to be case-insensitive when searching for Error or Exception in content body.
Maintenance changes.

Fixed

Server Side Code Injection scan rule, prevent use of zero when injecting ASP multiplication to avoid false positives (Issue 7107).
External Redirect scan rule to detect redirects with dots deny listed.
Cross Site Scripting (Reflected) scan rule will no longer raise an alert for unsuccessful JavaScript string injections (Issue 1641).

44 - 2022-01-13

Changed

Update minimum ZAP version to 2.11.1.
The XSS scan rule will try several different payloads if the payload is being reflected outside of any HTML tags (for example in a JSON response body).

43 - 2021-12-06

Added

OWASP Web Security Testing Guide v4.2 mappings where applicable.

42 - 2021-11-29

Changed

Command Injection scan rule will now initially attempt a simple injection without the original parameter value (Issue 6538).
Reflected XSS rule: added a generic ‘onerror’ attack and tweaked the case of the script attack

41 - 2021-10-06

Changed

Added OWASP Top Ten 2021/2017 mappings.
Update minimum ZAP version to 2.11.0.

40 - 2021-06-17

Changed

The SQL Injection scan rule will raise alerts with the URI field in encoded form.
Update links to repository.

Fixed

Correct Context check in SQL Injection scan rule.
“Source Code Disclosure - /WEB-INF folder” is no longer skipped on Java 9+ (Issue 4038).
Fix ascan rules not enforcing MaxRuleDuration when getting IOExceptions (Issue 6647).

39 - 2021-05-10

Changed

Now using 2.10 logging infrastructure (Log4j 2.x).
Maintenance changes.
The Path Traversal scan rule should now be less False Positive prone at High Threshold, one of it’s checks will now be excluded at High Threshold (Issues: 4209, 6030, 6219, 6372, and 6380).
- The Other info field of Alerts will now include a reference indicating which check the triggered alert is caused by, in order to assist in future user inquiries.
Added/updated the details of some alerts (some changes might break Alert Filters)
- Buffer Overflow
  - Includes an Attack string
  - Evidence changed from the whole request header to the specific string sought
- Code Injection
  - Includes evidence for PHP and ASP related alerts
- CRLF Injection
  - Attack and Evidence are now more specific
- Directory Browsing
  - Attack is now the URL of the request
  - Evidence added
Parameter Tampering scan rule, adjusted regular expression related to VBScript errors.
Code Injection scan rule is now using random numbers for the ASP related check.
SQL Injection scan rule now has one more payload for error based checks, and an additional SQLite related check string (Issue 6588).

Fixed

Fix XSS false positive (Issue 5958).

38 - 2020-12-15

Changed

Now targeting ZAP 2.10.
The following scan rules now support Custom Page definitions:
- Buffer Overflow
- Directory Browsing
- Format String
- Parameter Tamper
- Path Traversal
- Remote File Include
- Source Code Disclosure WEB-INF

37 - 2020-11-26

Changed

Maintenance changes.

Fixed

Terminology

Added

The following scan rules were promoted to Beta: ELMAH Information Leak, .htaccess Information Leak (Issue 6211).

36 - 2020-08-04

Changed

Maintenance changes.

35 - 2020-06-01

Changed

Update minimum ZAP version to 2.9.0.
Command Injection, Test Path Traversal, Test Cross Site ScriptV2 and Remote File Include rules are updated to include payloads for Null Byte Injection (Issue 3877).
Updated owasp.org references (Issue 5962).

Fixed

Fix typo in the help page.
Use correct risk (HIGH) in External Redirect, to run earlier in the scan.
Correct tech check in SQL Injection scan rule, which could cause it to be skipped with imported contexts (Issue 5918).

34 - 2020-01-17

Added

Add info and repo URLs.
Add links to the code in the help.

Changed

Improved PowerShell injection control patterns to reduce false positives.
Maintenance changes.
Issue 5271: Fix SQLi false positive (and potential false negative) when response bodies contain injection strings.

33 - 2019-06-07

Maintenance changes.
Promote Source Code Disclosure WEB-INF (Issue 4448).
Bundle Diff Utils library instead of relying on core.

32 - 2018-10-04

Maintenance changes.
Persistent XSS scanner updated to address various false negatives (Issue 4692).
Command Injection plugin updated to include payloads for Uninitialized environment variable WAF bypass (Issue 4968).
Correct Remote OS Command Injection to use the expected time in all time based payloads.

31 - 2018-03-05

Issue 1852: Fix reflected XSS false negative with poor quality HTML filtering.
Issue 1640: Fix reflected XSS false negative with double decoded output.
Issue 2290: Fix SQLi false negative with ODBC error message.

30 - 2018-02-06

Issue 1366: Allow SSI detection patterns to include new lines, and pre-check the original response for detection patterns to reduce false positives.
Issue 4168 and 4230: Pre-check the original response for detection patterns.

29 - 2018-01-19

Issue 3979: Fix reflected XSS in PUT response.
Issue 3978: Handle reflected XSS in JSON response.
Issue 4211: Fix false positive in FormatString scanner.

28 - 2017-11-27

Updated for 2.7.0.

27 - 2017-11-24

Issue 1365: Additional Path Traversal detection.
Correct alert’s evidence/attack of Parameter Tampering (Issue 3524).
Fix Path Traversal false positives when etc is a substring (Issue 3735).
Code changes for Java 9 (Issue 2602).
TestSQLInjection Modifications to improve handling of injected math expressions and reflected params (Issue 3139).

26 - 2017-04-06

Issue 2973: Drop suffix on *Nix Blind Command Injection time based variants to maximize compatibility.
Improve error handling in some scanners.
Support changing the length of time used in timing attacks via config options.
Issue 3065: Ensure active scanners perform initial status checks against the proper original message(s) to prevent False Negative and False Positive conditions.

25 - 2016-09-28

Issue 1211 - SQLi Scanner may raise seemingly duplicate alerts (fixed).
Use correct HTTP message and attack for alerts of “Format String Error”.
Fixed test for wrong tag in Reflected XSS rule.
Issue 1632 - False Negative XSS on injection outside of HTML tags.

24 - 2016-07-15

TestPathTraversal - catch InvalidRedirectLocationException and URIException.
TestRemoteFileInclude - adjust logging (debug not error).
Run SQL Injection if any DB tech is enabled but skip specific non-applicable error checks.
Issue 2624: Improve Error Logging in PathTraversal Plugin.

23 - 2016-06-02

Issue 823 - i18n (internationalise) release active scan rules.
Issue 2001 - Add PowerShell variants to CommandInjection Plugin.
Add CWE and WASC IDs to active scanners which may have been lacking those details.
Add missing skip/stop checks to some scanners (Issue 1734).
Remote File Include FP if original title includes ‘Google’ (Issue 2240).
Issue 2264: TestPathTraversal - adjust logging, catch specific exceptions.
Issue 2265: TestRemoteFileInclude - adjust logging, catch specific exceptions.
Issue 2266: TestCrossSiteScriptV2 - adjust logging, catch specific exceptions.
Issue 2267 & 1860: TestSQLInjection - adjust logging, catch specific exceptions.
Issue 2268: CodeInjectionPlugin - adjust logging, catch specific exceptions.
Issue 2269: BufferOverflow - adjust logging, catch specific exceptions.
Issue 2270: FormatString - adjust logging, catch specific exceptions.
Issue 2271: TestParameterTamper - adjust logging, catch specific exceptions.
Issue 1550: CommandInjectionPlugin - adjust logging, catch specific exceptions.

21 - 2015-11-19

Change Path Traversal scanner to also check HTML responses in decoded form.
Move Format String from Beta to Release.
Improve memory usage when scanning for persistent XSS vulnerabilities (Issue 1974).
Fix False Positives in Buffer Overflow.
Fixed False Positives in Format String.
Fixed incorrect i18n string being used which caused the External Redirects code to fail.

20 - 2015-09-07

Added Buffer Overflow scanner.

19 - 2015-08-24

Issue 1146: variable ‘param’ is used instead of ‘value’? in TestCrossSiteScriptV2.
Handle cases where the response is the full XSS payload.

18 - 2015-07-30

Improved “Path Traversal” scanner.
Change scanners to honour the technologies enabled.

17 - 2015-04-13

Changes to TestInjectionCRLF: address FindBugs issue, remove forced HTML elements in
references, add proper WASC ID.
Added blind command injection checks for CommandInjectionPlugin.
Upgraded to ZAP 2.4.
Issue 823: i18n active/passive scan rules.
Issue 1529: TestExternalRedirect minor performance improvement, injection generation changed to reduce collisions or false positives.
Issue 1569: TestExternalRedirect plugin ID changed from 30000 to 20019.
Issue 1499: Replace active ‘Client Browser Cache’ with passive ‘Cache Control’ rule. TestClientBrowserCache removed.
Issue 1592: CommandInjectionPlugin timing false positives

16 - 2014-07-22

Fixed bug in Persistent XSS rule (Issue 1273)

15 - 2014-05-20

Tweaked the SQLi rule to maximize vuln detection and minimize fps (Issue 1195)
Fixed XSS false positive in non URL tag attributes (Issue 964)

14 - 2014-04-10

Fix for TestRemoteFileInclude failing if Google return localized page.
Moved PXXS tests from beta.
Moved Command Injection from beta.
Reviewed and enforced the External Redirect plugin.
Removed duplicated TestRedirect plugin (it was a subset of the TestExternalRedirect one)
Changed help file structure to support internationalisation (Issue 981).
Added content-type to help pages (Issue 1080).
Updated add-on dir structure (Issue 1113).

13 - 2013-12-11

Fix for TestRemoteFileInclude failing if Google return localized page

12 - 2013-09-27

Fixed various errors logged

11 - 2013-09-11

Updated to be compatible with 2.2.0

9 - 2013-07-20

Improved the “SQL Injection” scanner with detection of parameters used in the “ORDER BY” clause of the SQL select statement;
Changed the “Session ID in URL rewrite” scanner to allow the characters “-” and “!” in “JSESSIONID” session token value.

8 - 2013-06-24

Updated language files.

7 - 2013-05-27

Updated language files.

6 - 2013-04-18

Updated for ZAP 2.1.0

5 - 2013-03-18

Modified the generic SQL Injection scanner to detect “.NET Framework Data Provider for OLE DB.” error message fragments,
added an error fragment for generic JDBC error messages,
fixed an encoding issue with special argument values,
and try both replacing and appending the parameter value when attempting to force SQL error messages.

4 - 2013-01-25

Split out Remote File Inclusions to separate rule, moved SQL Injection from beta, added ‘Reflected’ to XSS test name

3 - 2013-01-17

Updated to support new addon format

1 - 2012-12-10

Active scanner rules Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Advanced SQLInjection Scanner Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

16 - 2025-04-30

Changed

Update minimum ZAP version to 2.16.0.
Maintenance changes.
The included active scan rule has been tagged of interest to Penetration Testers.

15 - 2021-10-20

Fixed

Re-ordered variable initialization to prevent an NPE.

14 - 2021-10-07

Added

Add help and link to the code.
Add info and repo URLs.
OWASP Top Ten 2021/2017 mappings.

Fixed

Terminology

Changed

Update minimum ZAP version to 2.11.0.
Maintenance changes.
Updated owasp.org references (Issue 5962).

13 - 2019-06-07

Update minimum ZAP version to 2.5.0.
Bundle JDOM library instead of relying on core.

12 - 2017-11-27

Minor code changes.

11 - 2016-07-07

Check all DB techs when evaluating if the scanner should be run.

10 - 2016-06-02

Prevent XXE vulnerability.
Log level adjustments.
Internationalisation of scanner and alert’s data.
Check for skip/stop more often.
Added EXP error based payloads
Preserved the space in commented suffixes

9 - 2015-07-30

Split boundary and plugin definition in two different files
Updated all plugin and boundary files to the newest SQLMap database
Changed to target DB technology (Issue 1618).

8 - 2015-04-20

Improved execution time when a WAF or Reverse Proxy is in place disabling keep-alive for all request
Enforced the time based statistical model taking in account also the wait time threshold
Solved some wrong “escape” that happened on some time based SQLi
Users can specify the technology of interest, enabling or disabling them using the Advanced Active Scan tab

7 - 2015-04-13

Updated for ZAP 2.4

6 - 2014-04-10

Updated add-on dir structure (Issue 1113).

5 - 2014-02-15

Resolved some race conditions related to slow and not responding sites

4 - 2013-11-25

Solved some bugs and updated the SQLi payload configuration file

3 - 2013-09-11

Added support for HyperSQL DB

Advanced SQLInjection Scanner Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Ajax Spider Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

23.29.0 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

23.28.0 - 2025-12-03

Fixed

Correct bundled logging dependencies.

23.27.0 - 2025-11-04

Added

Spider stats.

Fixed

Correctly validate browser IDs.

23.26.0 - 2025-09-02

Added

Support for stopping the spiderAjax automation job.

23.25.0 - 2025-07-10

Fixed

Correct configuration key for Logout Avoidance (Issue 8994).
Error logs to always include stack trace.

23.24.0 - 2025-06-20

Added

Allow to configure how the scope is checked, either Flexible or Strict, to allow or not access to out of scope domains.
Allow to avoid logout elements.

Changed

Maintenance changes.

Fixed

Allow access to domains out of context (e.g. SSO) when using Client Script and Browser Based Authentication.

23.23.0 - 2025-03-25

Changed

Maintenance changes.

Fixed

Only count processed URLs. Browsers can make lots of background requests which distort the numbers.

23.22.0 - 2025-01-10

Added

Option to enable browser extensions added by other add-ons, previously they were always enabled but now the default is false.

Changed

Update minimum ZAP version to 2.16.0.
Updated automation framework documentation and templates for spiderAjax job to reflect changes to the default value of numberOfBrowsers parameter
Fields with default or missing values are omitted for the spiderAjax job in saved Automation Framework plans.
Default the number of browsers to the number of available cores.
Updated the job GUI to add an aditional “Elements” tab.

23.21.0 - 2024-09-02

Changed

Maintenance changes related to Passive Scanner add-on (Issue 7959).

23.20.0 - 2024-07-22

Fixed

Issue with browser based auth.

23.19.0 - 2024-05-07

Added

Video link in help for Automation Framework job.
Support for menu weights (Issue 8369)

Changed

Update minimum ZAP version to 2.15.0.
Maintenance changes.

Fixed

A typo in an API end-point description.

23.18.0 - 2023-11-10

Added

Add context menu item to Contexts tree to show the AJAX Spider dialogue with the selected Context.

Changed

Add icon to the Tools menu item.
Scale icons.

23.17.0 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.

Fixed

Add URL to start event.

23.16.0 - 2023-09-26

Changed

Maintenance changes.
Depend on newer versions of Automation Framework and Common Library add-ons (Related to Issue 7961).
Depend on newer version of Network add-on and allow to access the ZAP API while spidering.

23.15.0 - 2023-07-11

Added

Support for authentication handlers.

Changed

Update minimum ZAP version to 2.13.0.
Depend on newer version of Selenium add-on.
Update Crawljax to 3.7.1, to use the newer version of Selenium.

23.14.1 - 2023-06-02

Fixed

Handle job with no parameters when reading Excluded Elements (Issue 7889).

23.14.0 - 2023-05-31

Added

Allow to exclude elements from crawl (Issue 5875).
Configure logging of dependencies directly, instead of relying on core.

23.13.1 - 2023-04-05

Fixed

Honour -config arguments when applying the default allowed resources (Issue 7809).

23.13.0 - 2023-03-15

Added

Automation Framework - HTML elements to click support

Fixed

Close the AJAX Spider dialogue when uninstalling the add-on.

23.12.0 - 2023-02-23

Added

Automation Framework - inScopeOnly option

Changed

Add default Allowed Resources if none present in existing home directory when updating the add-on (Issue 7719).

23.11.0 - 2023-02-06

Changed

Maintenance changes.
Default number of threads to 2 * processor count.

Fixed

Ensure default Allowed Resources are present with a new home directory (Issue 7719).

23.10.0 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.
Maintenance changes.

23.9.0 - 2022-09-23

Changed

Maintenance changes.

Added

Support for automation monitor tests.
Added ‘runOnlyIfModern’ Automation Framework option.

Fixed

Automation Framework dialog - min numberOfBrowsers now 1.
Automation Framework job - correctly pick up URL from context.

23.8.0 - 2022-08-04

Added

Missing ‘user’ param in the Automation Framework help

Changed

Update minimum ZAP version to 2.11.1.
Use Network add-on to proxy Crawljax/browser requests.
Maintenance changes.

Fixed

Stop the spider scans when ZAP shuts down (Issue #6643).

23.7.0 - 2021-11-02

Added

Automation authentication support

Changed

Dependency updates.

23.6.0 - 2021-10-06

Changed

Update minimum ZAP version to 2.11.0.

23.5.0 - 2021-09-16

Added

Add Job Name field in AJAX Spider Automation dialogue

Fixed

Address errors when running the AJAX Spider with Automation Framework.
Fixed var support in URLs (Issue #6726)

Changed

Maintenance changes.

23.4.0 - 2021-08-05

Added

Automation Framework GUI

Changed

Now using 2.10 logging infrastructure (Log4j 2.x).
Maintenance changes.
Handle multiple context URLs in automation.

Deprecated

Automation parameters failIfFoundUrlsLessThan and warnIfFoundUrlsLessThan in favour of the spiderAjax.urls.added statistic test.

23.3.0 - 2021-03-09

Added

Initial support for the automation framework

Changed

Update minimum ZAP version to 2.10.0.

23.2.0 - 2020-11-09

Added

Allow to specify allowed resources (Issue 3236). The allowed resources are always fetched even if out of scope, allowing to include necessary resources (e.g. scripts) from 3rd-parties. By default it allows files with extension .js and .css.

Changed

Update minimum ZAP version to 2.9.0.
Maintenance changes.

Fixed

Unregister the event publisher when the add-on is uninstalled.
Persist the state of “Remove Without Confirmation” of non-default elements to click.

23.1.0 - 2020-01-17

Added

Add repo URL.

Changed

Enable websockets (Issue 4521)
Change info URL to link to the site.

23.0.0 - 2019-06-07

Correct WebDriver requester ID.
Remove unused resource messages.
Generate start and stop events.
Run with Firefox headless by default (Issue 3866).
Depend on newer version of Selenium add-on.

22 - 2018-08-08

Maintenance changes.
Add Export button to results table (Issue 4875).

21 - 2018-01-19

Reset API scan also when in daemon mode (Issue 4163).

20 - 2017-11-27

Updated for 2.7.0.

19 - 2017-11-24

Code changes for Java 9 (Issue 2602).
Fix “Internal Error” when accessing the full results API view.

18 - 2017-08-18

Update to support Selenium version 3.4.0 (Issue 3509).
Fix WebDriver process leak (Issue 3155).

17 - 2017-03-06

Show alerts/tags in the AJAX Spider tab.
Use a custom initiator ID (10) for AJAX Spider requests.
Show always the latest configured browsers in AJAX Spider dialogue (Issue 3057).
Honour global excluded URLs (Issue 3172).
Reset URL counter on session change.
Show excluded URLs in the AJAX Spider tab and through the ZAP API.
Use provided browsers from Selenium add-on.
Show messages that were not successful because of I/O errors.
Ensure New Scan button is enabled, when the mode allows it.

16 - 2016-09-05

Allow to show the AJAX Spider dialogue through Tools menu (and keyboard shortcut).
Fixed the issue that prevented the ajaxSpider from resetting the crawled url count to zero while starting a new scan (Issue 2610).
Warn always if attempting to AJAX spider “localhost” with PhantomJS.
Allow to spider a context (Issue 1955).
Allow to spider as a user (Issue 1956).
Allow to manually specify the start URL in AJAX Spider dialogue (Issue 1957).
Allow to spider just a site’s subtree (Issue 2847).

15 - 2016-06-02

Fix issue that prevented the spider from clicking all elements set in the options (Issue 2151).
Minor update in help pages.
Suppress log of innocuous warning.

14 - 2015-12-04

Issue 2102: Allow ajax spider options to be set via the API.

13 - 2015-07-30

Updated add-on’s info URL.
Changed to use the (full) URI of selected node (to be used as spider’s seed).

12 - 2015-04-13

Promoted to ‘release’ status (Issue 1326).
Set to depend on ‘Selenium’ add-on (Issue 1534).
Updated Crawljax to version 3.6 (Issue 1535).
Advanced scan dialog (Issue 1177).

11 - 2014-09-22

Exposed several Crawljax options (Issue 945).
A warning message is shown if the selected browser was not successfully started.
Disable the attack menu item “AJAX Spider Site” when the spider is running (Issue 1289).
Updated Crawljax to version 3.5.1 and Selenium which adds support for Firefox 32 (Issue 1336).
Error while updating “Ajax Spider” add-on (Issue 1337).
Allow to use PhantomJS (Issue 1338).
Allow to use Internet Explorer (Issue 1340).

10 - 2014-04-10

Updated to use the latest core changes (Issues 609 and 1102).
Changed to display the spider results in a table (Issue 503).
Moved the Ajax Spider help pages from ZAP core to the add-on (Issue 1098).
Updated add-on dir structure (Issue 1113).

9 - 2013-12-16

Added support for modes and scope (Issue 334).
Added API to control the Ajax Spider (Issue 369).
AJAX Spider will now use the HTTP authentication credentials set in “Options” > “Authentication” (Issue 584).
AJAX Spider will now use the options set in “Options” > “Connection”.
Changed to persist the configurations (Issue 678).
Changed to proxy SSL traffic (Firefox) (Issue 824).
Fixed a ChromeDriver process leak that occurred after closing the “Options” with Chrome browser selected (Issue 831).
Changed to verify and deny all requests outside of spider scope (Issue 833).
Updated Crawljax library (version 3.4) and dependencies (Issue 834).
Changed to allow to set ChromeDriver’s path through the “AJAX Spider” options (Issue 835).
Changed to automatically configure the proxy settings (Issue 836).
Changed to clear the results tab when a new spider process is started (Issue 926).
Changed to not allow to start a new spider process if one is already running (Issue 927).
Changed the AJAX Spider to listen to session changes (Issue 928).

8 - 2013-12-10

Fixed problem where self referencing links could trap the spider

7 - 2013-09-11

Updated for 2.2.0.

5 - 2013-06-02

Changed to remove the footer status label when uninstalling;
Updated Crawljax library (and its dependencies);
Fixed a NoSuchMethodError which prevented the use of “Firefox” browser;
Fixed a NoSuchMethodError which prevented the use of “HtmlUnit” browser;
Changed the selection of browsers to use radio buttons.

4 - 2013-04-18

Updated for ZAP 2.1.0

3 - 2013-01-28

Updated to Selenium 2.28.0

2 - 2013-01-17

Updated to support new addon format

1 - 2012-11-23

Ajax Spider Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Ajax Spider Automation Framework Support

Mon, 01 Jan 0001 00:00:00 +0000

Ajax Spider Automation Framework Support

This add-on supports the Automation Framework.

Job: spiderAjax

The spiderAjax job allows you to run the Ajax Spider - it is slower than the traditional spider but handles modern web applications well.

Alert Filters Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

26 - 2025-12-15

Changed

Update the automation framework template and help to include missing fields (ruleName and methods).
Update minimum ZAP version to 2.17.0.

25 - 2025-11-04

Changed

Include String as supported type for the Automation Framework alertFilter job’s ruleId field.

24 - 2025-06-20

Changed

Use the alert reference for statistics.
Workaround core issue that prevents the filters to be correctly applied (Issue 8888).

Added

Added parameter descriptions for the ZAP API.

23 - 2025-01-09

Changed

Update minimum ZAP version to 2.16.0.
Fields with default or missing values are omitted for the alertFilter job in saved Automation Framework plans.
Depend on Passive Scanner add-on (Issue 7959).

22 - 2024-10-07

Fixed

Handle deleted alerts gracefully.

21 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.

20 - 2024-04-02

Added

Video link in help for Automation Framework job.

Changed

Reword label in the automation job to prevent any confusion between the Alert Filters and the Alerts.
Maintenance changes.

19 - 2023-11-16

Changed

Allow to filter by alert reference (Issue 7438).
Allow to specify custom IDs through the GUI.
Maintenance changes.

Fixed

Do not fail to import or load a context with invalid alert filters.
Incorrect warning about ‘Unrecognised parameter’ for deleteGlobalAlerts.
Persist context filter data.

18 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.
Maintenance changes.
Depend on newer version of Automation Framework add-on for the automation job (Related to Issue 7961).

17 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.

Fixed

Allow to filter Directory Browsing (ID 0) alerts through the Automation Framework job, previously would report as a missing ID.

16 - 2023-06-12

Added

Allow to specify the HTTP method when filtering the alerts (Issue 5967).

Changed

Maintenance changes.

15 - 2023-01-03

Changed

Maintenance changes.

Fixed

Prevent exception if no display (Issue 3978).

14 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.
When the automation Job is edited via UI Dialog then the status will be set to Not started
Maintenance changes.

Fixed

Include the ID when listing scan rules, to allow to differentiate scan rules with the same name (Issue 5699).

13 - 2021-10-06

Added

Stats for alerts changed

Changed

Update minimum ZAP version to 2.11.0.

Fixed

Dialogs being shown under the owning dialog / frame.

12 - 2021-09-16

Added

Support for the Automation Framework

11 - 2021-07-29

Changed

Update minimum ZAP version to 2.10.0.
Maintenance changes.

Added

API endpoints “applyAll”, “applyContext”, and “applyGlobal” to apply enabled Alert Filters to existing alerts (Issue 5966).
API endpoints “testAll”, “testContext”, and “testGlobal” to test enabled Alert Filters against existing alerts.

10 - 2020-01-17

Added

Add info and repo URLs.

9 - 2019-09-30

Added support for parameter regex, attack and evidence strings and regexes (Issue 5574)
Added support for global alert filters (Issue 5575)
Added option to create alert filters from alert
Added options to test which alerts will apply to and to actually apply them
Removed the “Context” from the add-on name
Promote Alert Filters addon to release status

8 - 2019-06-07

Correct required state of an API parameter.
Add description to API endpoints.

7 - 2018-02-15

Fix an exception when running ZAP in daemon mode (Issue 4405).

6 - 2017-11-27

Updated for 2.7.0.

5 - 2017-11-24

Dynamically unload the add-on.
Clear filters on session changes (Issue 3683).

4 - 2017-04-03

Minor functional improvement.

3 - 2016-06-02

Various minor UI improvements

2 - 2016-03-22

Updated to use alertIds from 2.4.3+
Misc minor bug fixes
HTML report reports the filtered false positives as true results (Issue 2311)
Promoted to beta and added icon
Various minor UI improvements

1 - 2015-09-07

First version

Alert Filters Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

All In One Notes - About

Mon, 01 Jan 0001 00:00:00 +0000

All In One Notes - About

Source Code

https://github.com/zaproxy/zap-extensions/tree/main/addOns/allinonenotes

Authors

David Vassallo

All In One Notes Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

2 - 2021-10-07

Added

Add info and repo URLs.

Changed

Update minimum ZAP version to 2.11.0.
Update link to repository.
Maintenance changes.

1 - 2019-06-17

First version.

API Policy

Mon, 01 Jan 0001 00:00:00 +0000

API Policy

A policy focusing on issues likely to impact APIs and not UI.

For the list of scan rules included see the Alert Tag: POLICY_API page.

Programmatic Name: API

Return to main scan policies page.

Authentication Helper Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.37.0 - 2026-03-31

Added

Support for Microsoft login in a pop-up window

0.36.0 - 2026-03-19

Changed

Maintenance changes.

Fixed

Autodetect HTTP authentication, and added more auth diagnostics.

0.35.0 - 2026-03-02

Fixed

Exception in authentication diagnostics.
Ensure the login link verification URL has both logged in and out indicators.

Changed

Maintenance changes.

0.34.0 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

0.33.0 - 2025-12-03

Added

Handle account selection and TOTP step in Microsoft login.
Allow to include domains completely and partially out of scope in the Authentication Report.

Changed

Fail the Microsoft login if not able to perform all the expected steps.
Track GWT headers.
Handle additional exceptions when processing JSON authentication components.
Improved performance of the Session Detection scan rule.

Fixed

Do not include known authentication providers in context.
Ensure all domains accessed during authentication are included in the Authentication Report.

0.32.0 - 2025-11-07

Changed

Track authentication headers with key in the name.
No longer quote domains as these will not get counted as valid URLs in the Automation Framework.

0.31.0 - 2025-11-05

Added

Domains to auth tester.

0.30.0 - 2025-11-04

Added

Click on button when login form does not handle return in Browser Based Authentication.
Handle password fields by ID and name in Browser Based Authentication.
Check div elements when searching for login links.

Changed

Maintenance changes
Depend on newer version of Zest add-on.

Fixed

Inform when the Authentication Report being imported does not contain any diagnostics.

0.29.0 - 2025-09-18

Added

Add login word variant for Spanish.
Log exception during authentication with diagnostics enabled.
Add the statistics of the site of the verification URL to the Authentication Report.
Add Authentication Report section for the domains accessed during the authentication.

Changed

Update alert references to latest locations to fix 404 and resolve redirection.
Search also for login elements with ARIA role button.
Show always the diagnostic HTTP messages in the Sites tree and History tab when importing the Authentication Report.
Include the site in the site statistics of the Authentication Report.

Fixed

Collect the current value of the element’s attributes for the authentication diagnostics.
In the Authentication Report set authentication successful only when the login was verified with the indicators.

0.28.0 - 2025-09-02

Added

Add wait authentication step to Browser Based Authentication.
Include Web Element’s selector in the Authentication Report.
Support for tracking authentication and CSRF headers automatically for Header based auth.
Add Authentication Report section for the log file and for the Automation Framework plan.
Support for step delay in Browser Based Authentication, which replaces the auth tester “demo mode”.
Support for min wait for time in Client Script Authentication.
Allow to manage the authentication diagnostics through the GUI.

Changed

Now depends on minimum Common Library version 1.35.0 and Zest version 48.9.0.
Send the referer header on verification if set on the original request.
Removed requirement to set at least one header in the GUI for Header-Based Session Management.
Include step for errors in the authentication diagnostics.
Include messages’ RTT in the Authentication Report.
Browser based authentication to also support HTTP basic authentication for Firefox.
Verification rule to improve detection.
Add support for Microsoft login in Browser Based Authentication.
Consider login like URLs as candidates for verification URL.

Fixed

Do not fail the authentication on diagnostic errors.
Do not configure poll authentication verification without logged in indicator.
Handle errors collecting the browser storage diagnostics.
Fix proxy errors during authentication with Client Script Based Authentication.

0.27.0 - 2025-07-03

Added

Support for recorded scripts in the Authentication Tester.

Changed

Updated to depend on Zest add-on 48.8.0.

0.26.0 - 2025-06-20

Added

Add configuration support for the wait time after Client Script Based Authentication.
Include the Web Element being interacted with in the Client Script Based Authentication diagnostics.
Allow to enable authentication diagnostics for Client Script and Browser Based Authentication through the GUI.
Automation Framework errors to the Authentication Report.
Replace TOTP token during Client Script Based Authentication.
Include more diagnostics in Client Script and Browser Based Authentication methods.
Improve Authentication Report:
- Add the ID of the step to make it easier to match with extracted screenshots.
- Include the script used by the Client Script Based Authentication.
- Add the initiator to the HTTP Messages to know what those messages correspond to.
- Include the tag name of the Web Element, now collecting buttons along with inputs.
Detection of session tokens in non standard headers.
Search for username/password fields under shadow DOMs with Browser Based Authentication.

Changed

Warn when the recorded script used with Client Script Based Authentication does not launch a browser.
Updated to depend on Zest add-on 48.6.0.
Maintenance changes.
Depend on reports 0.39.0 to include AF errors.
Use Header Based Session Management configuration to find a better candidate authentication message with Client Script and Browser Based Authentication methods.
Client Script authentication to refresh the page of no suitable verification URL found.
Wait for the detection of the session method in Client Script Based Authentication method.
Include the name of the interaction in the Client Script Based Authentication diagnostics.
Clear fields before sending keys for Browser Based Authentication, including when using steps.
Do not add an empty line to the start of the Other Info of Session Management Response Identified scan rule’s alerts.
Update the Client Script Based Authentication help page with the new Automation Framework scriptInline field.
The Authentication Request Detection and Session Management Detection scan rules now skip resources (images, css, js, etc) which are unlikely to be relevant.
The Verification Detection scan rule now skips messages that seem related to login/logout/registration functionality.
Now depends on minimum Common Library version 1.33.0.

Fixed

Correct descriptions of the Zest script steps in the Authentication Report.
Fix loading/saving of Client Script Based Authentication through the GUI.
Inject user credentials into the script when running the Client Script Based Authentication browser integration.
Delay when recording diagnostics.
Allow to use zero login page wait for Client Script and Browser Based Authentication methods through the GUI.
Ensure Client Script Based Authentication method has a clean state when reauthenticating.
Handle missing username field in Browser Based Authentication.
Correct the processing of cookies with the same name in Header Based Session Management method.
Correct redirection handling when checking verification URLs.
Verification URL comparison.
Use the session token from JSON string response.
Do not auto configure the Header Based Session Management method with duplicated session tokens.
Ensure that auth messages with both known and unknown Session tokens are correctly processed.
Respect Client Script Based Authentication’s Login Page Wait when authenticating in browsers (e.g. AJAX Spider).
Correct handling of JSON arrays in the Authentication Request Identified scan rule.

0.25.0 - 2025-03-25

Changed

Use TOTP data defined under user credentials for Client Script and Browser Based Authentication, when available.
Maintenance changes.
Depend on newer version of Common Library add-on.

Added

The Authentication Report now includes information around authentication failures (if applicable).

0.24.0 - 2025-03-21

Added

Document custom steps for Browser Based Authentication.
Document Authentication Report diagnostics data.
Sanitized post data to auth diagnostics.
Help content for configuration and use of Header Based Session Management via ZAP API (these additions will only work properly when used with ZAP 2.16.1 or later).

Changed

Add any session related cookies which are not being tracked.
Ignore non proxied requests in auth tester diagnostics.
Replace credentials with special tokens.
Rewrite of the auth request detection code to handle more cases.
Add domain to context if creds posted to it and using using auto-detect for session management.
Skip disabled authentication steps when creating the context from the Authentication Tester dialog.

Fixed

Allow the Client Script Authentication, and Browser Based Authentication method types as well as Header Based Session Management to be configured via the API (these fixes will only work properly when used with ZAP 2.16.1 or later).
Bug where some of the data structures were not being reset when the session changed.
Address concurrent modification exceptions.

0.23.0 - 2025-03-04

Added

If authentication fails then try to find a likely looking login link.
Persist diagnostics to the session and include it in the Authentication Report (JSON) for Client Script and Browser Based Authentication methods.
A reset button.
Checks to try to find a verification URL with a login link, if nothing better has been found.

Changed

Prefer form related fields in Browser Based Authentication for the selection of username field.
Tweaked the auth report summary keys.
Only check URLs and methods once for being good verification requests.
Added API support to the browser based auth method proxy.

Fixed

Correctly read the API parameters when setting up Browser Based Authentication.
Tweaked auth report output to ensure that values are properly escaped.
Report to use better stats with browser based auth.
Session handling to cope with X-CSRF-Token headers.

0.22.0 - 2025-02-12

Added

Initial authentication report (JSON).

0.21.0 - 2025-02-10

Fixed

Delays identifying verification due to tests being performed on too many unlikely URLs (such as images).

0.20.0 - 2025-02-07

Changed

Reduce add-on size.
Improved session management detection.

Fixed

Maintain the correct cookie state when using client script authentication.
Do not close windows when running client auth in the spiders.
Always close all of the windows when running client auth not in the spiders.

0.19.0 - 2025-02-04

Added

Added support for Client Script Authentication when used in conjunction with the Ajax Spider add-on or the Client Spider via the Client Side Integration add-on.
Add support for custom authentication steps in Browser Based Authentication.

Fixed

Reset always the state of the demo mode in the Authentication Tester dialogue.

0.18.0 - 2025-01-27

Changed

Ignore non-displayed fields when selecting the user name and password.
Use single displayed field for user name, e.g. multi step login.

Fixed

Input fields that do not explicitly declare their type were no longer being chosen by the Browser Based Authentication.

0.17.0 - 2025-01-09

Changed

Update minimum ZAP version to 2.16.0.
Depend on Passive Scanner add-on (Issue 7959).
Address deprecation warnings with newer Selenium version (4.27).
Optionally depend on the Client Integration add-on to provide Browser Based Authentication to the Client Spider.

0.16.0 - 2024-11-06

Fixed

Address concurrency issue while passive scanning with the Session Management Response Identified scan rule (Issue 8187).

0.15.1 - 2024-09-02

Changed

Restored stats removed in previous release as these could be used in AF tests.

0.15.0 - 2024-08-28

Changed

Maintenance changes.

Fixed

Bug in session detection scan rule which impacted performance.

0.14.0 - 2024-07-31

Fixed

Potential timing issue trying to use browser based auth to authenticate before the session management method has been identified.
Timing issue with session management detection.

0.13.0 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.
Maintenance changes.

0.12.0 - 2024-02-06

Changed

Handle traditional apps better in authentication detection dialog.
Make cookies set in auth request available to header based session management.

Fixed

Correct HTTP field names shown in diagnostic data.

0.11.0 - 2024-01-10

Changed

Maintenance changes.
Dropped “to Clipboard” from ZAP copy menu items or buttons (Issue 8179).
Update cookies in header based session management, to cope with apps that set them via JavaScript.

Fixed

Read the user details from the session rather than the individual messages, which could cause an NPE.

0.10.0 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.
Maintenance changes.

0.9.0 - 2023-07-11

Added

Direct support for handling browser based authentication in the AJAX spider.
Support for cookie based session management.

Changed

Update minimum ZAP version to 2.13.0.

0.8.0 - 2023-06-06

Changed

Prefer username fields with known id/name strings.

Fixed

Correct example alert of Session Management Response Identified scan rule.

0.7.0 - 2023-05-23

Added

Authentication tester dialog.

Changed

Promoted to Beta

0.6.0 - 2023-05-09

Added

Support for login pages where the username has to be submitted before the password field is accessible.

0.5.0 - 2023-05-04

Added

Support for verification type of “autodetect” (post 2.12).

Fixed

Ensure verification processor shut down on exit, otherwise the AF hangs.

0.4.0 - 2023-04-28

Added

Support for session management identification.
Support for auto-detect authentication.
Support for auto-detect session management.
Support for auto-detect verification.

Fixed

Clear launched browser authentication when disabled, otherwise it would prevent enabling it again.

0.3.0 - 2023-03-13

Added

Support for browser based authentication.

0.2.0 - 2023-02-08

Added

Support for header based session management.

Fixed

Code link in help.

0.1.0 - 2023-01-17

Added

Support of authentication request identification and configuration.

Authentication Helper Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Authentication Request Identification

Mon, 01 Jan 0001 00:00:00 +0000

Authentication Request Identification

This add-on includes a passive scan rule which attempts to identify authentication requests.
It identifies authentication requests by the presence of commonly used username and password field names. It also uses commonly used URL segments to identify more likely authentication requests, and uses commonly used registration URL segments to ignore registration requests.

Authentication Statistics Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

2 - 2021-10-07

Added

Add repo URL.

Changed

Update minimum ZAP version to 2.11.0.
Dynamically unload the add-on.
Change info URL to link to the site.

1 - 2016-08-16

First version

Automation Framework - GUI

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - GUI

The Automation Framework has a GUI that is in the process of being developed.

Automation Tab

This tab allows you to create, load, edit and run automation jobs.

Automation Framework Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.58.0 - 2025-12-15

Added

Support for a “soft” stop which allows “always run” jobs to run.

Changed

Update minimum ZAP version to 2.17.0.

0.57.0 - 2025-12-03

Added

Allow to specify the defaults for the alert threshold and attack strength of the active scan policy.

Changed

Maintenance changes.
Make the “pass” output of Monitor Tests consistent with the “fail” output.

Fixed

Restore default standard output on absent env parameters.
Delay Scan Policy validation to runtime phase in the activeScan job, the Scan Policy might be created dynamically by other jobs.

0.56.0 - 2025-11-07

Added

Command line -autocheck option which checks if the specified yaml plan has the right format.

Changed

Include in Context regular expressions when creating the plan from a context.

0.55.0 - 2025-11-05

Changed

Use CWD for relative file names if plan loaded from a URL.

0.54.0 - 2025-10-27

Added

Setting arbitrary config values

Changed

Reinstate the validation of the Scan Policy in the activeScan job.
Adjust the text for the plan load warning/error dialog text to be clear which output panel it’s referring to.
Maintenance changes.
Depend on newer version of Common Library add-on.

0.53.0 - 2025-09-18

Fixed

Correct Session Management script’s path validation with variables.
Correct default value for Active Scan option handleAntiCSRFTokens in templates and help.

0.52.0 - 2025-09-02

Added

Support for step delay in Browser Based Authentication.
Support for min wait for in Client Script Authentication.
Support for url in activeScan job.
Support for stopping plans and jobs.
Allow selecting rules in policy definitions using alert tags.

Changed

Refer to output panel for errors.

Fixed

Bug in handling headers with colons in the values.
Use default authentication poll frequency when none specified, if the value is less than one a progress warning occurs.
Do not warn if “enabled” or “alwaysRun” properties specified.
Use the authentication method’s diagnostics state when creating a plan from a context.

0.51.0 - 2025-07-17

Added

Support for exclude regexes to active scan config job.
Always run option for all jobs.
Support for data driven nodes in plan (not yet in the UI).

Changed

Job remains selected when moved in the GUI.

0.50.0 - 2025-06-20

Added

Add support for the wait time of the Client Script Based Authentication.
Allow to inline scripts for Script and Client Script Based Authentication.

Changed

Maintenance changes.
Adjusted further dialog, progress, and log messages with regard to preventing inclusion of commas in scan rule ID numbers. As well as ensuring consistency in use of ID (full caps) for table column headings, and the Add Add-ons dialog.

Fixed

Correctly handle missing script engines.
Correct error messages of the statistics test.
Allow to use zero login page wait for Client Script and Browser Based Authentication methods.
Ensure log and progress messages related to scripts and script engines are not all referred to as session management related.

0.49.0 - 2025-03-25

Added

Document how the TOTP data is defined for a user.
Use TOTP data defined under user credentials when creating or setting up a context.

Changed

Progress and log messages with regard to setting scan rule threshold or strength no longer include commas in scan rule ID numbers.
Depend on newer version of Common Library add-on.

Fixed

Address exception when loading Client Script authentication method.
Address exception that would happen when running a plan while having unsaved scripts.

0.48.0 - 2025-03-04

Changed

Allow to use variables for the TOTP data.
Allow to enable diagnostics for Client Script and Browser Based Authentication methods.

Fixed

Ensure that the Exit Status job accounts for False Positive alerts (Issue 8875).

0.47.0 - 2025-02-12

Added

Method to get the YAML representation of a plan.

0.46.0 - 2025-02-10

Changed

Read (and write) the TOTP data from user’s credentials in the automation plan.

0.45.0 - 2025-02-04

Fixed

Correctly load numeric user passwords.
Address malformed HTML in the help.
Correct default value of threadPerHost property of the activeScan-config job’s help.
Ensure the value zero is saved to the automation plan in the statistics test.

Added

Added support for Client Script Authentication when the Ajax Spider is used in conjunction with the Auth Helper add-on.
Add support for custom authentication steps in Browser Based Authentication.

0.44.0 - 2025-01-09

Added

Active scan policy job.
Add job to configure the active scanner, activeScan-config.
Allow to enable/disable jobs (Issue 5845).
Method to allow the user to set the exit code via a script.
Add exitStatus job (Issue #6928)

Changed

Update minimum ZAP version to 2.16.0.
Maintenance changes.
Updated automation framework documentation and templates for activeScan job to reflect changes to the default value of threadPerHost parameter
Update help for the “requestor” job.
Update help to indicate that job order is important (Issue 8675).
Fields with default or missing values are omitted for the following automation jobs in saved plans:
- activeScan
- delay
- requestor

Removed

Remove job implementations that were previously migrated to the Passive Scanner add-on (Issue 7959).

Fixed

Templates generated with -autogenmin or -autogenmax were invalid in some cases.
Allow to choose one thread for the activeScan job through the GUI.
Active Scan jobs will once again use the default policy if neither a policy nor a policyDefinition has been set.
Bug in job alert tests related to alert matching.
Active scan rule ID 0 (Directory Browsing) will be included in the plan (yaml) when saved (Issue 8746).
Sizing/display of the Active Scan Policy job rule add/modify dialogs.

0.43.0 - 2024-10-07

Fixed

Handle exceptions while running jobs.

Changed

In saved YAML plans:
- Fields with default values are omitted.
- The “name” and “type” fields are added before other fields.
- Values are not quoted unless required.

0.42.0 - 2024-09-02

Added

Allow to configure the structural parameters of a context (Issue 7780).

Fixed

NPE in GUI if the technology was not specified.

Changed

Rely on Passive Scanner add-on for the passive scan related jobs (Issue 7959).

Deprecated

The classes of the passive scan related jobs are now deprecated and will be removed in a following release, use the classes from the Passive Scanner add-on instead (Issue 7959).

0.41.0 - 2024-07-31

Added

Env / continueOnFailure option.

Changed

Maintenance changes.

Fixed

Address errors when the last plan loaded had a passiveScan-config job with configured rules.

0.40.1 - 2024-05-28

Fixed

Address HTTP authentication failure when the realm is not configured.

0.40.0 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.

0.39.0 - 2024-04-23

Added

Allow reports to know the number of Sites tree nodes actively scanned (Issue 7022).

Changed

Allow to run remote plans through the command line.

0.38.0 - 2024-04-11

Fixed

Correctly expose all information in the planProgress API view (Issue 8433). This might break existing clients as the format has changed.

JSON changed to, e.g.:

{
  "warn" : [ ],
  "planId" : 0,
  "started" : "2024-04-08T00:00:00.615Z",
  "finished" : "2024-04-08T00:00:00.702Z",
  "error" : [ ],
  "info" : [ "Job requestor started", "Job requestor finished, time taken: 00:00:00" ]
}

XML changed to, e.g.:

 <planProgress type="set">
   <planId>0</planId>
   <started>2024-04-08T00:00:00.615Z</started>
   <finished>2024-04-08T00:00:00.702Z</finished>
   <info type="list">
     <message>Job requestor started</message>
     <message>Job requestor finished, time taken: 00:00:00</message>
   </info>
   <warn type="list"/>
   <error type="list"/>
 </planProgress>

0.37.0 - 2024-03-28

Changed

Allow to use variables composed of multiple variables.

0.36.0 - 2024-03-25

Added

Support for upstream proxy in environment (Issue 8360).

Changed

Maintenance changes.
Cut down env data when generating min template.

Fixed

Correct parsing of attack strength and alert threshold in some locales.

0.35.0 - 2024-01-16

Added

Video links in help for Automation Framework jobs.

Changed

Allow to include techs in a context.

Fixed

Show method and URL when outputting the status code mismatch of requestor job.

0.34.0 - 2023-11-16

Added

Show column control in the Automation tab to allow to show/hide columns and auto resize them (Pack All Columns).

Fixed

Save context.

0.33.0 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.

0.32.0 - 2023-10-04

Fixed

Correct output of array values set to the jobs.

0.31.0 - 2023-09-07

Added

Add support for max alerts per rule in the Active Scan job (Issue 7784).

Changed

Maintenance changes.
Depend on newer version of Common Library add-on (Related to Issue 7961).
Clarify authentication docs.

Removed

The SnakeYAML Engine dependency was removed.

Fixed

Address error logged when using the Active Scan job.
Do not fail to load plans without jobs.
Support converting Lists to arrays when updating objects.

0.30.0 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.
Dependency updates.

Fixed

Address exception when creating a new context through the UI.
Allow to test alerts of Directory Browsing (ID 0), previously would report as a missing ID.

0.29.0 - 2023-06-06

Added

Statistic name to test summary.

Fixed

Test taking into account previous statistic values.
Clear Output tab on new plan.

0.28.0 - 2023-05-04

Added

Support for verification type of “autodetect” (post 2.12).

0.27.0 - 2023-04-28

Added

Support for dynamically added auto-detect authentication.
Support for dynamically added auto-detect session management.
Show job time taken in panel and output.

Fixed

Correct file path resolution with environment variables.

0.26.0 - 2023-03-18

Added

Support for dynamically added browser based authentication.

Changed

Environment help page to clarify use of variables.

0.25.1 - 2023-03-03

Fixed

NPE when accessing active scan job.

0.25.0 - 2023-02-28

Added

Support for dynamically added header based session management method.

Fixed

Active scan would fail if threadsPerHost set to zero.

Changed

Maintenance changes.

0.24.0 - 2023-02-09

Added

Support for relative file paths and ones including vars.
Option to disable all of the passive scan rules.

Fixed

NPE when adding a context to an existing plan.

0.23.0 - 2023-02-06

Changed

Maintenance changes.

Fixed

Added workaround for core bug which meant auth header env vars were not being applied.

0.22.0 - 2023-01-06

Added

Method to get running plans - can be used by scripts to interact with the plans.

0.21.0 - 2023-01-03

Changed

Maintenance changes.

Added

Warning if unexpected element under activeScan job (e.g. misplaced rules).
Help details warning against specifying default ports (80/443) (Issue 7649).

0.20.0 - 2022-12-14

Added

Allow to specify the HTTP version for requests in the requestor job.
Support for context technology (Issue 7127).

Changed

Maintenance changes.

Fixed

Prevent exception if no display.

0.19.0 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.

Removed

The spider job was removed, it is provided by the Spider add-on (Issue 3113).

0.18.0 - 2022-10-12

Added

Add support for headers in the requestor job (Issue 6917).

Changed

Maintenance changes.

Fixed

Allow spider to run if no OK response (Issue 7510).
Bug in passive scan reporting code which prevented specified alerts from being read.
NPE when adding users to more than one context.

