There are a large number of changes in this release, so this post will just give a high level overview of some of the most significant changes:
ZAP ‘lite’ version
For this release we are providing a ‘lite’ version of ZAP in addition to the ‘full’ version. This contains exactly the same core code, but it just includes fewer default add-ons. Of course, you can download all of the ‘missing’ add-ons from the ZAP marketplace to ‘upgrade’ the lite version to a full one.
The ‘lite’ version is aimed at people new to security who need less initial functionality which will hopefully be easier to get started with. It will also be suitable for people looking for a smaller download or those wishing to customize exactly which add-ons they install.
Support for client-side (browser) events
You can now view, intercept, manipulate, resend and fuzz client-side events. This includes postMessages, so you can now detect DOM based XSS vulnerabilities in postMessages. This is the first phase in a series of planned changes to support the testing of AJAX and HTML5 applications even more effectively.
Enhanced authentication support
ZAP's support for authentication has been completely revamped to easily handle complex types of authentication methods and scenarios. Support has also been added for user-defined scripts which allow you to handle custom authentication schemes. In addition, now ZAP understands and allows you to configure web applications' Users so various actions throughout ZAP can be performed from the point of view of defined users. To get started, check out the new Authentication and Users panels in the Session Properties for each of the defined Contexts.
Support for non standard apps
This release includes support for ‘single page’ applications and non standard key-value separators. You can now control these settings via the new Structure panel in the Session Properties.
New Input Vectors including user-defined scripts
ZAP supports new options for defining the input vectors i.e. the elements of a request that ZAP will attack. The new options are available in the Active Scan Input Vectors panel of the Options. Support has also been added for defining custom scripts that define new input vectors.
Scan policy - fine grained control
The scan policy now has a fine grained control, allowing you to tweak individual scanner rules. You can also define, load and save scan policies, allowing you to maintain a set of policies that work well in different circumstances.
In addition, by default ZAP will not now scan well-known service parameters (e.g. __VIEWSTATE) speeding up the overall scanning process. This is completely user configurable, allowing you to specify exactly which parameters ZAP should ignore.
Advanced Active Scan dialog
A new 'Advanced Active Scan' dialog allows you to specify exactly how you want the active scanner to function. It allows you to specify‘custom vectors’ that explicitly define which strings you want to attack. It also supports the option to scan as any of the Users you have defined for the application under test. Start an Advanced Active Scan via the Tools menu or via the Attack section of the right click popup menu.
Extended command line options
You can now run ZAP ‘inline’ i.e. without starting the ZAP UI or a daemon. In this mode you can run simple attacks or run scripts which can access all of the ZAP functionality. You can also now override any of the options defined in the configuration file via command line parameters.
More API support
The API has been extended to support even more of the ZAP functionality.
Internationalized help file
The help file has been internationalized and is in the process of being translated into many other languages viahttps://crowdin.net/project/owasp-zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
Languages with a significant amount of translated help pages include:
Bosnian
French
Japanese
Spanish
Keyboard shortcuts
All menu items can now be invoked via keyboard shortcuts. Defaults are defined for virtually all cases, but you can configure your own preferences in the Keyboard panel of the Options.
New UI options
There is a new option to change the display so that the selected tab takes up the full screen. This is useful when using ZAP on small screens. There is also an option to toggle the visibility of the tab names on an off to further conserve space.
Most of the UI lists have also been converted to tables, which allow you to change column widths and define exactly which columns are displayed, and how the tables are sorted.
More functionality moved to add-ons
More of the core functionality has been moved into add-ons which allows us to deliver updates dynamically via the ZAP Marketplace rather than requiring new full releases.
This includes the language packs, so translations made to the ZAP UI via https://crowdin.net/project/owasp-zap can be downloaded within ZAP or even automatically installed.
New and improved active and passive scanning rules
Many of the release quality active and passive scanning rules have been improved. There are new alpha and beta quality rules and many rules have been promoted from alpha to beta and from beta to release quality.
Other miscellaneous changes and additions
A new option to stop individual scan rules without stopping the whole scan
A new toolbar button that allows you to quickly and easily record Zest scripts.
-
The ability to spider applications based on source control metadata (SVN and Git) exposed via a web server
The ability to force breaks from within Proxy scripts
To keep up to date with ZAP related news follow @zaproxy on twitter.