0.17.0 - 2022-09-09

Added

Add Save As button that allows user to save the automation plan to a different file (Issue 7178).
Support for monitor tests.

Changed

Maintenance changes.
Rely on spider add-on (Issue 3113).
passiveScan-config job resets the state, as scanOnlyInScope is often confusing in the GUI.
Deprecated the addOns job.

Fixed

Correct loading of custom scripts (e.g. Zest).
The activeScan and spider jobs no longer switch tabs when they run.

0.16.0 - 2022-06-22

Changed

Maintenance changes.

Fixed

Show each context URL in its own line when editing in the GUI (Issue 7241).
Correct error messages.
Wrong API end point reference in help
Fix exception when alerts found during active scan no longer exist when creating the data for the report.

0.15.0 - 2022-04-25

Added

Test type to check for presence of a URL.

Changed

Maintenance changes.

Fixed

Use correct authentication verification method for request.
Exceptions when using the GUI.

0.14.0 - 2022-04-05

Added

Import Job profile (Issue 7078).

Changed

The ascan job ‘Scan All Header’ GUI label

Fixed

Register plans run by -autorun to prevent NPEs when editing them
Issue when turning off specific active scan rules

0.13.0 - 2022-02-25

Fixed

Issue when adding or removing add-ons via the UI (Issue 7075)
Issue when creating a script session management with parameters from an existing context

0.12.0 - 2022-02-01

Added

Script authentication support

Fixed

When a Job is loaded via yaml and edited via UI Dialog then the saved changes will be applied on the next job run
DelayJob will be verified on yaml load

Changed

When a Job is edited via UI Dialog then the status will be set to Not started

0.11.0 - 2022-01-19

Added

Support for generating stats
Form and JSON-based authentication support

Changed

Promoted to beta

0.10.1 - 2022-01-05

Fixed

Ensure system environment variables take precedence over configuration variables (Issue 7000).

0.10.0 - 2021-12-13

Changed

Update minimum ZAP version to 2.11.1.

Fixed

Setting delay job parameters from the commandline

0.9.0 - 2021-12-06

Changed

Disabled addOns job updateAddOns option due to problems updating the framework and jobs while they are running

0.8.0 - 2021-11-02

Added

Delay job
Session management support
User and HTTP authentication support
Authentication verification support
Set ZAP exit code when “-cmd” and “-autorun” options used
Requestor, Spider and ActiveScan jobs changed to support an authenticated user
Support for site specific statistics

Changed

Dependency updates.

Fixed

Plans saved without default “.yaml” extension.
Env vars in context names replaced on load, so lost if the plan saved again via the GUI.

0.7.0 - 2021-10-06

Added

API support: runplan action and planprogress view.

Changed

Maintenance changes.
Update minimum ZAP version to 2.11.0.

Fixed

“Unexpected obj object java.lang.String” error shown during initialization

0.6.0 - 2021-09-16

Changed

Maintenance changes.

0.5.0 - 2021-08-23

Fixed

Address errors when running an automation plan with spiders and passive scan config.
Fixed var support in URLs (Issue #6726)
Always enable the Save button on changes and prompt user when opening a plan if the current one has changes.

Changed

Changes to support the Retest add-on.

0.4.1 - 2021-08-07

Added

Missing icons

0.4.0 - 2021-08-05

Added

Support for alert tests
First phase of GUI

Changed

Infrastructure changes to support planned GUI.

0.3.0 - 2021-06-28

Added

Support for using variables in the config.
Support for data jobs.
Support for multiple top level URLs in a context.
Passive scan config enableTags parameter
Support for include/exclude regexes.
Support for param data job
Support for job tests.
A new Requestor job to make specific requests.

Changed

Update links to repository.
Maintenance changes.

Fixed

NPE in pscan config job when rule specified with no id (as per template).

Deprecated

Spider job parameters failIfFoundUrlsLessThan and warnIfFoundUrlsLessThan in favour of the automation.spider.urls.added statistic test.

0.2.0 - 2021-04-12

Added

Support for job result data
Support for passive scan rule configuration

0.1.0 - 2021-03-24

Changed

Added support for enum parameters.
Added a new parameter “handleParameters” for the spider job.

Fixed

A bug where the plan did not stop when it encountered an error or warning and env:parameters:failOnError or env:parameters:failOnWarning was set to true.

0.0.1 - 2021-03-09

First version.

Automation Framework Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework Support

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework Support

This add-on supports the Automation Framework.

Job: import

The import job allows you to import HAR (HTTP Archive File), ModSecurity2 Logs, ZAP Messages or a file containing URLs locally.

Automation Framework Support

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework Support

This add-on supports the Automation Framework.

Job: sequence-import

The sequence-import job allows you to create a Sequence from an HAR file.

BeanShell Console Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

7 - 2021-10-07

Added

Add info and repo URLs.

Changed

Update minimum ZAP version to 2.11.0.
Maintenance changes.
Improve permissions and space handling when saving.

6 - 2017-11-27

Minor code changes.

5 - 2015-04-13

Updated for ZAP 2.4

4 - 2014-04-10

Fixed an issue in HTML help page (missing end tag).
Changed help file structure to support internationalisation (Issue 981).
Added content-type to help pages (Issue 1080).
Updated add-on dir structure (Issue 1113).

3 - 2013-09-11

Updated for ZAP 2.2.0

2 - 2013-05-13

Changed to unload some components when uninstalling.

1 - 2013-02-05

First release as an add-on (previously bundled in ZAP).

BOAST Options

Mon, 01 Jan 0001 00:00:00 +0000

BOAST Options

The BOAST Options screen allows you to configure the settings that affect how ZAP interacts with BOAST servers.

Server URI

This address should point to the URI that will be used for registrations and polling.

Browser View Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

6 - 2023-03-13

Added

Add info and repo URLs.

Changed

Update minimum ZAP version to 2.12.0.
Maintenance changes.
Make missing JavaFX logging less verbose in regular use.
Update help with the requirements to use the add-on.

5 - 2017-07-21

Allow to properly scroll the rendered page.

4 - 2015-04-13

Updated for ZAP 2.4

3 - 2014-09-22

Check if JavaFX is available before trying to add the response view (Issue 1201).
Correctly unload the add-on (Issue 1344).

2 - 2014-04-03

Changed help file structure to support internationalisation (Issue 981).
Added content-type to help pages (Issue 1080).
Updated add-on dir structure (Issue 1113).

1 - 2014-02-17

First version

Bug Tracker Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

4 - 2022-09-23

Changed

Update minimum ZAP version to 2.11.1.
Dependency updates.
Maintenance changes.
Updated to use PAT not password (https://github.blog/changelog/2021-08-12-git-password-authentication-is-shutting-down/).

3 - 2021-10-07

Added

Add info and repo URLs.

Changed

Update minimum ZAP version to 2.11.0.
Maintenance changes.
Remove broken link from the user guide.

Fixed

Show correct help page for the options panel.
Remove the options panels when the add-on is uninstalled.

Removed

Remove unused resource message.

2 - 2017-05-26

Added help for the add-on

1 - 2016-08-25

First version

Call Graph Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

5 - 2021-10-07

Added

Add help.
Add info and repo URLs.

Changed

Update minimum ZAP version to 2.11.0.
Maintenance changes.

4 - 2017-11-24

Finish internationalisation.

3 - 2015-04-13

Updated for ZAP 2.4

2 - 2014-10-01

Now also graphs requests originating from the Ajax Spider.
Enables “Call Graph” pop up menu when in “Protected” and “Safe” modes (Issue 1278).

1 - 2014-04-25

Call Home Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.20.0 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

0.19.0 - 2025-11-25

Changed

Include the exceptions’s file/line in logger statistics.

0.18.0 - 2025-11-10

Added

Postman stats to telemetry.
Forced browse stats to telemetry.

Changed

Include the exception name in logger statistics.

0.17.0 - 2025-11-04

Added

AJAX Spider stats to telemetry.

0.16.0 - 2025-10-22

Added

Add statistics for the number of fatal/warn/error logged.

0.15.0 - 2025-09-02

Added

LLM, and Value Generator (Form Handler) stats to telemetry.

0.14.0 - 2025-01-09

Changed

Update minimum ZAP version to 2.16.0.

Added

Network stats to telemetry.
Sequence stats to telemetry.

0.13.0 - 2024-09-02

Added

Tech stats to telemetry.

0.12.0 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.

0.11.0 - 2024-03-13

Changed

Add UI stats to telemetry.

0.10.0 - 2023-11-03

Changed

Add error stats to telemetry.

0.9.0 - 2023-10-31

Changed

Add API stats to telemetry.

0.8.0 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.
Maintenance changes.
Add client stats to telemetry.
Add config stats to telemetry.

0.7.0 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.

0.6.0 - 2022-12-02

Fixed

Include container field for CFUs.

0.5.0 - 2022-10-27

Added

DOM XSS stats to telemetry

Changed

Update minimum ZAP version to 2.12.0.
Maintenance changes.
Promoted to Release status.

0.4.0 - 2022-07-18

Changed

Show a more user friendly log and Output tab message when Java’s truststore may not contain the CA certificate(s) for intermediate proxy(ies) (Issue 1623).
Maintenance changes.

Fixed

HTTP Sender listeners could modify CFU and telemetry requests.

0.3.0 - 2022-01-21

Added

More stats, in preparation for them being added to the respective add-ons

Fixed

Bugs sending telemetry on shutdown

0.2.0 - 2022-01-14

Added

Automation stats
Fuzz stats

0.1.0 - 2021-12-20

Changed

Update minimum ZAP version to 2.11.1.
Upload stats telemetry data on destroy

0.0.3 - 2021-11-23

Fixed

Bug added in last kali detection change

0.0.2 - 2021-11-23

Fixed

Fixed webswing and kali detection

0.0.1 - 2021-11-23

First version supports Check for Updates and News calls.

Call Home Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Callback Options

Mon, 01 Jan 0001 00:00:00 +0000

Callback Options

The Callback Options screen allows you to configure the address used to detect vulnerabilities that allow an attacker to call remote URLs.

In previous versions the ZAP API was used for this purpose, but from 2.6.0 onwards a separate endpoint is used so that target systems no longer need access to the API.

Client Certificates

Mon, 01 Jan 0001 00:00:00 +0000

Client Certificates

This screen allows you to add a client certificate to use when testing applications protected using mutual SSL.
After adding the certificate it can be set as active in the KeyStore tab.
Unlike other options screens, the changes done to the keystore are not undone if the Options dialogue is cancelled.

Client Side Integration - Automation Framework Support

Mon, 01 Jan 0001 00:00:00 +0000

Client Side Integration - Automation Framework Support

This add-on supports the Automation Framework.

Job: spiderClient

The spiderClient job allows you to run the Client Spider, which is designed to explore modern web apps more effectively.

Client Side Integration Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.21.0 - 2026-03-31

Added

Support for other add-ons to piggyback the secure connection established with the ZAP browser extension.
Allow to avoid logout elements with the spider.

Changed

Set the extension order so that it will always be available to unordered extensions.
Maintenance changes.

0.20.0 - 2025-12-15

Changed

Update the automation framework template to include missing field (scopeCheck).
Update minimum ZAP version to 2.17.0.
Updated Chrome and Firefox extensions to v0.1.8.

0.19.0 - 2025-12-03

Changed

Updated Chrome and Firefox extensions to v0.1.7.
Bundle Chrome extension unpacked due changes in Chrome.

0.18.0 - 2025-11-04

Added

Add optional parameters for the Client Spider API action scan:
- numberOfBrowsers - control concurrency (number of browser windows).
- scopeCheck - select Scope Check (Flexible or Strict).
Spider stats.

0.17.0 - 2025-09-02

Added

Edge recorder link to help.
Support for stopping the spiderCient automation job.
Support for configuring the client passive scan rules via the passiveScan-config Automation Framework job. This add-on now depends on the pscan add-on.

Changed

Updated Chrome and Firefox extensions to v0.1.6.
Reduce warnings when passive scanning.

Fixed

Error logs to always include stack trace.
Log Firefox missing at debug instead of error.

0.16.0 - 2025-06-20

Added

Client Spider scope check.
Added optional parameters for Page Load Time and Max Crawl Depth to the Client Spider API.
Recording advice and guidance.

Changed

Updated Chrome and Firefox extensions to v0.1.3.

Fixed

Client Spider to allow all requests while authenticating.
Ensure that the clientSpider API endpoint status returns 100(%) only when finished.

0.15.0 - 2025-03-25

Added

Add API endpoints for the Client Spider.

0.14.0 - 2025-03-04

Added

Added an API action to export the Client Map.

Fixed

Correct Client Passive Scan Queue counter, which could be showing one when none left.
Correctly fill input elements when spidering (Issue 8851).

0.13.0 - 2025-02-04

Added

Added support for Client Script Authentication when installed in conjunction with the Authentication Helper add-on.

0.12.0 - 2025-01-24

Fixed

Extension not enabled when launched from ZAP.
Browser recording not enabled when launched from ZAP recorder.

0.11.0 - 2025-01-17

Fixed

Fix concurrency issue with page components which could lead to exceptions in the GUI.

Changed

Updated Chrome and Firefox extensions to v0.0.11.

Added

A context menu allowing users to Export Client Map.

0.10.0 - 2025-01-10

Changed

Update minimum ZAP version to 2.16.0.
Maintenance changes.
The current passive scan rules now uses a more specific CWE (Issue 8712).
Updated Chrome and Firefox extensions to v0.0.10.

Added

Added support for Browser Based Authentication when installed in conjunction with the Auth Helper add-on.
Client spider, along with Automation Framework support.

0.9.0 - 2024-11-29

Changed

Update minimum ZAP version to 2.15.0.
Updated Chrome and Firefox extensions to v0.0.9.

Added

Support for menu weights (Issue 8369).

Fixed

Address exception with deleted messages while handling client event.

0.8.0 - 2024-01-16

Changed

Updated the Chrome extension to v0.0.8.

0.7.0 - 2023-12-01

Added

Support for base64 decoding in existing scan rules.
Passive scan rule: JWT in Browser Storage.
Additional input field data returned from the extension.

Changed

Updated the Firefox extension to v0.0.8.

0.6.0 - 2023-11-23

Added

Support for passive scanning.
Passive scan rules:
- Information Disclosure - Information in Browser Storage.
- Information Disclosure - Sensitive Information in Browser Storage.

Changed

Dropped “to Clipboard” from ZAP copy menu items (Issue 8179).
Changed to add back ‘#’ nodes.

0.5.0 - 2023-11-07

Added

Client History and Details context menu items.

Changed

Maintenance changes.

Fixed

Do not use white background in Client Details and show Client Map icons properly when using Mac OS X look and feel (Issue 8175).

0.4.0 - 2023-10-31

Added

Note about custom containers in the help.
Client Map context menu items.

Changed

Updated the Chrome extension to v0.0.7.

Fixed

Cases where the Firefox profile was not added successfully via Selenium.
Reworked the Client Map to correctly handle parameters and more edge cases.

0.3.0 - 2023-10-23

Changed

Update minimum ZAP version to 2.14.0.
Updated the Firefox extension to v0.0.7.

Added

AJAX spider enhancement.
More help pages.

Fixed

Do not show ZAP API calls.
Missing ‘Cookies’ translation.

0.2.0 - 2023-09-26

Changed

Updated the Chrome extension to v0.0.6.
Disable client events automatically only for Zest recording.
Create Firefox profile to enable the ZAP extension for all sites.

0.1.0 - 2023-09-19

Changed

Updated the Firefox extension to v0.0.6.
Updated the Chrome extension to v0.0.5.

0.0.1 - 2023-09-11

First version.

Client Side Integration Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Collection: Pentester Pack Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.1.0 - 2022-05-12

Fixed

Corrected fuzz add-on name

0.0.1 - 2022-05-12

First version.

Collection: Scan Rules Pack Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.0.1 - 2022-05-13

First version.

Command Line

Mon, 01 Jan 0001 00:00:00 +0000

Command Line

Quick Start add-on supports the following command line options:


	-quickurl	Specifies the URL of the target application that will be attacked.
	-quickout	Specifies the file to write the report to. The report format will depend on the file extension - supported file extensions are `.html` , `.json` , `.md` , `.xml` . If none of these extensions are used then the format will be XML. If not set in ‘inline’ and daemon modes the report is written to default output stream.
	-quickprogress	Show ascii progress bars, if started with the -cmd flag.
	-zapit	Perform a quick ‘ZAPit’ ‘reconnaissance’ scan of URL specified, the -cmd flag must also be set.

Examples:

Common Library Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Common Library Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Community Scripts Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

19 - 2024-07-01

Added

extender/arpSyndicateSubdomainDiscovery.js - uses the API of ARPSyndicate’s Subdomain Center to find and add subdomains to the Sites Tree.
passive/JavaDisclosure.js - Passive scan for Java error messages leaks
httpsender/RsaEncryptPayloadForZap.py - A script that encrypts requests using RSA
selenium/FillOTPInMFA.js - A script that fills the OTP in MFA
authentication/KratosApiAuthentication.js - A script to authenticate with Kratos using the API flow
authentication/KratosBrowserAuthentication.js - A script to authenticate with Kratos using the browser flow

Changed

Update minimum ZAP version to 2.15.0.
Use Prettier to format all JavaScript scripts.
Update the following scripts to implement the getMetadata() function with revised metadata:
- active/Cross Site WebSocket Hijacking.js
- active/cve-2019-5418.js
- active/gof_lite.js
- active/JWT None Exploit.js
- active/SSTI.js
- passive/clacks.js
- passive/CookieHTTPOnly.js
- passive/detect_csp_notif_and_reportonly.js
- passive/detect_samesite_protection.js
- passive/f5_bigip_cookie_internal_ip.js
- passive/find base64 strings.js
- passive/Find Credit Cards.js
- passive/Find Emails.js
- passive/Find Hashes.js
- passive/Find HTML Comments.js
- passive/Find IBANs.js
- passive/Find Internal IPs.js
- passive/find_reflected_params.py
- passive/HUNT.py
- passive/Mutliple Security Header Check.js
- passive/google_api_keys_finder.js
- passive/JavaDisclosure.js
- passive/Report non static sites.js
- passive/RPO.js
- passive/s3.js
- passive/Server Header Disclosure.js
- passive/SQL injection detection.js
- passive/Telerik Using Poor Crypto.js
- passive/Upload form discovery.js
- passive/X-Powered-By_header_checker.js
httpsender/Alert on Unexpected Content Types.js now checks for common content-types (json, xml, and yaml) more consistently.
targeted/request_to_xml.js no longer uses deprecated method to show the message in the editor dialogue.

18 - 2024-01-29

Added

httpsender/RsaSigningForZap.py - A script that signs requests using RSA

Changed

Update minimum ZAP version to 2.14.0.
Remove checks for CFU initiator in HTTP Sender scripts and docs, no longer needed.
Rename AWS signing script.
Update descriptions/comments in scripts.
standalone/Open Fortune 500 websites in a browser.zst - Fix typo in http://www,pbfenergy.com

17 - 2023-06-28

Added

targeted/SQLMapCommandGenerator.js - it will generate and copy sqlmap command based on the request
encode-decode/JwtDecode.js - Decodes JWTs

Changed

Update minimum ZAP version to 2.12.0:
- Remove compatibility code that provided the singletons (control and model) in JavaScript scripts, they can now be accessed directly always.
- Use provided singletons (control and model) in Python scripts.
- Use non-deprecated HttpSender constructor.
- extender/Simple Reverse Proxy.js - replace usage of deprecated core classes.
Remove statements that return the message in HTTP Sender scripts, the message passed as parameter is used/sent always.

16 - 2023-03-29

Added

httpsender/UpgradeHttp1To2.js - changes all HTTP/1.1 requests to use HTTP/2
standalone/devTools.js - Tools used to explore objects returned by the Java engine and better plug Nashorn objects into it

Changed

encode-decode/double-spacer.js - adapted to the functionality of Encoder 1.0.0.

Removed

standalone/Run report.js - no longer working, the old/deprecated class that it used was removed.

Fixed

active/User defined attacks.js - correctly escape dot character in some evidence strings.
targeted/curl_command_generator.js - prevent and warn on local file inclusion when generating the command. Thanks to James Kettle (@albinowax) for reporting.

15 - 2022-10-02

Added

active/RCE.py
active/SSTI.py
active/SSTI.js - An active scan script to check for SSTI in 14 different template engines.
httpfuzzerprocessor/addCacheBusting.js - Fuzzing with cache busting.
encode-decode
- README.md - Summary of the script type.
- double-spacer.js - A script that inserts a space after every character in a string.
standalone/SecurityCrawlMazeScore.js
scan-hooks/LogMessagesHook.py and httpsender/LogMessages.js to help debugging, especially in docker.

Changed

standalone/enableDebugLogging.js > Updated for more recent logging funtionality.
Update JS scripts to use passed singleton variables (control, model, view) if available (>= ZAP 2.12.0).
passive/Server Header Disclosure.js > Updated to check that the Server Header contains something that looks like a semantic version component.

14 - 2021-11-01

Added

variant/CompoundCookies.js - An input vector script that handles splitting of compound cookies (Issue 6582).
active/corsair.py > An active scan script to check for CORS related issues.)
payloadgenerator/securerandom.js > A fuzzer payload generator script that uses Java’s SecureRandom as it’s source (related to issue 6892).
active/bxss.py > an active scan script for inject blind xss payloads to the parameters

13 - 2021-10-14

Fixed

targeted/cve-2021-41773-apache-path-trav.js - Set path as escaped so that it’s handled properly, set pluginid properly.

12 - 2021-10-07

Added

authentication/OfflineTokenRefresh.js - refresh oauth2 offline tokens
httpsender/AddBearerTokenHeader.js - refresh oauth2 offline tokens
targeted/WordPress Username Enumeration.js - A targeted script to check for WordPress Username Enumeration via author archives
targeted/cve-2021-41773-apache-path-trav.js - an active scan script to test for Apache 2.4.49 CVE-2021-41773 path traversal.

Changed

Update minimum ZAP version to 2.11.0.

11 - 2021-09-07

Added

active/Cross Site WebSocket Hijacking.js > an active scan for Cross-Site WebSocket Hijacking vulnerability
targeted/cve-2021-22214.js > A targeted script to check for Unauthorised SSRF on GitLab - CVE 2021-22214
httpsender/full-session-n-csrf-nashorn.js > full session and csrf token management.
httpfuzzerprocessor/unexpected_responses.js > compare response codes to a (pass/fail) regex and generate alerts
targeted/dns-email-spoofing > Check if DMARC / SPF policies are configured on a domain.
httpsender/add-more-headers.js > Add caller-specified headers to all requests.

Changed

Update links in READMEs.
Update JavaDoc links to latest version.

10 - 2021-06-11

Added

standalone/load_context_from_burp -> import context from burp config file
Passive scan script for finding potential s3 Bucket URLs
payloadprocessor/to-hex.js > string to hex payload script.
selenium and session scripts.
httpfuzzerprocessor/random_x_forwarded_for_ip.js > Set ‘X-Forwarded-For’ to a random IP value.
httpfuzzerprocessor/randomUserAgent.js > Set ‘User-Agent’ to a random user-agent.
Add the following Payload Processor scripts ported from SQLMap:
- apostrophemask
- apostrophenullencode
- chardoubleencode
- charencode
- charunicodeencode
- equaltolike
- lowercase
- percentage
- randomcase
- space2comments
Add Google API keys finder script

Changed

Update minimum ZAP version to 2.10.0.
Rename reliability to confidence.
standalone/enableDebugLogging.js > use new Log4j 2 APIs.
standalone/window_creation_template.js > no longer extend AbstractFrame.
httpsender/Alert on HTTP Response Code Errors.js and Alert on Unexpected Content Types.js:
- Check if messages being analyzed are globally excluded or not;
- Ignore check for update messages;
- Include more expected content types.
httpsender/aws-signing-for-owasp-zap.py > read AWS environment variables for default values.
active/TestInsecureHTTPVerbs.py and passive/HUNT.py > correct links to OWASP site.

Removed

standalone/loadListInGlobalVariable.js > superseded by core functionality, ScriptVars.setGlobalCustomVar(...) and getGlobalCustomVar(...).

Fixed

extender/HTTP Message Logger.js > fix typo in Integer constant.

9 - 2020-01-30

Added

Add repo URL, shown in the marketplace and Manage Add-ons dialogue.
active/cve-2019-5418.js > An active scanner for Ruby on Rails Accept header content disclosure issue.
active/JWT None Exploit.js > Checks if the application’s JWT implementation allows the usage of the ’none’ algorithm.
authentication/DjangoAuthentication.js > Django authentication script.
authentication/GetsWithRedirectThenPost.js > An authentication script that follows GET redirects and then submits a POST with the authentication credentials.
extender/Simple Reverse Proxy.js > Adds a simple reverse proxy.
extender/ZAP onEvent Handler.js > An example for how to listen for internal ZAP events.
httpsender/add-extra-headers.js > Adds encountered ’extra’ headers to all requests.
httpsender/aws-signing-for-owasp-zap.py > Signs requests to AWS.
httpsender/fingerprinter.js > Logs MD5s of responses.
httpsender/greenbone-maintain-auth.js > An auth helper script for OpenVAS Greenbone web interface.
httpsender/inject-xss.js > Injects XSS payloads into JSON responses.
httpsender/juice-shop-maintain-auth.js > An auth helper script for OWASP JuiceShop.
httpsender/keep-cookies-going.js > An auth helper script.
httpsender/maintain-jwt.js > Tracks JWTs and updates Authorization bearer headers.
passive/Find IBANs.js > Finds IBANs in HTTP response bodies.
passive/HUNT.py > Merge of existing HUNT scripts.
proxy/Drop requests by response code.js > Drops requests that have a given response code.
standalone/scan_rule_list.js > Lists details from both active and passive scan rules.
standalone/Split download extract.rb > Concatenates split file downloads.

Changed

Change info URL to link to the online help page.
Updated to target ZAP 2.9

Removed

The following scripts were merged into a new script HUNT.py:
- passive/HUNT - Debug & Logic Parameters.py
- passive/HUNT - File Inclusion.py
- passive/HUNT - IDOR.py
- passive/HUNT - RCE.py
- passive/HUNT - SQLi.py
- passive/HUNT - SSRF.py
- passive/HUNT - SSTI.py

Fixed

Fix links to source files in zaproxy repo.

8 - 2018-06-19

Update from community-scripts repo.

7 - 2018-05-07

Update from community-scripts repo.

6 - 2018-02-06

Update from community-scripts repo.

5 - 2017-11-28

Updated for 2.7.0.

4 - 2017-10-17

Updated with the latest scripts for 2.6.0
Stop the scripts from being registered twice

3 - 2016-06-02

Updated with the latest scripts for 2.5.0

2 - 2016-02-17

Fixed bug which prevents ZAP configs from being saved correctly

1 - 2016-02-12

First packaged version

Configuring Proxies

Mon, 01 Jan 0001 00:00:00 +0000

Configuring Proxies

The best way to use a browser with ZAP is to launch it from ZAP. It will then be automatically configured to proxy through ZAP and to ignore certificate warnings.

If for any reason you are unable or unwilling to do that then you will need to configure your browser to use ZAP as a proxy.

Context Alert Filters

Mon, 01 Jan 0001 00:00:00 +0000

Context Alert Filters

Context Alert Filters allow you to automatically override the risk levels of any alerts raised by the active and passive scan rules within a context. The Alert Filters will be exported and imported with the context - they will not persist over ZAP sessions unless the context is imported again.

Core Language Files Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

15 - 2022-02-14

Changed

Update the languages files from Crowdin.
Update minimum ZAP version to 2.11.1.

14 - 2021-11-02

Changed

Update the languages files from Crowdin.
Update minimum ZAP version to 2.11.0.
Added more people to the credits.

13 - 2018-01-15

Added help file with credits.
Updated the languages files from Crowdin

12 - 2017-11-27

Updated for 2.7.0

11 - 2017-04-06

Fix installation issue.

10 - 2016-06-02

Updated for 2.5.0

9 - 2015-09-07

Updated for 2.4.2

8 - 2015-07-30

Updated for 2.4.1

7 - 2015-05-25

Latest translations from Crowdin, including new Danish translation

6 - 2015-04-13

Latest translations from Crowdin and updated for 2.4.0

5 - 2014-10-28

Latest translations from Crowdin - new Japanese translations and support for Azerbaijani

4 - 2014-08-18

Latest translations from Crowdin - many new Persian translations

3 - 2014-06-05

Updated language files for the 2.3.1 release

1 - 2014-04-10

These are the language files included with the 2.3.0 release

Custom Payloads Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.16.0 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

0.15.0 - 2025-09-02

Added

Added support for adding payloads which are disabled by default.

0.14.0 - 2025-01-15

Changed

Promoted to Release status.
Update minimum ZAP version to 2.16.0.
Maintenance changes.
The superfluous/unused ID element of the custom payloads has been removed from the GUI and config.
Now depends on the Common Library add-on.

Added

Add help button to Options panel and add further detailed Help content.

Fixed

The add-on will no longer attempt to save or load Payloads for which there is no Category.
Ensure file is selected, exists, and is readable when attempting to import multiple payloads.

0.13.0 - 2023-11-10

Changed

Update minimum ZAP version to 2.14.0.
Maintenance changes.
Promoted to Beta.

Added

Initial API support:
- Actions
  - Enable payloads.
  - Disable payloads.
  - Enable payload.
  - Disable payload.
  - Add payload.
  - Remove payload.
- Views:
  - Payload categories.
  - Payloads (optionally filtered by category).

0.12.0 - 2022-09-23

Changed

Maintenance changes.
Update minimum ZAP version to 2.11.1.
Add help content linking to the Scan Rules which support Custom Payloads.

0.11.0 - 2021-10-07

Changed

Update minimum ZAP version to 2.11.0.

0.10.0 - 2021-06-17

Added

Add info and repo URLs.
Add functionality to add multiple payloads from a file.

Changed

Update minimum ZAP version to 2.10.0.
Maintenance changes.

0.9.0 - 2019-10-31

First version.

Custom Payloads Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Custom Payloads API

Mon, 01 Jan 0001 00:00:00 +0000

Custom Payloads API

The following views are available via the API:

Views

customPayloads(category): Lists all the payloads currently loaded (category, payload, enabled state). Optionally filtered by category.
customPayloadsCategories: Lists all the available categories.

Actions

addCustomPayload (category*, payload): Adds a custom payload (enabled when added).
disableCustomPayloads(category): Disables custom payloads. Optionally limited by category. (No category means all)
enableCustomPayloads(category): Enables custom payloads. Optionally limited by category. (No category means all)
enableCustomPayload (category*, payload): Enables a custom payload.
disableCustomPayload (category*, payload): Disables a custom payload.
removeCustomPayload (category*, payload): Removes a custom payload.

Note: * Required parameter.

Database Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Database Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Dev Add-on Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.10.0 - 2025-05-15

Added

Basic CSRF test app.
Page with input elements that appear after a delay and off the displayed screen.
Auth app which uses multiple (faked) domains.
An auth example where there’s a div that may obscure the login fields.

0.9.0 - 2025-01-31

Added

Link which is only shown if a localStorage item is set, for testing in browser spider authentication.

Changed

Update minimum ZAP version to 2.16.0.

0.8.0 - 2024-11-13

Changed

Sequence performance test to make it actually possible to test it using automation.
CSS and JS responses are now set cache enabled.

0.7.0 - 2024-10-07

Added

Extra protected pages to simple-json-cookie to ensure spidering really works.
Sequence performance test.

Fixed

Issue where folder level pages without a trailing slash did not link correctly to sub pages.

0.6.0 - 2024-07-22

Added

Page protected by auth in order to provide a simple test for authenticated spidering.

Changed

Update minimum ZAP version to 2.15.0.

0.5.0 - 2024-01-10

Added

Auth page which uses header and a cookie set via JavaScript.

0.4.0 - 2023-12-19

Changed

Update minimum ZAP version to 2.14.0.
Maintenance changes.

Added

Add ZAP API endpoint to get the OpenAPI definition of the ZAP API.
Pages which store a variety of data in localStorage and sessionStorage.

0.3.0 - 2023-09-07

Added

Auth page where the return key does not submit the form
Auth page which uses one request and one cookie
Auth page which uses multiple requests and multiple cookies
OpenAPI auth and unauth pages

Changed

Update minimum ZAP version to 2.13.0.
Added TestAuthDirectory abstract class to reduce duplicated code.

0.2.0 - 2023-05-09

Added

Auth pages where the password field is not accessible until the username is filled in.

0.1.0 - 2023-04-28

Changed

Auth pages to provide a variety of verification responses.

0.0.1 - 2023-04-19

First version.

Dev Add-on Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Diff Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

18 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

17 - 2025-01-09

Changed

Update minimum ZAP version to 2.16.0.

16 - 2024-10-07

Updated

Add-on help content.

15 - 2024-05-07

Added

Support for menu weights (Issue 8369).

Changed

Update minimum ZAP version to 2.15.0.
Maintenance changes.

14 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.
Maintenance changes.

13 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.
Maintenance changes.

12 - 2022-10-27

Changed

Maintenance changes.
Update minimum ZAP version to 2.12.0.

11 - 2021-10-06

Changed

Update minimum ZAP version to 2.11.0.
Maintenance changes.
Updated menu items to use title caps (Issue 2000).

10 - 2020-01-17

Added

Add info and repo URLs.

9 - 2019-06-07

Maintenance changes.
Bundle Diff Utils library instead of relying on core.

8 - 2017-11-27

Updated for 2.7.0.

7 - 2017-04-03

Minor code changes.

6 - 2015-12-04

Do not add line break tags to resultant diff (Issue 1571)
Automatically close the diff dialogue when uninstalling.

5 - 2015-04-13

Added ‘Lock Scrolling’ checkbox so that this can be disabled if required.
Updated for ZAP 2.4

4 - 2014-04-10

Updated to use the latest core changes (Issue 609).
Changed help file structure to support internationalisation (Issue 981).
Added content-type to help pages (Issue 1080).
Updated add-on dir structure (Issue 1113).

3 - 2013-09-11

Support requests, moved to beta and updated to ZAP 2.2.0

2 - 2013-03-04

Changed to clear the panels (text areas) before showing a new diff.
Changed to not enable the option “Diff 2 responses” if the “Sites” tree root node is selected.

1 - 2013-02-26

First version.

Diff Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Directory List v1.0 Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

9 - 2025-01-09

Changed

Update minimum ZAP version to 2.16.0.

8 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.

7 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.

6 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.

5 - 2021-10-06

Changed

Update minimum ZAP version to 2.11.0.

4 - 2020-01-17

Added

Add help.
Add repo URL.

Changed

Update minimum ZAP version to 2.5.0.
Change info URL to link to the site.

3 - 2015-12-04

Removed repeated files.
Added strings for version control directories of Git, Mercurial, SVN, CVS, Bazaar.

2 - 2015-04-13

Updated for 2.4.0.

1 - 2014-04-10

First release as an add-on, previously bundled with ZAP core.

Directory List v1.0 Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Directory List v2.3 Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

4 - 2021-10-07

Added

Add help.
Add repo URL.

Changed

Update minimum ZAP version to 2.11.0.
Change info URL to link to the site.

3 - 2015-12-04

Removed repeated files.
Added strings for version control directories of Git, Mercurial, SVN, Bazaar.

2 - 2015-04-13

Updated for 2.4.0.

1 - 2014-04-10

First release as an add-on, previously bundled with ZAP core.

Directory List v2.3 LC Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

4 - 2021-10-07

Added

Add help.
Add repo URL.

Changed

Update minimum ZAP version to 2.11.0.
Change info URL to link to the site.

3 - 2015-12-04

Added strings for version control directories of Git, Mercurial, SVN, Bazaar.

2 - 2015-04-13

Updated for 2.4.0.

1 - 2014-04-10

First release as an add-on, previously bundled with ZAP core.

DOM XSS Active Scan Rule - About

Mon, 01 Jan 0001 00:00:00 +0000

DOM XSS Active Scan Rule - About

Source Code

https://github.com/zaproxy/zap-extensions/tree/main/addOns/domxss

Authors

Aabha Biyani, and the ZAP Dev Team

DOM XSS Active scanner rule Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

23 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

22 - 2025-07-10

Changed

Allow to use Edge.
Depend on newer version of Selenium add-on.
Maintenance changes.

21 - 2025-01-09

Changed

Update minimum ZAP version to 2.16.0.

Fixed

Handle exceptions while obtaining the XPath of an element.

20 - 2024-12-23

Changed

Address deprecation warnings with newer Selenium version (4.27).
Include the whole HTTP message in the raised alerts.
Include the steps to reproduce the DOM XSS in the other info of the alert.
Do not request URLs explicitly excluded from the context or global excludes
Depend on newer version of Common Library add-on.

Fixed

Address false negatives through query parameters.

Added

Standardized Scan Policy related alert tags on the rule.

19 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.
Maintenance changes.

18 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.

17 - 2023-09-08

Changed

Depend on newer version of Common Library add-on.
Use vulnerability data directly from Common Library add-on.

16 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.
Depend on newer version of Selenium add-on.

Fixed

Respect global exclusions (Issue 7746).

15 - 2023-05-23

Changed

Maintenance changes.

Fixed

Disable JSON view in Firefox to prevent hangs when the “Save As” option is invoked.

14 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.
Promoted to Release status.

13 - 2022-08-02

Added

OWASP Web Security Testing Guide v4.2 mappings.

Changed

Update minimum ZAP version to 2.11.1.
Use Network add-on to proxy browser requests.

Fixed

Stop the proxy when ZAP shuts down.

12 - 2021-12-06

Changed

Dependency updates.

Added

Functionality for example alert handling in order to assist in documentation efforts.

11 - 2021-10-06

Added

OWASP Top Ten 2021/2017 mappings.

Fixed

False Positives caused by un-related alerts or Basic auth prompts (Issue 6484).

Changed

Update links to repository.
Maintenance changes.
Update minimum ZAP version to 2.11.0.

10 - 2020-12-15

Added

Add info and repo URLs.
Add link to the code in the help.
Performance improvements
Support for Chrome

Changed

Update minimum ZAP version to 2.10.0.
Maintenance changes.
Promote to beta
Now clicking on different buttons throughout the page to see if it triggers XSS.

9 - 2019-06-12

Fixed

Use default browser when no browser is specified in the configuration rule.

8 - 2019-06-07

Changed

Run with Firefox headless by default (Issue 3866).
Depend on newer version of Selenium add-on.

7 - 2018-03-07

Issue 2918: Added an option to attack URL parameters.

6 - 2018-01-04

Minor code changes.
Add XSS Polyglot (Issue 2322).

5 - 2017-11-28

Updated for 2.7.0.

4 - 2017-08-18

Allow to use newer versions of Firefox (Issue 3396).
Provide the reason why the scanner was skipped.

3 - 2016-10-24

Skip the scanner if not able to start Firefox.

2 - 2015-12-04

Change (duplicated) scanner ID, now it’s 40026.

1 - 2015-08-24

DOM XSS Active scanner rule Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Encoder Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Encoder Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Eval Villain Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.4.0 - 2024-11-25

Changed

Updated with new version of Eval Villain.
Update minimum ZAP version to 2.15.0.

0.3.0 - 2023-09-26

Changed

Updated with new version of Eval Villain.
Update minimum ZAP version to 2.13.0.

0.2.0 - 2023-04-04

Changed

Updated with new version of Eval Villain.
Update minimum ZAP version to 2.12.0.

0.1.1 - 2022-02-15

Fixed

Fix the downloaded version of the Eval Villain Firefox extension.

0.1.0 - 2022-02-10

Added

Link to the blog post in the help.

Changed

Updated with new version of Eval Villain.
Update minimum ZAP version to 2.11.1.

0.0.1 - 2021-12-01

First version.

Eval Villain Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Forced Browse Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

20 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

19 - 2025-11-10

Added

Statistics.

18 - 2025-08-27

Fixed

Error logs to always include stack trace.
Address performance issue when checking responses.

17 - 2025-01-09

Changed

Update minimum ZAP version to 2.16.0.

16 - 2024-05-07

Added

Support for menu weights (Issue 8369).

Changed

Update minimum ZAP version to 2.15.0.
Maintenance changes.

Fixed

Help content typos.

15 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.
Maintenance changes.

14 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.

13 - 2023-06-06

Changed

Maintenance changes.
Default number of threads to 2 * processor count.

12 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.
Maintenance changes.

11 - 2021-10-06

Changed

Send HTTP messages with ZAP, making use of all its features (e.g. user authentication, custom user-agent, HTTP Sender scripts) (Issues 173 and 3060).
Now using 2.10 logging infrastructure (Log4j 2.x).
Maintenance changes.
Update minimum ZAP version to 2.11.0.

10 - 2020-12-15

Added

Added option and functionality to find files without extension. (Issue 5883)

Changed

Update minimum ZAP version to 2.10.0.
Ensure requests are counted and progress updated (Issue 5437).
Updated owasp.org references (Issue 5962).

9 - 2020-01-17

Changed

Now targets ZAP 2.8.0.
Fix un-handled exception when base request doesn’t end in a slash (Issue 5435).
Split up the functionality from the desktop UI and provide external access (Issue 2848)
Updated addon to use log4j instead of stdout (Issue 5530)
Log exceptions instead of printing to stderr (Issue 5564).
Address UI hang.

Added

Table export button.
Add info and repo URLs.

8 - 2019-06-07

Two new options are provided as part of issue 173:
- One option allows the user to specify the file extensions to ignore. URIs ending with specified file extensions are ignored from making requests to the server.
- The other option allows the user to specify fail case string.
Inform of running scans (e.g. on session change, add-on uninstall).
Issue 2000 - Updated strings shown in attack menu with title caps.
Enable start button on file selection.

7 - 2017-11-27

Code changes for Java 9 (Issue 2602).
Updated for 2.7.0.

6 - 2017-04-03

Allow to set higher number of threads (Issue 2912).
Fix issue with multiple concurrent scans.

5 - 2015-12-04

Adding request count on Forced browser tab as specified on issue #1873

4 - 2015-09-07

Change active Pause Button to a Play button (Issue 1802).

3 - 2015-08-23

Minor code changes.
Corrected the location from where default files are read (Issue 1700).
Do not access view components when view is not initialised (Issue 1617).

2 - 2015-04-13

Removed DirBuster’s GUI code, it’s controlled with ZAP’s GUI.
Unload all components during uninstallation (Issue 1505).
Updated for ZAP 2.4

1 - 2014-04-10

First release as an add-on, previously bundled with ZAP core.

Forced Browse Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Foxhound ZAP Add-on Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.1.0 - 2025-12-08

Added

First addition of Foxhound files

Foxhound ZAP Add-on Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Fuzz AI Files - Extract Model Information

Mon, 01 Jan 0001 00:00:00 +0000

Fuzz AI Files - Extract Model Information

001 Architecture

This file contains advanced fuzzing payloads designed to extract model architecture information from LLMs. The goal is to determine if the LLM reveals specific details about its architecture, such as the number of layers, transformer types, or parameter counts.

FuzzAI Files Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

[0.0.3] - 2025-11-05

Changed

Update architecture prompts with indirect prompts

[0.0.2] - 2025-09-25

Added

Test files for exploit model memory.

Changed

Re-organized help content and included URL links to the fuzzing file sources.
Update edge cases.

0.0.1 - 2024-09-24

Added

First version
Test files for edge cases.

Changed

Update minimum ZAP version to 2.16.0.

FuzzAI Files Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

FuzzDB Files Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

9 - 2022-09-23

Changed

Updated RAFT lists based on more recent SecLists contributions
Update minimum ZAP version to 2.11.1.

8 - 2021-10-07

Changed

Update minimum ZAP version to 2.11.0.

Fixed

Terminology

7 - 2020-06-30

Removed

Removed ‘attack’ sub-folder and content, all of which is being migrated to the ‘FuzzDB Offensive’ add-on due to AV triggers (Issue 5972).

6 - 2020-04-14

Added

Add help.
Add repo URL.

Changed

Update minimum ZAP version to 2.9.0.
Change info URL to link to the site.
Updated from upstream.

5 - 2019-06-27

Changed

Update minimum ZAP version to 2.8.0.

Removed

Move web-backdoors to a new add-on, FuzzDB Web Backdoors, to avoid causing issues with AVs. #5294

4 - 2016-06-02

Update FuzzDB files.

3 - 2015-04-13

Updated for 2.4.0.

2 - 2013-02-04

Removed a file entry from the ZapAddOn.xml file because it doesn’t exist.

1 - 2013-01-17

First version.

FuzzDB Offensive Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

5 - 2024-01-11

Changed

Update minimum ZAP version to 2.14.0.
Updated help and description to say this may cause problems with anti-virus tools (Issue 8297).

4 - 2021-06-11

Changed

Update minimum ZAP version to 2.10.0.

3 - 2020-06-30

Changed

Do not set the background colour of the help page.
Migrated ‘attack’ directory and components from main FuzzDB add-on, due to anti-virus considerations (Issue 5972).
Updated from upstream.

2 - 2020-01-30

Added

Add repo URL, shown in the marketplace and Manage Add-ons dialogue.

Changed

Change info URL to link to the online help page.
Change minimum ZAP version to 2.9.0.

1 - 2019-06-27

First version.

Fuzzer Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

13.16.0 - 2025-06-20

Changed

Maintenance changes.
Use a scrollbar in the Default Category combo box instead of making the options panel larger (Issue 8923).

13.15.0 - 2025-01-09

Changed

Update minimum ZAP version to 2.16.0.

13.14.0 - 2024-10-07

Changed

Maintenance changes.
Replace library used for regex payload generation, to address performance and compatibility issues.

13.13.0 - 2024-05-07

Added

Support for menu weights (Issue 8369)

Changed

Update minimum ZAP version to 2.15.0.
Maintenance changes.

13.12.0 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.

13.11.0 - 2023-10-04

Changed

Maintenance changes.

Fixed

Show actual contents of the message after edits (Issue 7947).

13.10.0 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.
Maintenance changes.
Default number of threads to 2 * processor count.

13.9.0 - 2023-01-03

Changed

Maintenance changes.

Fixed

Prevent exception if no display (Issue 3978).

13.8.0 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.
Maintenance changes.

13.7.0 - 2022-09-23

Changed

Allow circular redirects always.
Maintenance changes.

13.6.0 - 2022-01-14

Added

An option to edit the selected message - note this will clear any defined fuzz locations
Fuzzer statistics

Changed

Update minimum ZAP version to 2.11.1.

13.5.0 - 2021-11-04

Changed

Enhanced the help entry for the Options tab in the main fuzz dialog.

Fixed

Ensure the “Follow Redirects” option is displayed.

13.4.0 - 2021-10-14

Added

A right click (context menu) item to facilitate adding a fuzz message to the Sites Tree and History panel (Issue 1437).

Fixed

The ‘Delay when Fuzzing (in milliseconds)’ value can now also properly be controlled from the main fuzz window, and the options value won’t be overridden (Issue 6651).

13.3.0 - 2021-10-06

Fixed

The Numberzz payload generator should not set the increment to zero when creating subsequent payloads.
Correct spelling mistake in the initial message shown in the Fuzzer tab.

Changed

Maintenance changes.
The ‘Delay when Fuzzing (in milliseconds)’ value can now be up to an hour (3,600,000ms), and the control was changed from a slider to a spinner (Issue 6651).
Updated the fuzzer options documentation (Issue 6791).
Fixed title caps on items in the Fuzzer options panel (Issue 2000).
Update minimum ZAP version to 2.11.0.

13.2.0 - 2021-06-01

Changed

Now using 2.10 logging infrastructure (Log4j 2.x).
Maintenance changes.
Update dependency (Issue 4751).

Fixed

Update results panels when Look and Feel changes (Issue 6479).
Correct payload count from file.
Show Add Payload dialogue above the Payloads dialogue.

13.1.0 - 2020-12-15

Changed

Maintenance changes.
Prevent adding null fuzz handlers, which would cause exceptions when selecting the fuzz message.
Update minimum ZAP version to 2.10.0.

13.0.1 - 2020-09-08

Fixed

Fix exception when saving the options with no default category selected (Issue 6136).

13.0.0 - 2020-08-17

Added

Allow to add fuzz specific message components and views to fuzzer dialogue.

Fixed

Correctly handle other HTTP message locations.
Fixed error when missing getRequiredParamsNames and getOptionalParamsNames

Changed

Update minimum ZAP version to 2.9.0.
Use semantic versioning.
Maintenance changes.

12 - 2020-01-17

Added

Add repo URL.

Changed

Change info URL to link to the site.

11 - 2019-06-07

Enable the extensions for all DB types.
Use Monospaced font in payload text areas.
Possibility to enforce a random order in the RegexPayloadGenerator.
Make the default step in the Numberzz generator one.
Add json fuzzer.
Add parameters to Fuzzer HTTP Processor script.

10 - 2017-11-27

Updated for 2.7.0.

9 - 2017-11-24

Code changes for Java 9 (Issue 2602).
Ignore empty payloads when highlighting or detecting reflections.
Contains new number generator payload.
Add null/empty payload generator.
Issue 3557: Backport export changes.
Set fuzzer script types enabled by default (Issue 2997).
Add description to script types.

8 - 2017-04-03

Show help button in fuzzer dialogues.
Correct method name in HTTP processor JavaScript template.
Fix exception when adding file fuzzers with selected empty “Custom Fuzzers”.
Fix typos in the help pages.
Automatically add Anti-CSRF Token Refresher, if available.
Render custom states, always (Issue 3166).

7 - 2016-09-05

Fix exception during the unload of the add-on, when in daemon mode.
Update Content-Length for all request methods, not just POST (Issue 2766).

6 - 2016-07-14

Added Export button to export results as CSV file.
Enable “Limit maximum errors” by default and increase the default number.
Improve error handling when reading/writing files from/to fuzzers directory.
Add SHA-512 Hash payload processor (Issue 2643).
Allow to search the fuzzer file names when selecting them.

5 - 2016-06-02

Fix modification of file and file fuzzers in Windows.
Correctly inform when the fuzzers directory is not writable.

4 - 2015-12-04

Add HTTP processor for tagging fuzz results.
Fix an error that prevented the use of empty strings as payloads (Issue 1948).
Fix exception while closing ZAP with running fuzz processes.
Show the correct Payload Generator script when showing modify dialogue.
Correctly use the number of payloads from script for calculation of progress (Issue 1881).
Show the number of payloads from the script in Fuzzer dialogue (Issue 1887).
Improve memory usage (Issue 2051).
Correct the delay used when sending messages.
Improve stop time.
Fix (potential) thread leak after stopping a paused fuzzer.
Allow to preview payloads generated or from external sources (Issue 1896)
Fix the location where the characters are added in expand payload processor.
Allow to modify the selected Payload Processor script.
Show current payloads when adding/modifying processors (Issue 1898).
Allow to preview processing of payloads (Issue 1931).
Allow to save (to file) String, Regex, File and Script payloads (Issue 1932).
Fix issues in generation of payloads from regular expressions (Issue 1884).
Add support for regex repetitions (Issue 1885).
Allow to modify the payloads of File and File Fuzzers (Issue 1897).
Show the correct Fuzzer HTTP Processor script when showing modify dialogue.

3 - 2015-09-07

Update add-on’s info URL.

2 - 2015-08-23

Fix the help button in the Fuzzer dialogue and broken link in Fuzzer dialogue help page.
Properly load the ‘Fuzzer HTTP Processor’ templates.
Keep focus on results table, even if there’s a payload reflection in the response (Issue 1442).
Update POST request’s Content-Length by default.
Remove status icon when uninstalling.
Fuzzers can’t be expanded on OS X (Issue 1677)
Other code changes.

1 - 2015-04-13

First version.

Fuzzer Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Getting Started with ZAP Guide Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

20 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.
Update Getting Started Guide for 2.17.0.

19 - 2025-01-09

Changed

Update Getting Started Guide for 2.16.0.

18 - 2024-09-24

Changed

Rebrand to ZAP by Checkmarx.

17 - 2024-05-07

Changed

Update Getting Started Guide for 2.15.0.

16 - 2023-10-12

Changed

Update Getting Started Guide.
Updated for 2.14.0.

15 - 2023-07-11

Changed

Maintenance changes.
Update minimum ZAP version to 2.13.0.
Update OWASP description in Getting Started Guide.

Fixed

Fix typo in Getting Started Guide.

14 - 2022-10-27

Changed

Maintenance changes.
Update minimum ZAP version to 2.12.0.
Added note about Firefox’s Enhanced Tracking Protection.

13 - 2021-10-06

Changed

Maintenance changes.
Updated for 2.11.0

12 - 2020-12-15

Changed

Update link to OWASP ZAP homepage.
Update minimum ZAP version to 2.10.0.

11 - 2020-01-17

Added

Add info and repo URLs.

Changed

Updated for 2.9.0

10 - 2019-06-07

Updated for 2.8.0

9 - 2018-02-13

Added the Spanish, Filipino and Indonesian translations

8 - 2017-11-27

Updated for 2.7.0

7 - 2017-11-24

Correct step when importing Root CA cert in Firefox (Issue 3724)

6 - 2017-04-06

Updated for 2.6.0.

5 - 2016-06-02

Updated for the new 2.5 guide

4 - 2015-06-18

Updated to point to GitHub

3 - 2015-04-13

Updated for 2.4 and promoted to release

2 - 2014-06-09

Added (very basic) help and promoted to beta

1 - 2014-05-20

First version

Getting Started with ZAP Guide Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

GraalVM JavaScript Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.14.0 - 2026-03-02

Added

Document script engine lifecycle in the help.

0.13.0 - 2026-01-29

Changed

Update dependencies.

Fixed

Close script engine when no longer in use (Issue 9230).

0.12.0 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

0.11.0 - 2025-11-04

Changed

Update dependencies.
Update the Active script template to contain a scanHost function that is called once per host being scanned.
Update minimum scripts add-on version to 45.15.0.

0.10.0 - 2025-10-07

Changed

Update Graal JavaScript engine to version 25 (Issues 8477 and 9010).
Use example links in Active/Passive Rule templates’ references.
Update scan rule templates to use alertRefOverrides.

0.9.0 - 2025-01-09

Changed

Update minimum ZAP version to 2.16.0.

0.8.0 - 2024-09-24

Added

Document the engine name in the help page.

Changed

Maintenance changes.
Update script templates:
- authentication/Authentication default template GraalJS.js - remove outdated example code.
- httpsender/AddZapHeader GraalJS.js - fix runtime error (Issue 8611) and update documentation.
- httpsender/HttpSender default template GraalJS.js - update documentation.

0.7.0 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.
Disable warns about the engine being executed in interpreter mode, that’s the expected mode of execution.

0.6.0 - 2024-04-11

Changed

Update Active and Passive Script Templates to include a getMetadata function. This will allow them to be used as regular scan rules.
Depend on the commonlib and scripts add-ons for scan rule scripts.
Maintenance changes.

0.5.0 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.
Update Graal JavaScript engine.

0.4.0 - 2023-07-11

Added

Add info URL.

Changed

Update minimum ZAP version to 2.13.0.
Replace usage of singletons with injected variables (e.g. model, control) in scripts.

Fixed

Updated encode-decode script templates to conform to the latest method signatures.
Update the content-length header field after setting the request body in the authentication templates.

0.3.0 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.

Fixed

Declare the engine is single threaded (Issue 6992).

0.2.0 - 2021-10-06

Added

encode-decode Default and rot13 templates.

Changed

Update minimum ZAP version to 2.11.0.
Update links to zaproxy repo.

0.1.0 - 2020-11-17

First version.

GraalVM JavaScript Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

GraphQL Options

Mon, 01 Jan 0001 00:00:00 +0000

GraphQL Options

In this document, a ‘Query’ may refer to a GraphQL query, subscription or mutation.

Query Generator Configuration

The query generator uses the imported schema to generate queries for the target endpoint. If enabled, it may be configured with the following options.

GraphQL Support Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

GraphQL Support Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Groovy Support - About

Mon, 01 Jan 0001 00:00:00 +0000

Groovy Support - About

Source Code

https://github.com/zaproxy/zap-extensions/tree/main/addOns/groovy

Authors

ZAP Dev Team

Groovy Support Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Groovy Support Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

gRPC Support Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.2.0 - 2024-07-02

Added

gRPC WebSocket Support Added

Fixed

Do not try to decode non-gRPC responses when active scanning, which would lead to unnecessary warnings.

0.1.0 - 2024-06-11

Added

gRPC Variant Support Added

0.0.1 - 2024-05-21

Added

Features
- ProtoBuf Message Decoding and Encoding in the message view panels.

gRPC Support Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

gRPC Variant

Mon, 01 Jan 0001 00:00:00 +0000

gRPC Variant

The gRPC variant allow injecting payloads in gRPC values (Active Scan Input Vector support).

Active Scan Input Vectors

Custom Values are injected into all key-value pairs in all gRPC values that are proxied through ZAP.

Highlighter Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

8 - 2021-10-07

Added

Add help.
Add info and repo URLs.

Changed

Update minimum ZAP version to 2.11.0.

7 - 2018-05-30

Fix help related exception in the Highlighter panel.
Correct resizing of Highlighter panel.
Update minimum ZAP version to 2.5.0.

6 - 2015-04-13

Updated for ZAP 2.4

5 - 2014-04-03

Updated for ZAP 2.3.0

4 - 2013-09-11

Updated for ZAP 2.2.0

3 - 2013-05-13

Changed to unload all components when uninstalling.

2 - 2013-01-17

Updated to support new addon format

1 - 2012-11-23

HTTPS Configuration - Active Scan Rule

Mon, 01 Jan 0001 00:00:00 +0000

HTTPS Configuration - Active Scan Rule

This active scan rule runs once per host and performs HTTPS configuration analysis for sites using HTTPS. It skips HTTP sites entirely.

Alerts

The rule raises two types of alerts:

HTTPS Info Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

16 - 2026-03-31

Added

HTTPS Configuration alerts now have tags for OWASP Top 10, WSTG, systemic, and policies.

15 - 2026-03-27

Changed

Update to DeepViolet 6.1.1, no longer requires Java 21+.

14 - 2026-03-19

Added

Active scan rules Info level “HTTPS Configuration” alert and a Low, Medium or High alert if any problems reported.

Changed

Update to DeepViolet 6.1.0 with new API. Requires Java 21+.

13 - 2021-10-07

Added

Add info and repo URLs.
Show usage info in the HTTPS Info panel (Issue 6113).

Changed

Update minimum ZAP version to 2.11.0.
Updated owasp.org references (Issue 5962).
Maintenance changes.

12 - 2019-04-26

New tabbed UI.
Update to DeepViolet 5.1.16.

11 - 2017-11-28

Updated for 2.7.0.

10 - 2017-11-24

Upgrade to use DeepViolet 5.0.3, which provides some minor logging changes.

9 - 2017-06-01

Switch from SSLServer to OWASP DeepViolet.

8 - 2017-05-26

Warn the user if results may be inaccurate due to ZAP being configured to use an outbound proxy.

7 - 2016-06-02

Allow to update/uninstall the add-on without restarting ZAP.
Issue 758 - General re-working of the extension.

6 - 2015-12-04

Issue 1978 Uncaught NPE - Fixed.

5 - 2015-04-13

Updated for ZAP 2.4

4 - 2014-04-03

Updated add-on dir structure (Issue 1113).

3 - 2013-10-02

Added threading, updated the UI and introduced ordering of ciphersuites by server preference

2 - 2013-09-11

Updated for ZAP 2.2.0

1 - 2013-08-05

HTTPS Info Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

HUD - Heads Up Display Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Image Location and Privacy Scanner - About

Mon, 01 Jan 0001 00:00:00 +0000

Image Location and Privacy Scanner - About

Source Code

https://github.com/zaproxy/zap-extensions/tree/main/addOns/imagelocationscanner
https://github.com/veggiespam/ImageLocationScanner

Authors

Veggiespam and the ZAP Dev Team

Image Location and Privacy Scanner Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

7 - 2025-09-18

Changed

Update alert reference and help link to latest location.

6 - 2025-06-19

Added

Updated to Image Location and Privacy Scanner version 1.2; merged from source
- Updated dependency Metadata Extractor to 2.19.0
- Added support for scanning HEIF image format used by modern iPhone images
- Added support for Samsung, more Reconyxs, & Sony camera proprietary privacy leakage
- Added detection for a few new information leakage tags in currently supported cameras.
- Added GPS elevation detection
The rule has been tagged of interest to Penetration Testers and QA.

Changed

Depends on an updated version of the Common Library add-on.
Update minimum ZAP version to 2.16.0.

Removed

No longer support XMP as it was too unreliable.

5 - 2024-04-11

Changed

Update minimum ZAP version to 2.14.0.
Maintenance changes.

Added

Website alert links (Issue 8189).

4 - 2022-09-23

Changed

Update minimum ZAP version to 2.11.1.
Maintenance changes.

Added

OWASP Web Security Testing Guide v4.2 mappings.

3 - 2021-10-07

Added

OWASP Top Ten 2021/2017 mappings.
Example alert to support documentation efforts.

Changed

Update link to repository.
Update minimum ZAP version to 2.11.0.
Maintenance changes.

2 - 2020-07-03

Added

Add info and repo URLs.
Updated to Image Location and Privacy Scanner version 1.1; merged from source

Changed

Update minimum ZAP version to 2.9.0.
Maintenance changes.
Correct repository URL in about help page.

1 - 2018-02-27

Promoted to beta and separated from the passive scan alpha add-on.

Image Location and Privacy Scanner Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Import/Export Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.18.0 - 2026-03-31

Added

Support for plugable exporters and importers.

0.17.0 - 2026-03-02

Changed

Use the context when exporting the Sites Tree through the Automation Framework job.

0.16.0 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.
Update dependencies.
Depend on newer version of Common Library add-on.

0.15.0 - 2025-09-02

Changed

Update dependency.
Use always the same newlines (LF) when exporting HAR files.

0.14.0 - 2025-03-25

Changed

Caps fix in Import menu (Issue 2000).

Fixed

Sites Tree export now correctly handles node names with newlines and special characters (Issue 8858).

0.13.0 - 2025-01-09

Added

Add Automation Framework job to export data (e.g. HAR, URLs).
Support for Sites Tree export and prune.

Changed

Update minimum ZAP version to 2.16.0.
Update dependency.
Maintenance changes.

Fixed

Import HAR entry sent and elapsed time.
Duplicate or missing “Save URLs…” entries in the Export menu.
The “Save All URLs…” export option was saving only the selected URLs.
Correct bundled dependencies to avoid conflicts with core logging libraries.

0.12.0 - 2024-10-07

Changed

Improved HTTP 1.1 traffic detection in PCAP files

Fixed

Count invalid messages as tasks done toward progress when importing HARs.

0.11.0 - 2024-09-24

Changed

Leverage Jackson library from the Common Library add-on.
Depend on newer version of Common Library add-on.
Leverage aboutsip’s pkts.io library for parsing pcap files and organizing tcp streams
PCAP importing for simple HTTP/1.1 traffic, works for traces with: No duplicates or missing TCP segments, with no missing HTTP responses to HTTP requests, and for HTTP 1.1 only

Fixed

Correctly load Automation Framework template plans.
Base64 decode the response body when importing HARs.

0.10.0 - 2024-07-22

Changed

HAR importing now uses Sebastian Stöhr’s har-reader library. It should be much more tolerant of ‘weird’ HAR things, and thus be able to import more samples. (If you come across HAR that won’t import please open an issue and provide a sample so we can work on further improvements!)

0.9.0 - 2024-05-07

Added

Initial PCAP import support (Issue 4812).
Support for menu weights (Issue 8369)

Changed

Update minimum ZAP version to 2.15.0.
Maintenance changes.

0.8.0 - 2023-11-10

Changed

Keep the Export menu items sorted alphabetically.
Dropped “to Clipboard” from ZAP copy menu items (Issue 8179).

0.7.0 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.
Depend on newer versions of Automation Framework and Common Library add-ons (Related to Issue 7961).

0.6.0 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.

0.5.0 - 2023-04-04

Changed

Log cause of error when failed to import the HAR file.

Fixed

Ensure the ‘ZAP messages’ Export delimiters are consistent with the Import expectation.

0.4.0 - 2023-02-09

Added

Support for relative file paths and ones including vars in the Automation Framework job.

Changed

Maintenance changes.

Fixed

Show missing API endpoints’ descriptions.

0.3.0 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.
Maintenance changes.
When importing a file of URLs the output tab and log will now be more informative about failures.

Added

HAR related API endpoints being migrated from core (Issue 6579).

0.2.0 - 2022-07-20

Fixed

Tweaked import functionality to mark import progress components completed when an exception occurs during import (thus allowing them to be cleared properly).
HAR imports will now use an indeterminate progress bar if the count of entries cannot be determined.
Correct import of HAR responses to allow them to be passively scanned.

Added

Copy URLs, Export Context URLs, Export Selected URLs, Export Messages, and Export Responses functionality similar to what was previously offered via core functionality.
Stats for migrated core components.

Changed

Save RAW functionality now includes an All option which saves the entire HTTP message.

0.1.0 - 2022-03-07

Changed

Reduce logging and display a warning dialog when unable to read files being imported (Issue 7081).
Promoted to Beta.

Added

Importing a file of URLs or HAR is now displayed in the progress panel provided via commonlib.
Automation Framework (Issue 7078).

0.0.1 - 2021-12-22

First release.

Import/Export Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Insights Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.3.0 - 2026-03-31

Fixed

Correct check of memory usage.

0.2.0 - 2026-03-02

Fixed

Do not attempt to prompt when exiting on high insight and headless.

0.1.0 - 2025-12-31

Fixed

Address concurrency issue while generating report with insights.

0.0.1 - 2025-12-15

First version.

Insights Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Insights Fields

Mon, 01 Jan 0001 00:00:00 +0000

Insights Fields

Level

An indication of how significant an Insight is.

The following Levels are supported:

Info: An informational Insight which gives you more information about the target
Low: An Insight which is potentially a problem, depending on how your application works
Medium: A more significant Insight which should be investigated ASAP. It potentially means that the scan is not working as expected
High: A very significant Insight which is highly likely to impact the scan effectiveness

We recommend terminating a scan early and investigating if any Medium or High level Insights are reported.

Interactsh Options

Mon, 01 Jan 0001 00:00:00 +0000

Interactsh Options

The Interactsh Options screen allows you to configure the settings that affect how ZAP interacts with Interactsh.

Server URL

This address (provided by the user) should point to the URL that will be used for registrations and polling.

Invoke Applications Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

17 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

16 - 2025-01-09

Changed

Update minimum ZAP version to 2.16.0.

15 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.

Added

Support for menu weights (Issue 8369)

14 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.
Maintenance changes.

13 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.
Maintenance changes.

12 - 2022-10-27

Changed

Maintenance changes.
Update minimum ZAP version to 2.12.0.

11 - 2021-10-06

Changed

Update minimum ZAP version to 2.11.0.
Maintenance changes.

10 - 2020-01-17

Added

Add info and repo URLs.

Changed

Maintenance changes.

9 - 2018-02-19

Added additional parameter replacements of %msgid% and %header-*%

8 - 2017-11-27

Updated for 2.7.0.

7 - 2017-10-19

Report/log when the application fails to start (related to Issue 3960).

6 - 2017-04-03

Properly split application arguments.

5 - 2017-01-10

Consume all output of the applications in all cases (Issue 3074).
Show error/std output in the order it is received (Issue 3078).
Fix typos in the help pages.

4 - 2016-08-03

Allow to invoke the applications in all UI components that show HTTP messages.
Allow to manually specify the application path and working directory (Issue 2708).

3 - 2015-07-30

Minor code changes.
Show applications immediately after ZAP re/start (Issue 1709).

2 - 2015-04-13

Updated for ZAP 2.4

1 - 2014-04-10

First release as an add-on, previously bundled with ZAP core.

Invoke Applications Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

JSON View Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

3 - 2023-09-07

Changed

Maintenance changes.
Update minimum ZAP version to 2.13.0.
Depend on Common Library add-on to reuse libraries (Issue 7961).

Fixed

Use other library to format the JSON bodies (Issue 7798).

2 - 2021-10-07

Added

Add help.
Add the main context menu to the JSON view.
Add info and repo URLs.

Changed

Update minimum ZAP version to 2.11.0.
Capitalize the view dropdown menu entry (related to Issue 2000).

1 - 2018-02-08

Initial release

Kotlin Support Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Levo.ai Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Linux WebDrivers Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

macOS WebDrivers Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Manual Request Editor dialog

Mon, 01 Jan 0001 00:00:00 +0000

Manual Request Editor dialog

This dialog allows you to create a HTTP request from scratch which will be submitted to the specified target, or resend an existing HTTP request after making any changes to it that you want to.

Request tab

This shows the request header and data, either in one or two panels depending on the options chosen.

MCP Integration Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

MCP Integration Options

Mon, 01 Jan 0001 00:00:00 +0000

MCP Integration Options

This screen allows you to configure the MCP Integration add-on.

Port

The port on which the MCP HTTP server listens for connections.

Neonmarker Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

1.8.0 - 2025-02-14

Changed

Adjust initialization of the Tags list

1.7.0 - 2025-02-12

Changed

Maintenance changes.
Updates to work appropriately with ZAP 2.16 and the Passive Scan Add-on.

1.6.0 - 2023-08-17

Changed

Maintenance changes.
The script example in the Help content was updated to use the injected core variables instead of using the fully qualified class name.

Fixed

An NPE which could happen when removing an entry that didn’t yet have a tag assigned.

1.5.0 - 2022-07-11

Added

A right-click context menu is now available in the History tab in order to Select/Set a color for arbitrary messages.

1.4.0 - 2021-08-26

Changed

Add red/green icon to Enable/Disable toggle button.
Maintenance changes.
Now targeting ZAP 2.10.
Ensure added color mappings are unique (Issue 11). Only applies when mappings are added programmatically, a user can still define the same mapping multiple times via the GUI (hopefully they’ll recognize the inefficiency of doing so).

1.3.0 - 2020-09-29

Fixed

Fixed an exception which was occurring when the tab was shown during install.
Fixed an exception when ZAP is used in CLI mode.

1.2.0 - 2020-04-14

Changed

The panel is now shown when the addon is installed.
Improvements to integrate more nicely with ZAP’s dark mode.

1.1.0 - 2020-01-02

Changed

Migrated from https://github.com/juhakivekas/zap-extensions/tree/neonmarker/ to https://github.com/kingthorin/neonmarker.
Adapted to Gradle build.
Mapping ‘rules’ now display all available Tags not just those currently mapped to a history item.
Allow selection of custom colors with a Color Chooser.

Added

Basic help entry.
Color Mappings can be added in scripts.
Add enable/disable toggle in toolbar.

1 - 2018-07-18

Initial laser version.

Network Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Network Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Network API

Mon, 01 Jan 0001 00:00:00 +0000

Network API

The following operations are added to the API:

Actions

addAlias (name* enabled): Adds an alias for the local servers/proxies.
- name: The name of the alias.
- enabled: The enabled state, true or false.
addHttpProxyExclusion (host* enabled): Adds a host to be excluded from the HTTP proxy.
- host: The value of the host, a regular expression.
- enabled: The enabled state, true or false.
addLocalServer (address* port* api proxy behindNat decodeResponse removeAcceptEncoding): Adds a local server/proxy.
- address: The address of the local server/proxy.
- port: The port of the local server/proxy.
- api: If the ZAP API is available, true or false.
- proxy: If the local server should proxy, true or false.
- behindNat: If the local server is behind NAT, true or false.
- decodeResponse: If the response should be decoded, true or false.
- removeAcceptEncoding: If the request header Accept-Encoding should be removed, true or false.
addPassThrough (authority* enabled): Adds an authority to pass-through the local proxies.
- authority: The value of the authority, can be a regular expression.
- enabled: The enabled state, true or false.
addPkcs12ClientCertificate (filePath* password* index): Adds a client certificate contained in a PKCS#12 file, the certificate is automatically set as active and used.
- filePath: The file path.
- password: The password for the file.
- index: The index of the certificate in the file, defaults to 0.
addRateLimitRule (description* enabled* matchRegex matchString requestsPerSecond* groupBy*): Adds a rule to the rate limiter.
- description: A description that allows you to identify the rule. Each rule must have a unique description.
- enabled: The enabled state, true or false.
- matchRegex: Determines if matchString is a regular expression or a plain string: true or false.
- matchString: A plain string match is handled based on DNS conventions. If the string has one or two components. If matchRegex is true, this is a regular expression.
- requestsPerSecond: The maximum number of requests per second.
- groupBy: How to group hosts when applying rate limiting: rule or host
generateRootCaCert: Generates a new Root CA certificate, used to issue server certificates.
importRootCaCert (filePath*): Imports a Root CA certificate to be used to issue server certificates.
- filePath: The file system path to the PEM file, containing the certificate and private key.
removeAlias (name*): Removes an alias.
- name: The name of the alias.
removeHttpProxyExclusion (host*): Removes an HTTP proxy exclusion.
- host: The value of the host.
removeLocalServer (address* port*): Removes a local server/proxy.
- address: The address of the local server/proxy.
- port: The port of the local server/proxy.
removePassThrough (authority*): Removes a pass-through.
- authority: The value of the authority.
removeRateLimitRule (description*): Removes a rule from the rate limiter.
- description: The description of the rule.
setAliasEnabled (name* enabled): Sets whether or not an alias is enabled.
- name: The name of the alias.
- enabled: The enabled state, true or false.
setConnectionTimeout (timeout*): Sets the timeout, for reads and connects.
- timeout: The timeout, in seconds.
setDefaultUserAgent (userAgent*): Sets the default user-agent.
- userAgent: The default user-agent.
setDnsTtlSuccessfulQueries (ttl*): Sets the TTL of successful DNS queries.
- ttl: The TTL, in seconds. Negative number, cache forever. Zero, disables caching. Positive number, the number of seconds the successful DNS queries will be cached.
setHttpProxy (host* port* realm username password): Sets the HTTP proxy configuration.
- host: The host, name or address.
- port: The port.
- realm: The authentication realm.
- username: The user name.
- password: The password.
setHttpProxyAuthEnabled (enabled*): Sets whether or not the HTTP proxy authentication is enabled.
- enabled: The enabled state, true or false.
setHttpProxyEnabled (enabled*): Sets whether or not the HTTP proxy is enabled.
- enabled: The enabled state, true or false.
setHttpProxyExclusionEnabled (host* enabled*): Sets whether or not an HTTP proxy exclusion is enabled.
- host: The value of the host.
- enabled: The enabled state, true or false.
setPassThroughEnabled (authority* enabled): Sets whether or not a pass-through is enabled.
- authority: The value of the authority.
- enabled: The enabled state, true or false.
setRateLimitRuleEnabled (description*, enabled*): Set enabled state for a rate limit rule.
- description: The description of the rule.
- enabled: The enabled state, true or false.
setRootCaCertValidity (validity*): Sets the Root CA certificate validity. Used when generating a new Root CA certificate.
- validity: The number of days that the generated Root CA certificate will be valid for.
setServerCertValidity (validity*): Sets the server certificate validity. Used when generating server certificates.
- validity: The number of days that the generated server certificates will be valid for.
setSocksProxy (host* port* version useDns username password): Sets the SOCKS proxy configuration.
- host: The host, name or address.
- port: The port.
- version: The SOCKS version.
- useDns: If the names should be resolved by the SOCKS proxy, true or false.
- username: The user name.
- password: The password.
setSocksProxyEnabled (enabled*): Sets whether or not the SOCKS proxy is enabled.
- enabled: The enabled state, true or false.
setUseClientCertificate (use*): Sets whether or not to use the active client certificate.
- use: The use state, true or false.
setUseGlobalHttpState (use*): Sets whether or not to use the global HTTP state.
- use: The use state, true or false.

Views

getAliases: Gets the aliases used to identify the local servers/proxies.
getConnectionTimeout: Gets the connection timeout, in seconds.
getDefaultUserAgent: Gets the default user-agent.
getDnsTtlSuccessfulQueries: Gets the TTL (in seconds) of successful DNS queries.
getHttpProxy: Gets the HTTP proxy.
getHttpProxyExclusions: Gets the HTTP proxy exclusions.
getLocalServers: Gets the local servers/proxies.
getPassThroughs: Gets the authorities that will pass-through the local proxies.
getRateLimitRules: Gets the rate limit rules.
getRootCaCertValidity: Gets the Root CA certificate validity, in days. Used when generating a new Root CA certificate.
getServerCertValidity: Gets the server certificate validity, in days. Used when generating server certificates.
getSocksProxy: Gets the SOCKS proxy.
isHttpProxyAuthEnabled: Tells whether or not the HTTP proxy authentication is enabled.
isHttpProxyEnabled: Tells whether or not the HTTP proxy is enabled.
isSocksProxyEnabled: Tells whether or not the SOCKS proxy is enabled.
isUseGlobalHttpState: Tells whether or not to use global HTTP state.

Other

proxy.pac: Provides a PAC file, proxying through the main proxy.
rootCaCert: Gets the Root CA certificate used to issue server certificates. Suitable to import into client applications (e.g. browsers).
setProxy (proxy*): Sets the HTTP proxy configuration.
- proxy: The JSON object containing the HTTP proxy configuration.

Shortcuts

proxy.pac: Provides a PAC file, proxying through the main proxy.
setproxy: Sets the HTTP proxy configuration.
- Request body: The JSON object containing the HTTP proxy configuration.


	Network	the introduction to Network add-on

OAST Support Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

OAST Support Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

OAST Tab

Mon, 01 Jan 0001 00:00:00 +0000

OAST Tab

This tab shows a summary of the out-of-band messages discovered by ZAP.

Messages

For each message, you can see:

Online menus Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

15 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

14 - 2025-01-09

Changed

Update minimum ZAP version to 2.16.0.

13 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.

12 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.

11 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.

10 - 2022-10-27

Changed

Maintenance changes.
Update minimum ZAP version to 2.12.0.

9 - 2021-10-06

Changed

Maintenance changes.
Update minimum ZAP version to 2.11.0.

8 - 2020-12-15

Added

Video page link.

Changed

Update minimum ZAP version to 2.10.0.
ZAP Homepage to ZAP Website.
ZAP Extensions to ZAP Marketplace

Removed

Newsletter link.
Wiki link.

7 - 2020-01-17

Added

Add repo URL.

Changed

Maintenance changes.
Updated to point to the new ZAP website

6 - 2017-11-27

Updated for 2.7.0.

5 - 2017-04-06

Minor code changes.

4 - 2015-12-04

Issue 1999 - Fix Title Caps
Issue 2009 - Add Online links to the FAQ and Newsletter pages

3 - 2015-06-08

Updated links to point to GitHub

2 - 2015-04-13

Promoted to beta, updated for ZAP 2.4

Online menus Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

OpenAPI Automation Framework Support

Mon, 01 Jan 0001 00:00:00 +0000

OpenAPI Automation Framework Support

This add-on supports the Automation Framework.

The add-on will add OpenAPI definitions if they are found while spidering but adding them explicitly via a URL or local file is recommended if they are available.

The targetUrl parameter works in the same way per ‘Target URL Format’.

OpenAPI Support Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

53 - 2026-03-19

Changed

Dependency update.

Fixed

Issue with data generation for arrays in OpenAPI 3.1 definitions (Issue 9261).

52 - 2026-02-11

Changed

Enable Swagger Secret Detector Script Scan Rule, the JS Engine memory leak has been addressed (Issue 9230).

51 - 2026-01-28

Changed

Disable Swagger Secret Detector Script Scan Rule by default due to JS Engine memory leak (Issue 9230).

50 - 2026-01-21

Added

Swagger Secret Detector Script Scan Rule.

49 - 2026-01-12

Added

Added an optional LLM extension for importing OpenAPI definitions.
Initial support for OpenAPI 3.1 definitions.

Changed

Dependency update.

48 - 2025-12-15

Changed

Dependency updates.
Update minimum ZAP version to 2.17.0.

47 - 2025-11-04

Changed

Dependency updates.

Fixed

Include URLs from context verbatim.

46 - 2025-09-10

Fixed

Warn logs to always include stack trace.
Correct generation of empty object.

45 - 2025-03-24

Fixed

Correct definition detection while spidering.

Changed

Clarified an error message which occurs in automation if there’s a problem importing.

44 - 2025-01-09

Changed

Update minimum ZAP version to 2.16.0.
Depend on newer version of Common Library add-on (Issue 8016).
Fields with default or missing values are omitted for the openapi job in saved Automation Framework plans.

43 - 2024-09-23

Added

Allow to import the OpenAPI definitions with a user (Issue 7739).
Honour context exclusions when importing (Issue 8021).

Fixed

Allow to select the contexts of the Automation Framework plan when configuring the job.
Correctly handle empty context name in the Automation Framework job.

42 - 2024-07-04

Changed

Workaround issue loading fully resolved definitions that are too large by trying to use the original definition only (Issue 8193).

41 - 2024-05-10

Changed

Rely on Common Library add-on for use of Jackson library.

40 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.
Maintenance changes.
Dependency updates.

39 - 2024-01-26

Added

Video link in help for Automation Framework job.

Changed

Dependency updates.

38 - 2023-10-23

Changed

Dependency updates.

Fixed

An issue in the headers generator which might lead to content-type header being incorrectly set.

37 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.

36 - 2023-09-07

Changed

Dependency updates.
The “Import an OpenAPI definition from the local file system” and “Import an OpenAPI definition from a URL” menu items were merged into one, “Import an OpenAPI Definition”.
Depend on newer versions of Automation Framework and Common Library add-ons (Related to Issue 7961).
Use Common Library add-on to obtain the Value Generator (Issue 8016).

Fixed

Importing empty or invalid OpenAPI definitions failed silently in some cases (Issue 7949).

35 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.
Dependency updates.

34 - 2023-06-27

Changed

Dependency updates.

Fixed

Fix exception when generating data for parameters without schema.
An exception which might occur on large definition imports (Issue 7876).

33 - 2023-04-04

Changed

Dependency updates.

Fixed

Fix null pointer exception when importing a definition with requestBody content set as an empty dictionary (Issue 7808).

32 - 2023-02-09

Added

Support for relative file paths and ones including vars in the Automation Framework job.

Changed

Maintenance changes.

31 - 2023-01-03

Changed

Maintenance changes.

Fixed

When a definition doesn’t define a response then an appropriate warning bubbles up, no longer resulting in a NullPointerException (Issue 7115).

30 - 2022-11-15

Changed

Dependency updates.
Each imported endpoint is included in the selected context, unless its URL matches an already existing Include in Context regex entry.

29 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.
Remove parser used for core spider (Related to Issue 3113).
Maintenance changes.

28 - 2022-09-21

Added

Imported specs are now persisted to the session database. They are used by the new variant to mark path parameters as Data Driven Nodes.

Fixed

JSON body examples specified under schema were being enclosed in quotes.
Error message when apiFile field is not accessible was outputting the targetUrl and not the incorrect filename (Issue 7370).

Changed

Maintenance changes.
Use Spider add-on (Issue 3113).
Use Form Handler add-on directly.
DDNs added as Structural Modifiers have been superseded by a custom variant. The variant supports nested DDNs and leaf DDNs, prevents non-parameter URL paths from being merged with DDNs, and treats paths with different HTTP methods uniquely. DDNs are named with the parameter name from the spec.

27 - 2022-03-29

Added

Support content field (JSON) in parameters (Issue 6166).

Changed

Now depends on commonlib for display of import progress (Issue 6783).
Dependency updates.

Fixed

Properly generate Content-Type header when in presence of more than one supported content (Issue 7082).
Quote provided string values in JSON content (Issue 7128).
Properly handle empty default values in server variables.

26 - 2022-02-01

Fixed

Do not report “Unrecognised parameter” for valid parameters.

25 - 2022-01-18

Changed

Update minimum ZAP version to 2.11.1.
Dependency updates.
When the automation Job is edited via UI Dialog then the status will be set to Not started

Fixed

Parameter examples specified as part of the schema were not being used.

24 - 2021-12-06

Changed

Use examples defined in parameters (Issue #6870).
Tweak error message shown when content type is not supported.
Dependency updates.

Fixed

Fixed ClassCastException when using nested map properties with mixed definition styles.

23 - 2021-10-06

Fixed

Fixed StackOverflow in the Body/DataGenerator when an invalid property type is specified. (Issue #6591)

Added

Use path and operation servers (Issue #6754).

Changed

Warn when request has content type application/xml, not supported (Related to Issue #6767).
Maintenance changes.
Update minimum ZAP version to 2.11.0.

22 - 2021-09-16

Changed

Maintenance changes.

21 - 2021-09-01

Added

The import progress is now displayed using a Progress Panel.

Fixed

Fixed var support in URLs (Issue #6726)
Import file definition even if it has issues (Issue #6758).

Changed

Use application/json media type examples when available.

20 - 2021-08-05

Added

Automation Framework GUI

Changed

Maintenance changes.

Fixed

Fix RequestMethod enum name for OPTIONS (Issue 6666)

19 - 2021-06-29

Added

Added support for Multipart form-data (Issue 6418).

Changed

Always use enum values when defined (Issue 6489).
Now using 2.10 logging infrastructure (Log4j 2.x).
Automation parameters are now in camelCase. This is a breaking change, and older automation configurations containing all-lowercase openapi parameters will stop working.
The import dialogs now show the values used in the previous import when reopened.
Maintenance changes.

Fixed

NPE if form has no schema element.

18 - 2021-03-09

Added

Support for the Automation Framework
Support for statistics (number of URLs added)

Changed

Maintenance changes.

17 - 2020-12-15

Added

Handle cookie parameters (Issue 6045).
Use default values in x-www-form-urlencoded and json bodies (Issue 6095).

Changed

Show import exceptions in the Output tab (Issue 6042).
Maintenance changes.
Update minimum ZAP version to 2.10.0.

Fixed

Add imported messages synchronously to the Sites tree (Issue 5936).
Correct parent dialogue when choosing the file to import (Issue 6041).
Properly handle no schema when generating the request body (Issue 6042).
Return API error illegal_parameter (instead of internal_error) when unable to get the OpenAPI definition from the provided URL.

16 - 2020-06-09

Added

Map Structure support for OpenAPI v3.0 (Issue 5863).
Using OpenAPI Example values for value generation in request bodies and urls (Issue 5168).

Changed

Improve content checks when spidering for specifications (Issue 5725).
Update minimum ZAP version to 2.9.0.
Maintenance changes.

Fixed

Notify all redirects followed for proper passive scanning.

15 - 2020-01-17

Added

Add info and repo URLs.

Changed

Promote addon to Beta.

14 - 2019-12-02

Added

Support OpenAPI v3.0 (Issue 4549).
Allow to specify the target URL (scheme, authority, and path) when importing through the command line.

Changed

Do not consume spider resource if not parsed as OpenAPI definition.
Allow to specify the target URL when importing from file through the API and GUI.
Allow to override also the scheme and path when importing from URL through the API.

13 - 2019-07-18

Added Accept header for importing an OpenAPI definition from an URL, in the proper format.
Correct import of v1.2 definitions (Issue 5262).
Fix exception when reporting errors.
Update minimum ZAP version to 2.8.0.
Add import menu to (new) top level Import menu instead of Tools menu.
Add support for primitive values (standalone and within arrays) in a request body (Issue 5250).

12 - 2018-05-18

Ignore BOM when parsing and don’t rely on default character encoding (Issue 4676).

11 - 2018-05-15

Include exception message in warning dialog when a parse error occurs (Issue 4667).
Open previously chosen directory when importing local file.

10 - 2018-01-17

Fallback to host of request URI (Issue 4271).

9 - 2017-12-13

Update Swagger/OpenAPI parser (Issue 3479).
Fix exception with ref parameters.

8 - 2017-11-24

Fix NPE in BodyGenerator.
Fix NPEs when a parameter is null.

7 - 2017-09-28

Correct validations when importing a file through the API.

6 - 2017-06-02

Support optional host override.
Detect and warn on potential loops.
Allow add-on to be unloaded dynamically.
Support user specified values when importing (Issue 3344).
Support older swagger formats (Issue 3598).

5 - 2017-05-05

Run synchronously and return any warnings when importing via API or cmdline.

4 - 2017-04-21

Fallback to scheme of request URI (Issue 3433).

3 - 2017-04-20

Added cmdline support.

2 - 2017-04-18

Configure Swagger library logging.

1 - 2017-03-30

First Version

OpenAPI Support Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Options Active Scan screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Active Scan screen

This screen allows you to configure the active scan options:

Number of Hosts Scanned Concurrently

The maximum number of hosts that will be scanned at the same time.

Options Applications screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Applications screen

This screen allows you to configure the applications that can be invoked.
By default there are no applications available, you need to add all of the applications that you want to use.

Display Name

The name that will be used for this application in ZAP.

Options Encode/Decode screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Encode/Decode screen

This screen allows you to configure the Encode/Decode/Hash options:

Base64 - Charset

Allows the user to select which character set should be used for Base64 conversions.

Options Forced Browse screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Forced Browse screen

This screen allows you to configure the Forced Browse options:

Concurrent scanning threads per host

The number of threads the scanner will use per host.
Increasing the number of threads will speed up the scan but may put extra strain on the computer ZAP is running on and the target host.

Options Fuzz screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Fuzzer screen

This screen allows you to configure the fuzzing options:

Default Category

The category that will initially be selected when the Fuzz dialog is displayed.

Options HUD screen

Mon, 01 Jan 0001 00:00:00 +0000

Options HUD screen

Enable when using the ZAP Desktop

When set the HUD will be injected into HTML responses when the ZAP Desktop is used. This defaults to true.

Options Jython screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Jython screen

This screen allows you to configure the Python Scripting add-on.

Configuration Options

Field	Details	Default	Config File
Additional Python modules path	The path to the directory with additional modules/libraries for Python scripting.	(none)	Key: `jython.modulepath` Values: file system path to the directory

Options Port Scan screen

Mon, 01 Jan 0001 00:00:00 +0000

This add-on has been retired and is no longer available.

Options Selenium screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Selenium screen

This screen allows you to manage the browsers which can be launched from ZAP.

Configuration Options

Browsers

This section allows you to configure all browsers, including the built-in browsers (Chrome, Edge, Firefox) and any custom browsers you add. The table displays the following information for each browser:

Options Token Generator Screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Token Generator screen

This screen allows you to configure the Token Generator.

Configuration Options

Field	Details	Default	Config File
Number of Threads	The number of threads used during the token generation.	5	Key: `tokengen.threadsPerScan` Value: a non-negative integer.
Request Delay (in milliseconds)	The time to wait before sending each request, to avoid overloading the target server. Note: Given the high number of requests sent during the Token Generation increasing the delay might have a high impact on the time that the generation will take to complete.	0	Key: `tokengen.requestDelayInMs` Value: a non-negative integer.

OWASP PTK Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.3.0

Added

Added mapping to and from ZAP alert ids and PTK module names
Example alerts
Raising ZAP alerts from PTK alerts

0.2.0

Added

Updated OWASP Penetration Testing Kit browser extension to 9.5.0

0.1.0

Added

Integration with OWASP Penetration Testing Kit browser extension

OWASP PTK Options

Mon, 01 Jan 0001 00:00:00 +0000

OWASP PTK Options

Enable Automated Scanning

When checked, PTK will automatically run its configured scan rules during browser sessions. When unchecked, PTK will still be active in the browser but no automated scanning will take place.

Parameter Digger - About

Mon, 01 Jan 0001 00:00:00 +0000

Param Digger - About

Authors

ZAP Dev Team
Arkaprabha Chakraborty

Parameter Digger Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.3.0 - 2024-07-15

Added

Support for menu weights (Issue 8369)

Changed

Maintenance changes.
Update minimum ZAP version to 2.15.0.
The output panel is now properly reset on ZAP session change (part of Issue 7694).

0.2.0 - 2023-06-06

Fixed

NullPointerException which could occur with header guesser.

Changed

Update minimum ZAP version to 2.12.0.
Maintenance changes.
Default number of threads to 2 * processor count.
Change panel designs to allow message selection.

0.1.0 - 2022-08-22

Changed

Rename multiple options in GUI and documentation.

0.0.1 - 2022-08-17

First version.

Parameter Digger Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Passive Scanner

Mon, 01 Jan 0001 00:00:00 +0000

Passive Scanner

This screen allows you to configure the passive scanner.

Configuration Options

Field	Details	Default	Config File
Only scan messages in scope	Sets whether or not the passive scan should be performed only on messages that are in scope.	Deselected	Key: `pscans.scanOnlyInScope` Values: `true` or `false`
Include traffic from the Fuzzer when passive scanning	Sets whether or not the passive scanning should be performed on messages generated by the Fuzzer.	Deselected	Key: `pscans.scanFuzzerMessages` Values: `true` or `false`
Max alerts any rule can raise	Sets the maximum number of alerts a passive scan rule should raise. This may be slightly exceeded due to threading. This setting is typically only useful for automated scanning. Scan rules that exceed this value will be disabled and will need to be manually enabled if a new session is started.	0 (unset)	Key: `pscans.maxAlertsPerRule` Values: `0`: unset or the maximum number of alerts
Max body size in bytes to scan	Sets the maximum size request or response body size in bytes that the passive scanner will scan. This can be used if passive scan rules take too long scanning very large requests or responses. If set the number of ignored requests and responses are recorded in the stats using the keys `stats.pscan.reqBodyTooBig` and `stats.pscan.respBodyTooBig` respectively.	0 (unset)	Key: `pscans.maxBodySizeInBytes` Values: `0`: unset or the maximum body size in bytes
Clear Queue	Empties the passive scan queue without passively scanning the messages. Currently running rules will run to completion but new rules will only be run when new messages are added to the queue.


	Passive Scanner	the introduction to Passive Scanner add-on

Passive Scanner Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Passive Scanner Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Passive Scanner API

Mon, 01 Jan 0001 00:00:00 +0000

Passive Scanner API

The following operations are added to the API:

Actions

clearQueue: Clears the passive scan queue.
disableAllScanners: Disables all passive scan rules.
disableAllTags: Disables all passive scan tags.
disableScanners (ids*): Disables passive scan rules.
- ids: A comma separated list of scan rule IDs.
enableAllScanners: Enables all passive scan rules.
enableAllTags: Enables all passive scan tags.
enableScanners (ids*): Enables passive scan rules.
- ids: A comma separated list of scan rule IDs.
setEnabled (enabled*): Sets whether or not the passive scanning is enabled (Note: the enabled state is not persisted).
- enabled: The enabled state, true or false.
setMaxAlertsPerRule (maxAlerts*): Sets the maximum number of alerts a passive scan rule can raise.
- maxAlerts: The maximum number of alerts.
setMaxBodySizeInBytes (maxSize*): Sets the maximum body size in bytes that the passive scanner will scan.
- maxSize: The maximum size in bytes, 0 to unset.
setScanOnlyInScope (onlyInScope*): Sets whether or not the passive scan should be performed only on messages that are in scope.
- onlyInScope: The scan state, true or false.
setScannerAlertThreshold (id* alertThreshold*): Sets the alert threshold of a passive scan rule.
- id: The ID of the scan rule.
- alertThreshold: The alert threshold: OFF, DEFAULT, LOW, MEDIUM and HIGH

Views

currentTasks: Shows information about the passive scan tasks currently being run (if any).
maxAlertsPerRule: Gets the maximum number of alerts a passive scan rule should raise.
maxBodySizeInBytes: Gets the maximum body size in bytes that the passive scanner will scan.
recordsToScan: The number of records the passive scanner still has to scan.
scanOnlyInScope: Tells whether or not the passive scan should be performed only on messages that are in scope.
scanners: Lists all passive scan rules with their ID, name, enabled state, and alert threshold.


	Passive Scanner	the introduction to Passive Scanner add-on

Passive Scanner Automation Framework - passiveScan-config Job

Mon, 01 Jan 0001 00:00:00 +0000

Passive Scanner Automation Framework - passiveScan-config Job

This job allows you to manage the passive scan configuration.

It is covered in the video: ZAP Chat 08 Automation Framework Part 2 - Environment.

The passive scanner runs against all requests and responses that are generated by ZAP or are proxied through it. If you want to configure the passive scan configuration then you should typically do so before running any other jobs. However you can run this job later, or multiple times, if you want different jobs to use different passive scan configurations.

Passive scanner rules (alpha) Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

48 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

47 - 2025-11-04

Added

SYSTEMIC tag to selected rules.

Changed

Depends on an updated version of the Common Library add-on.

Removed

The two example passive scan rules were removed from this add-on and are now part of: https://github.com/zaproxy/addon-java

46 - 2025-09-18

Changed

Update alert references to latest locations to fix 404s and resolve redirections.

45 - 2025-06-20

Added

All rules have been tagged of interest to Penetration Testers, as well as adding tags associated with DEV or QA applicability.

Changed

Depends on an updated version of the Common Library add-on.

44 - 2025-03-04

Changed

Update minimum ZAP version to 2.16.0.
Maintenance changes.
Replace usage of CWE-200 for the Base64 Disclosure scan rule (Issue 8730).

43 - 2024-09-02

Changed

Update minimum ZAP version to 2.15.0.

Fixed

Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner.

42 - 2024-01-16

Changed

Update minimum ZAP version to 2.14.0.

Added

Website alert links (Issue 8189).
Full Path Disclosure vulnerability passive scanner (Issue 413).

41 - 2023-09-08

Changed

Maintenance changes.
Use HTTPS and resolve redirections in the alert references.
The alerts ASP.NET ViewState Disclosure and ASP.NET ViewState Integrity no longer have the evidence duplicated in the Other Info field.
Depend on newer version of Common Library add-on.
Use vulnerability data directly from Common Library add-on.

40 - 2023-07-20

Added

Fetch Metadata Request Headers scan rule (Issue 6955).

Changed

Update minimum ZAP version to 2.13.0.

Removed

The following scan rules were removed, having been promoted to Beta:
- Insufficient Site Isolation Against Spectre Vulnerability
- Source Code Disclosure

39 - 2023-05-03

Added

Base64, Example, Site Isolation, and Source Code Disclosure scan rules now all provide example alerts for documentation purposes. As well as Alert Refs where applicable (Issues 6119 & 7100).

38 - 2023-03-03

Fixed

Use case insensitive HTTP field name check in Insufficient Site Isolation Against Spectre Vulnerability scan rule.

Changed

Maintenance changes.

37 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.

Removed

The following scan rules were removed, having been promoted to Beta:
- Content Cacheable
- In Page Banner Info Leak
- JS Function
- JSO
- Permissions Policy
- Sub Resource Integrity Attribute

36 - 2022-09-16

Changed

Update minimum ZAP version to 2.11.1.
Maintenance changes.
Sub Resource Integrity Attribute Missing scan rule now supports Trusted Domains.
The Base64 Disclosure scan rule will now ignore headers which are known to contain irrelevant Base64 like strings or are covered by other rules (ETag, Authorization, X-ChromeLogger-Data, X-ChromePhp-Data) (Issue 6619).
Added new Custom Payloads alert tag to the example alerts of the Dangerous JS Function scan rule.
Permissions Policy scan rule updated for consistency and documentation purposes (Issue 7458).

Fixed

False positive condition from Sub Resource Integrity Attribute Missing scan rule when rel=canonical is used (Issue 7040).
Threading issue in Dangerous JS Functions rule - only reproducible with currently unreleased core changes.

35 - 2021-12-01

Changed

Maintenance changes.

Added

OWASP Web Security Testing Guide v4.2 mappings where applicable.
Sub Resource Integrity Attribute Missing scan rule will now include the suggested integrity hash (Base64 encoded SHA384 hash) as part of the relevant Alert’s Other Info details if the referenced script can be found in the Sites Tree (Issue 5894).

34 - 2021-10-07

Added

OWASP Top Ten 2021/2017 mappings.

Changed

Ignore CSS, JavaScript, images, or font files when scanning for source code disclosures (Issues: 6595, 6795, & 6820).
Update minimum ZAP version to 2.11.0.

33 - 2021-07-07

Fixed

Correct dependency declaration on Common Library add-on (Issue 6674).

32 - 2021-07-06

Changed

Maintenance changes.

Fixed

Correct dependency requirements.

31 - 2021-06-17

Changed

Now using 2.10 logging infrastructure (Log4j 2.x).
Discontinued use of CWE-16 and switched to more specific weaknesses in the following scan rules:
- Feature Policy
- Site Isolation
- Sub Resource Integrity
Maintenance changes.
Rename of Feature-Policy header to Permissions-Policy to follow spec change.
Update links to repository.

Fixed

Dangerous JS Function scan rule, use word boundaries to reduce false positives (Issue 6594).

30 - 2021-02-08

Changed

Now targeting ZAP 2.10.
The In Page Banner Information Leak scan rule and Site Isolation scan rule now support Custom Page definitions.
Update links to zaproxy repo.

29 - 2020-11-16

Added

Add rule for Site Isolation (CORP/COEP/COOP).

Changed

Maintenance changes.

28 - 2020-08-13

Changed

Maintenance changes.

Fixed

Fixed bug where Sub Resource Integrity Attribute Missing scan rule alerts even when HTML asset is inline (Issue 6047).

27 - 2020-06-01

Added

Added links to the code in the help.
Add info and repo URLs.
Add JS Function Scanner

Changed

Update minimum ZAP version to 2.9.0.
Update ZAP blog links.
Updated owasp.org references (Issue 5962).

Fixed

Fixed NullPointerException in Sub Resource Integrity Attribute Missing scan rule (Issue 5789).
Minor spacing issue in help content.
Base64 Disclosure do not keep looping after identifying a disclosure (Issue 5856), unless the Threshold is set to Low.

Removed

‘Insecure Component’ was deprecated and removed (Issue 5788).
‘Modern Web Application’ scan rule was removed in being promoted to Beta.

26 - 2019-12-16

Added

Add Java Serialized Object (JSO) Scanner.
Add Sub Resource Integrity Attribute Missing Scanner.

Changed

Fixed false positive when redirect destination is the same domain (Issue 5289).
CSP Missing and Feature Policy scan rule: Ignore missing headers on redirects unless Low threshold used.

Removed

The following scan rules were removed in being promoted to Beta:
- Big Redirect Detected (Potential Sensitive Information Leak)
- Content Security Policy (CSP) Header Not Set
- Cookie Poisoning
- Directory Browsing
- Hash Disclosure
- Heartbleed OpenSSL Vulnerability (Indicative)
- HTTP Server Response Header Scanner
- HTTP to HTTPS Insecure Transition in Form Post
- HTTPS to HTTP Insecure Transition in Form Post
- Open Redirect
- PII Scanner
- Retrieved from Cache
- Reverse Tabnabbing
- Strict-Transport-Security Header Scanner
- User Controllable Charset
- User Controllable HTML Element Attribute (Potential XSS)
- User Controllable JavaScript Event (XSS)
- X-Backend-Server Header Information Leak
- X-ChromeLogger-Data (XCOLD) Header Information Leak

25 - 2019-07-11

Added Modern App Detection Scanner

24 - 2019-06-07

PiiScanner add word boundary checks to reduce false positives.
HashDisclosureScanner prevent false positives on obvious jsessionid values (Issue 5215).
Remove Cookie Same Site Scanner (promoted to beta Issue 4464).
Remove Cross Domain Misconfiguration Scanner (promoted to beta Issue 4465).
Remove Timestamp Scanner (promoted to beta Issue 4466).
Remove Username IDOR Scanner (promoted to beta Issue 4467).
Remove X AspNet Version Scanner (promoted to beta Issue 4468).
Remove X Debug Token Scanner (promoted to beta Issue 4469).
Remove X PoweredBy Scanner (promoted to beta Issue 4470).
Add scanner for missing Feature Policy header.
Report source code disclosure alerts at Medium instead of High

23 - 2019-02-08

Fix a stack overflow with PII Scanner.
Fix a DateParseException in Cacheable Scanner (Issue 4969).
Fix Open Redirect (10028) “Attack” should be Desc.
Fix false positive due to RxJS Observable method being mistaken for ASP source disclosure.
Tweak User Controllable Charset and Cookie Poisoning to use Description/Other Info field instead of Attack (Issue 5149).
Only report missing STS header on redirects to HTTPS URLs on the same domain at Low threshold.
Hash Disclosure (10097): Add threshold filtering and fix hash confidence levels.

22 - 2018-08-15

Help documentation improvements and cleanup.
Prevent User Controlled HTML Attribute scanner from sometimes raising duplicate alerts.
User Controlled HTML Attribute scanner now properly reports the parameter name in alerts.
Add In Page Banner Info Leak scanner (Issue 178).
CacheableScanner: Handle max-age with comma but no space in directive (Issue 4924).
Make the title for the “Reverse Tabnabbing” alert titlecaps.

21 - 2018-02-27

Renamed blank link target to reverse tabnabbing scanner and fixed implementation.
Remove Image Location Scanner, it’s been separated into it’s own addon and promoted to beta.

20 - 2018-02-19

Change Image Location and Privacy Scanner to escape HTML inside of embedded image comments.
Bump jar version of Image Location and Privacy Scanner dependancy xmpcore.
Update Image Location and Privacy Scanner to version 1.0.
Fix exception in blank link target scanner.
Fix exception in Username Hash Found scanner.

19 - 2018-02-13

Minor code changes to comply with deprecations.
Added passive PII Scanner (which currently looks for Credit Card # patterns).
Change Image Location and Privacy Scanner to scan hidden images.
Added blank link target scanner.

18 - 2017-11-24

Correct typo in XCOLD alert description (Issue 3997).
Do not set a value in the attack fields.
Do not rely on system’s charset to create request/response bodies.

17 - 2017-11-06

Code changes for Java 9 (Issue 2602).
Bug fix - Added Strict-Transport-Security to the ignored header on Timestamp Disclosure scanner.
Add X-AspNet-Version Header scanner - detecting information disclosure via HTTP headers.

16 - 2017-10-05

HTTP “Server” response header, report any “Server” header if Threshold is LOW.
Update Image Location Scanner (passive rule) to leverage 0.4 of the code and 2.10.1 of the library it depends on.

15 - 2017-07-07

Added scanner that looks for simple hashes of usernames based on context user configuration details.

14 - 2017-05-25

Report missing CSP header as LOW even if CSP Report header present.
Added X-Debug-Token Scanner (Issue 2452).

13 - 2017-01-18

Issue 3148: Only report HSTS on plain HTTP issue at Low threshold.

12 - 2016-10-24

Refactoring the x-powered-by scanner to raise one alert if it finds repetitive headers.
Update the CSP scanner to handle the Content-Security-Policy-Report-Only header.

11 - 2016-07-28

Issue 2538: Strict-Transport-Security Header Scanner additional variants.
Issue 2716: Implement a passive check for cookies without SameSite set.

10 - 2016-06-22

XPoweredByHeaderInfoLeakScanner modify evidence (Issue 2575)
ContentSecurityPolicyMissingScanner to only check for older CSP headers at Low threshold
CacheableScanner: Add other information in attack and remove evidence (Issue 2573)

9 - 2016-06-02

Add CWE and WASC IDs to passive scanners which may have been lacking those details.
Fix exception when scanning with “User Controllable Charset” scanner.
Fix exception when scanning with “Image Location Scanner” scanner.
Strict-Transport-Security Header Scanner added support for max-age=0 per rfc6797.

8 - 2016-01-04

Add passive scanner to identify info leaks via X-ChromeLogger-Data or X-ChromePhp-Data.

7 - 2015-12-04

ImageLocationScanner detects more GPS tag varieties, scans png & tiff files, adds i18n.
Fix exception when scanning with “Base64 Disclosure” (Issue 2037).

6 - 2015-09-07

Minor code changes.

5 - 2015-04-13

Tweaked “Source Code Disclosure” scanner to reduce false positives
Added “Insecure Component” scanner
Addressed issue 1262 (Risk & Confidence for ‘User controllable HTML element attribute (potential XSS)’ and ‘Timestamp Disclosure’)
Add Big Redirect scanner (Issue 1257)
Fixed an issue in detecting SHA-512 Crypt hashes, and other hashes beginning with “$”
Detect Node.js source code
Report Apache vulnerabilities on Red Hat and CentOS as False Positives
Detect Directory Browsing / Listings on Microsoft IIS
Added Cacheable Content scanner
Added Retrieved From Cache scanner
Updated Insecure Component scanner to support Squid
Added Image Location Scanner passive scanner
Updated Insecure Component scanner vulnerability database for all products
Updated for ZAP 2.4

4 - 2014-06-14

Added various checks per Issue 1169;
Added “Heartbleed OpenSSL Vulnerability (Indicative)” scanner;
Added “Directory Browsing” scanner;
Added “Cross-Domain Misconfiguration” scanner;
Improved “Source Code Disclosure” scanner;
Improved “Base64 Disclosure” scanner;
Improved “Hash Disclosure” scanner;
Fixed duplicated plug-in IDs.

3 - 2014-04-03

Changed help file structure to support internationalisation (Issue 981).
Changed passive scanners to expose its IDs (Issue Issue 1101).
Updated add-on dir structure (Issue 1113).
Added example rules.

2 - 2013-09-11

Updated for ZAP 2.2.0

1 - 2013-03-26

v.1
Added an alpha version of User Controlled Open Redirect passive rule ported from
Watcher rule https://websecuritytool.codeplex.com/wikipage?title=Checks#user-controlled-redirect
v.2
Added an alpha version of User Controlled Cookie passive rule ported from
Watcher rule https://websecuritytool.codeplex.com/wikipage?title=Checks#user-controlled-cookie
Added an alpha version of User Controlled Charset passive rule ported from
Watcher rule https://websecuritytool.codeplex.com/wikipage?title=Checks#user-controlled-charset
v.3
Updated User Controlled Open Redirect, Cookie and Charset rules after testing with
http://www.testcases.org/watcher/ test pages.

Passive scanner rules (alpha) Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Passive scanner rules (beta) Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

49 - 2026-02-17

Changed

Insufficient Site Isolation Against Spectre Vulnerability alerts to have unique alert names.

48 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

Removed

The following scan rules were removed, having been promoted to Beta:
- In Page Banner Information Leak
- Java Serialization Object
- Sub Resource Integrity Attribute Missing

47 - 2025-11-04

Added

SYSTEMIC tag to selected rules.

Changed

Depends on an updated version of the Common Library add-on.
Reduced usage of error level logging.

46 - 2025-09-18

Changed

Update alert references to latest locations to fix 404s and resolve redirections.

45 - 2025-09-10

Changed

Add alert references to Content Cacheability scan rule alerts (Issue 7100).

44 - 2025-06-20

Changed

Dropped period from extension name used in the GUI.
Depends on an updated version of the Common Library add-on.

Fixed

A false positive with the Sub Resource Integrity Attribute Missing scan rule with regard to which link tags it raises alerts on (Issue 8938).

Added

All rules have been tagged of interest to Penetration Testers, as well as adding tags associated with DEV or QA applicability.

43 - 2025-03-04

Changed

Replace usage of CWE-200 for the In Page Banner Information Leak scan rule (Issue 8731).
Add support for ‘credentialless’ COEP value in the Insufficient Site Isolation Against Spectre Vulnerability scan rule (Issue 8840).

42 - 2025-01-15

Changed

Update minimum ZAP version to 2.16.0.
Updated help with specific Category identifier for use with the Custom Payloads add-on for the “Dangerous JS Functions” rule.

Fixed

Fix typo in log message.
Fix Insufficient Site Isolation scan rule check that filters responses based on whether a response is a success or not.

Changed

Maintenance changes.

41 - 2024-09-02

Fixed

A possible false positive condition with the Dangerous JS Functions scan rule with substrings in certain circumstances (Issue 8553).

40 - 2024-07-24

Removed

Polyfill scan rule, promoted to release.

39 - 2024-06-28

Added

More ‘polyfill’ related domains.

38 - 2024-06-27

Added

Polyfill.io script detection.

Changed

Update minimum ZAP version to 2.15.0.
Maintenance changes.

Fixed

Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner.

37 - 2024-02-12

Added

Website alert links (Issue 8189).

Changed

Maintenance changes.

36 - 2024-01-16

Changed

Update minimum ZAP version to 2.14.0.
The Source Code Disclosure rule no longer considers responses that contain ISO control characters (those which are likely to be binary file types) (Issue 8191).

35 - 2023-09-08

Changed

Use HTTPS and resolve redirections in the alert references.
The alerts of the Source Code Disclosure scan rule no longer have the evidence duplicated in the Other Info field.

34 - 2023-07-20

Added

The following scan rules were added, having been promoted from Alpha:
- Insufficient Site Isolation Against Spectre Vulnerability
- Source Code Disclosure

Changed

Update minimum ZAP version to 2.13.0.
Maintenance changes.

33 - 2023-05-03

Changed

The following scan rules now have functionality to generate example alerts for documentation purposes (Issue 6119).
- In Page Banner Information Leak
- Java Serialization Object
- HTTP Parameter Override
- Sub Resource Integrity Attribute Missing

32 - 2023-03-03

Changed

Maintenance changes.

Fixed

The Cacheable scan rule should now be more tolerant when parsing s-max-age values.

31 - 2022-10-27

Added

The following scan rules were added, having been promoted from Alpha:
- Content Cacheable
- In Page Banner Info Leak
- JS Function
- JSO
- Permissions Policy
- Sub Resource Integrity Attribute

Changed

Update minimum ZAP version to 2.12.0.
Content Cacheability scan rule now has functionality to generate example alerts for documentation purposes (Issue 7502).

Removed

The following scan rules were removed, having been promoted to Release:
- Big Redirects
- Directory Browsing
- Hash Disclosure
- HeartBleed
- Insecure Form Load
- Insecure Form Post
- Link Target
- Modern App Detection
- PII
- Retrieved From Cache
- Server Header Info Leak
- Strict Transport Security
- User Controlled Charset
- User Controlled Cookie
- User Controlled HTML Attributes
- User Controlled Javascript Event
- User Controlled Open Redirect
- X-Backend-Server Information Leak
- X-ChromeLogger-Data Info Leak

30 - 2022-09-15

Changed

Maintenance changes.
Reverse Tabnabbing scan rule now leverages the Common Library Trusted Domains implementation.

29 - 2022-04-05

Changed

Update minimum ZAP version to 2.11.1.
Maintenance changes.

Removed

Content Security Policy (CSP) Header Not Set scan rule promoted to release.

28 - 2021-12-01

Fixed

Fixed false positive in Reverse Tabnabbing scan rule.

Changed

Maintenance changes.

Added

OWASP Web Security Testing Guide v4.2 mappings where applicable.

27 - 2021-10-07

Added

OWASP Top Ten 2021/2017 mappings.

Changed

Reverse Tabnabbing Scan Rule will now alert when the ‘opener’ keyword is present.
Maintenance changes.
Update minimum ZAP version to 2.11.0.

26 - 2021-07-29

Fixed

PII Disclosure scan rule now ignores images (Issue 6697).
PII Disclosure scan rule will now ignore seeming decimal numbers unless at Low threshold (Issue 6639).

25 - 2021-06-17

Changed

Now using 2.10 logging infrastructure (Log4j 2.x).
Update RE2/J library to latest version (1.6).
PII Scan Rule will now ignore CSS and style information (Issue 6288).
Discontinued use of CWE-16 and switched to more specific weaknesses in the following scan rules:
- CSP Missing
- Insecure Form Load
- Insecure Form Post
- Strict-Transport-Security
Hash Disclosure scan rule will now only evaluate JavaScript responses at Low threshold (Issue 6071).
Added/updated the details of some alerts (some changes might break Alert Filters)
- Insecure Form Load
  - Added evidence
- Insecure Form Post
  - Added evidence
Maintenance changes.
Update links to repository.

24 - 2020-12-15

Changed

Now targeting ZAP 2.10.
The following scan rules now support Custom Page definitions:
- Insecure Form Load
- Insecure Form Post
- User Controlled Charset
- User Controlled HTML Attribute
- User Controlled JavaScript Event

23 - 2020-11-18

Changed

Update RE2/J library to latest version (1.5).
Maintenance changes.
Content Security Policy header missing scan rule changed to Medium risk in order to align with other CSP findings, and confidence to High (Issue 6301).

22 - 2020-06-01

Added

Added links to the code in the help.
Add info and repo URLs.
‘Modern Web Application’ scan rule was added, being promoted to Beta.

Changed

Update minimum ZAP version to 2.9.0.
‘PII Disclosure scanner’ alerts and help entry renamed ‘PII Disclosure’ for clarity and proper title caps.
‘PII Disclosure’ added further false positive handling with regard to exponential numbers such as 2.4670000000000001E-2 or 2.4670000000000001E2.
Maintenance changes.
‘Servlet Parameter Pollution’ scan rule will now only scan responses for in Context URLs for which the Technology JSP/Servlet is applicable.
Updated owasp.org references (Issue 5962).
‘PII Disclosure’ added support for looking up evidence against an Open Source Bank Identification Number List. Confidence is now modified based on whether the lookup is successful or not. Additional details are added to ‘Other Info’ if available (Issue 5842).
Changed to set Risk Info and Confidence Low for the following passive scan rules: User Controlled Cookie, User Controlled JavaScript Event, and User Controlled Charset.

21 - 2019-12-16

Added

The following scan rules were added being promoted from Alpha to Beta:
- Big Redirect Detected (Potential Sensitive Information Leak)
- Content Security Policy (CSP) Header Not Set
- Cookie Poisoning
- Directory Browsing
- Hash Disclosure
- Heartbleed OpenSSL Vulnerability (Indicative)
- HTTP Server Response Header Scanner
- HTTP to HTTPS Insecure Transition in Form Post
- HTTPS to HTTP Insecure Transition in Form Post
- Open Redirect
- PII Scanner
- Retrieved from Cache
- Reverse Tabnabbing
- Strict-Transport-Security Header Scanner
- User Controllable Charset
- User Controllable HTML Element Attribute (Potential XSS)
- User Controllable JavaScript Event (XSS)
- X-Backend-Server Header Information Leak
- X-ChromeLogger-Data (XCOLD) Header Information Leak

Removed

The following scan rules were removed in being promoted Beta to Release:
- Cookie Without SameSite Attribute
- Cross Domain Misconfiguration
- Information Disclosure: In URL
- Information Disclosure: Referrer
- Information Disclosure: Suspicious Comments
- Server Leaks Information via “X-Powered-By” HTTP Response Header Field(s)
- Timestamp Disclosure
- Username Hash Found
- X-AspNet-Version Response Header Scanner
- X-Debug-Token Information Leak

20 - 2019-11-19

Changed

Tweak Information Disclosure - Suspicious Comments scanner to ignore whitespace before/after suspicious comments terms in the suspicious-comments.txt config file.
Only scan for Servlet Parameter Pollution at LOW threshold (part of Issue 4454).
Username IDOR scan rule now supports use of the Custom Payload addon.

19 - 2019-06-07

Fix typo and correct term in help page.
Fix typo in scanner name.
Tweak alert Authentication Credentials Captured to use Description field instead of Attack.
Remove Charset Mismatch Scanner (promoted to release Issue 4460).
Remove ViewState Scanner (promoted to release Issue 4453).
Remove Insecure JSF ViewState Scanner (promoted to release Issue 4455).
Remove Insecure Authentication Scanner (promoted to release Issue 4456).
Remove Information Disclosure Debug Errors Scanner (promoted to release Issue 4457).
Remove CSRF Countermeasures Scanner (promoted to release Issue 4458).
Remove Cookie Loosely Scoped Scanner (promoted to release Issue 4459).
Promote Cookie Same Site Scanner to Beta (Issue 4464).
Promote Cross Domain Misconfiguration Scanner to Beta (Issue 4465).
Promote Timestamp Scanner to Beta (Issue 4466).
Promote Username IDOR Scanner to Beta (Issue 4467).
Promote X AspNet Version Scanner to Beta (Issue 4468).
Promote X Debug Token Scanner to Beta (Issue 4469).
Promote X PoweredBy Scanner to Beta (Issue 4470).

18 - 2018-01-19

Minor code changes to address deprecation.
At HIGH threshold only perform CSRF checks for in scope messages (Issue 1354).
Exclude JavaScript response types from the InformationDisclosureDebugErrors scanner unless threshold is Low (Issue 4210).

17 - 2017-11-24

Minor changes to InsecureJFSViewStatePassiveScanner (check response contains JSF viewstate or if it’s server stored).
Improve the domain matching in CookieLooselyScopedScanner.
Issue 3449: CSRFcountermeasures passive scanner now raises alerts on a per-form basis on pages with multiple forms.
Issue 3937: Update ServletParameterPollutionScanner reference.

16 - 2017-04-25

Added some keywords to the list of suspicious comments.

15 - 2017-01-18

Support security annotations for forms that dont need anti-CSRF tokens.

14 - 2016-10-24

Issue 2576: CSRFCountermeasures, remove unneeded Attack and Evidence messages.
Issue 2574: CookieLooselyScopedScanner, remove attack field and update description.
Support ignoring specified forms when checking for CSRF vulnerabilities.
Correct the plugin ID of Absence of Anti-CSRF Tokens from 40014 to 10202.
Issue 2860: Add further reference links.

13 - 2016-06-02

Issue 1966: Charset Mismatch passive scanner now handles HTML5 meta charset, and multiple conditions.
Issue 316: ‘Information Disclosure - Debug Error’ added mysql and ASP.Net messages.
Issue 823: i18n (internationalise) beta passive scan rules.
Issue 2230: Weak Auth Passive Scanner - Evidence vs Attack.
Add CWE and WASC IDs to passive scanners which may have been lacking those details.
Create help for scanners which were missing entries.

12 - 2015-12-04

Change (duplicated) scanner ID of Weak Authentication Method, now it’s 10105.

11 - 2015-09-07

Minor code changes.

10 - 2015-04-13

Updated for ZAP 2.4

9 - 2014-04-10

Fixed the plug-in ID of Viewstate scanner.
Changed help file structure to support internationalisation (Issue 981).
Added content-type to help pages (Issue 1080).
Changed all plug-ins to expose its IDs (Issue 1101).
Updated add-on dir structure (Issue 1113).

7 - 2013-12-16

Restored the name of “Loosely Scoped Cookie” alert/scanner (Issue 850).
Restored the name of “Charset Mismatch” alert/scanner (Issue 851).
Cope with ZAP running from dir other than the one its installed in (Issue 933)

6 - 2013-09-11

Updated to be compatible with 2.2.0

3 - 2013-05-27

Added new passive scanners: “CharsetMismatchScanner” and “CookieLooselyScopedScanner”;
Updated language files;
Updated for ZAP 2.1.0.

2 - 2013-01-17

Updated to support new addon format

Passive scanner rules (beta) Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Passive scanner rules Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

72 - 2026-03-31

Added

Loosely scoped cookie rule to include evidence.

Changed

Loosely scoped cookie rule to just include cookie names in the “Other Info”.

71 - 2026-03-02

Changed

Information Disclosure - Suspicious Comments scan rule:
- Attempts to collect comments from JavaScript content using the ANTLR library, which should be more accurate.
- Provides more context in the evidence (Issue 9185).
The Content Security Policy scan rule leverages an updated version of the htmlunit-csp library that includes support for the trusted-types and require-trusted-types-for directives.

70 - 2025-12-15

Added

The following scan rules were added, having been promoted from Beta:
- In Page Banner Information Leak
- Java Serialization Object
- Sub Resource Integrity Attribute Missing

Changed

Update minimum ZAP version to 2.17.0.
Address redirection in a reference.
Update dependency.

69 - 2025-11-04

Changed

Update dependency.
Reduced usage of error level logging.
The Charset Mismatch scan rule now includes example alert functionality for documentation generation purposes (Issue 6119) and alert references (Issue 7100).

Removed

The Charset Mismatch scan rule no longer produces an alert with regard to META content-type and older clients.

68 - 2025-10-21

Added

SYSTEMIC tag to selected rules.

Changed

Update dependency.
The PII Disclosure scan rule now only evaluates visible text and script blocks in HTML responses at Medium or High alert threshold, while the entire response body is considered at Low alert threshold. To further prevent false positives at Medium or High alert threshold candidate strings with underscore are excluded.
Depends on an updated version of the Common Library add-on.

Fixed

ZAP is Out of Date rule to not trigger a CFU request in silent mode (Issue 9096).

67 - 2025-09-18

Changed

Add alert references to HTTP Server Response Header scan rule alerts (Issue 7100, 9050).
Update alert references to latest locations to fix 404s and resolve redirections.

66 - 2025-07-25

Added

The Reverse Tabnabbing and Retrieved from Cache scan rules now have CWE references.
A ZAP is Out of Date rule.

65 - 2025-06-20

Added

All rules have been tagged of interest to Penetration Testers, as well as adding tags associated with DEV or QA applicability.

Changed

Depends on an updated version of the Common Library add-on.
Clarified details of the Viewstate scan rule alerts, in some instances they were misleading (containing colons suggesting further data).
The Open Redirect scan rule (ID: 10028) and its alerts have been renamed “Off-site Redirect” as this is a passive rule which compares the authority of the origin and destination and there is no assurance of a truly “open” redirect.

64 - 2025-03-25

Changed

The CSP scan rule now treats Wildcard directives separately from those which are undefined but have no fallback (Issue 8700).

63 - 2025-03-04

Fixed

Refactored Loosely Scoped Cookie to comply with the latest RFC standards and streamline the loosely scoped cookie check (Issue 8863).
The Absence of Anti-CSRF Tokens scan rule now only considers forms with GET method at Low Threshold. (Forms submitted via GET, not forms delivered via GET.)
The Information Disclosure - Suspicious Comments scan rule:
- Should now be less false positive prone on JavaScript findings (Issues 6622 & 6736).
- Now skips obvious font requests even if their content type is text/html or text related.
Updated Timestamp Disclosure Scan Rule to skip JavaScript files when Alert Threshold is set to High (Issue 8380).

Changed

Replace usage of CWE-200 for the following rules (Issue 8712):
- Application Error Disclosure (Issue 8716)
- HTTP Server Response Header
- Hash Disclosure
- Information Disclosure - Debug Error Messages
- Information Disclosure - Sensitive Information in HTTP Referrer Header
- Information Disclosure - Sensitive Information in URL
- Information Disclosure - Suspicious Comments
- Private IP Disclosure
- Server Leaks Information via “X-Powered-By” HTTP Response Header
- Session ID in URL Rewrite
- Timestamp Disclosure
- X-Backend-Server Header Information Leak
- X-ChromeLogger-Data (XCOLD) Header Information Leak
- X-Debug-Token Information Leak
Removed lack of “report-uri” or “plugin-types” from “CSP: Wildcard Directive” alerts when missing. plugin-types is deprecated and report-uri has no impact for this issue. (Issue 8700)

62 - 2025-01-10

Changed

Update minimum ZAP version to 2.16.0.
Updated help with specific Category identifiers for use with the Custom Payloads add-on for rules:
- Application Error Disclosure
- Information Disclosure - Suspicious Comments
- Username Hash Found

61 - 2024-09-24

Changed

Maintenance changes.
Rename Mac OSX salted SHA-1 in the Hash Disclosure scan rule to “Salted SHA-1”, reduce the associated alerts to Low risk and Low confidence, to align with other SHA related patterns it will only be evaluated a Low Threshold. (Note such matches may indicate leaks related but not limited to: MacOS X, Oracle, Tiger-192, Haval-192) (Issue 8624).
The Insecure JSF ViewState now includes example alert functionality for documentation generation purposes (Issue 6119).
The Absence of Anti-CSRF Tokens scan rule now only considers GET requests at Low Threshold (Issue 7741).

60 - 2024-09-02

Changed

Clarified Missing Anti-clickjacking Header description.
Depend on Passive Scanner add-on to include it by default (Issue 7959).
Re-examine Cache-control Directives scan rule now ignores cache-control for POST method requests (Issue 8592).

Fixed

Polyfill scan rule running slowly.
Only scan text responses for:
- Hash Disclosure
- Private IP Disclosure
- Username Hash Found
Performance improvements for:
- Cross-Domain JavaScript Source File Inclusion.
- Cross-Domain Misconfiguration.

59 - 2024-07-24

Added

Polyfill scan rule, promoted from beta.

Changed

Maintenance changes.

Fixed

Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner.
Typo in Polyfill.io script detection alert description.

58 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.
The library (htmlunit-csp) used by the Content Security Policy scan rule was updated to v4.0.0, which includes support for the wasm-unsafe-eval source expression.

Fixed

A typo in the Other Info of one of the Retrieved from Cache Alerts.

57 - 2024-03-28

Changed

Use of HTTP for example URLs in the descriptions or other info details for the following rules have been updated to HTTPS (Issue 8262):
- Cookie Poisoning
- Open Redirect
- X-Debug-Token Information Leak

56 - 2024-02-16

Added

Website alert links for Passive Scan Rules (Issue 8189).

Changed

Maintenance changes.
The following rules now include example alert functionality for documentation generation purposes (Issue 6119):
- Timestamp Disclosure - Unix
- Hash Disclosure
- Cross-Domain Misconfiguration
- Weak Authentication Method
- Reverse Tabnabbing
- CSRF Countermeasures
The following scan rules now have alert references (Issue 7100):
- Weak Authentication Method
The references for Alerts from the following rules were also updated (Issue 8262):
- Timestamp Disclosure - Unix
- Hash Disclosure
- View State Scan Rule
- Weak Authentication Method

55 - 2024-01-26

Changed

The Salvation2 library used by the CSP scan rule has been replaced by htmlunit-csp.
The following rules now include example alert functionality for documentation generation purposes (Issue 6119):
- HTTPS to HTTP Insecure Transition in Form Post
- HTTP to HTTPS Insecure Transition in Form Post
- Secure Pages Include Mixed Content
- User Controllable JavaScript Event (XSS)
- Cookie without SameSite Attribute
- X-Debug-Token Information Leak
- Retrieved from Cache
The following scan rules now have alert references (Issue 7100):
- Cookie without SameSite Attribute
- Retrieved from Cache (raw text was also trimmed from one Alert reference (Issue 8262))

Fixed

An issue where Other Info on alerts for the following rules may have been hard to read (missing spaces or new lines):
- HTTPS to HTTP Insecure Transition in Form Post
- HTTP to HTTPS Insecure Transition in Form Post
- User Controllable JavaScript Event (XSS)

54 - 2024-01-16

Changed

The Big Redirect scan rule will now also alert on responses that have multiple HREFs (idea from xnl-h4ck3r).
The references for the following scan rules are now all HTTPS (Issue 8262) and in some cases updated:
- Loosely Scoped Cookie
- Charset Mismatch
- Strict-Transport-Security Header
- Content Security Policy (CSP) Header Not Set
- CSP
- Session ID in URL Rewrite
- HTTP Server Response Header
- Cookie Poisoning
- User Controllable HTML Element Attribute (Potential XSS)
- X-Content-Type-Options Header Missing
- Content-Type Header Missing
- Server Leaks Information via “X-Powered-By” HTTP Response Header Field(s)
- Retrieved from Cache
The Absence of Anti-CSRF Tokens scan rule now takes into account the Partial Match settings from the Anti-CSRF Options (Issue 8280).
On Non-LOW threshold, PII Scan rule only evaluates HTML, JSON and XML responses (Issue 8264).
Maintenance changes.
The following rules now include example alert functionality for documentation generation and cross linking purposes (Issues 6119, and 8189).
- Big Redirect
- Information Disclosure: Debug Errors
- Information Disclosure: In URL
- Information Disclosure: Referrer
- Cookie Poisoning
- User Controllable Charset
- Open Redirect
- User Controllable HTML Element Attribute (Potential XSS)
- Heartbleed OpenSSL Vulnerability (Indicative)
- Strict-Transport-Security Header
- Server Leaks Information via “X-Powered-By” HTTP Response Header Field(s)
- X-Content-Type-Options Header Missing
- Content-Type Header Missing
The CWE for the Cookie Poisoning scan rule was updated to a more specific one.
The Strict-Transport-Security Header and Big Redirect scan rules now use alert references for their different types of alerts (Issue 7100).

53 - 2023-11-30

Changed

The Application Error Disclosure rule no longer considers responses that contain ISO control characters (those which are likely to be binary file types).
The Time Stamp Disclosure rule now includes the header field name as Parameter in alerts when a time stamp is identified in a header value (Issue 8160).
Maintenance changes.

52 - 2023-10-12

Fixed

The CSRF Countermeasures scan rule now skips responses that are not HTML (Issue 7890).
A potential NullPointerException when a CSP declared via META tag was invalid.

Changed

Update minimum ZAP version to 2.14.0.
CSP scan rule: Add deprecation warning for inclusion of prefetch-src (Issue 8077).

51 - 2023-09-08

Added

The following now include example alert functionality for documentation generation purposes (Issue 6119):
- Loosely Scoped Cookie scan rule.

Changed

Dependency updates.
Maintenance changes.
The alerts of the Hash Disclosure scan rule no longer have the evidence duplicated in the Other Info field.
Depend on newer version of Common Library add-on.
Use vulnerability data directly from Common Library add-on.

50 - 2023-07-11

Added

The following now include example alert functionality for documentation generation purposes (Issue 6119):
- Re-examine Cache-control Directives Scan Rule
- X-Backend-Server Scan Rule
- X-ChromeLogger-Data Header Information Leak Scan Rule

Changed

Update minimum ZAP version to 2.13.0.

49 - 2023-06-06

Changed

The X-AspNet-Version Response Header Scan Rule now includes example alert functionality for documentation generation purposes (Issue 6119).
The Information Disclosure Suspicious Comments scan rule:
- Now includes example alert functionality for documentation generation purposes (Issue 6119).
- Now has a Alert Tag with a OWASP WSTG reference.
- Added ‘DEBUG’ to list of suspicious comments.
- Added custom payload support (via Custom Payloads add-on).
- Removed suspicious-comments.txt file in favor of payload editing via Custom Payloads add-on.

Fixed

Ensure Custom Payloads support can be properly unloaded.

48 - 2023-05-03

Added

Added alert examples to Directory Browsing (Issue 6119).
Added Trusted Domains in Cross-Domain JavaScript Source File Inclusion (Issue 7775).

Changed

Application Error Scan Rule no longer checks JavaScript or CSS responses unless threshold is Low (Issue 7724).
The Cross-Domain JavaScript Source File Inclusion scan rule now includes example alert functionality for documentation generation purposes (Issue 6119).
Adjust alert details of Directory Browsing, use same name and description, and use the other info field for the name of the web server identified.

47 - 2023-04-04

Fixed

Correct required version of Common Library add-on.
Prevent error with the CSP scan rule when scanning meta elements with missing http-equiv attribute.

46 - 2023-03-03

Changed

The PII Disclosure scan rule:
- Now includes a solution statement.
- Now more specifically portrays alert Evidence.
- Now includes example alert functionality for documentation generation purposes (Issue 6119).
- Will now only consider PDFs at Low threshold.
Maintenance changes.
The HeartBleed scan rule alert now includes a CVE tag.
Timestamp Disclosure scan rule now excludes values in “RateLimit-Reset”, “X-RateLimit-Reset”, and “X-Rate-Limit-Reset” headers (Issue 7747).

Fixed

The CSP Missing scan rule now alerts when the Content-Security-Policy header is missing, and when the obsolete X-Content-Security-Policy or X-WebKit-CSP are found (Issue 7653).

45 - 2023-01-03

Changed

The Private Address Disclosure and Session ID in URL Rewrite scan rules now include example alert functionality for documentation generation purposes (Issue 6119 and 7100).
The Content Security Policy scan rule will now alert when “unsafe-eval” is allowed.
Maintenance changes.
The Salvation2 library used by the CSP scan rule was upgraded to v3.0.1. Alerts may now have an alert condition if the policy contains characters outside the accepted set.
The CSP scan rule now includes handling for policies defined in META tags, as well as two new alerts pertaining to those policies (Issue 7303).

Fixed

The Modern App Detection scan rule now ignores non-HTML files (Issue 7617).

44 - 2022-10-27

Added

The following scan rules were added, having been promoted from Beta:
- Big Redirects
- Directory Browsing
- Hash Disclosure
- HeartBleed
- Insecure Form Load
- Insecure Form Post
- Link Target
- Modern App Detection
- PII
- Retrieved From Cache
- Server Header Info Leak
- Strict Transport Security
- User Controlled Charset
- User Controlled Cookie
- User Controlled HTML Attributes
- User Controlled Javascript Event
- User Controlled Open Redirect
- X-Backend-Server Information Leak
- X-ChromeLogger-Data Info Leak

Changed

Update minimum ZAP version to 2.12.0.
The Server Header Information Leak scan rule now has functionality to generate example alerts for documentation purposes (Issue 6119).
Maintenance changes.

43 - 2022-09-15

Changed

Reduce Cache Control scan rule confidence to Low, and add new reference (Issue 6446).
Added new Custom Payloads alert tag to the example alerts of the Username IDOR and Application Error scan rules.
Maintenance changes.
The Timestamp Disclosure scan rule is now scoped to a 10 year range with a cap at the Y2038 rollover point (Issue 6741).
The Content Security Policy Header Not Set scan rule will no longer alert if CSP is specified via META tag (Issue 7303).

42 - 2022-07-15

Changed

The Content Security Policy scan rule will now raise alerts at High confidence, all alerts now include the appropriate header as the “parameter” value, and has functionality to generate example alerts for documentation purposes.
The Content Security Policy scan rule will now raise an alert when the assessed policy contains non-ASCII characters (Issue 7379).

41 - 2022-06-24

Changed

Maintenance changes.
The “Viewstate without MAC Signature (Unsure)” alert will now only be raised at Low Alert Threshold (Issue 7230).
The Content Security Policy scan rule will now alert when “unsafe-hashes” are allowed.

Fixed

Correct parameter and evidence for Cookie without SameSite Attribute when SAMESITE was set to None (Issue 7358).

40 - 2022-04-05

Changed

Clarify the alert solution for the Cache Control scan rule.

Added

Content Security Policy (CSP) Header Not Set scan rule promoted to release.

39 - 2022-03-07

Added

Alert refs for the alerts which use them (10020 and 10032).

Changed

Moved the detail information in Content Security Policy Rule to the otherInfo field and added alertRef ids.
Address false positive condition for Timestamp Disclosure scan rule when values are percentages (Issue 7057).
Update Cache-control scan rule name, description, and solution to make it more clear that there are cases in which caching is reasonable. Reduced risk to Info (Issue 6462).
Maintenance changes.
The CSRF Token scan rule will now raise alerts as Medium risk and Low confidence (Issue 7021).

Fixed

CSP scan rule will now alert in situations where default-src contains ‘unsafe-inline’ or is not defined (Issue 7120). In certain situations this may mean a marked increase in CSP related Alerts.
A typo was corrected in the CSP scan rule which was causing invalid assessment of “connect-src” directives.

38 - 2022-01-07

Changed

Update minimum ZAP version to 2.11.1.
Renamed ‘X-Frame-Options Header Not Set’ alert to ‘Missing Anti-clickjacking Header’, and associated scan rule ‘X-Frame-Options Header’ to ‘Anti-clickjacking Header’. The rule already considered Content-Security-Policy ‘frame-ancestors’ which is a more modern solution to the same concern. Updated associated solution text. (Issue 6937)
Content Security Policy scan rule will no longer classify “require-trusted-types-for” or “trusted-types” directives as unknown (Issue 6602).

37 - 2021-12-01

Added

OWASP Top Ten 2021/2017 mappings for Insecure Authentication scan rule.
OWASP Web Security Testing Guide v4.2 mappings where applicable.

Changed

Timestamp Disclosure scan rule now excludes values in “Expect-CT” headers (Issue 6725), as well as zero strings (Issue 6761).
Dependency updates.
Maintenance changes.

36 - 2021-10-06

Added

OWASP Top Ten 2021/2017 mappings.

Changed

Update minimum ZAP version to 2.11.0.

Fixed

Fixed reference URL on CORS misconfiguration.
Reduce false positives from Private IP Disclosure scan rule (Issue 6749).

35 - 2021-07-06

Changed

Maintenance changes.

Fixed

Correct dependency requirements.

34 - 2021-06-17

Changed

Cache-control scan rule no longer checks if Pragma is set or not.
Maintenance changes.
The Timestamp Disclosure scan rule now excludes values in “Report-To” or “NEL” headers (Issue 6493).
The Timestamp Disclosure scan rule no longer considers font type requests or responses when looking for possible timestamps (Issue 6274).
X-Frame-Options scan rule CWE ID changed from 16 to 1021.
Discontinued use of CWE-16 and switched to more specific weaknesses in the following scan rules:
- Character Set Mismatch
- Content Security Policy
- Cookie HttpOnly
- Cookie SameSite
- JSF ViewState
- MS ViewState
- X-Content-Type-Options
Cache-control scan rule no longer checks CSS messages unless threshold is Low (Issue 6596).
Cookie SameSite Attribute scan rule now handles the value “none” (Issue 6482).
Content Security Policy rule has been upgraded to use version 3 of the Salvation library.
- Messages with multiple CSPs are no longer merged/intersected instead the policies are analyzed individually.
Update links to repository.

33 - 2021-01-29

Added

Added Express error string pattern (Issue 6412).
Added sort to form field names that are displayed in Anti-CSRF alert other info field, duplicate names (arrays) are combined and not repeated.

Changed

X-Frame-Options (XFO) scan rule no longer suggests the use of “ALLOW-FROM”, and also includes CSP “frame-ancestors” as an alternative.
- XFO headers implementing “ALLOW-FROM” will now be considered malformed.
The Suspicious Comments scan rule will raise one alert per pattern per page and use more suitable evidence.

32 - 2021-01-20

Changed

The Suspicious Comments scan rule will include the offending line as evidence.
The Suspicious Comments scan rule will raise one alert per finding, instead of one aggregated alert per HTTP message.

31 - 2020-12-15

Changed

Now targeting ZAP 2.10.
The following scan rules now support Custom Page definitions:
- Application Error
- Cache Control
- X-Content-Type-Options
- X-Frame-Options

30 - 2020-11-26

Changed

The CSP scan rule now checks if the form-action directive allows wildcards.
The CSP scan rule now includes further information in the description of allowed wildcard directives alerts when the impacted directive is one (or more) which doesn’t fallback to default-src.
Maintenance changes.
Changed ViewState and XFrameOption rules to return example alerts for the docs.
Handle an IllegalArgumentException that could occur in the CSP scan rule if multiple CSP headers were present and one (or more) had a report-uri directive when trying to merge them.
Allow to ignore cookies in same site and loosely scoped scan rules.
The Application Error scan rule will not alert on web assembly responses.

29 - 2020-06-01

Changed

Updated owasp.org references (Issue 5962).
Correct spelling of “frame-ancestors” in the alert details of the CSP scan rule wildcard directive check (Issue 6014).

28 - 2020-04-08

Changed

‘CSP Scanner’ rule upgrade salvation library to v2.7.2.
‘CSP Scanner’ rule now merges (intersects) multiple CSP header fields to more accurately evaluate policies and prevent parsing issues (Issue 5931).
‘X-Frame-Options Header Scanner’ replace now invalid MSDN reference link with MDN link on X-Frame-Options (Issue 5867).
‘Information Disclosure Referrer’ scan rule added support for looking up evidence against an Open Source Bank Identification Number List. Confidence is now modified based on whether the lookup is successful or not. Additional details are added to ‘Other Info’ if available (Issue 5842).

27 - 2020-02-11

Changed

Minimum ZAP version is now 2.9.0. (Various scan rules adjusted to address core deprecations.)
‘Username Hash Found’ scan rule now uses updated core functionality to retrieve configured users.
Tweak help for ‘Cookie HttpOnly’ scan rule.
‘Information Disclosure: Suspicious Comments’ if matched within script block or JS response raise Alert with Low confidence.
Migrate an input file from Beta to Release that were missed during previous promotions.
- This addresses errors such as [ZAP-PassiveScanner] ERROR org.zaproxy.zap.extension.pscanrules.InformationDisclosureInURL - No such file: .... /xml/URL-information-disclosure-messages.txt
‘Application Error’ scan rule now supports custom payloads when used in conjunction with the Custom Payloads addon.
Timestamp Disclosure scan rule now only considers potential timestamps within plus or minus one year when used at High threshold (Issue 5837).
‘Application Error’ scan rule’s patterns file application_errors.xml is now copied to ZAP’s home directory, which means it is editable by the user. As well as being more consistent with other similar input files.
‘Information Disclosure - Sensitive Information in URL’ correct evidence field for some alerts, and enhance other info details (Issue 5832).
Maintenance changes.

Removed

‘Header XSS Protection’ was deprecated and removed (Issue 5849).

Fixed

Fix typo in the help page.

26 - 2020-01-17

Changed

“Cookie HttpOnly”, “Cookie Secure Flag”, and “Cookie Without SameSite Attribute” scan rules no longer alert on expired (deleted) cookies (Issue 5295).

Added

Added links to the code in the help.
Add info and repo URLs.

25 - 2019-12-16

Changed

Content Security Policy scan rule: Update to Salvation 2.7.0, add handling for script-src-elem, script-src-attr, style-src-elem, and style-src-attr (Issue 5459).
Minimum ZAP version is now 2.8.0.

Added

The following scan rules were added, promoted from Beta to Release:
- Cookie Without SameSite Attribute
- Cross Domain Misconfiguration
- Information Disclosure: In URL
- Information Disclosure: Referrer
- Information Disclosure: Suspicious Comments
- Server Leaks Information via “X-Powered-By” HTTP Response Header Field(s)
- Timestamp Disclosure
- Username Hash Found
- X-AspNet-Version Response Header Scanner
- X-Debug-Token Information Leak

24 - 2019-06-07

Maintenance changes.
Migrate CSP Scanner into the main passive scan release package (promoting it to Release). Upgrade Salvation (dependency) to 2.6.0.
Application Error scanner change for HTTP 500. Alert changed to low risk for HTTP 500, and not raised at all when Threshold is High.
Updated the reference link for the alert: Web Browser XSS Protection Not Enabled.
Promote Charset Mismatch Scanner to release (Issue 4460).
Promote ViewState Scanner to release (Issue 4453).
Promote Insecure JSF ViewState Scanner to release (Issue 4455).
Promote Insecure Authentication Scanner to release (Issue 4456).
Promote Information Disclosure Debug Errors Scanner to release (Issue 4457).
Promote CSRF Countermeasures Scanner to release (Issue 4458).
Promote Cookie Loosely Scoped Scanner to release (Issue 4459).

23 - 2018-08-15

Fix a typo in the description of Referer Exposes Session ID.
Address false negative on jsessionid in URL Rewrite when preceded by a semi-colon and potentially followed by parameters (Issue 3008).
Address potential false positive in Cross Domain Script Inclusion Scanner by ensuring that only HTML responses are analyzed.

22 - 2018-01-19

Retired the password auto-complete passive scan rule (Issue 4215).

21 - 2017-11-27

Update for 2.7.0, Minor code changes to address deprecation.

20 - 2017-11-24

Fix false positive with Secure Pages Include Mixed Content and JavaScript files (Issue 3581).
Fix false positive with Private IP Disclosure when target is a private IP on a non-standard port (Issue 3549).
Fix false positive with X-Content-Type-Options Header Missing with certain system locales.
Fix X-Content-Type-Options help content (Issue 3986).
Remove N/A value from parameter of alert Session ID in URL Rewrite.

19 - 2017-04-06

Correct evidence of alerts raised by scanner “Application Error Disclosure”.
Fixed some false positives caused by scanner “Private Address Disclosure”.
Add support for cookie ignore rule.

18 - 2016-08-09

Only report issues on errors and redirects at LOW threshold.
Only report X-Frame-Options issues at LOW threshold if CSP ‘frame-ancestors’ element present.
Issue 2732: False positives for security headers missing due to redirections.

17 - 2016-07-15

Correctly check that the cookie being set has the Secure and HttpOnly attributes.
Do not set the attack field for Private IP Disclosure and Secure Pages Include Mixed Content.
Remove “N/A” parameter from the alert of Application Error Disclosure.
Issue 2539 - X-Frame-Options passive scanner, add compliance variants.
Corrected Password Autocomplete parameter in alert

16 - 2016-06-02

Issue 823 - i18n (internationalise) release passive scan rules.
Add CWE and WASC IDs to passive scanners which may have been lacking those details.
Issue 2405 - Accommodate responses with multiple Cache-Control headers.
Issue 395 - Add handling for allowed cross domain hosts (via context definition at HIGH threshold).

15 - 2015-12-04

Issue 1594 - TestInfoSessionIdURL overhaul matching mechanism.

14 - 2015-09-07

Issue 1600 - XFrameOptionScanner, add handling to prevent alerts on error responses at High threshold.
Issue 760 - XContentTypeOptionsScanner, add handling to prevent alerts on error responses at High threshold.

13 - 2015-08-23

Minor code changes.

12 - 2015-04-13

Minor fixes to XFrameOptionsScanner (Issue 1256).
XContentTypeOptionsScanner Internationalization (Issue 1343).
XContentTypeOptionsScanner default/error page updates (Issue 760).
TestInfoSessionIdURL added value length check to reduce false positives (Issue 1396).
Application Error Disclosure shows evidence in attack (Issue 1487).
Updated to ZAP 2.4.
Issue 823: i18n active/passive scan rules.

11 - 2014-06-14

Improved scanner “Web Browser XSS Protection Not Enabled” (former “IE8’s XSS protection filter not disabled”);
Fixed duplicated plug-in ID.

10 - 2014-05-21

Fixed an issue with search of strings that affected “Application Error disclosure” scanner (Issue 1186).

9 - 2014-04-10

Added reference for X-Content-Type-Options header missing.
Changed help file structure to support internationalisation (Issue 981).
Added content-type to help pages (Issue 1080).
Changed passive scanners to expose its IDs (Issue Issue 1101).
Updated add-on dir structure (Issue 1113).

8 - 2013-10-21

Refactored new plugins for information disclosure detection

7 - 2013-09-11

Updated to be compatible with 2.2.0

4 - 2013-04-18

Updated for ZAP 2.1.0

3 - 2013-01-17

Updated to support new addon format

1 - 2012-12-10

Passive scanner rules Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Plug-n-Hack Clients tab

Mon, 01 Jan 0001 00:00:00 +0000

Plug-n-Hack Clients tab

Plug-n-Hack allows you to monitor client (browser) events in order to help test HTML5 applications.
In order to support as wide a range of modern browsers as possible this is implemented by injecting javascript into the response returned to the browser.
As it means changing the response this functionality has to be manually enabled.

Plug-n-Hack Configuration Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

13 - 2022-10-27

Changed

Maintenance changes.
Update minimum ZAP version to 2.12.0.
Use Network add-on to obtain main proxy address/port.

12 - 2021-10-07

Added

Add repo URL.

Changed

Update minimum ZAP version to 2.11.0.
Issue 2000 - Updated strings shown in context menu with title caps.
Change info URL to link to the site.
Maintenance changes.

11 - 2017-11-27

Code changes for Java 9 (Issue 2602).

10 - 2017-06-20

Make breakpoint dialogues modal.
Changed to use api nonces and include new fx_pnh.xpi (still unsigned).

9 - 2015-08-23

Require API key before returning it (Issue 1714)
Restrict use of CORS header in pnh (Issue 1716)
Auto-scroll when new client events are available (Issue 1664)

8 - 2015-04-13

Fixed uninstallation issue (Issue 1261), updated for ZAP 2.4

7 - 2014-07-10

Updated to latest version of Ringleader

6 - 2014-05-02

Updated to latest version of PnH / Ringleader - 0.4

5 - 2014-04-10

Phase 2 support - intercepting, resending and fuzzing postMessages and other browser events
Updated to use the latest core changes (Issues 609 and 503).
Changed help file structure to support internationalisation (Issue 981).
Added content-type to help pages (Issue 1080).
Updated add-on dir structure (Issue 1113).

4 - 2013-09-11

Moved to beta

Postman Support Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.9.0 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

0.8.0 - 2025-11-10

Added

Statistics.

0.7.0 - 2025-09-02

Changed

Enable API functionality for imports.

0.6.0 - 2025-02-03

Fixed

Correct deserialization of headers.

0.5.0 - 2025-01-10

Changed

Update minimum ZAP version to 2.16.0.
Fields with default or missing values are omitted for the postman job in saved Automation Framework plans.

0.4.0 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.

0.3.0 - 2024-04-02

Added

Automation support.

Fixed

Correct deserialization of item groups (Issue 8400).

0.2.0 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.

0.1.0 - 2023-10-04

Added

Support collection JSON variables.

0.0.1 - 2023-09-25

First version.

Postman Support Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Python Scripting Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

15 - 2024-04-11

Changed

Maintenance changes.
Update Active and Passive Script Templates to include a getMetadata function. This will allow them to be used as regular scan rules.
Depend on the commonlib add-on for scan rule scripts.
Update minimum scripts add-on version to 45.1.0.

14 - 2023-12-19

Changed

Update minimum ZAP version to 2.14.0.
Move “Jython” under “Scripts > Engine” in the Options panel list.

Fixed

Remove the script engine when the add-on is uninstalled.

13 - 2023-09-07

Changed

Update minimum ZAP version to 2.13.0.
Replace usage of singletons with injected variables (e.g. model, control) in scripts.

Fixed

Updated encode-decode script templates to conform to the latest method signatures.
Update the content-length header field after setting the request body in the authentication template.

12 - 2021-10-07

Added

encode-decode default and rot13 templates.

Changed

Update links to zaproxy repo.
Rename reliability to confidence in active/passive templates.
Maintenance changes.
Update minimum ZAP version to 2.11.0.

11 - 2020-12-15

Added

Add info and repo URLs.

Changed

Update minimum ZAP version to 2.10.0.
Update Jython from 2.7.1 to 2.7.2.
Update the help to mention the bundled Jython version.
Jython templates now includes an extender script (getInputsFromuser.py) for setting global script variables based on user input.

Fixed

Fix link in a script template.

10 - 2018-05-08

Correctly set path module defined in the options and address UI hang (Issue 4651).
Minor tweak in extender template.
Add default template for Script Input Vector.
Add help page for the options.

9 - 2018-01-19

Update Passive Rule template to include new function.

8 - 2017-11-27

Updated for 2.7.0.

7 - 2017-10-27

Do not initialise java.awt.Toolkit when in daemon.
Update HTTP Sender template with initiator ID of AJAX Spider.
Added extender template and example.

6 - 2017-09-20

Update Jython from 2.5.3 to 2.7.1

5 - 2017-01-10

add the python module path interface

4 - 2015-04-13

Updated for ZAP 2.4

3 - 2014-04-10

Moved to beta
Changed help file structure to support internationalisation (Issue 981).
Added content-type to help pages (Issue 1080).
Updated add-on dir structure (Issue 1113).

2 - 2013-10-01

Added help and extra templates

1 - 2013-09-30

Python Scripting Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Quick Start Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

55 - 2026-03-09

Fixed

Attacking domain level URLs with a trailing slash.

54 - 2026-03-02

Fixed

Address exception when using configurations in the Automation Framework plan in command line mode.

53 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

52 - 2025-07-10

Added

Add icon for Edge browser.

51 - 2025-01-10

Added

Stats counter to the main toolbar button (Issue 8375).

Changed

Update minimum ZAP version to 2.16.0.
Depend on Passive Scanner add-on (Issue 7959).

Fixed

An exception that prevented the look and feel from changing completely.
Issues setting the AJAX Spider options.

50 - 2024-09-24

Changed

Rebrand to ZAP by Checkmarx.

49 - 2024-09-02

Fixed

Do not change the URL field of the Manual Explore panel when the Mode changes (Issue 8591).

48 - 2024-07-08

Changed

News display tweak.
Updated messages from “wappalyzer” to “Technology Detection”.
Changed the Crash Override logo.

47 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.

Fixed

Sub panel names.

46 - 2024-04-23

Changed

Maintenance changes.
AJAX spider selection to include “if modern” option.

Fixed

Help content typos.

45 - 2024-03-25

Changed

Tweaked OSF sponsorship links.

44 - 2024-03-13

Added

Support panel.

Changed

Maintenance changes.
Dropped “to Clipboard” from ZAP copy menu items and buttons (Issue 8179).
Panels to include OSF image and link.

43 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.

42 - 2023-10-04

Changed

ZAPit: carry on even if non success code returned.
ZAPit: scan HTTP and HTTPS if protocol not specified.

41 - 2023-09-28

Added

ZAPit: report summary of all requests and responses made.
ZAPit: report technology version if available.

Fixed

ZAPit: Support cookies in redirects.

40 - 2023-09-26

Fixed

ZAPit help links.
Scan could incorrectly select leaf node for active scanning.

39 - 2023-09-22

Added

ZAPit recon scan.

Changed

Update names of the default cert and report.

38 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.

37 - 2023-03-13

Changed

Maintenance changes.

Fixed

Show correct error message when unable to access the provided URL, also, add the scheme if none provided.
Ensure the add-on is not in use before uninstalling.

36 - 2023-01-03

Fixed

Correctly unload the add-on.
Prevent exception if no display (Issue 3978).

35 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.
Remove core spider usage (Related to Issue 3113).
Maintenance changes.
Record news stats.

34 - 2022-09-23

Changed

Spider checkboxes in Automated Scan will be disabled when scan is running. (Issue 7072)
Use Network add-on to obtain main proxy address/port.
Maintenance changes.
Use Spider add-on (Issue 3113).

Fixed

Accept any 2xx result code instead of just 200.

33 - 2021-12-13

Changed

Update minimum ZAP version to 2.11.1.
Browser Launch/Manual Explore will now display a warning dialog if the selected browser executable cannot be found (Issue 6963).

32 - 2021-12-06

Changed

Use the Network add-on to export the Root CA certificate.

31 - 2021-11-23

Changed

Use callhome add-on for getting the news

30 - 2021-10-06

Added

Automation link

Changed

Now using 2.10 logging infrastructure (Log4j 2.x).
Maintenance changes.
Generate quickout reports using the reports add-on instead of the core
Update minimum ZAP version to 2.11.0.
Disable browser launch in containers unless override option enabled
Video link to point to ZAP website

29 - 2020-12-15

Changed

Update minimum ZAP version to 2.10.0.
Maintenance changes.
Use appropriate colour in dark mode (Issue 5542).

Fixed

Use AJAX Spider options in Automated Scan (Issue 5981).

28 - 2020-02-04

Added

Warning when HUD is enabled only in scope

27 - 2020-01-17

Added

Add info and repo URLs.
Added online link to ZAP in Ten videos

Changed

Maintenance changes.
Link to newer Getting Started Guide.
Improve permissions and space handling when saving.
Updated for the new site

26 - 2019-06-07

Improve outgoing proxy failure error message (Issue 5304).
Introduce News panel and use default quick start page
Dont make news request if -silent option used
Allow to use headless browsers in automated scans, use Firefox headless by default (Issue 3866).
Depend on newer version of Selenium add-on.

25 - 2018-12-11

Inform when quick attack is disabled by the current mode (Issue 5069).
Notify when quick attack starts.
Include expected status code in the error message.
Removed PnH code (Issue 5136).

24 - 2018-08-03

Enable the extensions for all DB types.
Use default user agent when creating seeds for the spider.

23 - 2018-01-19

Update for 2.7.0.
Stop the quick scan if the session is changed.
Added toolbar button to launch the latest browser chosen.

22 - 2017-11-27

Code changes for Java 9 (Issue 2602).
Updated to use new icon.
Updated for the new default browser launch URL.

21 - 2017-08-18

Add option to launch a browser via selenium (v20).
Fix to the default launch page url for 2.6.0.

20 - 2017-08-18

Add option to launch a browser via selenium.

19 - 2017-04-06

Validate the provided URL as a request-uri.

18 - 2016-06-02

Issue 1271: Quickstart PnH panel components should mirror the enabled state of the API (i.e.: If API disabled, disable PnH components).

17 - 2015-12-04

Add progress indications for quick scan launched from the command line (Issue 1891)
Improve Quick Attack error messages (Issue 2032)

16 - 2015-07-30

Include API key in PNH URL (Issue 1714).

15 - 2015-04-13

Generate the report (arg -quickout) even if view is initialised (Issue 1281).
Updated for ZAP 2.4

14 - 2014-04-10

Changed help file structure to support internationalisation (Issue 981).
Added content-type to help pages (Issue 1080).
Updated add-on dir structure (Issue 1113).

13 - 2013-09-11

Updated for 2.2.0.

12 - 2013-06-24

Link to mitmconf add-on URL if present.

11 - 2013-05-27

Updated language files.

10 - 2013-04-18

Updated for ZAP 2.1.0

8 - 2013-02-11

Added scroll pane for small resolutions and dark icon when used in dev

7 - 2013-02-05

Added support for modes

6 - 2013-01-28

Promoted to release status, re-added missing help files

4 - 2013-01-21

Added context sensitive help

3 - 2013-01-17

Updated to support new addon format

2 - 2012-12-06

Quick Start Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Regular Expression Tester Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

2 - 2021-10-07

Added

Add help.
Add info and repo URLs.

Changed

Update minimum ZAP version to 2.11.0.

Fixed

Close dialogues when the add-on is uninstalled.

1 - 2019-06-19

Initial Release.

Release 2.17.0

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.17.0

This is a bug fix and enhancement release.

Alert De-duplication

Changes have been made in order to reduce the number of alerts which ZAP may raise that are duplicates or highly similar, more closely being aligned with the Sites Tree representation. See the Alert De-duplication blog for further details.

Replacer Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

22 - 2026-03-19

Added

Method parameter matcher to allow rules to apply to specific HTTP methods (Issue 9016).

Changed

Support multiline replacements in GUI.

Fixed

Correct error message which was shown as missing.

21 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.
Maintenance changes.

20 - 2025-01-10

Fixed

Typo in automation job help.
Address misleading warning Unrecognised parameter for deleteAllRules (Issue 8764).

Changed

Update minimum ZAP version to 2.16.0.
Fields with default or missing values are omitted for the replacer job in saved Automation Framework plans.

19 - 2024-10-07

Changed

Update ZAP API endpoint description.

18 - 2024-05-08

Added

Rules to disable Caching (Issue 8437).

17 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.

Added

Video link in help for Automation Framework job.
A rule to disable CSP reporting (Issue 740).

16 - 2023-11-30

Changed

Allow to replace (change or remove) the Host header (Issue 5475).

15 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.

14 - 2023-09-07

Added

Support for the Automation Framework (Issue 7686).

Changed

Document that Token Processing applies just to string match types and disable the field in the dialogue when other match types are selected.

13 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.
Maintenance changes.

12 - 2023-01-03

Added

Added special replacement string processing for:
- Random Integer
- UUID
- Epoch Milliseconds

Changed

Maintenance changes.

11 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.

Added

Allow the rules to apply to specific URLs (Issue 4793).

10 - 2022-09-23

Fixed

Allow the replacement type to be changed in existing rules (Issue 3840).

Added

Allow to manage the replacer rules programmatically, for example, through ZAP scripts.

Changed

Update minimum ZAP version to 2.11.1.
Maintenance changes.
Promoted to Release status.

9 - 2021-10-06

Changed

Update minimum ZAP version to 2.11.0.
Update links to zaproxy repo.
Maintenance changes.

8 - 2020-01-17

Added

Add info and repo URLs.
Allow byte replacement using hexadecimal escapes (Issue 5328).

Fixed

Fix link in API endpoint description.

7 - 2018-10-26

Maintenance changes.
API, Replacement String should not be mandatory (Issue 5080).

6 - 2018-06-12

Tweak help page.
Ignore CFU HTTP messages.
Allow to (explicitly) select Token Generator messages.

5 - 2018-01-19

Fix exception during ZAP start up.

4 - 2017-11-27

Updated for 2.7.0.

3 - 2017-06-23

Added API support

2 - 2017-04-03

Promoted to beta

1 - 2017-02-01

First version

Replacer Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Replacer Automation Framework Support

Mon, 01 Jan 0001 00:00:00 +0000

Replacer Automation Framework Support

This add-on supports the Automation Framework.

Job: replacer

The replacer job allows you to add replacer rules.

Report Generation Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.44.0 - 2026-03-19

Added

“Other Info” to the modern HTML report

Changed

Maintenance changes.
“Other Info” sections of the HTML reports to split the text on newlines.

0.43.0 - 2025-12-15

Added

Insights to the reports.

Changed

Update the automation framework outputSummary template to include missing field (rules).
Update minimum ZAP version to 2.17.0.

0.42.0 - 2025-11-07

Changed

Update dependencies.
All relevant reports to support nodeName and systemic counts.
Do not try to validate the AF report file in the GUI as the plan may run on another system.

0.41.0 - 2025-09-04

Changed

Corrected a minor typo and image alt tags in the help.

Added

An ISO 8601 date and time field (ex: “created”: “2025-09-03T12:49:35.236211400Z”) has been added to the Traditional JSON, Traditional JSON with Requests and Responses, Traditional XML, Traditional XML with Requests and Responses.

0.40.0 - 2025-09-02

Changed

Provide/log details on report errors through the Automation Framework job.
Allow to include Automation Framework errors and warnings in the Traditional JSON Report with Requests and Responses report.

0.39.0 - 2025-06-20

Changed

Caps fixed for Section Selections of the Risk and Confidence HTML report (Issue 2000).

Added

The Automation Framework progress to the report data when run via an AF job.
Statistics to the traditional extended JSON and XML reports.

Fixed

Correct error messages of the Automation Framework job.

0.38.0 - 2025-03-04

Fixed

Themes are once again properly taken into account when generating reports (Issue 8854).

Added

Allow report data to be cleaned up after the report generation.
Allow reports to read HTTP messages through the report helper.

0.37.0 - 2025-02-21

Fixed

Include correct alert instances in Traditional JSON Report with requests and responses (Issue 8861).
Bug where false positives were included in Sarif reports with their original alert level.

0.36.0 - 2025-02-12

Changed

Allow multiple add-ons to provide report data.

0.35.0 - 2025-01-10

Added

Stats counter to the main toolbar button (Issue 8375).
Sequence data to JSON & HTML reports.

Changed

Update minimum ZAP version to 2.16.0.
Update automation job help.
Fields with default or missing values are omitted for the report job in saved Automation Framework plans.

Fixed

Do not log an error when the statistics do not have a resource message (Issue 8788).

0.34.0 - 2024-10-07

Changed

Checkmarx rebrand.

Fixed

An issue where alert details were missing from some Risk and Confidence HTML reports (Issue 8460).

0.33.0 - 2024-09-02

Changed

Maintenance changes related to Passive Scanner add-on (Issue 7959).

0.32.0 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.
The following reports now include the number of Sites tree nodes actively scanned:
- Traditional HTML with Requests and Responses

0.31.0 - 2024-03-25

Changed

Tweaked OSF sponsorship links.

Fixed

Handle alerts without HTTP message gracefully (Issue 6880).
More issues with illegal XML characters in pdf reports (Issue 8330).

0.30.0 - 2024-03-13

Changed

Added OSF sponsorship line to reports.

0.29.0 - 2024-02-12

Fixed

Error message to give report name.
Issues with illegal XML characters in pdf reports (Issue 8330).
Corrected pdf report href from #olugin to #plugin.
Deprecated syntax in risk-confidence report.

0.28.0 - 2024-01-16

Changed

Default to same dir as plan if none specified.

Fixed

Ensure the Sections’ options are fully shown always in Generate Report Dialog (Issue 8259).
Replace env vars in URL when used for report file name.

0.27.0 - 2023-12-19

Changed

Dependency updates.

Fixed

Addressed warnings caused by Risk and Confidence HTML template.

0.26.0 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.

0.25.0 - 2023-10-04

Changed

Depend on newer versions of Automation Framework and Common Library add-ons (Related to Issue 7961).
Update JavaDoc links to always link to latest version of ZAP.

Fixed

Fix error when generating the High Level Report Sample with an alert that has an empty description (Issue 8071).

0.24.0 - 2023-08-17

Changed

Maintenance changes.
The following reports now include “Other Info” for alerts:
- Traditional HTML Report
- Traditional HTML Report with requests and responses
- Traditional Markdown Report
- Traditional PDF Report
Depend on Common Library add-on to reuse libraries (Issue 7961).
Update program name in reports.

0.23.0 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.
Reduce add-on size.
Dependency updates.

0.22.0 - 2023-06-12

Added

Automation job: support for sites (Issue 7858).

Fixed

Change SARIF’s Base64 encoder to not rely on the default character encoding.

0.21.0 - 2023-06-06

Added

Add ZAP version to HTML and PDF reports.

Fixed

Validate that outputSummary’s job field summaryFile has a parent directory.

0.20.0 - 2023-04-04

Added

The Traditional JSON report, Traditional JSON Report with requests and responses, Traditional XML Report and Traditional XML Report with requests and responses now has “otherinfo” field per alert instance (Issue 7260).

Changed

Include templates available when reporting invalid template in the automation job.

Deprecated

The “otherinfo” field in the alert will be removed and replaced by the “otherinfo” field in the alert instances.

Fixed

Correct ID of Markdown template listed in the help page.

0.19.0 - 2023-02-09

Added

A description of riskdesc fields in the relevant report templates’ help (Issue 7445).
Support for relative report file and directory names in the Automation Framework job.

Changed

Maintenance changes.

0.18.0 - 2023-01-03

Changed

Maintenance changes.

Fixed

Prevent exception if no display (Issue 3978).

0.17.0 - 2022-11-22

Added

SARIF reporting

Changed

The XML and JSON reports now include programName metadata elements (Issue 6640).

0.16.0 - 2022-10-27

Added

“XML Plus” report format for XML with requests and responses
Tags to “JSON Plus” report.

Changed

Update minimum ZAP version to 2.12.0.
Maintenance changes.

Fixed

Correct the ID of reports’ sections in the help.

0.15.0 - 2022-07-20

Fixed

API problems:
- Mixed case sections could not be referenced
- Risk-confidence-html report failed if no context specified
- No theme is used if one was not specified, breaking theme links

0.14.0 - 2022-06-22

Changed

Maintenance changes.

Fixed

Exceptions when generating some reports without the Automation add-on being installed.

0.13.0 - 2022-04-05

Changed

Dependency updates.
Replace variables present in reportDir and reportFile when running the automation job.

0.12.0 - 2022-02-11

Changed

Maintenance changes.

Fixed

Problem generating ‘Risk and Confidence HTML’ report with Java 17 (Issue 7026)

0.11.0 - 2022-02-08

Added

Traditional-json-plus report
Template specific help pages
Report generation statistics

Changed

Update minimum ZAP version to 2.11.1.
Dependency updates.
When the automation Job is edited via UI Dialog then the status will be set to Not started

0.10.0 - 2021-12-06

Changed

Dependency updates.
Maintenance changes.

0.9.1 - 2021-10-14

Fixed

Made ReportHelper methods more defensive

0.9.0 - 2021-10-14

Fixed

Incorrect alert instances associated with alerts which have the same IDs (Issue 6873)

0.8.0 - 2021-10-07

Added

Default report title and description to new report jobs.

Fixed

risk-confidence-html template: guard against scanJobResultData being null; fix handling of empty paragraphs and nulls; and do not include description section if description is null or empty.

0.7.0 - 2021-10-06

Added

Support for custom messages in outputSummary job.
Alert tags to the modern and traditional-plus reports.
risk-confidence-html template.

Changed

Promoted to release.
Minimum ZAP version 2.11.0

Fixed

Ignore false positives when listing messages in the outputSummary job.
Bug in report job add-on which prevented the right theme from being used
Added missing Modern template i18n messages

0.6.0 - 2021-09-16

Fixed

Address errors when running the OutputSummary job with Automation Framework.
Alert counts to ignore false positives.

Changed

Maintenance changes.

0.5.0 - 2021-08-05

Added

Automation Framework ’theme’ parameter.
Automation Framework GUI

Changed

Maintenance changes.

0.4.0 - 2021-06-28

Added

Wappalyzer data to the traditional-html-plus report, if it is available.
Traditional JSON report
Automation job: outputSummary, aimed at mimicking the output of the packaged scans.
Modern template - submitted via the ZAP Reporting Competition
Parameter data to the traditional-html-plus report
Methods to make it easier to generate reports from other add-ons

Changed

Maintenance changes.
Handle multiple context URLs in automation.
Traditional plus report - link to zaproxy.org pages for passing scan rules.
Update links to repository.

Fixed

Include all relevant alerts in XML report templates (Issue 6627).
Made XML reports more backwards compatible and fixed issue with generating it via the API.
Issue with reports for sites with trailing slashes

0.3.0 - 2021-05-06

Added

API Support.
Support for statistics

Changed

Maintenance Changes.
Promote to beta

Fixed

Correct logging of dependency.
Inconsistencies between traditional reports and the ‘old’ core ones
Do not rely on default encoding when creating the reports, use UTF-8 always (Issue 6561).

0.2.0 - 2021-04-12

Added

Support for template sections
Automation job: support risk, confidence and section configuration
Passing rules to traditional plus HTML report

Changed

Format HTML and XML templates as part of the build

0.1.0 - 2021-03-19

Added

Support for resources such as JavaScript and images
Support for template specific i18n property files
Reload templates on dir change and handle no reports

0.0.1 - 2021-03-09

First version.

Report Generation Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Report Templates

Mon, 01 Jan 0001 00:00:00 +0000

Report Templates

The following templates are available:

Name / Link to Details, Screenshot/Sample	ID	Format	Sections	Themes
High Level Report Sample	high-level-report	HTML	Yes
Modern HTML Report with themes and options	modern	HTML	Yes	Yes
Risk and Confidence HTML	risk-confidence-html	HTML	Yes
Traditional HTML Report	traditional-html	HTML	Yes
Traditional HTML Report with Requests and Responses	traditional-html-plus	HTML	Yes	Yes
Traditional JSON Report	traditional-json	JSON
Traditional JSON Report with Requests and Responses	traditional-json-plus	JSON	Yes
SARIF JSON Report	sarif-json	JSON
Traditional Markdown Report	traditional-md	Markdown	Yes
Traditional PDF Report	traditional-pdf	PDF	Yes
Traditional XML Report	traditional-xml	XML
Traditional XML Report with Requests and Responses	traditional-xml-plus	XML

Requester Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Requester Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Retest - About

Mon, 01 Jan 0001 00:00:00 +0000

Retest - About

Source Code

https://github.com/zaproxy/zap-extensions/tree/main/addOns/retest

Authors

ZAP Dev Team

Retest Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Retest Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Retire.js Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.55.0 - 2026-03-31

Changed

Updated with upstream retire.js pattern changes.

0.54.0 - 2026-02-24

Changed

Updated with upstream retire.js pattern changes.
Now only loads the data once (Issue 9103).

0.53.0 - 2026-01-08

Changed

Updated with upstream retire.js pattern changes.
Update minimum ZAP version to 2.17.0.

0.52.0 - 2025-12-04

Changed

Updated with upstream retire.js pattern changes.

0.51.0 - 2025-12-03

Changed

Updated with upstream retire.js pattern changes.

0.50.0 - 2025-11-04

Changed

Updated with upstream retire.js pattern changes.
Reduced usage of error level logging.

0.49.0 - 2025-09-18

Changed

Updated with upstream retire.js pattern changes.

0.48.0 - 2025-07-29

Changed

Updated with upstream retire.js pattern changes.

0.47.0 - 2025-06-20

Changed

Updated with upstream retire.js pattern changes.
Depends on an updated version of the Common Library add-on.
Maintenance changes.

Added

The scan rule as been tagged of interest to Penetration Testers, as well as adding tags associated with DEV or QA applicability.

0.46.0 - 2025-03-13

Changed

Updated with upstream retire.js pattern changes.

0.45.0 - 2025-03-04

Changed

Updated with upstream retire.js pattern changes.
Make Alert’s Description, Solution, and References generic, and provide finding specific details via Other Info.

0.44.0 - 2025-01-10

Changed

Updated with upstream retire.js pattern changes.
Update minimum ZAP version to 2.16.0.

0.43.0 - 2024-12-23

Fixed

An issue that was resulting in False Positives.

Changed

Updated with upstream retire.js pattern changes.
The scan rule now uses a more specific CWE (Issue 8732).

0.42.0 - 2024-11-25

Changed

Updated with upstream retire.js pattern changes.
The Risk level associated with Alerts raised by this scan rule are mapped to the severity ratings provided in the Retire.js data. If no severity is matched then a default of Medium Risk is used (Issue 7926).
Maintenance changes.

0.41.0 - 2024-10-07

Changed

Performance improvements (Issue 8659).
Updated with upstream retire.js pattern changes.

0.40.0 - 2024-09-24

Changed

Updated with upstream retire.js pattern changes.

0.39.0 - 2024-08-28

Changed

Updated with upstream retire.js pattern changes.

Added

A helpful description for the add-on.

0.38.0 - 2024-08-05

Changed

Updated with upstream retire.js pattern changes.

0.37.0 - 2024-07-04

Changed

Updated with upstream retire.js pattern changes.

0.36.0 - 2024-06-03

Changed

Updated with upstream retire.js pattern changes.

0.35.0 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.
Updated with upstream retire.js pattern changes.

0.34.0 - 2024-04-02

Changed

Updated with upstream retire.js pattern changes.

0.33.0 - 2024-03-21

Changed

Updated with upstream retire.js pattern changes.

Fixed

Version matching was improved to address some false positives (Issue 8384 & 8398).

0.32.0 - 2024-03-04

Changed

Updated with upstream retire.js pattern changes.

0.31.0 - 2024-02-12

Changed

Updated with upstream retire.js pattern changes.

Added

Website alert links (Issue 8189).

0.30.0 - 2024-01-29

Changed

Updated with upstream retire.js pattern changes.
Now only targets relevant responses (HTML and JS).

0.29.0 - 2024-01-03

Changed

Updated with upstream retire.js pattern changes.

0.28.0 - 2023-12-04

Changed

Updated with upstream retire.js pattern changes.

0.27.0 - 2023-11-03

Changed

Updated with upstream retire.js pattern changes.

0.26.0 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.
Updated with upstream retire.js pattern changes.

0.25.0 - 2023-08-14

Changed

Updated with upstream retire.js pattern changes.
Maintenance changes.

0.24.0 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.
Updated with upstream retire.js pattern changes.

0.23.0 - 2023-06-02

Changed

Updated with upstream retire.js pattern changes.

0.22.0 - 2023-05-03

Changed

Updated with upstream retire.js pattern changes.

0.21.0 - 2023-04-04

Changed

Updated with upstream retire.js pattern changes.

0.20.0 - 2023-03-03

Changed

Updated with upstream retire.js pattern changes.
Alert Tags for CVEs now include standardized links.

0.19.0 - 2023-01-10

Changed

Updated with upstream retire.js pattern changes.
Maintenance changes.

0.18.0 - 2022-12-02

Changed

Updated with upstream retire.js pattern changes.

0.17.0 - 2022-11-14

Changed

Updated with upstream retire.js pattern changes.

0.16.0 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.

Fixed

NPE in example alert generation.

0.15.0 - 2022-09-22

Changed

Updated with upstream retire.js pattern changes.

0.14.0 - 2022-08-15

Changed

Updated with upstream retire.js pattern changes.

0.13.0 - 2022-08-02

Changed

Updated with upstream retire.js pattern changes.
Performance improvements (Issue 6959).
Add Retire.js reference to the Rule name to make it more obvious in the options panel.

0.12.0 - 2022-05-26

Changed

Updated with upstream retire.js pattern changes.
Relevant CVEs will now be added as Alert Tags when available.

0.11.0 - 2022-05-03

Changed

Updated with upstream retire.js pattern changes.

0.10.0 - 2022-02-02

Changed

Updated with upstream retire.js pattern changes.
Update minimum ZAP version to 2.11.1.
Maintenance changes.

0.9.0 - 2021-10-06

Added

OWASP Top Ten 2021/2017 mappings.

Fixed

Version extraction pattern was fixed to reduce false positives (Issue 6818).

Changed

Maintenance changes.
Update minimum ZAP version to 2.11.0.
Dependency updates.

0.8.0 - 2021-08-25

Changed

Updated with upstream retire.js pattern changes.
Update link to repository.
Maintenance changes.

0.7.0 - 2021-03-24

Changed

Updated with upstream retire.js pattern changes.
Maintenance changes.

0.6.0 - 2020-12-15

Changed

Updated with upstream retire.js pattern changes.
Update minimum ZAP version to 2.10.0.

0.5.0 - 2020-10-29

Changed

Updated with upstream retire.js pattern changes.
Add-on promoted to Release.
Added example alert.

0.4.0 - 2020-08-04

Changed

Updated with upstream retire.js pattern changes.

[0.3.1] - 2020-06-18

Changed

Updated from upstream with new identifications, including: CVE-2020-7676 for angular < 1.8.0

0.3.0 - 2020-06-15

Changed

Add-on promoted to Beta.

0.2.0 - 2020-06-01

Changed

URLs which were previously included as ‘other info’ are now properly included as alert ‘references’.
CVE numbers are now included as part of ‘other info’.

0.1.0 - 2020-05-20

Changed

First release.

Retire.js Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Reveal Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

10 - 2025-06-20

Fixed

The content length is now properly set on responses which have been modified (Issue 8947).

Changed

Maintenance changes.

9 - 2025-01-10

Changed

Update minimum ZAP version to 2.16.0.

8 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.

7 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.

6 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.
Maintenance changes.

5 - 2022-10-27

Changed

Maintenance changes.
Update minimum ZAP version to 2.12.0.

4 - 2021-10-06

Changed

Update minimum ZAP version to 2.11.0.
Maintenance changes.

3 - 2020-01-17

Added

Add info and repo URLs.

Changed

Maintenance changes.

2 - 2015-04-13

Code changes and API documentation.

1 - 2014-04-10

First release as an add-on, previously bundled with ZAP core.

Reveal Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Revisit Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

6 - 2025-06-20

Changed

Update minimum ZAP version to 2.16.0.
Maintenance changes.
Minor fix in help content.

5 - 2023-10-23

Changed

Maintenance changes.
Update minimum ZAP version to 2.14.0.

Fixed

Prevent exception when processing history after deleting messages.

4 - 2021-10-07

Added

Add info and repo URLs.
Maintenance changes.

Changed

Update minimum ZAP version to 2.11.0.
Maintenance changes.

3 - 2017-11-28

Code changes for Java 9 (Issue 2602).
Updated for 2.7.0.

2 - 2016-06-02

Allow to update/uninstall the add-on without restarting ZAP.

1 - 2015-09-24

First version

Revisit Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Ruby Scripting Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

8 - 2021-10-07

Changed

Update links to zaproxy repo.
Rename reliability to confidence in active/passive templates.
Maintenance changes.
Update minimum ZAP version to 2.11.0.

7 - 2020-12-15

Added

Add info and repo URLs.

Changed

Update the help to mention the bundled JRuby version.
Update minimum ZAP version to 2.10.0.

Fixed

Fix link in a script template.
Fix exception while uninstalling the add-on with newer Java versions.
Fix passive template.

6 - 2017-11-27

Updated for 2.7.0.

5 - 2017-09-28

Add template for HTTP Sender script.
Dynamically unload the add-on.

4 - 2015-04-13

Updated for ZAP 2.4

3 - 2014-04-10

Moved to beta
Changed help file structure to support internationalisation (Issue 981).
Added content-type to help pages (Issue 1080).
Updated add-on dir structure (Issue 1113).

2 - 2013-10-10

Fixed bug where non ruby scripts were treated as ruby scripts (issue 810)

1 - 2013-10-02

First version

SAML Support Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

11 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.
Update dependency.
Maintenance changes.

Fixed

Error logs to always include stack trace.

10 - 2022-10-28

Changed

Update minimum ZAP version to 2.12.0.
Maintenance changes.

9 - 2021-10-07

Added

Add help.
Add info and repo URLs.

Changed

Update minimum ZAP version to 2.11.0.
Maintenance changes.

8 - 2019-08-30

Update minimum ZAP version to 2.5.0.
Compressed SAMLMessage is not required
Possibility to disable compression when sending
Added SAML Passive Scanner
Dynamically unload the add-on.
Fix exception with Java 9+ (Issue 5032).
Replaced joda.time.datetime with java.time.localtime (Java8).

7 - 2017-11-24

Minor code change to work with ZAP 2.5.0.

6 - 2016-06-02

Use ZAP’s home directory for SAML configuration file.

5 - 2016-02-05

Internationalise and show ‘SAML Actions’ menu.
Security fixes, to be detailed later.

4 - 2015-09-07

Updated add-on’s info URL.

3 - 2015-04-13

Updated for ZAP 2.4

2 - 2014-04-03

Updated to latest core changes and other minor code changes (Issue 609).
Updated add-on dir structure (Issue 1113).

1 - 2013-10-08

First version

SAML Support Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Scan Policies Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

0.8.0 - 2026-03-31

Changed

Updated based on Rules’ Policy Tag assignments.

0.7.0 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.
Allow to override the default alert threshold of the bundled policies.
Updated based on Rules’ Policy Tag assignments.

0.6.0 - 2025-11-04

Changed

Updated based on Rules’ Policy Tag assignments.

Added

Document in the help the programmatic name of the policies.
Stats ID and readonly to the polices.

0.5.0 - 2025-09-18

Changed

Updated based on Rules’ Policy Tag assignments.

Added

QA CI/CD scan policy help.

0.4.0 - 2025-09-02

Changed

Updated based on Rules’ Policy Tag assignments.

0.3.0 - 2025-06-20

Changed

Updated based on Rules’ Policy Tag assignments.
Updated help to cover the PENTEST Policy Tag.

0.2.0 - 2025-01-10

Changed

Update minimum ZAP version to 2.16.0.

Fixed

Fix link in the help page.

0.1.0 - 2024-11-27

Added

A set of standardized active scan policies:
- Default Policy
- Developer CI/CD
- Developer Standard
- Developer Full
- QA Standard
- QA Full
- API

Scan Policies Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Scan Policy Dialog

Mon, 01 Jan 0001 00:00:00 +0000

Scan Policy Dialog

This allows you to enable and disable the rules that are run when performing an active scan.

The first screen allows you to define the default levels as well as the levels for all of the rules in a specific category.

The category screens allow you to define the levels for every individual rule.

Script Console Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

45.18.0 - 2026-03-31

Changed

Update dependency.

Added

The Script Job Run action now supports:
- Passing authentication details (context and user) for standalone Zest client script execution.
- Executing a chain of one or more Zest standalone scripts using the chain parameter.

45.17.0 - 2025-12-15

Changed

Update the automation framework template to include missing field (inline).
Do not display scripts added through the Automation Framework.
Update minimum ZAP version to 2.17.0.

45.16.0 - 2025-12-03

Fixed

Script scan rules were not using the attack strength and alert threshold from active scan policies.

Changed

Update dependency.

45.15.0 - 2025-11-04

Added

scanHost method to the active script scan rule interface that is called once per host being scanned.

Changed

Update dependency.

45.14.0 - 2025-10-07

Added

Support for alert reference overrides in script scan rule metadata.

Changed

Do not report authentication script errors as warnings in the Automation Framework for consistent behavior with all authentication methods, which handle errors as authentication failures.

45.13.0 - 2025-09-02

Changed

Update help with newer JavaScript engine and links.

Fixed

Error logs to always include stack trace.

45.12.0 - 2025-06-20

Changed

Maintenance changes.

Fixed

Loop when trying to extract an underlying script exception.

45.11.0 - 2025-04-11

Fixed

NPE when using scripts with no UI.

45.10.0 - 2025-04-09

Fixed

NPE when using some scripts after re-installing the scripts add-on.
Correct error message of the Automation Framework job.
Templates and Zest scripts were not being shown in the editor (Issue 8922).

Added

Standardized Policy Tags to the base Scripts Passive Scanner.

Changed

Depends on an updated version of the Common Library add-on.

45.9.0 - 2025-03-25

Fixed

Remove unnecessary custom parameter handling.

Changed

Use the main Output panel for script output.

45.8.0 - 2025-01-10

Added

Report indirect script errors while the Automation Framework plans are running (Issue 8586).
Standardized Policy Tags to the base Scripts Active Scanner.

Changed

Update minimum ZAP version to 2.16.0.
Fields with default or missing values are omitted for the script job in saved Automation Framework plans.
Depends on an updated version of the Common Library add-on.
Depend on Passive Scanner add-on (Issue 7959).

Fixed

Correct auto-complete suggestions for parameters of Passive Rules.
Some script errors were not being propagated to the output correctly.

45.7.0 - 2024-10-07

Fixed

Reuse script cache for all passive scan threads to avoid recompilation of Passive Rules scripts.
Address a concurrency issue when using Graal.js Passive Rules scripts as first-class scan rules.
Handle gracefully the inability to force stop the running standalone script in newer Java versions.

45.6.0 - 2024-09-02

Removed

Remove the active and passive script templates, superseded by the ones provided by the GraalVM JavaScript add-on.

45.5.0 - 2024-07-22

Added

Provide the script API on newer ZAP versions.

Fixed

Handle missing “references” field in the script metadata correctly.

45.4.0 - 2024-05-16

Added

Support for Automation Framework loaddir action, which loads all of the scripts under the specified directory.

Changed

File parameter to source, file will still work.

45.3.0 - 2024-05-07

Added

Support for code and help links for script scan rules.

Changed

Update minimum ZAP version to 2.15.0.
Allow to set raw parameter values from Active Rules, by calling as.setEscapedParam(HttpMessage msg, String param, String value).

45.2.0 - 2024-04-11

Added

Active and Passive Scripts with a getMetadata() function are now treated as first-class scan rules (Issue 7105).

Fixed

Error when trying to run an unsupported script type through the Automation Framework.
The “Scripts Passive Scanner” scan rule was being loaded twice.

45.1.0 - 2024-03-25

Added

Support for menu weights (Issue 8369)

Fixed

Propagate script errors to the Automation Framework when running them.

45.0.0 - 2024-02-12

Added

The scan rule functionality of scripts was moved from the ZAP core to this add-on (Related to Issue 7105).

Changed

Maintenance changes.

Fixed

The save button was not enabled for new scripts upon creation.

44 - 2023-12-19

Changed

Rename “Script Console” in the Options panel list to “Console”.

Fixed

Prevent GUI initialization in daemon mode when installing the add-on.

43 - 2023-11-13

Added

Allow setting the tab size and whether to use tabs or spaces for indentation in the console. The old defaults were to use the tab character with a tab size of 5. The new defaults are to use spaces with a tab size of 4.
A gear button to the console toolbar to open the Script Console options screen.
An enable / disable script button to the console toolbar to toggle enabling the open script.
Options to allow editing the font name and size used in the console (Issue 8065).
The shortcut ctrl+S (cmd+S on macOS) to save the script in the console.

Changed

The “Save Script” button was moved to the console toolbar.

Fixed

Saving the script was causing the “Keep or Replace” dialog to show, even when no external changes were made to the script.

42 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.

41 - 2023-10-04

Added

Allow selecting a default behaviour when a script in the console changes on disk (Issues 5463, 7582). The allowed options are “Ask Each Time”, “Keep Script”, and “Replace Script”.

Changed

Update extender template scripts to also work with Graal.js engine.

40 - 2023-09-11

Changed

Allow to select a script node without focusing on it.
Allow to display script without focusing on it.
Maintenance changes.
Depend on newer version of Automation Framework add-on (Related to Issue 7961).

39 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.

38 - 2023-03-29

Fixed

extender/Copy as curl command menu.js - prevent and warn on local file inclusion when generating the command. Thanks to James Kettle (@albinowax) for reporting.

37 - 2023-03-18

Fixed

Do not require a name if file provided when adding script with automation job.

36 - 2023-03-17

Added

Support for inline scripts in the Automation Framework.

Changed

Maintenance changes.

35 - 2023-02-09

Added

Help explaining how to interact with Automation Framework plans.
Support for relative file paths and ones including vars in the Automation Framework job.

Changed

Maintenance changes.

34 - 2023-01-03

Fixed

Prevent exception if no display (Issue 3978).

Changed

Maintenance changes.

33 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.

32 - 2022-10-12

Changed

Maintenance changes.

Fixed

Don’t print twice to std out when running without view and executing scripts (Issue 7455).

31 - 2022-09-23

Added

Automation ScriptJob - Enable or Disable any script and run a targeted script (Issue 7025).
Promoted to Release status.

Changed

‘Copy as curl command menu.js’ added change that prevents curl from adding User-Agent when no User-Agent should be present.
Maintenance changes.

30 - 2022-02-25

Added

Automation ScriptJob - Add or remove any script and run a standalone script

Changed

Update minimum ZAP version to 2.11.1.
Maintenance changes.

29 - 2021-10-06

Added

Allow to choose Kotlin for syntax highlighting.

Changed

Do not show Null script engine in Edit Script dialogue.
Now using 2.10 logging infrastructure (Log4j 2.x).
Update links to zaproxy and community-scripts repo.
Maintenance Changes.
‘Copy as curl command menu.js’ is now preceded by a separator, and the Title Caps of the menu item were fixed (Issue 2000).
‘Copy as curl command menu.js’ is now available in safe mode.
Update minimum ZAP version to 2.11.0.

28 - 2020-12-18

Fixed

GUI could hang when lots of print statements are used.

27 - 2020-12-15

Changed

Update minimum ZAP version to 2.10.0.
Tweak help content.
Show script engine when editing the script.
Fixed case where script print statements could deadlock ZAP.
Maintenance changes.
Support dark mode and dynamic Look and Feel switching

Fixed

Terminology
Do not show the Enable/Disable Script menu item if the script can’t be enabled/disabled, in some look and feels it could show an empty menu item (Issue 6256).

26 - 2020-01-17

Added

Add repo URL.

Changed

Update minimum ZAP version to 2.8.0.
Update help to mention custom script/global variables (Issue 3402).
Move empty template entry to the top, for consistency with other fields in New Script dialogue.
Save cursor position when switching between scripts.
Change info URL to link to the site.
Provide information on how to create scripts from templates (Issue 5746).

Fixed

Fix links in script templates.

25 - 2019-06-07

Fix typo in help page.
Execute Targeted scripts in other thread than GUI thread.
Clear highlighting syntax when a non-script node is selected.
Warn of script changed by another program (post 2.7.0).
Script console is disabled if script size > 1MB and highlight behavior is disabled if script size > 0.5MB.
Allow to select the file path in the Edit Script dialogue.
Allow to add selection listener to Scripts tree.

24 - 2018-01-25

Fix GUI freeze on script addition/removal through the API (Issue 4302).
Prompt for a charset when failed to read the script file (Issue 3383).

23 - 2018-01-19

Correct extender script, Add history record menu.js, to show the info dialogue.
Invoke script on selected message(s) (Issue 4085).
Update extender scripts to use just Nashorn (Java 8).
Do not show empty choice when the script engine requires a template.
Confirm overwrite of existing script file.
Support ’external’ scripts.

22 - 2017-11-27

Updated for 2.7.0.

21 - 2017-11-24

Show script types in alphabetical order in dialogues New and Load Script.
Fix an exception when installing extender scripts with errors.
Correct state of Enabled checkbox when creating a script from templates.
Allow to enable code folding in script text area.

20 - 2017-10-27

Added extender script type and examples.

19 - 2017-10-13

Code changes for Java 9 (Issue 2602).
Inform when the script contains invalid char sequences (related to Issue 3377).
Invoke Scripts tree context menu once.
Title caps adjustments (related to Issue 2000).
Allow to configure the enabled state of new/loaded scripts (Issue 2996).
Use selected font in script text area.
Fix UI hang when installing/uninstalling script engines (Issue 3945).
Support basic auto-completion

18 - 2017-04-03

Remove unused resource messages (Issue 2386).
Update help page to mention HTTP Sender scripts.
Allow to save scripts through the context menu.
Reset Console Output panel on session changes.
If there is only one script engine available, make it the default when creating a new script.

17 - 2016-09-07

Discard undoable edits after setting a script (Issue 2675).

16 - 2016-06-02

Fix exceptions when installing/uninstalling script engines, with no script selected.

15 - 2015-08-23

Issue 1653: Support context menu key for trees.
Updated add-on’s info URL.

14 - 2015-04-13

Make sure all script engines are shown when creating a script from type (Issue 1503).
Warn about missing script engines (Issue 1504).
Unload all components when uninstalling (Issue 1507).
Updated for ZAP 2.4

13 - 2014-09-10

Issue 1327: Support drag and drop in the scripts tree.
Issue 1330: Add menu for duplicating a script.
Issue 1278: Safe menu items not available in protected and safe modes.

12 - 2014-05-21

Disabled “Word Wrap” by default to avoid scrolling performance degradation due to long lines (Issue 1160).

11 - 2014-04-10

Updated to use the latest core changes, other minor code changes (Issues 609, 1085, 1104 and 1105).
Fixed an InvalidParameterException during add-on uninstallation (Issue 967).
Changed help file structure to support internationalisation (Issue 981).
Fixed inconsistencies in run/stop buttons (Issue 1023).
Fixed a NullPointerException (Issue 1025).
Added content-type to help pages (Issue 1080).
Changed to allow to clear the output panel even if “clear on run” is enabled (Issue 1103).
Updated add-on dir structure (Issue 1113).

10 - 2013-12-17

Changed to add an output console toolbar, depend on core ExtensionScript to avoid NullPointerException (Issue 847)

9 - 2013-09-11

Moved script support into the core and added targeted scripts

7 - 2013-05-27

Updated language files.

6 - 2013-05-13

Changed to unload all components when uninstalling.
Changed to use the new version of the RSyntaxTextArea library.

5 - 2013-01-21

Updated language files

4 - 2013-01-17

Updated to support new addon format

3 - 2012-11-23

Script Console Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Scripts Automation Framework Support

Mon, 01 Jan 0001 00:00:00 +0000

Scripts Automation Framework Support

This add-on supports the Automation Framework.

Job: script

The script job allows you to execute various actions with scripts:

Selenium Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Selenium Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Sequence Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

9 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.
Allow to override the default alert threshold of the bundled policy.
Maintenance changes.

8 - 2025-01-10

Added

Add Automation Framework jobs:
- sequence-import to import HARs as sequences.
- sequence-activeScan to active scan sequences.
Data for reporting.
Stats for import automation and active scan.
Sequence active scan policy which will be used if neither a policy nor policyDefinition are set.
Add Import top level menu item to import HAR as sequence.
Active Scan Sequence dialog.

Changed

Depend on Import/Export add-on to allow to import HARs as sequences.
Update minimum ZAP version to 2.16.0.
Maintenance changes.
Sequence scan implementation.
Promoted to beta.

Removed

Sequence panel from the Active Scan dialog.

7 - 2023-10-23

Changed

Maintenance changes.
Update minimum ZAP version to 2.14.0.

Fixed

Prevent exception if no display (Issue 3978).

6 - 2021-10-07

Added

Add info and repo URLs.

Changed

Update minimum ZAP version to 2.11.0.
Issue 2000 - Updated strings shown in active scan dialog with title caps.
Enable help button in Sequence tab of Active Scan dialog.
Maintenance changes.

5 - 2017-11-28

Updated for 2.7.0.

4 - 2017-05-25

Correct error message to include the script name.
Add help content (Issue 2191).
Depend on Zest extension, since it is currently the only script option for Sequence scripts.

3 - 2016-06-02

Allow to dynamically unload the add-on.
Other code changes.

2 - 2015-09-07

Updated to latest core changes.

1 - 2015-04-13

Sequence Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Server-Sent Events Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

13 - 2024-05-21

Changed

Update minimum ZAP version to 2.15.0.
Maintenance changes.

Fixed

More gracefully handle missing value for “id” field (Issue 8320)

12 - 2022-10-28

Changed

Update minimum ZAP version to 2.12.0.

11 - 2022-09-23

Changed

Maintenance changes.
Update minimum ZAP version to 2.11.1.

Fixed

Properly close the server side connection when no longer in use (Issue 6424).
Increase the size of the URL column (Issue 7354).

10 - 2021-10-07

Added

Add info and repo URLs.

Fixed

Terminology

Changed

Update minimum ZAP version to 2.11.0.
Adjust log levels to be less verbose.
Maintenance changes.

9 - 2016-06-02

8 - 2015-04-13

Updated for ZAP 2.4

7 - 2014-04-03

Minor code changes (Issues 503, 1104 and 1105).
Changed help file structure to support internationalisation (Issue 981).
Added content-type to help pages (Issue 1080).
Updated add-on dir structure (Issue 1113).

6 - 2013-09-11

Updated for ZAP 2.2.0

5 - 2013-06-28

Changed the loading order of the extension.
Changed to not load view components when in daemon mode.

4 - 2013-05-27

Updated language files.

3 - 2013-04-18

Updated for ZAP 2.1.0 and added JSON highlighter

2 - 2013-02-05

Fixed build issue to include help

1 - 2013-02-05

Server-Sent Events Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Server-Sent Events tab

Mon, 01 Jan 0001 00:00:00 +0000

Server-Sent Events tab

The Server-Sent Events tab displays all events from event streams.


	Basic Server-Sent Events concepts	for a short introduction to Server-Sent Events

Sites tab

Mon, 01 Jan 0001 00:00:00 +0000

Sites tab

The sites tab contains two trees, one for Contexts and the other for the Sites Tree.

Contexts tree

Shows the contexts contained in the current session. It allows to quickly access its properties by double clicking them and provides access to other functionality through the component’s context menu.

SOAP Automation Framework Support

Mon, 01 Jan 0001 00:00:00 +0000

SOAP Automation Framework Support

This add-on supports the Automation Framework.

The add-on will import WSDL files containing SOAP endpoints if they are found while spidering but adding them explicitly via a URL or local file is recommended if they are available.

Job: soap

The soap job allows you to import WSDL files locally or from a URL.

SOAP Support Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

29 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.
Update dependencies.

28 - 2025-09-18

Added

QA CICD policy tag to active scan rules.

27 - 2025-09-10

Fixed

When parsing WSDL files ensure the dateTime values are generated in UTC.

26 - 2025-09-02

Added

The SOAP Action Spoofing, SOAP XML Injection, and WSDL File Detection scan rules now all have CWE references.

25 - 2025-06-20

Added

The WSDL passive scan rule has been tagged of interest to Penetration Testers and QA.
The included active scan rules have been tagged of interest to Penetration Testers.

Changed

Depends on an updated version of the Common Library add-on.

24 - 2025-01-10

Changed

Update minimum ZAP version to 2.16.0.
Depend on newer version of Common Library add-on (Issue 8016).
Fields with default or missing values are omitted for the soap job in saved Automation Framework plans.

Added

Standardized Scan Policy related alert tags on scan rules.

23 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.

22 - 2024-03-25

Added

Video link in help for Automation Framework job.

Changed

Maintenance changes.
Link website alert pages and help (Issue 8189).
Updated Alerts’ reference links (Issue 8262).

21 - 2023-12-19

Fixed

Use empty values as defined by the Value Generator configuration (Issue 8202).
Correct generation of values for date and dateTime, it would fail with warnings in previous versions.

20 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.

19 - 2023-09-07

Changed

The “Import a WSDL file from local file system” and “Import a WSDL file from a URL” menu items were merged into one, “Import a WSDL File”. The merged dialog uses the shortcut Ctrl+J (Cmd+J on macOS).
The Import dialog shows the values used in the previous import when reopened.
Maintenance changes.
Depend on newer versions of Automation Framework and Common Library add-ons (Related to Issue 7961).
Use Common Library add-on to obtain the Value Generator (Issue 8016).
The SOAP Support Script has been superseded by a variant (Issue 6500).

18 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.
Dependency updates.

17 - 2023-02-09

Added

Support for relative file paths and ones including vars in the Automation Framework job.

Changed

Maintenance changes.

16 - 2022-11-17

Changed

The SOAP Support.js input vector script is removed when the add-on is uninstalled.
Dependency updates.

15 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.
Remove parser used for core spider (Related to Issue 3113).

14 - 2022-09-23

Changed

Dependency updates.
Maintenance changes.
Use Spider add-on (Issue 3113).
Use Form Handler add-on directly.
Promoted to Beta status.

13 - 2022-02-01

Changed

Update minimum ZAP version to 2.11.1.
Dependency updates.
When the automation Job is edited via UI Dialog then the status will be set to Not started

Fixed

Do not report “Unrecognised parameter” for valid parameters.

12 - 2021-11-29

Changed

Maintenance changes.
WSDL File scan rule now includes identification of URLs in the form “example.com/service?wsdl”, and specifically excludes 404s and 500s (including support for Custom Pages).
Import a WSDL file from a URL now logs a more specific message for some exception conditions, or when failing to convert the input ‘URL’ string into an actual URL to make the WSDL request.
The Import a WSDL file from a URL dialog now accepts pressing the enter key to activate the import process (instead of having to click the Import button), and the escape key to close/cancel the dialog.

11 - 2021-10-29

Changed

Dependency updates.

Fixed

NPE when detecting parameters.

10 - 2021-10-06

Added

OWASP Top Ten 2021/2017 alert tags.

Changed

Update minimum ZAP version to 2.11.0.

9 - 2021-09-16

Changed

Maintenance changes.

Fixed

Fixed var support in URLs (Issue #6726)

Changed

Maintenance changes.

8 - 2021-08-05

Added

Automation Framework GUI

Changed

Maintenance changes.

7 - 2021-06-23

Changed

Now using 2.10 logging infrastructure (Log4j 2.x).
Import WSDL documents synchronously when not using the UI.
Maintenance changes.

Fixed

Warnings generated by add-on dependencies.

6 - 2021-03-30

Changed

Accept only encoded URLs.
Add support for the Automation Framework.
Add support for statistics for the number of added URLs (or SOAP Actions).
Maintenance changes.

Fixed

Fix detection of WSDL files (Issue 6440).
Cope with missing Nashorn engine (Issue 6500).

5 - 2021-01-04

Changed

Add support for ValueGenerator (Issue 3345).

4 - 2020-12-16

Changed

Internationalise file filter description.
Dynamically unload the add-on.
Change default accelerator for “Import a WSDL file from local file system”.
Update minimum ZAP version to 2.10.0.
Add import menus to (new) top level Import menu instead of Tools menu.
Add support for SOAP version 1.2 to the Action Spoofing Scan Rule.
Distinguish alerts by adding the SOAP version to the “Other Info” section.
Maintenance changes.

Fixed

Various fixes (related to Issue 4832 and other testing).
Fix exception with Java 9+ (Issue 4037).
SOAP operations are no longer overwritten in sites tree (Issue 1867).
Persist the add-on configuration required by the scan rules in the ZAP database (Issue 4866).

3 - 2017-03-31

Added API, help and other minor code changes.

2 - 2015-09-07

Fixes a problem where operations under the same location were overwritten. Other minor fixes.

1 - 2015-04-13

First version

SOAP Support Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Software Risk Manager Extension Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

[Unreleased]

Changed

First version

Somethings not working. What should I do?

Mon, 01 Jan 0001 00:00:00 +0000

Somethings not working as you expect with ZAP, and you’re not sure if it’s a bug or a misunderstanding of how ZAP works.

The following steps may well help:

Check for Updates

Click on the ‘Manage Add-ons’ button on the toolbar and then click on the ‘Check for updates’ button.

Spider Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Spider Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Spider Automation Framework Support

Mon, 01 Jan 0001 00:00:00 +0000

Spider Automation Framework Support

This add-on supports the Automation Framework.

Job: spider

The Spider job runs the Traditional Spider. This is fast but does not handle modern applications as effectively.

SVN Digger Files Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

4 - 2021-10-07

Added

Add help.
Add repo URL.

Changed

Update minimum ZAP version to 2.11.0.
Promote to release status.
Change info URL to link to the site.

3 - 2015-04-13

Updated for ZAP 2.4

2 - 2013-01-17

1 - 2013-01-17

Tabbed Output Panel

Mon, 01 Jan 0001 00:00:00 +0000

Tabbed Output Panel

The Common Library add-on provides a tabbed output panel that replaces the default output panel in ZAP. This allows other add-ons to optionally log messages under named tabs in the output panel. If a name is not provided, messages are shown under the “General” tab and exceptions are shown under the “Errors” tab by default.

Technology Detection Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

21.54.0 - 2026-03-31

Changed

Updated with enthec upstream icon and pattern changes.

21.53.0 - 2026-02-24

Changed

Updated with enthec upstream icon and pattern changes.
Dependency update.

21.52.0 - 2025-12-18

Changed

Updated with enthec upstream icon and pattern changes.
Adjust warnings logged when a pattern incorrectly contains Confidence or Version tags, use just one punctuation character.

21.51.0 - 2025-12-15

Added

A help page for the tech-detection (wappalyzer) automation framework job.

Changed

Update minimum ZAP version to 2.17.0.

21.50.0 - 2025-12-03

Changed

Updated with enthec upstream icon and pattern changes.

21.49.0 - 2025-11-04

Changed

Updated with enthec upstream icon and pattern changes.
Maintenance changes.
The Technology panel toolbar now includes a toggle button to link its displayed contents to the Sites Tree selection.

Fixed

Icon sizing in the Technology table when a transparent placeholder needs to be used.
Reduced usage of error level logging.

21.48.0 - 2025-09-02

Changed

Updated with enthec upstream icon and pattern changes.
During load the time taken to process the data files will be shown in human readable format (generally seconds), as well as milliseconds (ms).
Maintenance changes.

21.47.0 - 2025-07-15

Changed

Updated with enthec upstream icon and pattern changes.

21.46.0 - 2025-06-20

Changed

Updated with enthec upstream icon and pattern changes.

21.45.0 - 2025-03-04

Changed

Updated with enthec upstream icon and pattern changes.

21.44.0 - 2025-01-15

Changed

Updated with enthec upstream icon and pattern changes.
Update minimum ZAP version to 2.16.0.
Depend on Passive Scanner add-on (Issue 7959).
The scan rule no longer sets a CWE for alerts (Issue 8733).

21.43.0 - 2024-11-25

Changed

Updated with enthec upstream icon and pattern changes.
Maintenance changes.

21.42.0 - 2024-09-24

Changed

Updated with enthec upstream icon and pattern changes.
Maintenance changes.

21.41.0 - 2024-09-02

Added

Request stats.

Fixed

Example alert details for documentation generation (Issue 6119).

21.40.0 - 2024-08-28

Changed

Updated with enthec upstream icon and pattern changes.
The add-on now has an options screen to allow users to select Quick/Exhaustive mode used by the passive scanner (part of Issue 8361).
- Quick > Return on first match; which may mean missing version information, but should be slightly more performant. (This is the default.)
- Exhaustive > Keep matching and don’t return early; likely slightly less performant.
The add-on now also has the ability to optionally raise Alerts for each technology identified. The default setting is enabled. (Issue 8361)
Maintenance changes.
- This may be a breaking change for anyone that has code using the Automation Framework’s Tech Detection (Wappalyzer) data.
The scan rule now includes example alert functionality for documentation generation purposes (Issue 6119).
Link website alert page and help (Issues 8189).

21.39.0 - 2024-07-04

Changed

Updated with enthec upstream icon and pattern changes.

21.38.0 - 2024-06-03

Changed

Updated with enthec upstream icon and pattern changes.

21.37.0 - 2024-05-21

Changed

Update minimum ZAP version to 2.15.0.
Updated with enthec upstream icon and pattern changes.
Maintenance changes (standardize on “Technology Detection” naming).

21.36.0 - 2024-05-02

Fixed

Implemented a change to address a resource contention issue when loading Tech Detection details (Issue 8464).

Changed

Suppress further un-helpful messages from the jsvg library logger.

21.35.0 - 2024-04-23

Changed

Maintenance changes.

Fixed

A typo in the help content.

21.34.0 - 2024-04-11

Changed

Updated with enthec upstream icon and pattern changes.
Parallelize loading of the technology files, to improve install/start-up performance.

21.33.0 - 2024-03-28

Changed

Updated with enthec upstream icon and pattern changes.

21.32.0 - 2024-03-04

Changed

Updated with enthec upstream icon and pattern changes.
Maintenance changes.

21.31.0 - 2024-02-09

Changed

Updated with enthec upstream icon and pattern changes.

21.30.0 - 2024-02-05

Changed

Updated with enthec upstream icon and pattern changes.
Made UI strings and help less Wappalyzer centric and more Technology Detection focused.

21.29.0 - 2024-01-03

Changed

Updated with enthec upstream icon and pattern changes.

21.28.0 - 2023-12-04

Changed

Updated with enthec upstream icon and pattern changes.
Dependency updates.

21.27.0 - 2023-11-03

Changed

Updated with enthec upstream icon and pattern changes.

21.26.0 - 2023-10-18

Changed

Updated with last AliasIO/Wappalyzer icon and pattern changes.
Updated with first set of icon and pattern changes from enthec/webappanalyzer.
Help entries are now identified as ‘Technology Detection - Wappalyzer’ to simplify searching/filtering.

21.25.0 - 2023-10-13

Changed

Update minimum ZAP version to 2.14.0.
Moved from Apache batik libraries to weisJ’s jsvg library (thus reducing the size of the add-on).

21.24.0 - 2023-09-07

Changed

Dependency updates.
Depend on newer versions of Automation Framework and Common Library add-ons (Related to Issue 7961).

Fixed

Ensure icons render when expected.

21.23.0 - 2023-08-14

Changed

Maintenance changes.
Update minimum ZAP version to 2.13.0.
Updated with upstream Wappalyzer icon and pattern changes.

21.22.0 - 2023-06-06

Changed

Updated with upstream Wappalyzer icon and pattern changes.

21.21.0 - 2023-05-03

Changed

Updated with upstream Wappalyzer icon and pattern changes.

21.20.0 - 2023-04-04

Changed

Updated with upstream Wappalyzer icon and pattern changes.

21.19.0 - 2023-03-03

Changed

Updated with upstream Wappalyzer icon and pattern changes.
Maintenance changes.

21.18.0 - 2023-01-06

Changed

Updated with upstream Wappalyzer icon and pattern changes.

21.17.0 - 2022-12-13

Changed

Updated with upstream Wappalyzer icon and pattern changes.

Fixed

Prevent exception if no display (Issue 3978).

21.16.0 - 2022-11-14

Changed

Updated with upstream Wappalyzer icon and pattern changes.

21.15.0 - 2022-11-03

Changed

Updated with upstream Wappalyzer icon and pattern changes.

21.14.0 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.
Updated with upstream Wappalyzer icon and pattern changes.
Maintenance changes.

21.13.0 - 2022-09-23

Changed

Maintenance changes.
Updated with upstream Wappalyzer icon and pattern changes.

21.12.0 - 2022-08-15

Changed

Maintenance changes.
Updated with upstream Wappalyzer icon and pattern changes.

21.11.0 - 2022-06-03

###Changed

Technology Detection Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Technology Detection API

Mon, 01 Jan 0001 00:00:00 +0000

Technology Detection API

The following views are available via the API:

Views

listSites: Lists all the sites recognized by the Technology Detection add-on.
listAll: Lists all sites and their associated applications (technologies).
listSite (site*): Lists all the applications (technologies) associated with the specified site.


	Wappalyzer

Tips and Tricks Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

16 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

15 - 2025-09-10

Changed

Change IRC tip to reference Slack.

14 - 2025-01-10

Changed

Update minimum ZAP version to 2.16.0.

13 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.

12 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.
Maintenance changes.

11 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.
Maintenance changes.

10 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.
Maintenance changes.

9 - 2021-10-06

Changed

Update minimum ZAP version to 2.11.0.

8 - 2021-05-28

Changed

Update minimum ZAP version to 2.10.0.
Update docker refs to use zaproxy.org instead of GitHub wiki.
Update IRC link to Libera Chat.
Maintenance changes.

7 - 2020-01-17

Added

Add info and repo URLs.

Changed

Updated for move from irc.mozilla.org to freenode

Removed

Remove tips related to Filter functionality, it no longer exists.

6 - 2019-06-07

Updated for 2.8.0.

6 - 2017-04-03

Minor code changes.
Updated for 2.7.0.

5 - 2015-08-23

Updated help page to show latest tips, fix typos and use proper charset.

4 - 2015-04-13

Removed the ‘show on start’ option as the tips are now shown in the splash screen, added more tips

2 - 2014-10-16

Dont show on start in daemon mode or for a dev build

1 - 2014-10-16

First version

Tips and Tricks Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Token Generation and Analysis Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

16 - 2025-12-15

Changed

Maintenance changes.
Update minimum ZAP version to 2.17.0.

15 - 2021-10-07

Changed

Now using 2.10 logging infrastructure (Log4j 2.x).
Maintenance changes.
Update minimum ZAP version to 2.11.0.

14 - 2020-12-15

Added

Add info and repo URLs.

Changed

Update minimum ZAP version to 2.10.0.
Improve permissions and space handling when saving.

13 - 2019-07-15

Maintenance changes.
Address problem from v12 where analysis dialog wasn’t being shown after collection (this was due to a build issue).

12 - 2018-05-17

Stop the test and clear the panel on session changes.
Respect the current mode and react to changes.
Inform of running test (e.g. on session change, add-on uninstall).
Allow to configure the number of threads.
Allow to delay the requests.
Update minimum ZAP version to 2.6.0.
Deletes the cookie in question before sending the request.

11 - 2017-11-24

Use custom HTTP Sender initiator ID.
Show same cookies once in Generate Tokens dialogue (Issue 2116).
Fix exception when no tokens are found (Issue 2116).
Added help file.
Issue 2338: Allow dynamic timeout adjustment to combat read timeout issues.
Ensure initial dialog is properly sized.
Issue 2000: Title caps adjustments.
Code changes for Java 9 (Issue 2602).
Ensure Analyse Token dialogue is shown in front of main window.

10 - 2015-09-07

Change active Pause Button to a Play button (Issue 1802).

9 - 2015-07-24

Allow the user to specify the number of requests (Issue 1711)

8 - 2015-04-13

Updated for ZAP 2.4

7 - 2014-04-10

Updated to use the latest core changes (Issues 609 and 1104).
Changed to display the messages generated in a table (Issue 503).
Updated add-on dir structure (Issue 1113).

6 - 2013-12-13

Updated for 2.2.0

5 - 2013-05-27

Updated language files.

4 - 2013-05-13

Changed to unload all components when uninstalling.
Changed the messages keys prefix.
Changed to use the messages automatically loaded by ZAP.
Updated for ZAP 2.1.0

3 - 2013-01-17

Updated to support new addon format

2 - 2012-11-23

Token Generation and Analysis Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

TreeTools Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

8 - 2021-10-07

Added

Add help.
Add info and repo URLs.

Changed

Update minimum ZAP version to 2.11.0.
Maintenance changes.

7 - 2017-11-27

Code changes for Java 9 (Issue 2602)

6 - 2015-04-13

Safe menu items will now be enabled in protected and safe modes (Issue 1278).

5 - 2014-04-10

Updated add-on dir structure (Issue 1113).

4 - 2013-09-11

Updated for ZAP 2.2.0

2 - 2013-06-28

Moved to beta status.
Changed the loading order of the extension.

1 - 2013-02-11

Value Generator Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

6.8.0 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

6.7.0 - 2025-01-09

Changed

Update minimum ZAP version to 2.16.0.
Depend on Common Library add-on, to provide the default/custom values to the other add-ons (Issue 8016).

Fixed

Fixed an issue in the help which may cause images to be displayed inline impacting the flow of the text.

6.6.0 - 2024-05-07

Changed

Update minimum ZAP version to 2.15.0.

6.5.0 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.
Maintenance changes.
Tweak help for proper rendering in the website.

6.4.0 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.

6.3.0 - 2023-06-02

Changed

Renamed to “Value Generator” to more clearly identify to users what the add-on does.

6.2.1 - 2023-04-05

Fixed

Correctly read fields provided with -config arguments when setting up the default fields.

6.2.0 - 2023-04-04

Added

Statistics.

Changed

Maintenance changes.
The value generator can now match fields based on regex.
Expanded the list of default fields and values.

6.1.0 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.
No longer provide the value generator through the core spider (Related to Issue 3113).
Maintenance changes.

6.0.0 - 2022-09-21

Changed

Maintenance changes.
Expose value generator for other add-ons (Related to Issue 3113).

5 - 2022-07-20

Changed

Update minimum ZAP version to 2.11.1.
Maintenance changes.

Fixed

Fix an exception when generating values for unidentified fields (Issue 7386).

4 - 2021-10-06

Changed

Maintenance changes.
Update minimum ZAP version to 2.11.0.

3 - 2020-12-15

Added

Add info and repo URLs.

Changed

Update minimum ZAP version to 2.10.0.
Promote to beta

2 - 2018-10-26

Add context menu to params panel.

1 - 2017-03-23

First version

Value Generator Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

ViewState Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

3 - 2021-10-07

Changed

Update minimum ZAP version to 2.11.0.
Maintenance changes.

2 - 2020-07-07

Added

Add help.
Add info and repo URLs.

Changed

Update minimum ZAP version to 2.9.0.

Fixed

Fix memory leak.

1 - 2016-09-14

WebSocket tab

Mon, 01 Jan 0001 00:00:00 +0000

WebSocket tab

The WebSockets tab displays all messages from WebSocket connections. While ZAP is active, visit e.g.: Mozilla’s BrowserQuest to see WebSockets in action.

Filters

Channel Selector

You can restrict the display of messages to one specific WebSocket channel or all.

WebSockets Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog.

36 - 2026-03-02

Fixed

Correct shutdown state.

35 - 2025-12-15

Changed

Update minimum ZAP version to 2.17.0.

34 - 2025-11-04

Changed

Update alert reference to latest location.
Adjusted and internationalized the text in some exceptions/warning dialogs to use multiple lines and thus be more clear.

Fixed

Error logs to always include stack trace.

33 - 2025-06-20

Changed

Add website alert links to the help page (Issue 8189).
Replace usage of CWE-200 for the following rules (Issue 8712):
- Email Disclosure.
- Debug Error Disclosure.

32 - 2025-01-10

Changed

Update minimum ZAP version to 2.16.0.

Fixed

Correct location/function of New Context context menu item.

31 - 2024-05-07

Added

Support for menu weights (Issue 8369)

Changed

Update minimum ZAP version to 2.15.0.
Maintenance changes.

30 - 2023-10-12

Changed

Update minimum ZAP version to 2.14.0.
Maintenance changes.

29 - 2023-07-11

Changed

Update minimum ZAP version to 2.13.0.
Maintenance changes.
Replace usage of singletons with injected variables (e.g. model, control) in scripts.

28 - 2023-01-03

Changed

Maintenance changes.

Fixed

Prevent exception if no display (Issue 3978).

27 - 2022-10-27

Changed

Update minimum ZAP version to 2.12.0.
Maintenance changes.
Use the Requester add-on for the WebSocket Message Editor dialogues.

Fixed

Correctly handle no message in the WebSocket message panel.

26 - 2022-05-20

Changed

Maintenance changes.
Cache WebSocket Passive Rules scripts for better performance with all script engines.

Fixed

Handle errors caused by WebSocket Passive Rules scripts, which would break the passive scan.

25 - 2022-03-14

Changed

Update minimum ZAP version to 2.11.1.
Update the reference links used in the Username IDOR passive scan script.
Reset the name of the connection threads when not actively used.

Fixed

Fix exception when manually reconnecting to the server.
Stop properly when shutting down.

24 - 2021-10-06

Changed

Now using 2.10 logging infrastructure (Log4j 2.x).
Maintenance changes (some changes impact the visibility of variables and add getters/setters, which may impact third party add-ons or scripts).
Update links to repository.
Support passive scan alert examples so they can be added to the website
Missing default scripts will always be added and enabled on start up.
Update minimum ZAP version to 2.11.0.

23 - 2020-12-18

Changed

Update minimum ZAP version to 2.10.0.

Fixed

Fix exception when handling breakpoints with ZAP 2.10.0.
Terminology

22 - 2020-08-17

Changed

Update minimum ZAP version to 2.9.0.
Allow to use newer versions of Fuzzer add-on.
Maintenance changes.

Fixed

Correctly handle API request without parameters.
Fixed an exception which was occurring when the tab was shown when a handshake response was first encountered during a ZAP session.

21 - 2020-01-17

Added

Add info and repo URLs.

Changed

Maintenance changes.
Disable table sort in WebSockets panel, not working properly (Issue 1661).

20 - 2019-07-23

Add WebSocket passive scan infrastructure.
- Add WebSocket Passive scan script plugin.
  - Template scripts for:
    - Python
    - Javascript
  - Default scripts for (loaded and enabled by default):
    - Base64 disclosure
    - Email disclosure
    - Error Application disclosure
    - Private IP disclosure
    - Credit Card disclosure
    - Username disclosure
    - Debug Error disclosure
    - Suspicious XML Comments disclosure
  - Help content for the default scripts.
Add stats for websocket frames sent and time taken for passive scanning.

19 - 2019-06-07

Fix exceptions when handling/dispatching events.
Add wrapper to websocket API responses.
Fix exception when handling API request with no API implementor.
Correct output stream used in server mode.
Add support for ‘other’ API operations.
Handle API options.
Validate the Origin for API connections.
Generate websocket events.
Add break API endpoints.
Scale fonts and icons correctly

18 - 2018-08-01

Allow to reopen WebSocket connection to (re)send messages (Issue 4290).

17 - 2018-07-13

Register WebSocket Sender script type also in daemon mode.
Fix an exception when dispatching events.
Fix an exception while uninstalling the add-on with no GUI (Issue 4815).
Remove event consumers when channel is no longer in expected state.

16 - 2018-06-05

Tweak About help page.
Remove event consumers when the channel is closed.
Don’t enable the sender scripts by default.
Fix send of CLOSE messages with message editor (Issue 4657).
Add missing error message.
Fix removal of pop up menu items.
Allow to filter by payload in WebSocket tab (Issue 1382).
Show string representation of binary payloads in WebSocket tab and message panels.

15 - 2018-02-21

Remove usage of core filter functionality.
Do not set messages when switching views if text view shows an error message (Issue 4108)
Add rewind to fix issue #4149
Added Websocket Sender script interface
Added API support

14 - 2017-11-27

Updated for 2.7.0.

13 - 2017-11-24

Fix context include/exclude pop up menu items.
Fix/correct help buttons.
Set fuzzer script type enabled by default (Issue 2997).
Normalise the Session Properties panel Exclude from WebSockets.
Implements WebSocketSenderListener.
Use JRE decoder for UTF-8 conversions and log (debug) invalid payloads (related to Issue 3324).
Focus WebSockets tab just once (Issue 3747).
Minor code adjustment to align with core changes.
Code changes for Java 9 (Issue 2602).
Remove header Sec-WebSocket-Extensions (Issue 3324).
Add description to Fuzzer WebSocket Processor script type.
Update fuzzer template (use JSDoc and fix typos).

12 - 2017-04-06

Make breakpoint dialogues modal.
Fix exception during the unload of the add-on, when in daemon mode.
Correct fuzz location overlap detection with same start index.

11 - 2016-06-02

Unload WebSockets components during uninstallation.
Use hostname/port of the handshake message to build the name of the channel.
Adjust log levels, from INFO to DEBUG.

10 - 2015-12-04

Fix issue with length of handshake’s url (Issue 2097).
Restore fuzzing capabilities (Issue 1905).

9 - 2015-04-13

Minor code changes and fix of exception.
Removed fuzzing code - will need to be re-implemented for new adv fuzzing

8 - 2014-04-10

Minor code changes (Issues 503, 609, 1104 and 1105).
Changed help file structure to support internationalisation (Issue 981).
Added content-type to help pages (Issue 1080).
Updated add-on dir structure (Issue 1113).
Restored the rendering of a custom icon for “handshake” messages shown in “Sites” tab.

7 - 2013-09-11

Updated for 2.2.0.

6 - 2013-05-27

Updated language files

5 - 2013-05-13

Fixed a NullPointerException while starting ZAP with ExtensionBreak disabled

4 - 2013-04-26

Fix Issue 2: setting payload for modified WebSocket messages was erroneous

3 - 2013-04-18

Updated for ZAP 2.1.0

2 - 2013-02-24

WebSockets Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Windows WebDrivers Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Zest - Graphical Security Scripting Language Add-on Changelog

Mon, 01 Jan 0001 00:00:00 +0000

Changelog

All notable changes to this add-on will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Zest - Graphical Security Scripting Language Add-on SBOM

Mon, 01 Jan 0001 00:00:00 +0000

Mozilla

Wed, 14 Apr 2021 00:00:00 +0000

ZAP is integral to how Mozilla secures the services powering core Firefox features including Accounts, Addons, and Sync for millions of individuals around the world. We support the open source development of ZAP, because it helps us ensure the security and privacy of our users keeping the Internet a global, public resource open and accessible to all.

Mon, 01 Jan 0001 00:00:00 +0000

Simon released ZAP in 2010 and has been working on it ever since.

Simon is employed by Checkmarx to work on ZAP.

Access Control Context Options

Mon, 01 Jan 0001 00:00:00 +0000

Access Control Context Options

The Access Control Context options are present as a panel for each Context when opening the Session Properties dialog. This panel allows ZAP users to define the Access Rules for each User of each Context.

As mentioned on the concepts page, ZAP is making use of the tree-based structure of URLs. So, when configuring the access rules, only 1 rule needs to be set explicitly for an entire subtree, while for the other nodes rules are inferred. Three possible values can be set for any node in Context for each User:

Add Alert dialog

Mon, 01 Jan 0001 00:00:00 +0000

Add Alert dialog

This dialog allows you to manually add or change an Alert associated with a specific request.

Fields

The dialog has the following fields:

Add-ons

Mon, 01 Jan 0001 00:00:00 +0000

Add-ons

Add-ons add additional functionality to ZAP.

They have full access to all of the ZAP internals, and so can provide very powerful new features.

You can dynamically install add-ons from the online Add-on Marketplace via the Manage Add-ons dialog.

You can typically add and remove add-ons to and from the ZAP UI without having to restart it.

AJAX Spider Context

Mon, 01 Jan 0001 00:00:00 +0000

AJAX Spider Context

This screen allows you to manage Context data for the AJAX Spider.

Excluded Elements

Allows to configure the elements that should be excluded from the crawling.

Alert Tags

Mon, 01 Jan 0001 00:00:00 +0000

Alert Tags

The Common Library add-on provides Alert Tags for use by scan rules.

Of note the following tags/groups of tags are included:

Custom Payloads - A tag which indicates the scan rules which support Custom Payloads functionality.
HIPAA (Health Insurance Portability and Accountability Act) - A tag representing alerts/rules which we’ve mapped to the HIPAA standard.
OWASP Top 10 (2017) - Tags representing the risks/vulnerabilities from the 2017 OWASP Top 10 list.
OWASP Top 10 (2021) - Tags representing the risks/vulnerabilities from the 2021 OWASP Top 10 list.
PCI DSS (Payment Card Industry Data Security Standard) - A tag representing alerts/rules which we’ve mapped to the PCI DSS standard.
Test Timing - A tag which represent rules/alerts which are based on time (induced delay) payloads.
OWASP Web Security Testing Guide (v4.2) - Tags which map rules/alerts to the relevant sections of the OWASP WSTG (version 4.2).

Compliance Tags

Please note that the PCI DSS and HIPAA standards deal with specific types of data, while an identified vulnerability may expose such data ZAP has insufficient context with which to differentiate what is or might be exposed by leveraging a given vulnerability. If the system being tested does not hold any such data then the related compliance tag may not be relevant.

Auto-Detect Authentication

Mon, 01 Jan 0001 00:00:00 +0000

Auto-Detect Authentication

This add-on adds a new authentication type which you can use to indicate that the Authentication Request Identification passive scan rule should attempt to configure the Authentication method automatically.

Automation Framework - Options

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - Options

The following options are available:

Open Last Plan on Start

If selected then the Automation tab will automatically load the last plan opened when the GUI starts. This can be useful if you need to regularly use the same plan.

Client Side Integration

Mon, 01 Jan 0001 00:00:00 +0000

Recording Client Side Scripts

The ZAP Browser extensions allow you to record all of the actions you take in the browser as a Zest script. They can be used to record things like authentication scripts or other complex interactions. Zest scripts can be replayed in ZAP, whether in the desktop or in automation.

Command Line

Mon, 01 Jan 0001 00:00:00 +0000

Command Line

The Network add-on supports the following command line options:


	-certload	Loads the Root CA certificate from the specified file.
	-certpubdump	Dumps the Root CA certificate into the specified file, this is suitable for importing into browsers.
	-certfulldump	Dumps the Root CA certificate and the private key into the specified file, this is suitable for importing into ZAP.
	-host	Overrides the host of the main proxy, specified in the configuration file.
	-port	Overrides the port of the main proxy, specified in the configuration file.

Local Servers/Proxies

When ZAP is running in command line mode (i.e. -cmd) only the main proxy is started, for example, to proxy integration tests or access the ZAP API. If unable to start the main proxy in command line mode or in daemon mode (i.e. -daemon) ZAP is terminated, when running with GUI an appropriate warning is shown instead.

Connection

Mon, 01 Jan 0001 00:00:00 +0000

Connection

General

This tab allows you to configure the general connection options.

Timeout (in seconds)

Allows to configure the connection and read timeout, a higher timeout allows to test slower applications.
Default: 20.

Default Policy

Mon, 01 Jan 0001 00:00:00 +0000

Default Policy

A policy which enables all of the installed active scan rules.

Programmatic Name: Default Policy

Return to main scan policies page.

Does ZAP offer community services?

Mon, 01 Jan 0001 00:00:00 +0000

Yes, the ZAP team currently offers the following services to the community.

Be Aware

The following are all subject to change without notice. We intend for them all to remain as-is over the long term, however, they are primarily intended to be used with ZAP and as such may change is/when required by the project/team.

Forced Browse tab

Mon, 01 Jan 0001 00:00:00 +0000

Forced Browse tab

The Forced Browse tab allows you to perform a Forced Browse scan on any of the sites that have been accessed.

Sites can be selected via the toolbar or the Sites tab .
Any sites that have have been or are currently being scanned are marked in bold in the toolbar Sites pulldown control.
The toolbar provides a set of buttons which allow you to start, stop, pause and resume the scan.
A progress bar shows how far the scan of the selected site has progressed.
The ‘Current scans’ value shows how many scans are currently active - hovering over this value will show a list of the sites being scanned in a popup.
The toolbar also includes a button to export the displayed content as CSV.

Fuzz AI Files - Extract Training Data

Mon, 01 Jan 0001 00:00:00 +0000

Fuzz AI Files - Extract Training Data

001 By Asking

This file contains fuzzing payloads specific to AI-RMM Control “Measure 2.7.2” The goal is to test if the system has established security and resilience metrics to detect potential theft of model training data, including encryption, access controls, and alarm thresholds for unauthorized access.

Fuzzer dialog

Mon, 01 Jan 0001 00:00:00 +0000

Fuzzer dialog

This allows you to select the fuzzers to use when fuzzing a request.

Fuzz Locations tab

To configure the fuzzing:

GraphQL Variant

Mon, 01 Jan 0001 00:00:00 +0000

GraphQL Variant

The GraphQL variant is responsible for two things:

Correctly representing the nodes for a GraphQL request in the sites tree.
Allow injecting payloads in GraphQL queries (Active Scan Input Vector support).

The following sections will elaborate a little on each of these functionalities.

Sites Tree Representation

Each unique GraphQL request proxied through ZAP is represented in the sites tree. Requests are placed under a common node if they have the same operations. Two queries that have the same fields will be represented by the same node. The only exception is when a query is sent with inline arguments and also using variables. In this case, a prefix of either ‘0’ or ‘1’ is added to distinguish between them respectively.
For example, the following figure illustrates how two requests may be represented in the sites tree.

gRPC WebSocket

Mon, 01 Jan 0001 00:00:00 +0000

gRPC WebSocket Support

The gRPC WebSocket support feature enables the WebSocket add-on to decode and encode gRPC messages seamlessly. This integration allows users to inspect, modify, and manage gRPC communication over WebSockets.


	gRPC	for an overview of the gRPC add-on.
	gRPC Variant	for information about the gRPC variant.

How do I get a specific feature implemented in ZAP?

Mon, 01 Jan 0001 00:00:00 +0000

You have 3 options:

Convince one of the existing ZAP developers that they should implement it
Convince someone else to implement it for you
Implement it yourself

Some of the ZAP core developers are paid to work on ZAP. If you can convince one of the us that we should implement it asap then this will probably be the quickest option as obviously we know the code base well. However we are all very busy and the companies who pay us have expectations on what we will deliver. We do have a lot of freedom to do what we think is right, but we all have a long list of things we’d really like to work on. But it doesn’t hurt to try.

How do I use Chrome with ZAP in Docker?

Mon, 01 Jan 0001 00:00:00 +0000

The Chrome browser is not included by default in the ZAP Docker images. This FAQ entry will walk-through the steps necessary to install and run Chrome with ZAP in a Docker container, to be used by its tools (e.g. DOM XSS Scan Rule, AJAX Spider).

Create a Dockerfile using one of the ZAP images and installing Chrome, e.g.:

FROM --platform=linux/amd64 zaproxy/zap-stable:latest

USER root

RUN apt-get update && \
	wget -q https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb && \
	apt-get install -y ./google-chrome-stable_current_amd64.deb && \
	rm -rf /var/lib/apt/lists/*

USER zap

Build the new image, e.g.: zap-chrome

docker build -f Dockerfile --platform linux/amd64 -t zap-chrome .

To verify everything is working create an Automation Framework plan called chrome.yaml with the following contents:

Insights List

Mon, 01 Jan 0001 00:00:00 +0000

Insights List

This is the full set of Insights currently supported:

Key	Description	Site	Type	Low	High
insight.database.full	Database full			High	High
insight.diskspace.full	Diskspace full			High	High
insight.memory.usage	Percentage of memory used		Mem	Medium	High
insight.log.error	Count of ZAP errors			Low	Low
insight.log.warn	Count of ZAP warnings			Low	Low
insight.network.failure	Percentage of network failures		Msg	Low	Med
insight.auth.failure	Percentage of authentication failures	Yes	Msg	Low	Med
insight.code.Xxx	Percentage of Xxx response codes	Yes	Msg	Info	Low
insight.response.slow	Percentage of slow responses	Yes	Msg	Info	Low
insight.endpoint.content.CCC	Percentage of responses with content-type CCC	Yes		Info	Info
insight.endpoint.method.MMM	Percentage of responses with method MMM	Yes		Info	Info
insight.endpoint.total	Total number of endpoints	Yes		Info	Info

The columns show the Insight fields with the following additions:

MCP Tools

Mon, 01 Jan 0001 00:00:00 +0000

MCP Tools

The following tools are available for MCP clients to invoke:

zap_version

Get the ZAP version.

zap_info

Get basic ZAP information.

OAST API

Mon, 01 Jan 0001 00:00:00 +0000

OAST API

The following operations are supported by the API:

Views

getActiveScanService: Gets the service used with the active scanner, if any.
getBoastOptions: Gets the BOAST options.
getCallbackOptions: Gets the Callback options.
getDaysToKeepRecords: Gets the number of days the OAST records will be kept for.
getInteractshOptions: Gets the Interactsh options.
getServices: Gets all of the services.

Actions

setActiveScanService (name*): Sets the service used with the active scanner.
- name: The name of the service.
setBoastOptions (server* pollInSecs*): Sets the BOAST options.
- server: The server URL.
- pollInSecs: The polling frequency.
setCallbackOptions (localAddress* remoteAddress* port*): Sets the Callback options.
- localAddress: The local address
- remoteAddress: The remote address.
- port: The port to listen on.
setDaysToKeepRecords (days*): Sets the number of days the OAST records will be kept for.
- days: The number of days.
setInteractshOptions (server* pollInSecs* authToken*): Sets the Interactsh options.
- server: The server URL.
- pollInSecs: The polling frequency.
- authToken: The Interactsh authentication token.


	OAST Services

OpenAPI LLM Support

Mon, 01 Jan 0001 00:00:00 +0000

OpenAPI LLM Support

This add-on supports LLM integration for importing OpenAPI definitions. It will only be enabled if you have chosen to install the LLM add-on and configured it.

LLM/AI OpenAPI Importer

The add-on adds a menu item to the Import menu:

Options Active Scan Input Vectors screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Active Scan Input Vectors screen

This screen allows you to configure the active scan input vectors.

These are the elements that the active scanner will attack.

Scanning all of the elements supported will take longer, but not scanning some elements may cause some vulnerabilities to be missed.

Injectable Targets

The request elements that the active scanner will target:

Options Custom Payloads screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Custom Payloads screen

This screen/table allows you to configure Custom Payload options:

Custom Payloads Table

Enabled

A checkbox indicating whether or not the particular custom payload is to be used or not.

Options Global Alert Filters

Mon, 01 Jan 0001 00:00:00 +0000

Options Global Alert Filters

This Options screen allows you to configure Global Alert Filters which allow you to automatically override the risk levels of any alerts raised by the active and passive scan rules. Unlike Context Alert Filters they apply to all alerts raised, not just those raised in a specific context.

Options Tech Detection screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Tech Detection screen

This screen allows you to configure the Tech Detection options:

Mode

The Mode which controls the behavior of the technology detection passive scan rule. This Mode is persisted between ZAP sessions.

Param Digger dialog

Mon, 01 Jan 0001 00:00:00 +0000

Param Digger dialog

This dialog launches the Param Digger.

Control

The first tab allows you to select or change the URL along with selection of guessers.
If the URL is in one or more Contexts then you will be able to choose one of them.
You can also modify the number of threads that would be used for the Param Digger.

Passive Scan Rules

Mon, 01 Jan 0001 00:00:00 +0000

Passive Scan Rules

This screen allows you to configure the passive scan rules.

Threshold

This controls how likely ZAP is to report potential vulnerabilities.

Passive Scanner Automation Framework - passiveScan-wait Job

Mon, 01 Jan 0001 00:00:00 +0000

Passive Scanner Automation Framework - passiveScan-wait Job

This job waits for the passive scanner to finishing scanning the requests and responses in the current queue. You should typically run this job after the jobs that explore you application, such as the spider jobs or those that import API definitions. If any more requests are sent by ZAP or proxied through ZAP after this job has run then they will be processed by the passive scanner. You can run this job as many times as you need to.

Passive Scanner Automation Framework Support

Mon, 01 Jan 0001 00:00:00 +0000

Passive Scanner Automation Framework Support

This add-on supports the Automation Framework.

Jobs

The following automation jobs are supported by this add-on:

Port Scan tab

Mon, 01 Jan 0001 00:00:00 +0000

This add-on has been retired and is no longer available.

Release 2.16.1

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.16.1

This is a bug fix release, along with some minor enhancements.

This release was made possible thanks to Checkmarx who employ 3 of the Core Team to work on ZAP.

These release notes do not include all of the changes included in add-ons updated since 2.16.0.

The enhancements include:

Report Generation Automation Framework Support

Mon, 01 Jan 0001 00:00:00 +0000

Report Generation Automation Framework Support

This add-on supports the Automation Framework.

Job: report

The report job allows you to generate reports using any of the installed report templates.

Request tab

Mon, 01 Jan 0001 00:00:00 +0000

Request tab

The Request tab shows you the data sent by your browser for the request that you have highlighted in either the Sites tab or the History tab.

The top panel shows the request header and the bottom panel shows any data also sent, for example as a result of a POST request.

Requester Tab

Mon, 01 Jan 0001 00:00:00 +0000

Requester Tab

The Requester tab in the workspace panel, next to the standard “Request” and “Response” tabs.

The Requester tab acts like the Manual Request Editor dialog but supports as many sub-tabs as you need.

Right click on a request in any of the other ZAP tabs and select “Open in Requester Tab…” to open that request in a new Requester tab. You can also use the Control / Command + “W” key to do the same thing via the keyboard.

Script Console Tab

Mon, 01 Jan 0001 00:00:00 +0000

Script Console Tab

The Scripts Console allows you to write scripts which run within ZAP.

It is made up of:

A toolbar
A text area (top) in which you can write your scripts
An output text area (bottom) for debug and error messages, with “print” statements.

To create a new script or to load or switch scripts see the The Scripts ’tree’ tab.

Selenium API

Mon, 01 Jan 0001 00:00:00 +0000

Selenium API

The ‘selenium’ API allows to set and view the paths to the required WebDrivers and binary.

API actions/views

Name	Type	Parameters	Description
getBrowserArguments	view	browser*	Gets the browser arguments.
optionChromeBinaryPath	view		Returns the current path to Chrome binary
optionChromeDriverPath	view		Returns the current path to ChromeDriver
optionFirefoxBinaryPath	view		Returns the current path to Firefox binary
optionFirefoxDriverPath	view		Returns the current path to Firefox driver (geckodriver)
addBrowserArgument	action	browser* argument* enabled	Adds a browser argument.
launchBrowser	action	browser*	Launches a browser proxying through ZAP, for manual usage.
removeBrowserArgument	action	browser* argument*	Removes a browser argument.
setBrowserArgumentEnabled	action	browser* argument* enabled*	Sets whether or not a browser argument is enabled.
setOptionChromeBinaryPath	action	String*	Sets the current path to Chrome binary
setOptionChromeDriverPath	action	String*	Sets the current path to ChromeDriver
setOptionFirefoxBinaryPath	action	String*	Sets the current path to Firefox binary
setOptionFirefoxDriverPath	action	String*	Sets the current path to Firefox driver (geckodriver)

Starred parameters are mandatory

Sequence Policy

Mon, 01 Jan 0001 00:00:00 +0000

Sequence Policy

An active scan policy with a small set of scan rules we think are good for testing sequences.

For the list of scan rules included see the Alert Tag: POLICY_SEQUENCE page.

Return to main Sequence add-on page.

Session Context screens

Mon, 01 Jan 0001 00:00:00 +0000

Session Context screens

These screens allows you manage contexts.

There is a set of screens for each context you define.

Top screen

This allows you to set the context name and description.

Sites Tree File Format

Mon, 01 Jan 0001 00:00:00 +0000

Sites Tree File Format

The Sites Tree Format is a YAML representation of the ZAP Sites Tree.
It is a hierarchy of nodes, each of which represents all of the essential information needed to uniquely identify the corresponding node in the Sites tree.

Each node has the following format:

SOAP Alerts

Mon, 01 Jan 0001 00:00:00 +0000

SOAP Alerts

The following alerts are raised by the SOAP add-on. {#id-90026}{#id-90029}{#id-90030}

Alert Reference	Name	Description	Latest Code
90026	Action Spoofing	SOAP requests contain some sort of operation that is later executed by the web application. This operation can be found in the first child element of the SOAP Body. However, if HTTP is used to transport the SOAP message the SOAP standard allows the use of an additional HTTP header element called SOAPAction. This header element contains the name of the executed operation. It is supposed to inform the receiving web service of what operation is contained in the SOAP Body, without having to do any XML parsing. This optimization can be used by an attacker to mount an attack, since certain web service frameworks determine the operation to be executed solely on the information contained in the SOAPAction header field.	SOAPActionSpoofingActiveScanRule.java
90029	SOAP XML Injection	During an “XML Injection” an attacker tries to add or manipulate various XML Tags in the SOAP message aiming to manipulate the XML structure. Usually a successful XML injection results in the execution of a restricted or unintended operation. Depending on the executed operation various security or business controls might be violated.	SOAPXMLInjectionActiveScanRule.java
90030	WSDL File Detection	This alert is raised when the passive scanner detects a WSDL file.	WSDLFilePassiveScanRule.java


	SOAP	for an overview of the SOAP support add-on.
	SOAP Automation	for information about the automation framework support.

Spider dialog

Mon, 01 Jan 0001 00:00:00 +0000

Spider dialog

This dialog launches the Spider.

Scope

The first tab allows you to select or change the starting point.
If the starting point is in one or more Contexts then you will be able to choose one of them.
If that context has any Users defined then you will be able to select one of them.
If you select one of the users then the spider will be performed as that user, with ZAP (re)authenticating as that user whenever necessary.

WebSocket specific options

Mon, 01 Jan 0001 00:00:00 +0000

WebSocket specific options

This screen allows you to configure the WebSocket options:

Forward all

If you’re not interested in WebSockets communication, but you want to allow its messages being sent back & forth through ZAP, then you should enable this option. As a result no message will be stored in the session database. Moreover no message will appear in the WebSockets tab. This setting can be useful if you have to deal with performance critical WebSocket connections and you’re not interested what is being sent.

What 'calls home' does ZAP make?

Mon, 01 Jan 0001 00:00:00 +0000

From 2.12.0 all ZAP ‘calls home’ are made to the zaproxy.org domain.

The availability of these services is shown on an UptimeRobot dashboard.

Check for Updates

ZAP makes one request to https://cfu.zaproxy.org to see if ZAP or any of the add-ons are up to date.

What are the command line options?

Mon, 01 Jan 0001 00:00:00 +0000

Refer to command line help page.

What data does ZAP collect?

Mon, 01 Jan 0001 00:00:00 +0000

A.K.A. ZAP Privacy Statement

The ZAP Tool

As a Manipulator in the Middle (MitM) proxy ZAP is able to observe a large amount of potentially very sensitive information.

What does ZAP test for?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP supports:

HTTP active and passive scanning.
WebSockets passive scanning.

For a full list of the HTTP active and passive scan rules see the Alert Details page.

By default ZAP comes with the following (HTTP) scan rules:

But you can also download and install:

What is the default directory that ZAP uses?

Mon, 01 Jan 0001 00:00:00 +0000

The default directory that ZAP uses depends on the OS.

You can open the ZAP Home directory in your OS’s file explorer in ZAP via Help > Support Info ... and by clicking on the Open ZAP Home button.

It can be overridden using the -dir command line option.

What versions of Java are supported?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP should be able to run with all/newer Java versions, but might require a minimum for certain ZAP versions:

ZAP 2.16.0 and later requires a minimum of Java 17
ZAP 2.12.0 and later requires a minimum of Java 11
ZAP 2.7.0 and later requires a minimum of Java 8
ZAP 2.0.0 and later requires a minimum of Java 7
Previous versions of ZAP also support Java 6, the last of those being 1.4.1

Where can I ask ZAP related questions?

Mon, 01 Jan 0001 00:00:00 +0000

User Guide

The User Guide (which is also included with ZAP) is a good place to start.

User Group

The User Group is the best place for questions about using ZAP.

Where does ZAP put its logs?

Mon, 01 Jan 0001 00:00:00 +0000

Where is ZAP installed?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP is installed in different places depending on the OS.

The install directory contains everything that’s bundled with ZAP originally.

Windows 7 / 8 / 10

Underneath the Program Files directory, e.g.

Why does my Antivirus Tool Flag ZAP?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP Downloads

As of April 2025 browsers appear to be flagging the ZAP downloads as potentially dangerous.

This appears to be the ‘fault’ of the Google SafeBrowsing service.

Why does ZAP Access Out of Scope Domains?

Mon, 01 Jan 0001 00:00:00 +0000

You have automated ZAP to attack your site but then you see that there are other domains in the Sites Tree or in the report.

Does this mean ZAP has attacked those other domains?

No. ZAP will only attack the sites you specify.

However, the AJAX Spider and the DOM XSS Scan Rule both launch browsers. We allow the browsers to access certain off domain resources such as JavaScript files - blocking these often breaks the target sites and mean the AJAX Spider or DOM XSS Scan Rule would not work.

Why don't you rewrite ZAP in ?

Mon, 01 Jan 0001 00:00:00 +0000

OK, so this question doesn’t get asked all the time, but it does come up every so often.

So here’s the official response:

Firstly, do you really need ZAP rewritten?

ZAP supports all of the JSR 223 scripting languages, so you can already extend ZAP in a very wide range of scripting languages, including JavaScript, Jython, and Jruby.

Why is ZAP not available in my language?

Mon, 01 Jan 0001 00:00:00 +0000

We rely on people like yourself to translate ZAP into other languages.

If your language is not available then it means that we, the developers, unfortunately don’t speak your language well enough to translate it and no one else has volunteered.

However you can help :)

Get in touch with us if you want to translate ZAP into another language, we’d love to hear from you!

ZAPit

Mon, 01 Jan 0001 00:00:00 +0000

ZAPit

Quick Start add-on supports the following Command Line option to perform a quick ‘reconnaissance’ scan of the URL specified.

You can specify multiple URLs by specifying the option multiple times:

-zapit https://www.example1.com -zapit http://example2.com/ -cmd

The -cmd option must be specified, if it is not then the -zapit option will be ignored.

Add/Edit Breakpoint dialog

Mon, 01 Jan 0001 00:00:00 +0000

Add/Edit Breakpoint dialog

This dialogue allows you to add and edit HTTP breakpoints.

A breakpoint is defined by the following fields:

Location - where the String is checked in the HTTP message: URL, Request Header, Request Body, Response Header, or Response Body.
Match - how the String is interpreted, Regex or Contains, for regular expression or exact match, respectively, in the Location. The regular expression does not need to match the whole content of the Location.
String - the string that triggers the breakpoint.
Inverse - if the result of the Match should be the inverse.
Ignore case - if the case of the String should be ignored.

If you proxy a HTTP message that matches a breakpoint then ZAP will intercept it and allow you to change either the request or the response.

AJAX Spider dialog

Mon, 01 Jan 0001 00:00:00 +0000

AJAX Spider dialog

This dialog launches the AJAX Spider.

Scope

The first tab allows you to change key features like:

Starting Point

The URL which the AJAX spider will start crawling from, or a context (in which case it will be used one of the URLs that are in context as starting point).

Alert Filter Automation Framework Support

Mon, 01 Jan 0001 00:00:00 +0000

Alert Filter Automation Framework Support

This add-on supports the Automation Framework.

Job: alertFilter

The alertFilter job allows you to define global and context specific alert filters.

Alerts

Mon, 01 Jan 0001 00:00:00 +0000

Alerts

An alert is a potential vulnerability and is associated with a specific request.

A request can have more than one alert.

Alerts are shown in the UI with a flag indicating the risk:


	High
	Medium
	Low
	Informational
	False Positive

Alerts can be raised by various ZAP components, including but not limited to: active scanning, passive scanning, scripts, by addons (extensions), or manually using the Add Alert dialog (which also allows you to update or change alert details/information).

Automation Framework - Environment

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - Environment

This section of the YAML configuration file defines the applications which the rest of the jobs can act on.

The environment is covered in the video: ZAP Chat 08 Automation Framework Part 2 - Environment.

The Automation Framework supports all of the authentication mechanisms supported by ZAP.

Browser Based Authentication

Mon, 01 Jan 0001 00:00:00 +0000

Browser Based Authentication

This add-on adds a new authentication method which uses a browser to login to the target website.

The authentication method requires the login URL and user credentials to perform the authentication. By default it automatically attempts to find suitable fields for the username and for the password, in the same page and multiple pages (i.e. password field is only made visible when the username has been entered).

Client Side Integration - Client Spider

Mon, 01 Jan 0001 00:00:00 +0000

Client Side Integration - Client Spider

This add-on adds a Client Spider which is designed to explore modern web apps more effectively.

The Client Spider works in a similar way to the AJAX Spider but it has access to the DOM via the ZAP Browser Extension which means that it can find content which the AJAX Spider cannot find.

Creating Reports

Mon, 01 Jan 0001 00:00:00 +0000

Creating Reports

You can easily create your own reports.

The add-on uses the Thymeleaf templating engine, so see their documentation for details of the templating syntax.

The built in reports are copied into the ‘reports’ directory underneath the ZAP default directory. Each report is in its own subdirectory. The easiest way to create a new report is to copy and existing one into a new directory at the same level.

Developer CI/CD Policy

Mon, 01 Jan 0001 00:00:00 +0000

Developer CI/CD Policy

This policy is designed to be used by developers in a CI/CD pipeline.

Recommended for running in CI/CD
No environmental / server related rules
No long running rules
No rules with high false positives
No timing attacks
No informational only rules
Minimal overlap

For the list of scan rules included see the Alert Tag: POLICY_DEV_CICD page.

Fuzz AI Files - Test Edge Cases

Mon, 01 Jan 0001 00:00:00 +0000

Fuzz AI Files - Test Edge Cases

001 Trick Model Safety

This file contains adversarial prompts designed to test model safety boundaries. The goal is to determine whether the model can be tricked into bypassing its alignment constraints, especially through indirect, obfuscated, or deceptive instructions.

Global Exclusions

Mon, 01 Jan 0001 00:00:00 +0000

Global Exclusions

The URLs/domains that should be ignored by the local proxies and scanners/tools. The Value is a regular expression matched against the requested target.


	Network	the introduction to Network add-on

GraphQL Automation Framework Support

Mon, 01 Jan 0001 00:00:00 +0000

GraphQL Automation Framework Support

This add-on supports the Automation Framework.

The add-on will import GraphQL schemas using introspection if endpoints are found while spidering. However, specifying an endpoint and (optionally) a schema file or URL is recommended if they are available.

Job: graphql

The graphql job allows you to import GraphQL schemas locally or from a URL. It supports the following parameters:

How can I add my own payloads to active scan rules?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP doesn’t just throw a load of payloads at a target to see what happens :)

The payloads are targeted based on the responses to other payloads so that it hopefully zeros in on specific vulnerabilities.

However there a various options:

Try out the custom payloads add-on which is supported by some of the existing rules
Change the existing rules to improve them - this blog post is a good place to start: Hacking ZAP: Active Scan Rules - if you do improve them then please submit pull requests :)
Write new rules to do whatever you want - this gives you full control, but could be a bit daunting to start with
Tweak the User defined attacks.js script - this is probably the easiest way to get started

How can I prevent ZAP from sending me 1000s of emails via a 'Contact Us' form?

Mon, 01 Jan 0001 00:00:00 +0000

In this case prevention is definitely better than cure.

By default when you use the ZAP spider and active scanner then ZAP will access all of the URLs, forms, and functionality it can find. If one of those results in your application sending emails then someone is going to get a LOT of emails. (Consider other scenarios like sending orders, HR actions, helpdesk tickets, etc.)

How can you speed up scans?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP finds vulnerabilities by sending lots of potentially malicious payloads at a target app and then trying to work out if the app is vulnerable to them. In order to find a wide range of vulnerabilities it has to send a lot of requests. This sort of scanning is going to take time.

How do I handle a False Positive?

Mon, 01 Jan 0001 00:00:00 +0000

False positives are where ZAP raises alerts for things that are not really vulnerabilities. You should make sure that you understand the potential vulnerability being reported and manually test it before concluding that it is not a real vulnerability.

Please report any false positives that you identify supplying as much information as you can, while obfuscating any sensitive information. New issues should just cover one scan rule and should include enough information for us to reproduce the problem. This will help us improve ZAP.

How do I report a False Negative?

Mon, 01 Jan 0001 00:00:00 +0000

False Negatives are where ZAP fails to identify an issue when it should.

Reporting these problems to us for passive scan rules is straightforward - just let us know the full request and/or response that ZAP should have raised the problem for.

Reporting problems with active scan rules is a bit more tricky, as ZAP will potentially send several requests to detect a specific problem and we need to know how your application responded to each one.

How often are scan rules updated?

Mon, 01 Jan 0001 00:00:00 +0000

Scan rules are defined in add-ons so they can be updated and published whenever they are improved.

However this may be less frequently than you might expect, and there are good reasons for that.

Some security tools focus on finding known vulnerabilities in known applications. New vulnerabilities are being found all of the time so the rules for these tools need to be frequently updated. These rules are often quite simple, they just need to detect that you are running a specific version of an application that has known vulnerabilities.

HTTP Message Processors

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Message Processors

HTTP Message Processors can access and change the HTTP messages being fuzzed, control the fuzzing process, and interact with the ZAP UI.

Built-in HTTP Message Processors include:

Anti-CSRF Token Refresher

Allows to refresh anti-CSRF tokens contained in the request. The anti-CSRF tokens must be properly detected by ZAP to be able to use this processor.
For more information consult the help page “Getting Started” > “Features” > “Anti CSRF Tokens”.
Note: This processor is automatically added to the list of processors, if anti-CSRF tokens were detected.

Insight Automation Framework Job

Mon, 01 Jan 0001 00:00:00 +0000

Insight Automation Framework Job

This add-on supports the Automation Framework.

Job: insights

The insights job allows you to configure the insights options.

Is there any danger when scanning with ZAP against a live website (e.g. create/delete/update/corrupt data)?

Mon, 01 Jan 0001 00:00:00 +0000

Proxying (and therefore passive scanning) requests via ZAP is completely safe and legal, it just allows you to see whats going on.

Spidering is a bit more dangerous. It could cause problems depending on how your application works.

Note that there is an Spider option to not use POST requests - this may be safer but is also likely to reduce the effectiveness of the Spider.

MCP Prompts

Mon, 01 Jan 0001 00:00:00 +0000

MCP Prompts

Prompts are reusable instruction templates. MCP clients discover them via prompts/list and retrieve them via prompts/get.

zap_baseline_scan

Run a ZAP baseline scan: spider the target (standard then AJAX) and check for passive vulnerabilities without any active attacking.

OAST Options

Mon, 01 Jan 0001 00:00:00 +0000

OAST Options

A tabbed pane allows you to configure the available OAST services.

General Settings

These are options not specific to a single OAST service.

Options Alerts screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Alerts screen

This screen allows you to configure the alerts options:

If selected then related issues will be merged in any reports generated.
This will significantly reduce the size of the report as duplicated information will be removed.

Options Quick Start Launch screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Quick Start Launch

Start Page

This controls the page that is shown when you launch a browser to be proxied through ZAP.
There are 3 options:

Param Digger tab

Mon, 01 Jan 0001 00:00:00 +0000

Param Digger tab

The Param Digger tab shows you the set of parameters identified by the Param Digger during the scans.

The ‘New Scan’ button launches the Param Digger dialog which allows you to specify exactly which URL should be scanned.
The Param Digger can be run on multiple URLs in parallel and the results for each scan are shown by selecting the scan via the ‘Progress’ pull-down.

Passive Scan Tags

Mon, 01 Jan 0001 00:00:00 +0000

Passive Scan Tags

This screen allows you to configure the tags that are added by the passive scanner. You can add, modify and remove the tags via the appropriate buttons.

Tag Interpolation

In order to allow some flexibility in Tag creation and content it is possible for the user to specify a regular expression with capturing groups which will be used to replace the group identifiers (ex: $1) in the resulting tag.

Release 2.16.0

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.16.0

This is a bug fix and enhancement release. Look out for new Blog Posts and Videos which will cover some of these new features in much more depth in the coming days and weeks.

This release was made possible thanks to Checkmarx who employ 3 of the Core Team to work on ZAP.

Response tab

Mon, 01 Jan 0001 00:00:00 +0000

Response tab

The Response tab shows you the data sent to your browser for the request that you have highlighted in either the Sites tab or the History tab.

Pull downs allow you to select different Views for the Response header and body.

Note that images are only shown in the History tab if the ‘Enable Image in History’ flag in the View menu is selected.

Scanner Rules

Mon, 01 Jan 0001 00:00:00 +0000

Scanner Rules

ZAP supports both active and passive scanning rules.

All rules are contained in add-ons so that they can be updated quickly and easily.

By default ZAP ships with just the ‘Release’ status rules, but you can install ‘Beta’ and ‘Alpha’ status rules via the Manage Add-ons dialog.

Scan Policies define which rules run and how they run.

Script Console Options

Mon, 01 Jan 0001 00:00:00 +0000

Script Console Options

When the Script in the Console Changes on Disk

This setting allows you to configure the default behaviour when a script open in the Script Console changes on disk, for example if it was updated in another code editor. There are three options to choose from:

Session Context Authentication screen

Mon, 01 Jan 0001 00:00:00 +0000

Session Context Authentication screen

This is one of the Session Context screens which allows you to manage the way in which Authentication is being done for the Context.

Authentication Method

After selecting the Authentication Method type, the options that need to be configured depend on the Authentication Method.

Someone is using ZAP to attack my website - what should I do?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP is a free tool designed to help everyone secure their own websites. Unfortunately this means that other people can use it to attack your website as well.

ZAP is not designed to be a covert tool - it uses various variations of “ZAP” in its attacks, so if someone does use ZAP to attack your site then this should be apparent in your web server logs.

Spider tab

Mon, 01 Jan 0001 00:00:00 +0000

Spider tab

The Spider tab shows you the set of unique URIs found by the Spider during the scans.

The ‘New Scan’ button launches the Spider dialog which allows you to specify exactly what should be scanned.

The Spider can be run on multiple Sites in parallel and the results for each scan are shown by selecting the scan via the ‘Progress’ pull-down.

Technology Detection Automation Framework Support

Mon, 01 Jan 0001 00:00:00 +0000

Technology Detection Automation Framework Support

This add-on supports the Automation Framework.

Job: wappalyzer

The wappalyzer job is a data job. It does not have any configurable parameters. It provides technology detection data to other jobs via the TechJobResultData class.

Top Level Toolbar

Mon, 01 Jan 0001 00:00:00 +0000

This toolbar provides a set of controls for commonly used functionality.

Mode pulldown

This allows you to change the current mode.

WebSocket specific session properties

Mon, 01 Jan 0001 00:00:00 +0000

WebSocket specific session properties

Exclude from WebSocket

This allows you to manage the URLs where WebSocket communication is not processed in ZAP.
Although all messages from excluded URLs are forwarded, nothing is stored nor can you view them in the user interface. This feature is useful for high volume, performance critical WebSocket connections.
You can differentiate on the port for one given domain, by using e.g.: example.com:443 to exclude WebSocket connections from example.com only on port 443.

What should I do if ZAP doesn't detect a known problem?

Mon, 01 Jan 0001 00:00:00 +0000

If ZAP fails to detect a known problem then please let us know!

Obviously the more information you can give us the better, and the best option would be a simple one page ‘proof of concept’ in the form of a wavsep test - we can then include those in our regression tests.

Why can ZAP scans be inconsistent?

Mon, 01 Jan 0001 00:00:00 +0000

If you run ZAP multiple times against a target then you may well find that the results are subtly different even though the target has not changed.

This is not unusual, and we do not consider this a significant problem.

In our experience it is usually all down to how the application is explored - the traditional and ajax spiders seem to be sensitive to small changes, including things like network speed.

Mon, 01 Jan 0001 00:00:00 +0000

Ricardo started working on ZAP in 2011 and has made more PRs against the ZAP repos than anyone else.

Ricardo is employed by Checkmarx to work on ZAP.

A Basic Penetration Test

Mon, 01 Jan 0001 00:00:00 +0000

A Basic Penetration Test

A basic penetration test is made up of the following steps:

Explore

Use your browser to explore all of the functionality provided by the application.
Follow all links, press all buttons and fill in and submit all forms.
If the applications supports multiple roles then do this for each of the roles.
For each role save the ZAP session in a different file and start a new session before you start using the next role.

Add Note dialog

Mon, 01 Jan 0001 00:00:00 +0000

Add Note dialog

This allows you to add a note to a request.

Accessed via


	History tab	‘Note…’ right click menu item


	UI Overview	for an overview of the user interface
	Dialogs	for details of the dialogs or popups

Anti CSRF Handling

Mon, 01 Jan 0001 00:00:00 +0000

Anti CSRF Tokens

Anti CSRF tokens are (pseudo) random parameters used to protect against Cross Site Request Forgery (CSRF) attacks.

However they also make a penetration testers job harder, especially if the tokens are regenerated every time a form is requested.

ZAP detects anti CSRF tokens purely by attribute names - the list of attribute names considered to be anti CSRF tokens is configured using the Options Anti CSRF screen.

Automation Framework - authentication

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - authentication

The Automation Framework supports all of the authentication mechanisms supported by ZAP.

Environmental Variables

ZAP supports a set of Authentication Header Environmental Variables - these will be applied by ZAP if they are defined however ZAP is run, including via the Automation Framework.

Break tab

Mon, 01 Jan 0001 00:00:00 +0000

Break tab

The Break tab allows you to change a request or response when it has been caught by ZAP via a breakpoint.

It allows you to change elements that you would not normally be able to change via your browser, including:


	The header
	Hidden fields
	Disabled fields
	Fields that use javascript to filter out illegal characters

This functionality is key to effectively pen testing your application.

Client Side Integration - Client Spider API

Mon, 01 Jan 0001 00:00:00 +0000

Client Side Integration - Client Spider API

This add-on adds various API endpoints to allow you to control the Client Spider programmatically.

The API is accessible via clientSpider API prefix.

Views

status (scanId*): Gets the status of the spider scan. Returns an integer between 0 and 100 indicating current progress.

Actions

scan (browser url contextName userName subtreeOnly maxCrawlDepth pageLoadTime numberOfBrowsers scopeCheck): Runs the Client Spider against the given URL and/or context. Returns the scanId.
stop (scanId*): Stops a Client Spider scan.

Parameters

browser: The browser to use for the scan, e.g. ‘firefox-headless’. If not specified, uses Firefox Headless.
url: The URL to start the scan at. If not specified and a context is set, the first URL in the context will be used.
contextName: The name of the context to scan.
userName: The name of the user to run the scan as. The user must exist in the specified context.
subtreeOnly: If set to ’true’, the spider will only scan URLs under the specified URL. Default: ‘false’.
maxCrawlDepth: The maximum depth the spider should crawl, where 0 is unlimited. Defaults to client options.
pageLoadTime: The time in seconds to wait for a page to load. Defaults to client options.
numberOfBrowsers: Number of Browser Windows to Open (concurrency). Integer, defaults to client options.
scopeCheck: Scope Check mode, either FLEXIBLE (default) or STRICT.
scanId: The ID of the scan to query or manage.

Examples

Start a scan:

https://zap/JSON/clientSpider/action/scan/?url=https://example.com&maxCrawlDepth=5&pageLoadTime=30&numberOfBrowsers=1&scopeCheck=STRICT

Check status:

https://zap/JSON/clientSpider/view/status/?scanId=1

Stop a scan:

https://zap/JSON/clientSpider/action/stop/?scanId=1

Command Line

Mon, 01 Jan 0001 00:00:00 +0000

Command Line

To run ZAP via the command line, you will need to locate the ZAP startup script.
Windows:

C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat

Note: The command line options are not used by the executable (zap.exe) only the bat file.

Mac:

/Applications/ZAP.app/Contents/Java/zap.sh

Linux:
zap.sh will be below the directory where ZAP was installed.

Developer Standard Policy

Mon, 01 Jan 0001 00:00:00 +0000

Developer Standard Policy

A developer focused policy meant to perform fairly quickly while providing a greater set of results than the CICD policy, intended for use in a dev environment.

A superset of Developer CICD
Intended to run in a dev environment
No environmental / server related rules
No rules with high false positives
No timing attacks
No informational only rules
Can include longer running rules

For the list of scan rules included see the Alert Tag: POLICY_DEV_STD page.

Fuzz AI Files - Exploit Model Memory

Mon, 01 Jan 0001 00:00:00 +0000

Fuzz AI Files - Exploit Model Memory

001 Inject Context Memory

This file is part of the Exploit Model Memory series and contains targeted fuzzing payloads for “context injection attacks” that attempt to manipulate a model by embedding malicious or contradictory content into earlier parts of the conversation or request context. The objective is to determine whether the target model will adopt, act upon, or preserve injected instructions or facts that were planted earlier in the session.

Fuzz Location Processors dialog

Mon, 01 Jan 0001 00:00:00 +0000

Fuzz Location Processors dialog

This allows you to select the payload processors to use with all payload generators.

The built-in payload processors included are the same that are available via the Payload Processors dialog.

Accessed via


	Fuzzer dialog ‘Processors…’ button


	Fuzzer concepts

GraphQL Alerts

Mon, 01 Jan 0001 00:00:00 +0000

GraphQL Alerts

The following alerts are raised by the GraphQL add-on.

Alert Reference	Name	Description	Latest Code
50007-1	GraphQL Endpoint Supports Introspection	This alert is raised when the spider discovers a GraphQL endpoint that supports introspection.	GraphQlParser.java
50007-2	GraphQL Server Implementation Identified	This alert is raised when the GraphQL implementation used by the server is identified. It utilises fingerprinting techniques adapted from the tool graphw00f. Note: If the Tech Detection (Wappalyzer) add-on is installed the fingerprinter will also add identified GraphQL Engines to the Technology tab/data.	GraphQlFingerprinter.java
50007-3	GraphQL Circular References in Schema	This alert is raised when cycles are found in the object types in the imported GraphQL schema. A new alert is raised for each unique cycle. The alert contains information about the cycle and a message with an example query. No requests are actually sent.	GraphQlCycleDetector.java

Alert ID: 50007.

How can I add an application icon for ZAP to Fedora / Gnome 3?

Mon, 01 Jan 0001 00:00:00 +0000

As root create a file called /usr/share/applications/owasp-zap.desktop containing:

[Desktop Entry]
Name=OWASP ZAP
Exec=/opt/owasp/ZAP_2.8.0/zap.sh
Icon=/opt/owasp/ZAP_2.8.0/zap.ico
Categories=Programming;Security;
Type=Application

Make sure you correct the paths to match your environment!

How can I connect to ZAP remotely?

Mon, 01 Jan 0001 00:00:00 +0000

By default ZAP will now also only allow connections from the local machine. You can set which IP addresses can connect to the API using the command line:

-config api.addrs.addr.name=123.456.789.123

If you are using ZAP in a completely isolated environment you can allow all IP addresses to connect to the ZAP API using:

How can I fix 'browser was not found'?

Mon, 01 Jan 0001 00:00:00 +0000

If you want to manually explore your target app then the easiest way is to launch your favourite browser from ZAP. ZAP will automatically configure it to proxy via ZAP and to ignore the certificate warnings you would otherwise get from the ZAP root CA certificate.

But what can you do if ZAP fails to launch your browser?

How can I use ZAP with a Java application which connects to a web service over SSL?

Mon, 01 Jan 0001 00:00:00 +0000

You’ll need to generate a root CA certificate.

Export it into a file.

Import it in to the JRE cacerts keystore.

Assuming the Java keytool is on the system path, JAVA_HOME is set to the location of a JRE and the ZAP Root CA cert is exported to “~/zap_root_ca.cer”, then the command is:

How can you import POST requests?

Mon, 01 Jan 0001 00:00:00 +0000

GET requests can be easily imported into ZAP using the “Import URLs” option which is included in ZAP by default. However this only supports GET requests.

If you need to import POST requests, or requests using other HTTP methods like PUT and DELETE, then you have a selection of options:

How can you start ZAP?

Mon, 01 Jan 0001 00:00:00 +0000

Again, this depends on the OS:

Windows

There are 3 options on Windows:

Via the desktop icon (assuming you selected this option during installation)
Via the ‘Start’ menu:
- All Programs
  - ZAP
    - Zed Attack Proxy
      - ZAP <version>
Via the ‘zap.bat’ command line script in the installation directory

Linux

On Linux there’s just a ‘zap.sh’ script in the installation directory, although you can create a desktop icon manually as well.

How can ZAP automatically authenticate via forms?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP can handle pretty much any authentication out there.

The best place to start is the Authentication Decision Tree.

How do you add a script to ZAP from the command line?

Mon, 01 Jan 0001 00:00:00 +0000

If you are doing anything non-trivial with ZAP from the command line then you should use the Automation Framework. This has direct support for scripts.

If you cannot use the Automation Framework for any reason then you’ll need to use the following command line options (with the values changed to match your requirements of course;)

How do you configure ZAP logging?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP logs to a file called “zap.log” in the ZAP ‘home’ directory.

The logging is configured by the log4j2.properties file in the same directory.

By default the ‘main’ logging levels are set to info by these lines:

logger.paros.name = org.parosproxy.paros
logger.paros.level = info

logger.zap.name = org.zaproxy.zap
logger.zap.level = info

Changing these to debug (and restarting ZAP) will significantly increase the amount of logging performed:

How do you configure ZAP to test an application on localhost?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP has no problems scanning applications running on localhost, however there are a couple of things you need to be aware of.

By default ZAP listens on port 8080. If your app also listens on 8080 then you’ll need to change one of them to listen on a different port - it’s probably easier to change ZAP using the Options Local Proxies screen, remember to change your browser’s proxy settings as well: Configuring Proxies.

How do you find out what key to use to set a config value on the command line?

Mon, 01 Jan 0001 00:00:00 +0000

If you need to set options via the command line then have a look at the Automation Framework first. This is well documented and has support for all of the most commonly needed configuration parameters.

The ZAP command line allows you to set individual values as follows:

-config api.key=12345 -config network.connection.timeoutInSecs=60

How can you find out what keys to use to set the values you want?

How to connect to an HTTPS site that reports a handshake failure?

Mon, 01 Jan 0001 00:00:00 +0000

First of all try checking the ‘Enable unsafe SSL/TLS renegotiation’ checkbox in the Certificate Options screen and trying again.

Second check if you’ve enabled SSLv2Hello in the outbound connection options. If so, disable SSLv2Hello and reload the content to see if the issue is resolved.

If this doesn’t help and an HTTPS site reports a handshake failure then try installing the ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’:

Insights Options

Mon, 01 Jan 0001 00:00:00 +0000

Insights Options

This screen allows you to configure the Insights options.

Exit Automation on High

If set then a High Level Insight will stop automation.

Local Servers/Proxies

Mon, 01 Jan 0001 00:00:00 +0000

Local Servers/Proxies

This tab allows you to configure the addresses and ports on which ZAP accepts incoming connections.

Main Proxy

By default ZAP will listen on one local address and port, and usually these should be the address and port that you must configure your browser to use as a proxy.

MCP Resources

Mon, 01 Jan 0001 00:00:00 +0000

MCP Resources

The following resources are available for MCP clients to read:

zap://alerts

ZAP security alerts summary. Returns a lightweight list with name, risk, pluginId, alertRef, instanceCount, systemic, and instancesUri. Use zap://alerts/{alertRef} to get the full instances for a specific alert.

Options AJAX Spider screen

Mon, 01 Jan 0001 00:00:00 +0000

Options AJAX Spider screen

This screen allows you to configure the AJAX Spider options. The AJAX Spider is an add-on for a crawler called Crawljax. The add-on sets up a local proxy in ZAP to talk to Crawljax. The AJAX Spider allows you to crawl web applications written in AJAX in far more depth than the native Spider. Use the AJAX Spider if you may have web applications written in AJAX. You should also use the native Spider as well for complete coverage of a web application (e.g., to cover HTML comments).

Options Anti CRSF screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Anti CRSF Tokens screen

This screen allows you to configure the anti CSRF tokens options:

Tokens

The form POST parameter names that should be treated as anti CSRF tokens.

Options Spider screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Spider screen

This screen allows you to configure the Spider options.

It should be noted that modifying most of these options also affects the running Spider.

Maximum depth to crawl

The parameter defines the maximum depth in the crawling process where a page must be found in order for it to be processed. Resources found deeper than this level are not fetched and parsed by the spider. The value zero means unlimited depth.

Release 2.15.0

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.15.0

This is a bug fix and enhancement release.
These release notes do not include all of the changes included in add-ons updated since 2.14.0.

This release was made possible thanks to our biggest supporter, the Crash Override.

Some of the more significant enhancements include:

Scripts as First Class Scan Rules

Active and passive scan script rules can now be treated as “first class” scan rules. This means that they can be individually referenced in an active scan policy, in the passive scan rules options, and in Automation Framework plans. In addition directories of scripts can now be added with all of the scripts enabled - this will make it much more straightfoward to manage script rules in automation.

Report Generation - About

Mon, 01 Jan 0001 00:00:00 +0000

Report Generation - About

Source Code

https://github.com/zaproxy/zap-extensions/tree/main/addOns/reports

Authors

ZAP Dev Team

Script Scan Rules

Mon, 01 Jan 0001 00:00:00 +0000

Script Scan Rules

Active and Passive Scripts that implement the getMetadata function are treated as first-class scan rules by ZAP. An example implementation of this function in a script would look like:

function getMetadata() {
	return ScanRuleMetadata.fromYaml(`
id: 12345
name: Active Vulnerability Title
description: Full description
solution: The solution
references:
  - Reference 1
  - Reference 2
category: INJECTION  # info_gather, browser, server, misc, injection
risk: INFO  # info, low, medium, high
confidence: LOW  # false_positive, low, medium, high, user_confirmed
cweId: 0
wascId: 0
alertTags:
  name1: value1
  name2: value2
otherInfo: Any other Info
status: alpha
alertRefOverrides:
  12345-1:
    name: Alert Reference 1

`);
}

The metadata function is evaluated upon saving the script, which is exposed as a scan rule if the metadata is valid.

Session Context Structure screen

Mon, 01 Jan 0001 00:00:00 +0000

Session Context Structure screen

This is one of the Session Context screens which allows you to manage ZAP’s understanding of the structure of the application.

URL Key value pair separators

The characters that separate pairs of keys and values in URLs, by default ‘&’.

Session Management Identification

Mon, 01 Jan 0001 00:00:00 +0000

Session Management Identification

This add-on includes a passive scan rule which attempts to identify session management methods.
It identifies session management methods by the presence of commonly used session management identifiers and any values specified in Authorization request headers.

The rule will not attempt to identify very unusual session management methods - automation is one of the end goals so false negatives (missing unusual session management methods) are more desirable than false positives (incorrectly identifying a session management method).

WebSocket Scripts

Mon, 01 Jan 0001 00:00:00 +0000

WebSocket Scripts

WebSocket Sender

WebSocket Sender scripts are called before forwarding the WebSocket message frame to the server or client and can access and change any WebSocket message that is proxied via ZAP.
They are initially disabled, to enable them right click the relevant script in the Scripts tree and select “enable”.
A template script is provided which gives details of the methods and parameters supported.

What options exist for selective proxying?

Mon, 01 Jan 0001 00:00:00 +0000

There are a number of ways to accomplish selective proxying.

1 - Via a Browser Add-on/Extension

Such as FoxyProxy: https://getfoxyproxy.org/

2 - Via Global Exclusions

Leveraging Global Exclusions you can specify URLs that ZAP should not intercept.

3 - Via a PAC (Proxy Auto-Config) File

You can create your own PAC (Proxy Auto-Config) file and dynamically set proxying as you need, then point your browser at it on your harddrive using the file:/// scheme. For example:

function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.example.org")) {
        return "PROXY localhost:8080"; //Use ZAP for *.example.org
    }
    // Go directly to the WWW for everything else
    return "DIRECT";
}

Why can't ZAP connect to my web application?

Mon, 01 Jan 0001 00:00:00 +0000

This is usually not a ZAP problem.

Is your web application actually running?

Can you connect to it using the IP address rather than the FQDN or hostname?

Can you connect to your application from the same machine using another tool like curl?

If you are using one of the ZAP Docker images then be aware that using Docker will change the networking. In this case make sure that you run curl from the Docker image, e.g. using a command like:

AJAX Spider tab

Mon, 01 Jan 0001 00:00:00 +0000

AJAX Spider tab

The AJAX Spider tab shows you the set of unique URIs found by AJAX Spider.

For each request you can see:


	The request index - each request is numbered, starting at 1
	The request timestamp
	The HTML method, e.g. GET or POST
	The URL requested
	The HTTP response status code
	A short summary of what the HTTP response code means
	The length of time the whole request took
	The size of the response header
	The size of the response body
	Any Alerts on the request
	Any Notes you have added to request
	Any Tags you have added to request

Selecting a requests will display it in the Request tab and Response tab above.

API

Mon, 01 Jan 0001 00:00:00 +0000

API

ZAP provides an Application Programming Interface (API) which allows you to interact with ZAP programmatically.

The API is available in JSON, HTML and XML formats.

A simple web UI which allows you to explore and use the API is available via the URL http://zap/ when you are proxying via ZAP, or via the host and port ZAP is listening on, eg http://localhost:8080/.

Automation Framework - addOns Job

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - addOns Job

This job has been depreciated, no longer does anything, and should no longer be used.

Previously it allowed you to manage the ZAP add-ons. However it turns out that adding and updating add-ons when running a plan is a bad idea and does not work well.

Client Script Authentication

Mon, 01 Jan 0001 00:00:00 +0000

Client Script Authentication

This add-on adds a new authentication type which uses a browser to login to the target website.

This functionality leverages Zest scripts (which may have been recorded via the ZAP Browser Extension) to login.

Automation Framework

Client Script Authentication can be configured in the environment section of an Automation Framework plan using:

Client Side Integration - Passive Scan Rules

Mon, 01 Jan 0001 00:00:00 +0000

Client Side Integration - Passive Scan Rules

The Client Side Integration add-on supports passive scanning of the data streamed from the browser.

The following rules are included in this add-on:

Information Disclosure - Information in Browser Storage

This rule reports any information stored in browser localStorage and sessionStorage.

Developer Full Policy

Mon, 01 Jan 0001 00:00:00 +0000

Developer Full Policy

A developer focused policy, including a superset of the dev standard with a greater variety of potential findings and only minimal environmental/server related rules, intended for use in a dev environment.

A superset of Developer Standard
Intended to run in a dev environment
No rules with high false positives
No timing attacks
Minimal environmental / server related rules

For the list of scan rules included see the Alert Tag: POLICY_DEV_FULL page.

Encode / Decode / Hash dialog

Mon, 01 Jan 0001 00:00:00 +0000

The Encode / Decode / Hash dialog is now provided by the Encode / Decode / Hash add-on.

Find dialog

Mon, 01 Jan 0001 00:00:00 +0000

Find dialog

This allows you to find the text you enter in the selected tab.

Accessed via


	Top level Edit menu	‘Find…’ menu item
	Break tab	‘Find…’ right click menu item
	Request tab	‘Find…’ right click menu item
	Response tab	‘Find…’ right click menu item
	Spider tab	‘Find…’ right click menu item


	UI Overview	for an overview of the user interface
	Dialogs	for details of the dialogs or popups

History tab

Mon, 01 Jan 0001 00:00:00 +0000

History tab

The History tab shows a list of all of the requests in the order in which they were made.

For each request you can see:


	The request index - each request is numbered, starting at 1
	The HTML method, e.g. GET or POST
	The URL requested
	The HTTP response code
	A short summary of what the HTTP response code means
	The length of time the whole request took
	Any Alerts on the request
	Any Notes you have added to request
	Any Tags on the request

Selecting a requests will display it in the Request tab and Response tab above.

Options API screen

Mon, 01 Jan 0001 00:00:00 +0000

Options API screen

This screen allows you to configure the API options:

Enabled

If enabled then the API is available to all machines that are able to access ZAP’s proxies that expose the API.

Payloads dialog

Mon, 01 Jan 0001 00:00:00 +0000

Payloads dialog

This allows you to select the payload generators to use when fuzzing a request.

Payload generators generate the raw values or attacks that the fuzzer submits to the target application.

The following types of generators are provided by default:

Empty/Null - generates the selected payload multiple times, leaving the message without changes. This payload generator is useful to send multiple messages that are later processed, for example, with a Fuzzer HTTP Processor (Script).
File - select any local file for one off attacks
File Fuzzers - select any combination of the fuzzing files registered with ZAP, e.g. via add-ons like fuzzdb
Numberzz - allows to easily generate a sequence of numbers, with custom increment
Regex - generate attacks based on regex patterns
Strings - raw strings, which can be entered manually or pasted in
Script - custom scripts that can generate any payloads required
Json - generate attacks by fuzzing the provided json

You can write custom payload generator scripts - these can supply any payloads that you need.

Rate Limit

Mon, 01 Jan 0001 00:00:00 +0000

Rate Limit

The Rate Limit feature limits the request rate of HTTP/HTTPS (not web sockets) traffic to hosts or domains to prevent overloading the target or being blocked. The limit is applied using a matcher against the request host to pick an individual host, an entire domain, or anything between. In the case a host matches multiple rules, the rule with the most restrictive rate is used.

Release 2.14.0

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.14.0

This is a bug fix and enhancement release.
These release notes do not include all of the changes included in add-ons updated since 2.13.0.

This release was made possible thanks to our Platinum Sponsor, the Software Security Project.

Some of the more significant enhancements include:

Rebranding and Docker Hub Move

ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.

Report Generation API

Mon, 01 Jan 0001 00:00:00 +0000

Report Generation API

The following operations are added to the API:

Views

templates: View available templates.
templateDetails (template*): View details of the specified template.

Actions

generate (title* template* theme description contexts sites sections includedConfidences includedRisks reportFileName reportFileNamePattern reportDir display): Generate a report with the supplied parameters.
- title: Report Title
- template: Report Template
- theme: Report Theme
- description: Report Description
- contexts: The name of the contexts to be included in the report, separated by ‘|’. For example, “Default Context|My Context”.
- sites: The site URLs that should be included in the report, separated by ‘|’.
- sections: The report sections that should be included, separated by ‘|’. View section names via API view templateDetails (template*)
- includedConfidences: Confidences that should be included in the report, separated by ‘|’. Accepted values are “False Positive”, “Low”, “Medium”, “High”, and “Confirmed”.
- includedRisks: Risks that should be included in the report, separated by ‘|’. Accepted values are “Informational”, “Low”, “Medium”, and “High”.
- reportFileName: The file name of the generated report. This value overrides the reportFileNamePattern parameter.
- reportFileNamePattern: Report File Name Pattern. For example, {{yyyy-MM-dd}}-ZAP-Report-[[site]].
- reportDir: Path to directory in which the generated report should be placed.
- display: Display the generated report. Either “true” or “false”.

Scripts tree tab

Mon, 01 Jan 0001 00:00:00 +0000

Scripts tree tab

The Scripts tree tab shows you all of the scripts you currently have loaded organized by type.

It also shows you which templates you have available - these cannot be run directly, you use them to create new scripts.

It also allows you to add new scripts, load, save and remove them.

WebSocket API

Mon, 01 Jan 0001 00:00:00 +0000

WebSocket API

Views

channels

Returns all of the registered web socket channels.

Mon, 01 Jan 0001 00:00:00 +0000

Rick started contributing to ZAP in 2014.

Rick is employed by Checkmarx to work on ZAP.

Other Work

Rick is very active in OWASP and also co-leads the Web Security Testing Guide and Vulnerable Web Applications Directory projects.

Authentication

Mon, 01 Jan 0001 00:00:00 +0000

Authentication

ZAP can handle a wide range of authentication mechanisms.
If you are new to ZAP automation then the best place to start is the ZAP Authentication Decision Tree (external link).

Each Context has:

an Authentication Method which defines how authentication is handled. The authentication is used to create Web Sessions that correspond to authenticated webapp Users.
an Authentication Verification Strategy which defines how ZAP should detect when messages correspond to authenticated requests.

You can use any combination of Authentication Method and Verification Strategy which works for your webapp.

Auto-Detect Session Management

Mon, 01 Jan 0001 00:00:00 +0000

Auto-Detect Session Management

This add-on adds a new Session Management type which you can use to indicate that the Session Management Request Identification passive scan rule should attempt to configure the Session Management method automatically.

Automation Framework - activeScan-config Job

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - activeScan-config Job

This job configures the active scanner, for custom active scans (e.g. Sequence).

YAML

  - type: activeScan-config                # Configures the settings of the active scanner.
    parameters:
      maxRuleDurationInMins:               # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
      maxScanDurationInMins:               # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
      maxAlertsPerRule:                    # Int: Maximum number of alerts to raise per rule, default: 0 unlimited
      defaultPolicy:                       # String: The name of the default scan policy to use, default: Default Policy
      handleAntiCSRFTokens:                # Bool: If set then automatically handle anti CSRF tokens, default: true
      injectPluginIdInHeader:              # Bool: If set then the relevant rule ID will be injected into the X-ZAP-Scan-ID header of each request, default: false
      threadPerHost:                       # Int: The max number of threads per host, default: 2 * Number of available processor cores
    inputVectors:                          # The input vectors used during the active scan.
      urlQueryStringAndDataDrivenNodes:    # Configures the scanning of query parameters and DDNs.
         enabled:                          # Bool: If query parameters and DDNs scanning should be enabled. Default: true
         addParam:                         # Bool: If a query parameter should be added if none present. Default: false
         odata:                            # Bool: If OData query filters should be scanned. Default: true
      postData:                            # Configures the scanning of request bodies.
        enabled:                           # Bool: If enabled. Default: true
        multiPartFormData:                 # Bool: If multipart form data bodies should be scanned. Default: true
        xml:                               # Bool: If XML bodies should be scanned. Default: true
        json:                              # Configures the scanning of JSON bodies.
          enabled:                         # Bool: If JSON scanning should be enabled. Default: true
          scanNullValues:                  # Bool: If null values should be scanned. Default: false
        googleWebToolkit:                  # Bool: If GWT scanning should be enabled. Default: false
        directWebRemoting:                 # Bool: If DWR scanning should be enabled. Default: false
      urlPath:                             # Bool: If URL path segments should be scanned. Default: false
      httpHeaders:                         # Configures the scanning of HTTP headers.
        enabled:                           # Bool: If HTTP header scanning should be enabled. Default: false
        allRequests:                       # Bool: If set then the headers of requests that do not include any parameters will be scanned. Default: false
      cookieData:                          # Configures the scanning of cookies.
        enabled:                           # Bool: If enabled. Default: false
        encodeCookieValues:                # Bool: If cookie values should be encoded. Default: false
      scripts:                             # Bool: If Input Vector scripts should be used. Default: true
    excludePaths:                          # An optional list of regexes to exclude
    enabled:                           # Bool: If set to false the job will not be run, default: true
    alwaysRun:                         # Bool: If set and the job is enabled then it will run even if the plan exits early, default: false

Note that the ’excludePaths’ will overwrite any existing session “Exclude from Scanner” paths.

Client Side Integration - AJAX Spider Enhancement

Mon, 01 Jan 0001 00:00:00 +0000

Client Side Integration - AJAX Spider Enhancement

This add-on now adds a Client Spider which is designed to explore modern web apps more effectively. You are recommended to try this out as it is likely to be more effective that the AJAX Spider Enhancement detailed here.

Also note that from ZAP 2.16.0 the AJAX Spider has an option to enable browser extensions, and that option is turned off by default. You will need to turn it on in order for this integration to work.

Footer

Mon, 01 Jan 0001 00:00:00 +0000

This footer displays counts of the High, Medium, Low and Informational alerts and counts of the currently active active and spider scans.

It can also contain counters for other tools or provided by add-ons.


	UI Overview	for an overview of the user interface

History Filter dialog

Mon, 01 Jan 0001 00:00:00 +0000

History Filter dialog

This dialog allows you to restrict which requests are displayed in the History tab.

Fields

The dialog has the following fields:

Options Breakpoints screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Breakpoints screen

This screen allows you to configure the breakpoint options:

Confirm drop trapped message

Asks for confirmation when a request or response is dropped.

Payload Processors dialog

Mon, 01 Jan 0001 00:00:00 +0000

Payload Processors dialog

This allows you to select the payload processors to use with specific payload generators.

Built-in payload processors include:

Base64 Decode
Base64 Encode
Expand (to a minimum specified length)
JavaScript Escape
JavaScript Unescape
MD5 Hash
Postfix String
Prefix String
SHA-1 Hash
SHA-256 Hash
SHA-512 Hash
Trim
URL Decode
URL Encode

You can also write custom payload processor scripts - these can perform any manipulation of the payload that you need.

QA CI/CD Policy

Mon, 01 Jan 0001 00:00:00 +0000

QA CI/CD Policy

A quality assurance focused policy meant to perform fairly quickly while providing a greater set of results than developer policies, intended for use in a CI/CD pipeline for a QA/staging environment.

Recommended for running in CI/CD
Intended to run in a QA / Staging environment which is close to production
A superset of Developer CI/CD but with important env / server rules enabled
No long running rules
No rules with high false positives
No timing attacks
No informational only rules
Minimal overlap

For the list of scan rules included see the Alert Tag: POLICY_QA_CICD page.

Release 2.13.0

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.13.0

This is a bug fix and enhancement release.
These release notes do not include all of the changes included in add-ons updated since 2.12.0.

Some of the more significant enhancements include:

HTTP/2 Support

HTTP/2 is now supported, with no configuration changes required.

Search tab

Mon, 01 Jan 0001 00:00:00 +0000

Search tab

The Search tab allows you to search for regular expressions in all of the URLs, requests, responses, headers and in other functionalities provided by add-ons.

Enter the regular expression you would like to search for in the search box and either press return or click on the search button:

Server Certificates

Mon, 01 Jan 0001 00:00:00 +0000

Server Certificates

This screens allows to manage and configure the root CA certificate and issued certificates.

ZAP allows you to transparently decrypt SSL connections. For doing so, ZAP has to encrypt each request before sending to the server and decrypt each response, which comes back. But, this is already done by the browser. That’s why, the only way to decrypt or intercept the transmission, is to do a ‘manipulator in the middle’ approach.

WebSocket Passive Scan Rules

Mon, 01 Jan 0001 00:00:00 +0000

WebSocket Passive Scan Rules

Scripts

Scripts which are included by default in the add-on and they implement the following WebSocket passive scan rules:

Authentication Methods

Mon, 01 Jan 0001 00:00:00 +0000

Authentication Methods

ZAP handles multiple types of authentication (called Authentication Methods ) that can be used for websites / webapps. Each Context has an Authentication Method defined which dictates how authentication is handled. The authentication is used to create Web Sessions that correspond to authenticated webapp Users.

Authentication methods can be used in multiple places around ZAP. Some of the examples include:

Automation Framework - activeScan-policy Job

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - activeScan-policy Job

This job defines an active scan policy. This policy can be used later in the plan by active scan related jobs, like activeScan job.

YAML

  - type: activeScan-policy            # Defines a new active scan policy which can be used by later activeScan related jobs
    parameters:
      name:                            # String: Name of the policy, mandatory
    policyDefinition:                  # The policy definition
      defaultStrength:                 # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
      defaultThreshold:                # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
      alertTags:                       # Add rules based on alert tags; does not override or remove rules listed explicitly under "rules"
        include: []                    # List of alert tags to include, regex supported
        exclude: []                    # List of alert tags to exclude from this include list, regex supported
        strength:                      # String: The Attack Strength for this set of rules, one of Low, Medium, High, Insane, default: Medium
        threshold:                     # String: The Alert Threshold for this set of rules, one of Off, Low, Medium, High, default: Medium
      rules:                           # A list of one or more active scan rules and associated settings which override the defaults
      - id:                            # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
        name:                          # Comment: The name of the rule for documentation purposes - this is not required or actually used
        strength:                      # String: The Attack Strength for this rule, one of Low, Medium, High, Insane, default: Medium
        threshold:                     # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
    enabled:                           # Bool: If set to false the job will not be run, default: true
    alwaysRun:                         # Bool: If set and the job is enabled then it will run even if the plan exits early, default: false

Policy Definition Hierarchy

ZAP processes the policy definition in the following order:

Breakpoints tab

Mon, 01 Jan 0001 00:00:00 +0000

Breakpoints tab

The Breakpoints tab shows you all of the breakpoints that you have set.

Breakpoints can be set via the History and Sites tabs as well as the ‘Add a custom HTTP breakpoint’ button on the top level toolbar

Right clicking on a breakpoint will bring up a menu which will allow you to:

Can ZAP be used to test mobile apps?

Mon, 01 Jan 0001 00:00:00 +0000

Yes, see this video from ZAPCon 2021:

These videos from @SecureCloudDev:

And these articles:

Intercepting Android traffic using OWASP ZAP - TheZero blog
Four Ways to Bypass Android SSL Verification and Certificate Pinning - NetSPI Blog
Debugging iOS apps with Zaproxy - Omer Levi Hevroni’s blog - Via The Way Back Machine

Can ZAP be used to test my favorite framework or technology?

Mon, 01 Jan 0001 00:00:00 +0000

If you have questions about using ZAP to test your app or site based on a specific framework or technology, please ask in the User Group.

Can ZAP be used to test my favorite vulnerable app?

Mon, 01 Jan 0001 00:00:00 +0000

We have a new section of the site focused on how to set up ZAP to scan a variety of test vulnerable web apps: ZAP Vs Test Apps.

The following pages will be updated and moved to that section in time.

Can ZAP be used to test Windows 8 Metro apps?

Mon, 01 Jan 0001 00:00:00 +0000

Yes, and there’s an excellent description of how to do that written by Bill Sempf: https://www.sempf.net/post/Pentesting-Windows-8-Metro-Apps-with-Zed-Attack-Proxy

Client Side Integration - Firefox Profile

Mon, 01 Jan 0001 00:00:00 +0000

Client Side Integration - Firefox Profile

This add-on creates a Firefox profile called ‘zap-client-profile’ and sets it as the default profile that ZAP will use. This profile enables the ZAP Firefox extension for all sites.

If you choose to use another profile then you will need to manually approve the ZAP extension for every site you use it for, every time you launch a browser from ZAP.

Fonts in ZAP look bad on my system - what should I do?

Mon, 01 Jan 0001 00:00:00 +0000

This seems to come up on various Linux distros from time to time. For example: https://github.com/zaproxy/zaproxy/issues/3051

The following suggestions may let you work past the issue.

Try starting ZAP from the command line instead of starting it from a shortcut (such as a Plasma/KDE button, dock icon, etc.)
Try adding the following to /etc/environment:

_JAVA_OPTIONS='-Dawt.useSystemAAFontSettings=on'

Fuzzer tab

Mon, 01 Jan 0001 00:00:00 +0000

Fuzzer tab

The Fuzzer tab shows you the requests and responses performed when you fuzz a message.
Select a row to see the full requests and responses. You can also search for strings in the fuzz results using the ‘Search’ tab.

HTTP Fuzzer results

The results have to be manually assessed to know if any vulnerability was found.

Header Based Session Management

Mon, 01 Jan 0001 00:00:00 +0000

Header Based Session Management

This add-on adds a new session management type which supports an arbitrary number of headers.

If used in conjunction with Browser Based Authentication or Client Script Authentication then it will also maintain all of the cookies and any headers with names containing the strings “auth” or “csrf” (ignoring case) set as part of authentication.

How can I run ZAP with a high DPI display?

Mon, 01 Jan 0001 00:00:00 +0000

If ZAP is displayed in a really tiny window then it’s probably because you have a high DPI display.

We believe High DPI displays and ZAP should behave properly with Windows and Java 11+.

If you’re using Windows and encounter an issue then you can set the compatibility settings:

How can I use the ZAP API in my own regression tests?

Mon, 01 Jan 0001 00:00:00 +0000

You can use ZAP to perform security regression tests on your own products.

Note that this answer is very basic and WILL need to be improved ;)

You need to have installed Java and ZAP.

To launch ZAP from a Java program you can do something like:

ProcessBuilder pb = new ProcessBuilder("/home/myuser/fullpath/ZAP 2.9.0/zap.sh");  // full path to script, use zap.bat on Windows
pb.directory(new File("/home/myuser/fullpath/ZAP 2.9.0/"));  // directory where the script is in
Process p = pb.start();

Note that this will bring up the full UI, which is useful for initial testing. To launch it in the background pass “-daemon” as an argument to the script. Obviously there will be equivalents in other languages - you just need to run the relevant script (zap.sh or zap.bat) with the working directory set up to the location of that script.

How can you easily maximize a tab?

Mon, 01 Jan 0001 00:00:00 +0000

You can maximise any tab in ZAP by double clicking on it - that tab will now take up all of the ZAP window.

To see the other sets of tabs double click any of the tabs again.

How can you use ZAP to scan APIs?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP understands API formats like JSON and XML and so can be used to scan APIs.

The problem is usually how to effectively explore the APIs.

There are various options:

If your API has an OpenAPI/Swagger definition then you can import it using the OpenAPI add-on.
If your API uses GraphQL then you can explore it using the GraphQL add-on.
If your API has a WSDL then you can import it using the SOAP add-on.
If you have a list of endpoint URLs then you can import these using the Import files containing URLs add-on.
If you have regression tests for you API then you can proxy these through ZAP

The add-ons are available from the ZAP Marketplace.

How can ZAP test sites that use certificate pinning?

Mon, 01 Jan 0001 00:00:00 +0000

Certificate pinning also known as Public Key Pinning “is a mechanism for sites to specify which certificate authorities have issued valid certs for that site, and for user-agents to reject TLS connections to those sites if the certificate is not issued by a known-good CA.”

Sites that use certificate pinning will typically not be loaded in your browser if you are proxying it through ZAP.

How do I see what version of an add-on/extension I have installed?

Mon, 01 Jan 0001 00:00:00 +0000

There are three ways to do this:

1 - Via the Marketplace

Click the Marketplace button in the main toolbar:
The Installed tab now displays a column including the current version. This adds clarity if/when an update is available as the bottom panel displays the details for the update:

From the Help menu select “Support Info…”
Copy the entire contents or find the specific add-on you’re interested in.

3 - Via the CLI

zap.bat -suppinfo or zap.sh -suppinfo will produce output similar to:

OWASP ZAP
Version: 2.8.0
Installed Add-ons: [[id=alertFilters, version=8.0.0], [id=ascanrules, version=33.0.0], [id=bruteforce, version=8.0.0]
...snip...
[id=tips, version=6.0.0], [id=webdriverwindows, version=10.0.0], [id=websocket, version=19.0.0], [id=zest, version=29.0.0]]
Operating System: Windows 7
Java Version: Oracle Corporation 1.8.0_191
System's Locale: en_CA
Display Locale: en_GB
Format Locale: en_GB
ZAP Home Directory: C:\Users\someone\OWASP ZAP\
ZAP Installation Directory: C:\Program Files\OWASP\Zed Attack Proxy\.\
Look and Feel: Metal (javax.swing.plaf.metal.MetalLookAndFeel)

Manage Add-ons

Mon, 01 Jan 0001 00:00:00 +0000

Manage Add-ons

This allows you to manage the add-ons that you have installed and download new ones from the Add-on Marketplace.

Two tabs are available:

Installed

This tab shows you the version of ZAP you are running, all of the installed add-ons and allows you to check for any updates to ZAP or any of the add-ons.
Hovering over an add-on will show you more information about it.
You can also uninstall add-ons from this tab - typically add-ons are dynamically removed from the ZAP UI as soon as you uninstall them.

Manual Request Editor dialog

Mon, 01 Jan 0001 00:00:00 +0000

This page was moved.

Options Callback Address screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Callback Address screen

The Callback Address screen allows you to configure the address used to detect vulnerabilities that allow an attacker to call remote URLs.
In previous versions the ZAP API was used for this purpose, but from 2.6.0 onwards a separate endpoint is used so that target systems no longer need access to the API.

Options Check for Updates screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Check for Updates screen

This screen allows you to configure whether ZAP checks to see if you are running the latest version when it starts, and if so what it does.

Check for Updates on startup

If selected then ZAP will automatically check for updates to the whole application and all of the add-ons when it starts.

Options Client Certificate screen

Mon, 01 Jan 0001 00:00:00 +0000

This page was moved.

Paros Proxy

Mon, 01 Jan 0001 00:00:00 +0000

Paros Proxy

ZAP is a fork of version 3.2.13 of the open source variant of Paros developed by Chinotec Technologies Company.

The releases section details of the changes made to Paros.

The source code is freely and publicly available as required by the Clarified Artistic License under which Paros was released.

QA Standard Policy

Mon, 01 Jan 0001 00:00:00 +0000

QA Standard Policy

A quality assurance focused policy meant to perform fairly quickly while providing a greater set of results than developer policies, intended for use in a QA/staging environment.

Intended to run in a QA / Staging environment which is close to production
A superset of Developer Standard but with important env / server rules enabled
Not env issues that should have been fixed by everyone

For the list of scan rules included see the Alert Tag: POLICY_QA_STD page.

Release 2.12.0

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.12.0

This is a bug fix and enhancement release, which now requires a minimum of Java 11.
As the main zaproxy/zaproxy repo has just reached 10k stars we’re calling this the ‘Ten Thousand Star’ Release!

This release fixes an HTML Injection vulnerability in the ZAP Desktop which was rated a P3 / Medium level vulnerability. While we do not think that it can be exploited in any meaningful way, desktop users are still recommended to update from older ZAP versions a.s.a.p.

Setting up ZAP to Test Damn Vulnerable Web App (DVWA)

Mon, 01 Jan 0001 00:00:00 +0000

Following the steps used to spider/scan DVWA.

This was tested with

DVWA 2.3
ZAP 2.15.0

To set up DVWA follow the instructions on https://github.com/digininja/DVWA

In this case the following commands were used, but you should check to see if anything has changed:

git clone https://github.com/digininja/DVWA.git
cd DVWA
docker compose up -d

To run a full authenticated scan against DVWA download and import the Automation Framework plan:

Setting up ZAP to Test OWASP Pixi

Mon, 01 Jan 0001 00:00:00 +0000

Notes:

This FAQ is a work in progress as of 2018-June-1
This FAQ contains spoilers: <details> tags have been used to make them expandable and not immediately visible (which should work in most modern browsers).
These instructions assume you’ve created a user: test@example.com with password: testExample (via http://localhost:8000/register).

The following the steps are based on spider/scan of Pixi at http://localhost:8000/ using ZAP 2.7.0.

Setting up ZAP to Test Vaadin Apps

Mon, 01 Jan 0001 00:00:00 +0000

The information in this FAQ is based on details from: This user group thread

The Vaadin framework makes heavy use of JavaScript, so it seems the Ajax Spider is the way to go.

As you work to figure things out and get them configured correctly it makes sense to starting by proxying your browser through ZAP, identifying the http session and then flagging it as the ‘active session’ before starting the Ajax Spider.

Web Sockets - About

Mon, 01 Jan 0001 00:00:00 +0000

Web Sockets - About

Source Code

https://github.com/zaproxy/zap-extensions/tree/main/addOns/websocket

Authors

ZAP Dev Team

What causes: Exception in thread 'AWT-EventQueue-0' when loading ZAP on Docked Mac OSX?

Mon, 01 Jan 0001 00:00:00 +0000

As discussed in https://github.com/zaproxy/zaproxy/issues/5469, this issue seems to occur when laptops are docked. (The work around is to un-dock your system.)

This is the same as https://github.com/oracle/visualvm/issues/84 which links to https://bugs.openjdk.java.net/browse/JDK-8223158

This issue is unfortunately outside the control of the ZAP team.

What is ZAP's assurance case?

Mon, 01 Jan 0001 00:00:00 +0000

Basic Threat Model & Trust Boundaries

ZAP is a Java application which is meant to be used primarily in Single user and CI/CD deployment models. As such protection of ZAP and its associated/generated data is outside the scope of ZAP’s sphere of influence (ex: if a system which houses ZAP can be physically stolen, then all the data on the system is at risk).

What operating systems are supported?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP should run on all operating systems that support Java 17 - it can even run on a Raspberry Pi!

If you experience any problems running ZAP then please report them to us.

What vulnerability classifications are supported?

Mon, 01 Jan 0001 00:00:00 +0000

ZAP includes the following classifications for all of the vulnerabilities it finds wherever possible:

Why am I getting blank ZAP windows on Linux?

Mon, 01 Jan 0001 00:00:00 +0000

Java has problems with ’non standard’ window managers.

If you have changed from one of the main window managers and are seeing blank windows when you use ZAP then see https://wiki.haskell.org/Xmonad/Frequently_asked_questions#Problems_with_Java_applications.2C_Applet_java_console for potential solutions.

Why are there missing History IDs?

Mon, 01 Jan 0001 00:00:00 +0000

When you proxy via ZAP you will often see that some of the Ids in the History tab are ‘missing’, e.g. it will jump from 1 to 4 etc.

The missing Ids do not refer to ‘hidden’ requests that ZAP is making.

Instead those requests (which are not sent at all) are generated by ZAP for “internal” use only. They are used to show a “GET” request when “directory” nodes of the “Sites” tab, not yet (manually) accessed, are selected.

Why has the Quick Scan Attack reported an invalid URL?

Mon, 01 Jan 0001 00:00:00 +0000

If the Quick Start Attack fails with the message:

Failed to attack the URL, please check that the URL is valid

then the first thing to do is check your URL in a browser.

If it works ok then open the ZAP Manual Request Editor, replace the default URL with the one you are trying and send the request.

Why is an API key required by default?

Mon, 01 Jan 0001 00:00:00 +0000

Since version 2.4.1 ZAP has required an API key by default in order to invoke API operations that make changes to ZAP. Since version 2.6.0 an API key is required by default in order to invoke any of the API operations. This is a security feature to prevent malicious sites from invoking the ZAP API. ZAP version 2.6.0 also introduced additional security options. All of the API security options, including the API key, can be found in the API Options screen.

Mon, 01 Jan 0001 00:00:00 +0000

Akshath is the author of the GraphQL and OAST add-ons for ZAP.

He made his initial contributions as a Google Summer of Code student.

He loves hacking on ZAP and tries to contribute in whatever way he can - be it code, documentation or user support.

Akshath can be sponsored directly via his GitHub Sponsors page.

Alerts tab

Mon, 01 Jan 0001 00:00:00 +0000

Alerts tab

The Alerts tab show the Alerts that have been raised in this session. The alerts are displayed in a tree in risk order in the left hand pane, and each node of the tree shows the total number of alerts underneath it.

Selecting an alert with one click will display it in the right hand pane. Double clicking an alert will display the Add Alert dialog which will allow you to change the alert details.

Authentication Verification Strategies

Mon, 01 Jan 0001 00:00:00 +0000

Authentication Verification Strategies

Verification Strategies

ZAP supports multiple Verification Strategies in order to detect when messages correspond to authenticated requests.

Check every Response

When this strategy is used then ZAP will use the specified Regex Patterns on every response. This is typically useful for traditional webapps which return full HTML pages.

Automation Framework - activeScan Job

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - activeScan Job

This job runs the active scanner. This actively attacks your applications and should therefore only be used against applications that you have permission to test.

It is covered in the video: ZAP Chat 12 Automation Framework Part 6 - Delays and Active Scan.

By default this job will actively scan the first context defined in the environment and so none of the parameters are mandatory.

Client Side Integration - Internals

Mon, 01 Jan 0001 00:00:00 +0000

Client Side Integration - Internals

Browser Extension

This add-on depends on a ZAP browser extension which runs in Firefox and Chrome - if this extension is not present then this add-on will not be able to do anything.

Credits

Mon, 01 Jan 0001 00:00:00 +0000

Credits

ZAP Core Team (Current)

People who have made significant enhancements to the latest releases.
For more details of code contributions see: https://www.openhub.net/p/zaproxy/contributors

How Can I set Variables in the Automation Framework?

Mon, 01 Jan 0001 00:00:00 +0000

The Automation Framework supports variables, which includes environment variables. You can use these to set values referenced in your plan from the command line, including secrets such as credentials.

To see this in action download the ScriptEnvVarAccess.yaml plan and store it in your current working directory.

Edit the script and change PATH to MyVar.

Manage History Tags dialog

Mon, 01 Jan 0001 00:00:00 +0000

Manage History Tags dialog

This allows you to manage the tags associated with a request.

Accessed via


	History tab	‘Manage History Tags…’ right click menu item


	UI Overview	for an overview of the user interface
	Dialogs	for details of the dialogs or popups

Options Database screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Database screen

This screen allows you to configure the database options:

Compact (on exit)

Allows to compact the database when ZAP is closed, compacting the database ensures a minimal space disk usage but it will also take longer to exit ZAP.

QA Full Policy

Mon, 01 Jan 0001 00:00:00 +0000

QA Full Policy

A quality assurance focused policy, including a superset of the QA standard with a greater variety of potential findings with more environmental/server related rules, intended for use in a QA/Staging environment.

Intended to run in a QA / Staging environment which is close to production
A superset of Developer Full (and QA Standard) but with more env / server rules enabled

For the list of scan rules included see the Alert Tag: POLICY_QA_FULL page.

Release 2.11.1

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.11.1

This release includes an important security fix - users are urged to upgrade asap. For more details refer to the blog post ZAP and Log4Shell.

Changes in Bundled Libraries

The following library was updated:

Verification Request Identification

Mon, 01 Jan 0001 00:00:00 +0000

Verification Request Identification

This add-on includes a passive scan rule which attempts to identify Verification requests.
Verification requests are the requests that ZAP uses to tell if a session is still valid.

Unlike the other identification scan rules in this add-on, this rule will only raise alerts if you have indicated that you want to use verification auto-detection for a specific context. Due to the way the ZAP 2.12 core works it is not currently possible to add a new Verification Method Type dynamically. Instead you will need to:

What is the Best Way to Automate ZAP?

Mon, 01 Jan 0001 00:00:00 +0000

For most use cases, the best way to automate ZAP is using the Automation Framework.

For a comparison of the different automation options see Automation Options.

Active Scan tab

Mon, 01 Jan 0001 00:00:00 +0000

Active Scan tab

The Active Scan tab allows you to perform an active scan.

The ‘Scan Policy Manager’ button shows the Scan Policy Manager dialog which allows configuration of scan policies.

The ‘New Scan’ button launches the Active Scan dialog which allows you to specify exactly what should be scanned.

The toolbar provides a set of buttons which allow you to start, stop, pause and resume the scan selected.
A progress bar shows how far the scan of the selected site has progressed.
The ‘Current scans’ value shows how many scans are currently active - hovering over this value will show a list of the sites being scanned in a popup.
The ‘Show scan progress details’ button launches the Scan Progress dialog which allows you to see details about which rules are running, skip individual rules and see a chart of the responses.

Authentication Tester Dialog

Mon, 01 Jan 0001 00:00:00 +0000

Authentication Tester Dialog

This dialog allows you to test if ZAP can authenticate and automatically handle the session handling and verification for a site given only the login page and credentials.

Fields

The following fields are provided:

Automation Framework - delay Job

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - delay Job

This job waits for a specified time unless one of a specific set of conditions are met.
It can be used to wait for regression tests being proxied through ZAP in order to explore your application more thoroughly.

It is covered in the video: ZAP Chat 12 Automation Framework Part 6 - Delays and Active Scan.

Breakpoints

Mon, 01 Jan 0001 00:00:00 +0000

Breakpoints

A breakpoint allows you to intercept a request from your browser and to change it before it is submitted to the web application you are testing.

You can also change the responses received from the application

The request or response will be displayed in the Break tab which allows you to change disabled or hidden fields, and will allow you to bypass client side validation (often enforced using javascript).

Options Connection screen

Mon, 01 Jan 0001 00:00:00 +0000

This page was moved.

Options Display screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Display screen

The Display screen allows you to configure:

Images

If ZAP processes images.

Show (local) CONNECT requests

If the HTTP CONNECT requests received by ZAP’s proxies should be persisted in the current session and shown in the History tab. The default is to not show those requests, they happen frequently (in preparation for TLS/SSL, WebSocket… connections) and, unless inspecting the behaviour of the client application, are not (usually) of much interest.

Penetration Tester Policy

Mon, 01 Jan 0001 00:00:00 +0000

Penetration Tester Policy

A policy which enables all of the installed active scan rules with the exception of the Example rules.

Programmatic Name: Pen Test

Return to main scan policies page.

Release 2.11.0

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.11.0

This is the OWASP 20th anniversary bug fix and enhancement release, which requires a minimum of Java 8. Note that a minimum of Java 11 is recommended, especially for high DPI displays.

These release notes do not include all of the changes included in add-ons updated since 2.10.0.

Automation Framework - exitStatus Job

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - exitStatus Job

This job sets ZAP’s exit code based on scan results. It also allows you to choose which exit values are used. It should typically be the last job in a plan.

If warnLevel or errorLevel are set then the job will report a warning or error if any alerts are raised which have the same risk level or greater.

Callbacks

Mon, 01 Jan 0001 00:00:00 +0000

Callbacks

Various ZAP components (scan rules, etc) may leverage payloads which result in HTTP requests back to ZAP. Such callback requests may be triggered by the spider(s), a user, or a future action from a tertiary system.

The ZAP GUI includes a panel in which such requests can be reviewed: Callbacks tab.

Contexts

Mon, 01 Jan 0001 00:00:00 +0000

Contexts

Contexts are a way of relating a set of URLs together.

You can define any contexts you like, but it is expected that a context will correspond to a web application.

It is recommended that you define a new contexts for each web application that makes up the system you are testing, and set them in scope as you test each one.

Options Extensions screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Extensions screen

This screen allows you to enable/disable extensions that are available to ZAP, either core or added by add-ons.

Enable/Disable Extensions

Enabled extensions will be loaded by ZAP, thus adding the functionalities provided by those extensions. Disabled extensions will not be loaded.

Params tab

Mon, 01 Jan 0001 00:00:00 +0000

Params tab

This shows a summary of the parameters and response header fields a site uses. Sites can be selected via the toolbar or the Sites tab.

For each parameter you can see:


	The type - Cookie, FORM, URL, or Header
	The name of the parameter (or response header)
	The number of times it has been used
	The number of unique values
	The percentage change, where 0 means only one value has been used and 100 means all values are unique
	The flags - including cookie flags and anticsrf and session
	Some of the values - the full set of values may not all be visible

Right clicking on a node will bring up a menu which will allow you to:

Persist Session dialog

Mon, 01 Jan 0001 00:00:00 +0000

Persist Session dialog

This dialog is shown by default whenever you start a new session, which always happens when ZAP starts.
It allows you to specify how you would like this session persisted, you can also set the default choice so that you are not prompted again.

Persisting a session means it will be stored in a local database that you can access at a later date.

Release 2.10.0

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.10.0

This is a 10 year anniversary bug fix and enhancement release, which requires a minimum of Java 8. Note that a minimum of Java 11 is recommended, especially for high DPI displays.

These release notes do not include all of the changes included in add-ons updated since 2.9.0.

Report Templates

Mon, 01 Jan 0001 00:00:00 +0000

Report Templates

This add-on provides the following report templates:

Name / Link to Details, Screenshot/Sample	ID	Format	Sections	Themes
Authentication Report - JSON	auth-report-json	JSON	Yes

Spider tab

Mon, 01 Jan 0001 00:00:00 +0000

This page was moved.

Automation Framework - requestor Job

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - requestor Job

This job sends specifically crafted requests to a target url, with a custom request method and body. The user can also specify an expected response code, against which the actual response is compared, and the user is warned in case it does not match. The user can add additional headers to the request e.g. Authorization Tokens, etc.

Custom Page

Mon, 01 Jan 0001 00:00:00 +0000

Custom Page

ZAP can accommodate the definition of various non-standard error handling conditions.
Each Context may include multiple Custom Page definitions, with the following elements:

Enabled > Whether the definition is enabled or not.
Content > The String or Regex which defines the URL or response content to be matched.
Content Location > Whether the “Content” should be matched against a URL or response “Content”.
Is Regex? > Indicating whether or not “Content” is a regular expression or not.
Custom Page Type > Specifying what type of Custom Page is being defined:
- Error Page > For ‘500 - Internal Server Error’ type pages.
- Not Found > For ‘404 - Not Found’ responses.
- Ok > For ‘200 - Ok’ definitions
- Other > To facilitate use of Custom Pages in scripts or other usages that have not yet been foreseen.
- Auth. Issue > For Authentication/Authorization related responses. For example: ‘401 - Unauthorized’ or ‘403 - Forbidden’ type conditions.

Configuration example

A configuration example showing how to fully configure a webapp that returns a 200 - Ok response with the message “Sorry, we can’t seem to find what you were looking for” is seen below:

HTTP Sessions tab

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Sessions tab

This tab shows you the set of identified HTTP sessions for each Site, as detected by the HTTP Sessions extension.

The current Site the information is referring to can be selected via the toolbar or the Sites tab.

The toolbar provides a button (“New Session”) which allows you to start a new session, forcing all outgoing request messages to be without the session tokens set, so the server considers it’s a new session. This allows the creation of a new session, without destroying the old one.

Options Global Exclude URL screen

Mon, 01 Jan 0001 00:00:00 +0000

This page was moved.

Options HTTP Sessions screen

Mon, 01 Jan 0001 00:00:00 +0000

Options HTTP Sessions screen

This screen allows you to configure the HTTP Sessions Extension’s options:

Default Tokens

These are the names of the Cookies that are considered by default to be session tokens. As soon they are detected as parameters on a Site, they are automatically added as session tokens for that Site, unless manually overriden by user command.

Release 2.9.0

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.9.0

This is a bug fix and enhancement release, which requires a minimum of Java 8. Note that a minimum of Java 11 is recommended, especially for high DPI displays.

These release notes do not include all of the changes included in add-ons updated since 2.8.0.

Some of the more significant enhancements include:

Scan Policy Manager dialog

Mon, 01 Jan 0001 00:00:00 +0000

Scan Policy Manager dialog

This allows you to manage the scan policies that define the rules that are run when performing an active scan.

You can have as many scan policies as you like, and choose which one of them is run when you perform an active scan.

Add

The Add button launches the Scan Policy dialog with all of the settings defaulted.

Automation Framework - Job Tests

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - Job Outcome Tests

The automation framework supports testing the job outcomes based on conditions that you can set in the YAML file.

The currently supported tests are:

alert - Alert tests - validate the presence or absence of specified alerts
monitor - Monitor tests - allow you to stop long running jobs based on statistic thresholds
stats - Statistics tests - test any of the statistics maintained by ZAP
url - URL tests - validate the presence/absence of a URL and it’s specific expressions in the HTTP response/request

Data Driven Content

Mon, 01 Jan 0001 00:00:00 +0000

Data Driven Content

Data driven content is type of Structural Modifier which identifies URL paths that represent data.

In ’traditional’ web applications the structure of the application is typically defined by the URL paths and the data is contained in the URL parameters and POST data.

URLs like:

are represented in the Sites Tree as two ’nodes’ in the tree:

Dynamic SSL Certificates

Mon, 01 Jan 0001 00:00:00 +0000

This page was moved.

Options JVM screen

Mon, 01 Jan 0001 00:00:00 +0000

Options JVM screen

This screen allows you to configure the JVM options used when starting ZAP.

JVM Options

A free format text field which will be added to the Java command line call when invoking ZAP via either zap.sh or zap.bat.

Output tab

Mon, 01 Jan 0001 00:00:00 +0000

Output tab

This show various informational messages in a set of sub-tabs.

There is one “General” tab which can include the stack traces of unexpected exceptions - please include any stack traces if you report a bug.

Other ZAP add-ons can add their own sub-tabs. In particular the “Script Console” add-on will add one tab for each script that generates any output.

Release 2.8.0

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.8.0

This is a bug fix and enhancement release, which requires a minimum of Java 8. Note that a minimum of Java 11 is recommended, especially for high DPI displays.

These release notes do not include all of the changes included in add-ons updated since 2.7.0.

Some of the more significant enhancements include:

Scan Progress Dialog

Mon, 01 Jan 0001 00:00:00 +0000

Scan Progress Dialog

This shows you the status of an active scan.

Progress tab

This shows which scan rules are running for each host being scanned, as well as other details such as the elapsed time they have been running and the number of requests made per rule.
It also allows you to skip the rule which is currently being run by clicking on the ‘Skip current running active scan’ button in the Status column.

Automation Framework - Alert Job Test

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - Alert Job Test

Alert tests are supported by the activeScan and passiveScan-wait jobs. These tests can be used to validate the presence/absence of specific alerts in the active/passive scan. It is mandatory for the alerts specified in the plan to have a scanRuleId, against which the generated alerts will always be matched. All other fields describing an alert are optional regexes, and will be matched against only if they are specified.

Globally Excluded URLs

Mon, 01 Jan 0001 00:00:00 +0000

This page was moved.

HTTP Sessions

Mon, 01 Jan 0001 00:00:00 +0000

HTTP Sessions

This tool keeps track of the existing HTTP Sessions on a particular Site and allows the ZAP user to force all requests to be on a particular session. Basically, it allows the user to easily switch between user sessions on a Site and to create a new Session without “destroying” the existing ones.

Options Keyboard screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Keyboard screen

This screen allows you to configure keyboard shortcuts for all of the ZAP menus.

Clicking on any of the table rows will bring up a dialog box which allows you to change the keyboard shortcuts.

‘Action’ Cheatsheet

Clicking on this button will generate an HTML page which shows all of the keyboard shortcuts sorted by ‘action’.
This button is only enabled if the API is enabled and your operating systems supports opening URLs in a browser.

Release 2.7.0

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.7.0

This is a bug fix and enhancement release, which requires a minimum of Java 8.

Some of the more significant enhancements include:

Browser launch included by default - this allows you to launch browsers from ZAP that are preconfigured to proxy through ZAP and ignore the certificate warnings due to the ZAP root certificate.
Allow ZAP to listen on multiple addresses/ports
Support Server Name Indication
Updated NTLM engine implementation - this fixes the cases where the domain is being validated and improves interoperability with other (server) NTLM implementations
Lots of new API endpoints - see below for details

Note that if you do have any problems with this release then there is also a new ‘Help/Support Info…’ menu item that provides essential information about your ZAP installation which you should include with any issues you raise.

Automation Framework - Monitor Job Test

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - Monitor Job Test

Monitor tests are supported by long running jobs, such as activeScan and spider.

Unlike the other Job Tests, monitor tests run while a job is running. They work in a similar way to statistic tests in that they check a specified statistic, but there is no ‘operator’ - instead the test will fail if the value of the statistic exceeds the given threshold.

Callbacks tab

Mon, 01 Jan 0001 00:00:00 +0000

Callbacks tab

This tab shows a summary of the callback requests ZAP has received. For each callback you can see:


	An Id
	The Timestamp of the received request.
	The Method associated with the request (GET, POST, etc.)
	The URL
	The Handler - The ZAP component which caught or responded to the callback request.
	The referer (if one was included in the request, Ex: the URL on which the payload was encountered).


	Callback options
	UI Overview	for an overview of the user interface

Manipulator-in-the-middle Proxy

Mon, 01 Jan 0001 00:00:00 +0000

Manipulator-in-the-middle Proxy

ZAP is a Manipulator-in-the-middle Proxy. It allows you to see all of the requests you make to a web app and all of the responses you receive from it.

Amongst other things this allows you to see AJAX calls that may not otherwise be obvious.

You can also set breakpoints which allow you to change the requests and responses on the fly.

Options language screen

Mon, 01 Jan 0001 00:00:00 +0000

Options language screen

The language screen allows you to configure:

Language selection

The language ZAP uses for its display.
A set of languages are built into ZAP, however more languages may be available after the last release.
Check the ZAP download page for the latest language pack available.

Release 2.6.0

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.6.0

This release contains a large number of changes, in particular to the ZAP API.
We have added a significant number of new API endpoints, working towards our goal of making ZAP completely controllable via the API. We have also changed some of the existing endpoints and in all cases these changes are backwards compatible.

Automation Framework - Statistics Job Test

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - Statistics Job Test

Statistics-based tests are supported by all add-ons that have an automation job. If there is a relevant statistic used by an add-on, a test can be created for it.
An up to date list of the statistics ZAP maintains can be found at https://www.zaproxy.org/docs/internal-statistics/.

Marketplace

Mon, 01 Jan 0001 00:00:00 +0000

Marketplace

ZAP Marketplace contains ZAP add-ons which have been written by the ZAP team and the community. The add-ons help to extend the functionalities of ZAP. You can browse and download add-ons from within ZAP by clicking on the ‘Manage Add-ons’ button in the toolbar and then selecting the Marketplace tab.

Options Passive Scan Rules Screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Passive Scan Rules Screen

This screen allows you to configure the passive scan rules.

Threshold

This controls how likely ZAP is to report potential vulnerabilities.

Options Rule Configuration screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Rule Configuration screen

This screen allows you to configure the behaviour of specific active and passive scan rules.

Select any of the listed rows to see details of the specific configuration and to change the associated value. Both individual and all rules can be reset.

The built-in rules include:

Release 2.5.0

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.5.0

The following changes were made in this release:

ZAP API Changes:

VIEW authorization / getAuthorizationDetectionMethod

Now returns data wrapped in an object called authorizationDetectionMethod For example:

Spider dialog

Mon, 01 Jan 0001 00:00:00 +0000

This page was moved.

Automation Framework - URL Presence Job Tests

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - URL Presence Job Test

URL Presence tests are supported by all the jobs. These tests can be used to validate the presence/absence of a URL and it’s specific expressions in the HTTP response/request. The expressions are specified in the YAML file as regular expressions. The test will pass if the URL or the specified expression is found in the response/request depending upon the operator selection.

Modes

Mon, 01 Jan 0001 00:00:00 +0000

Modes

ZAP has a ‘mode’ which can be:

Safe - no potentially dangerous operations permitted.
Protected - you can only perform (potentially) dangerous actions on URLs in the scope.
Standard - does not restrict anything.
ATTACK - new nodes that are in scope are actively scanned as soon as they are discovered.

It is recommended that you use the Protected mode to ensure that you only attack sites that you mean to.

Options Passive Scan Tags screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Passive Scan Tags screen

This screen allows you to configure the tags that are added by the passive scanner. You can add, modify and remove the tags via the appropriate buttons.

Tag Interpolation

Options Scripts screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Scripts screen

This screen allows you to configure the script options:

Enable scripts loaded from directories

If this option is selected then all of the scripts loaded from the specified directories will be enabled by default.

Release 2.4.3

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.4.3

The following changes were made in this release:

Enhancements:

Issue 1576 : Define URL path elements as ’non structural'
Issue 1711 : Feature request: Option to specify number of token to be generated.
Issue 1768 : Update to use a more recent user-agent
Issue 1894 : ZAP only scans “User-Agent”, “Referer”, and “Host” request headers
Issue 1911 : Search AJAX spider requests
Issue 1913 : Pass all params across to zap.sh - debian package
Issue 1914 : Multiple add-on directories
Issue 1920 : Report the host:port ZAP is listening on in daemon mode, or exit if it cant
Issue 1927 : Enhancement: Break only for in-scope URLs.
Issue 1944 : Chart responses per second in ascan progress
Issue 1953 : Allow to spider a context through the ZAP API
Issue 1962 : Install and update add-ons from the command line
Issue 1975 : RC4-SHA SSL cipher suite not supported
Issue 1980 : Add ZAP CLI to Docker images
Issue 1985 : Bring up the Modify dialog if the user doubles on a row in a AbstractMultipleOptionsBaseTablePanel
Issue 2009 : Add Online links to the FAQ and Newsletter pages
Issue 2084 : Warn users if they are probably using out of date versions
Issue 2086 : Report request counts per plugin
Issue 2088 : Support an ‘update all’ button for installing all updated add-ons
Issue 2094 : Support a ‘-addoninstallall’ command line option
Issue 2102 : Allow ajax spider options to be set via the API

Bug fixes:

Issue 1070 : Breaking on custom URL with query parameters does not work.
Issue 1555 : SAXParseException while generating the report
Issue 1617 : ZAP 2.4.0 throws HeadlessExceptions when running in daemon mode on headless machine
Issue 1877 : fix path to .ZAP_JVM.properties in zap.sh
Issue 1893 : Regression: Can’t disable and enable specific scanners through the API
Issue 1910 : API does not return content in the expected encoding, on errors
Issue 1917 : Request and Response tabs dont scale the text
Issue 1939 : Scripts - Save Button Enablement Issue
Issue 1949 : Script with missing type prevents scripts and templates from being loaded
Issue 1950 : Connection closed without response, with an Authentication script with errors
Issue 1951 : Exception when trying to add users before loading an authentication script
Issue 1960 : Active Scan dialogue might use outdated scan policy
Issue 1969 : Issues with installation of scanners
Issue 1970 : Installed add-on dependencies might not be taken into account when installing add-ons
Issue 1973 : Returned HAR/list does not contain correct redirection messages
Issue 1981 : Spider might not report the correct number of URIs found
Issue 2005 : Active scanning incorrectly performed on sibling nodes
Issue 2044 : Issues in Hirschberg’s algorithm implementation
Issue 2045 : Dont copy old configs if -dir option used
Issue 2052 : Authentication changes done through the API not saved to session


	Introduction	the introduction to ZAP
	Releases	the full set of releases
	Credits	the people and groups who have made this release possible

Automation Framework - About

Mon, 01 Jan 0001 00:00:00 +0000

Automation Framework - About

Source Code

https://github.com/zaproxy/zap-extensions/tree/main/addOns/automation

Authors

ZAP Dev Team

Notes

Mon, 01 Jan 0001 00:00:00 +0000

Notes

A note is any text that you wish to associate with a request.

For example you could use notes to record details of extra tests that you need to perform on a request.

Notes are added and changed using the Add Note dialog.

Notes are flagged in the History tab with the icon.

Options Passive Scanner Screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Passive Scanner screen

This screen allows you to configure the passive scanner.

Configuration Options

Field	Details	Default	Config File
Only scan messages in scope	Sets whether or not the passive scan should be performed only on messages that are in scope.	Deselected	Key: `pscans.scanOnlyInScope` Values: `true` or `false`
Include traffic from the Fuzzer when passive scanning	Sets whether or not the passive scanning should be performed on messages generated by the Fuzzer.	Deselected	Key: `pscans.scanFuzzerMessages` Values: `true` or `false`
Max alerts any rule can raise	Sets the maximum number of alerts a passive scan rule should raise. This may be slightly exceeded due to threading. This setting is typically only useful for automated scanning. Scan rules that exceed this value will be disabled and will need to be manually enabled if a new session is started.	0 (unset)	Key: `pscans.maxAlertsPerRule` Values: `0`: unset or the maximum number of alerts
Max body size in bytes to scan	Sets the maximum size request or response body size in bytes that the passive scanner will scan. This can be used if passive scan rules take too long scanning very large requests or responses. If set the number of ignored requests and responses are recorded in the stats using the keys `stats.pscan.reqBodyTooBig` and `stats.pscan.respBodyTooBig` respectively.	0 (unset)	Key: `pscans.maxBodySizeInBytes` Values: `0`: unset or the maximum body size in bytes
Clear Queue	Empties the passive scan queue without passively scanning the messages. Currently running rules will run to completion but new rules will only be run when new messages are added to the queue.


	UI Overview	for an overview of the user interface
	Options dialogs	for details of the other Options dialog screens

Options Search screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Search screen

This screen allows you to configure the search options:

Maximum results show in “Search” tab

Allows to set the number of maximum results that should be show in the Search tab.

Release 2.4.2

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.4.2

The following changes were made in this release:

Enhancements:

Issue 1306 : Java PermSize command line flag removed in Java 8
Issue 1593 : Auto-scroll in Spider tab
Issue 1600 : Dont report X-Frame-Options alert on 403 and 404 pages
Issue 1654 : httpSessions/createEmptySession should initialize a site that was not previously visited
Issue 1702 : Add “recurse” option to the spider API
Issue 1715 : Unable to pass arguments when launching ZAP from the command line on Mac OS X
Issue 1766 : Remove context via the API
Issue 1768 : Update to use a more recent user-agent
Issue 1778 : Passive scan AJAX spider requests
Issue 1790 : Move Buffer Overflow Scanner from Beta to Release
Issue 1793 : Allow active scan scripts to check if the scan was stopped
Issue 1795 : Allow JVM options to be configured via GUI
Issue 1799 : Minor Feature Request: Allow URL to be pasted into start Spider dialog.
Issue 1802 : Minor Enhancement: Change active Pause Button to a Play button
Issue 1849 : Option to merge related issues in reports
Issue 1857 : Libraries that were updated
Issue 1865 : Increase maximum db size

Bug fixes:

Issue 1760 : Unable to initialize home directory! xml/config.xml (No such file or directory)
Issue 1763 : Automatic check for updates fails to report new versions
Issue 1770 : Exceptions when calling (some) context API actions in daemon mode
Issue 1771 : For OSX the zap.sh in the core download hard-codes the relative java location
Issue 1772 : On OS X, Found Java version lies
Issue 1777 : “Cannot locate configuration source null.policy” after opening “Active Scan” dialogue
Issue 1781 : ZAP errors with “Unsupported option ‘-psn_x_xxxxxxx’” on OS X
Issue 1784 : NullPointerException when active scanning through the API with a target without scheme
Issue 1785 : Plugin enabled even if dependencies are not, “hangs” active scan
Issue 1787 : Context not used by the Spider even if selected
Issue 1788 : Scan Progress Pane Needs Sorting Change
Issue 1789 : Forced Browse/AJAX Spider messages not restored to Sites tab
Issue 1792 : Report not generated in daemon mode
Issue 1798 : Stop Attack Feature Locks up ZAP?
Issue 1804 : Disable processing of XML external entities by default
Issue 1805 : ZAP API might not return the response in requested format on errors
Issue 1858 : Spider might report wrong progress after finishing
Issue 1872 : EDT accessed in daemon mode


	Introduction	the introduction to ZAP
	Releases	the full set of releases
	Credits	the people and groups who have made this release possible

Options Statistics screen

Mon, 01 Jan 0001 00:00:00 +0000

Options Statistics screen

This screen allows you to configure the statistics that ZAP maintains.

In Memory Statistics Enabled

By default ZAP maintains the statistics in memory. To disable the in memory statistics uncheck this box.

Passive Scan

Mon, 01 Jan 0001 00:00:00 +0000

Passive Scan

The passive scanner is provided by the Passive Scanner add-on, which allows to passively scan messages (e.g. HTTP, WebSocket) proxied/sent through/by ZAP.

Release 2.4.1

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.4.1

This release includes important security fixes - users are urged to upgrade asap.

One of the changes means that an API key is created by default, which means that any applications using the ZAP API will fail unless they are updated to use that key.

The API Key can be found in the API Options screen

Options Local Proxies screen

Mon, 01 Jan 0001 00:00:00 +0000

This page was moved.

Release 2.4.0

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.4.0

The following changes were made in this release:

Significant changes:

Attack mode

A new ‘ATTACK’ Mode has been added - new nodes that are in Scope are actively scanned as soon as they are discovered.

Software Bill of Materials

Mon, 01 Jan 0001 00:00:00 +0000

Software Bill of Materials

ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX for both the ZAP core and all of the add-ons maintained by the ZAP team. Each SBOM will appear as a file called “bom.json” included at the root of the ZAP JARs.

Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.

Mon, 01 Jan 0001 00:00:00 +0000

Cabelo started contributing to ZAP in 2016 and maintains the Official ZAP Linux Repos.

He works as an RPM and DEB packer in several Linux distributions.

First contact with technology in 1983, when 11 years old, in the city of Bebedouro (interior of SP).

Takes Linux seriously, researches and works with biometrics and computer vision since 1998.

Release 2.3.1

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.3.1

The following changes were made in this release:

Issue 81 : ZAP changes request data (while switching views)
Issue 377 : Unfulfilled dependencies hang the active scan
Issue 1073 : Cant remove scripts marked as ’load on start'
Issue 1114 : core.newSession doesn’t clear Sites
Issue 1155 : Historical Request Tab Doesn’t allow formatting changes
Issue 1156 : Proxy gzip decoder doesn’t update content length in response headers
Issue 1163 : Unable to set a home directory with a space on the command line
Issue 1166 : Redundant indexes in zapdb.script
Issue 1168 : Add proxy support for “deflate” content encoding
Issue 1170 : Spider Context/User pop up menus no longer shown
Issue 1179 : Unable to select 2 requests in fuzz results (Ctrl + click)
Issue 1181 : Vulnerable pages active scanned only once
Issue 1182 : Alerts of same type for different parameters of same vulnerable page shown only once in “Alerts” tree
Issue 1183 : NullPointerException while selecting a node in the “Alerts” tab after deleting a message
Issue 1191 : Cmdline session params have no effect
Issue 1193 : Scan URL path elements - turn off by default
Issue 1194 : Command line arguments are not passed to extensions when starting ZAP in daemon mode
Issue 1196 : AbstractPlugin.bingo incorrectly sets evidence to attack
Issue 1202 : Issue with loading addons that did not initialize correctly
Issue 1203 : Wordpress Authentication Script
Issue 1206 : “History” tab is not cleared when a new session is created through the API with ZAP in GUI mode


	Introduction	the introduction to ZAP
	Releases	the full set of releases
	Credits	the people and groups who have made this release possible

Scan Policy

Mon, 01 Jan 0001 00:00:00 +0000

Scan Policy

A scan policy defines exactly which rules are run as part of an active scan.

It also defines how these rules run influencing how many requests are made and how likely potential issues are to be flagged.

You can define as many scan policies as you like and select the most appropriate one when you start the scan via the Active Scan Dialog.

Release 2.3.0

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.3.0

The following changes were made in this release:

Significant changes:

ZAP ‘lite’ version

For this release we are providing a ‘lite’ version of ZAP in addition to the ‘full’ version. This contains exactly the same core code, but it just includes fewer default add-ons. Of course, you can download all of the ‘missing’ add-ons from the ZAP marketplace to ‘upgrade’ the lite version to a full one.
The ‘lite’ version is aimed at people new to security who need less initial functionality which will hopefully be easier to get started with. It will also be suitable for people looking for a smaller download or those wishing to customize exactly which add-ons they install.

Scope

Mon, 01 Jan 0001 00:00:00 +0000

Scope

The Scope is the set of URLs you are testing, and is defined by the Contexts you have specified.

By default nothing is in scope.

The Scope potentially changes:

What you can do, when you are in Protected mode
What is shown in the History tab
Protected - user can only perform (potentially) dangerous actions on URLs in the Scope
Standard - as in previous releases, user can do anything
ATTACK - new nodes that are in Scope are actively scanned as soon as they are discovered

It is recommended that you define a new Context for each web application that makes up the system you are testing, and set them in scope as you test each one.

Mon, 01 Jan 0001 00:00:00 +0000

Arkaprabha is an undergraduate computer science engineering student.

He is an open source enthusiast and has contributed to multiple open source projects. He has contributed to zaproxy and zap-extensions. He was the Google Summer of Code 2022 student contributor for the Parameter Digger add-on for ZAP. He aspires to be a full-time open source engineer, contributing to multiple open source projects 24x7.

Release 2.2.2

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.2.2

The following changes were made in this release:

Minor changes:

Issue 744 : Allow overwriting custom fuzz files

Issue 795 : Allow param types scanned to be configured via UI

Issue 797 : Limit number of ascan results listed to speed up scans

Issue 798 : Add example scripts

Bug Fixes:

Issue 656 : Content-length: 0 in GET requests

Issue 680 : Set the right content type for JSON API results

Issue 716 : ZAP flags its own HTTP responses

Issue 746 : PassiveScan Extension Crashes if the History Extension is disabled

Issue 747 : Error opening session files on directories with special characters

Issue 791 : Saved sessions are discarded on ZAP’s exit

Issue 792 : Diff dialog fails when invoked from Zest

Issue 794 : Malformed Byte Sequence Exception

Issue 800 : User not prompted with check-for-updates option

Issue 802 : XML report generated by API differs from GUI report


	Introduction	the introduction to ZAP
	Releases	the full set of releases
	Credits	the people and groups who have made this release possible

Scripts

Mon, 01 Jan 0001 00:00:00 +0000

Scripts

ZAP supports scripts that can be embedded within ZAP and can access internal ZAP data structures and classes. These scripts allow you to dynamically enhance ZAP from within ZAP.

ZAP supports any scripting language that supports JSR 223, including:

ECMAScript / JavaScript (through the GraalVM JavaScript add-on)
Zest
Groovy https://groovy-lang.org/
Kotlin https://kotlinlang.org/
Python https://www.jython.org
Ruby - https://jruby.org/
and many more…

WARNING - scripts run with the same permissions as ZAP, so do not run any scripts that you do not trust!

Release 2.2.1

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.2.1

The following changes were made in this release:

Bug Fixes:

Issue 789 : Scripting broken on Windows


	Introduction	the introduction to ZAP
	Releases	the full set of releases
	Credits	the people and groups who have made this release possible

Session Management

Mon, 01 Jan 0001 00:00:00 +0000

Session Management

ZAP handles multiple types of session management (called Session Management Methods ) that can be used for websites / webapps. Each Context has a Session Management Method defined which dictates how sessions are kept.

Cookie-Based Session Management

In the case of this method the session is being tracked through cookies. Currently, the session tokens that are used are imported from the HTTP Sessions Extension.

Mon, 01 Jan 0001 00:00:00 +0000

Najam (also known as: CyberSoldier) is a software developer and security engineer. He is a big advocate of open source software and likes to contribute to several open source projects to keep quality software available for free. He has contributed code towards the core zaproxy and zap-extensions codebase.

Release 2.2.0

Mon, 01 Jan 0001 00:00:00 +0000

Release 2.2.0

The following changes were made in this release:

The ZAP Homepage on ZAP

Jit

Access Control Status Tab

Access Control Status Tab

See also

Access Control Testing Add-on Changelog

Changelog

11 - 2025-12-15

Changed

10 - 2024-03-25

Changed

Fixed

9 - 2023-09-08

Added

Changed

8 - 2022-10-28

Changed

7 - 2021-10-07

Changed

6 - 2020-10-06

Added

Changed

5 - 2018-11-02

4 - 2017-11-28

3 - 2017-11-24

2 - 2016-06-02

1 - 2015-04-13

Access Control Testing Add-on SBOM

Active Scan

Active Scan

Active Scan dialog

Active Scan dialog

Scope

Active scanner rules (alpha) Add-on Changelog

Changelog

55 - 2025-12-30

Added

54 - 2025-12-15

Changed

Removed

53 - 2025-11-04

Added

Changed

52 - 2025-10-07

Added

Removed

51 - 2025-09-18

Changed

50 - 2025-09-02

Changed

Added

49 - 2025-06-20

Changed

Added

48 - 2024-09-02

Changed

Fixed

47 - 2024-03-28

Changed

46 - 2024-01-26

Changed

45 - 2024-01-16

Changed

Fixed

44 - 2023-09-08

Changed

43 - 2023-07-20

Changed

Removed

42 - 2022-12-13

Added

Fixed

Added

41 - 2022-10-27

Changed

40 - 2022-10-19

Added

Fixed

Changed

Removed