Releases: zaproxy/zap-extensions
Custom Payloads version 0.10.0
Added
- Add info and repo URLs.
- Add functionality to add multiple payloads from a file.
Changed
- Update minimum ZAP version to 2.10.0.
- Maintenance changes.
Active scanner rules (beta) version 34
Changed
- Now using 2.10 logging infrastructure (Log4j 2.x).
- The .env file scan rule now performs even better checks to reduce false positives (Issue 6099, 6629).
- The trace.axd file scan rule now performs a content check to reduce false positives (Issue 6517).
- XML External Entity Attack scan rule changed to detect a possible XML File Reflection Attack when XML validation is present. (Issue 6204)
- Added/updated the details of some alerts (some changes might break Alert Filters)
  - Backup File Disclosure
    - The attack, evidence, and other info will use URIs in encoded form.
  - Insecure HTTP Method
    - The URI field will be in encoded form.
  - Integer Overflow
    - Added evidence
  - Relative Path Confusion
    - The attack and URI field will use URIs in encoded form.
  - Source Code Disclosure - File Inclusion
    - The URI field will be in encoded form.
  - Source Code Disclosure - Git
    - The URI field will be in encoded form.
  - Source Code Disclosure - SVN
    - The URI field will be in encoded form.
  - SQL Injection - Hypersonic SQL
    - The URI field will be in encoded form.
  - SQL Injection - MySQL
    - The URI field will be in encoded form.
  - SQL Injection - Oracle
    - The URI field will be in encoded form.
  - SQL Injection - PostgreSQL
    - The URI field will be in encoded form.
  - SQL Injection - SQLite
    - Evidence is now the string that was matched in the response
    - The URI field will be in encoded form.
  - XPath Injection
    - Added evidence
- The Source Code Disclosure - File Inclusion scan rule was modified to make use of the Dice algorithm for calculating the match percentage, thus improving its performance.
- Update links to repository.
- Maintenance changes.
Fixed
- Add missing file, used by Hidden File Finder scan rule.
- Correct Context check in scan rules:
  - Session Fixation
  - Possible Username Enumeration
Active scanner rules (alpha) version 31
Changed
- Update links to zaproxy and zap-extensions repos.
- Target 2.10 core and use new logging infrastructure (Log4j 2.x).
- The LDAP Injection scan rule was modified to use:
  - The Dice algorithm for calculating the match percentage, thus improving its performance.
  - The URI in encoded form in alerts' other info field.
- Maintenance changes.
Added
- CORS active scan rule.
- Forbidden (403) Bypass scan rule.
- Web Cache Deception scan rule.
Removed
- Unused file, it was used by promoted scan rule.
Fixed
- Correct Context check in NoSQL Injection - MongoDB scan rule.
Active scanner rules version 40
Changed
- The SQL Injection scan rule will raise alerts with the URI field in encoded form.
- Update links to repository.
Fixed
- Correct Context check in SQL Injection scan rule.
- "Source Code Disclosure - /WEB-INF folder" is no longer skipped on Java 9+ (Issue 4038).
- Fix ascan rules not enforcing MaxRuleDuration when getting IOExceptions (Issue 6647).
Fuzzer version 13.2.0
Changed
- Now using 2.10 logging infrastructure (Log4j 2.x).
- Maintenance changes.
- Update dependency (Issue 4751).
Fixed
- Update results panels when Look and Feel changes (Issue 6479).
- Correct payload count from file.
- Show Add Payload dialogue above the Payloads dialogue.
Tips and Tricks version 8
Changed
- Update minimum ZAP version to 2.10.0.
- Update docker refs to use zaproxy.org instead of GitHub wiki.
- Update IRC link to Libera Chat.
- Maintenance changes.
Common Library version 1.3.0
Added
- Added AbstractHostFilePlugin for use with ElmahScanRule and other future Host level file scan rules (Issue 6133).
- Maintenance changes (Issue 6376 & Issue 6099).
- Added DiceMatcher, which implements the Dice algorithm to calculate the percentage similarity between two strings.
Active scanner rules version 39
Changed
- Now using 2.10 logging infrastructure (Log4j 2.x).
- Maintenance changes.
- The Path Traversal scan rule should now be less False Positive prone at High Threshold; one of its checks will now be excluded at High Threshold (Issues: 4209, 6030, 6219, 6372, and 6380).
- The Other info field of Alerts will now include a reference indicating which check the triggered alert is caused by, in order to assist in future user inquiries.
- Added/updated the details of some alerts (some changes might break Alert Filters)
  - Buffer Overflow
    - Includes an Attack string
    - Evidence changed from the whole request header to the specific string sought
  - Code Injection
    - Includes evidence for PHP and ASP related alerts
  - CRLF Injection
    - Attack and Evidence are now more specific
  - Directory Browsing
    - Attack is now the URL of the request
    - Evidence added
- Parameter Tampering scan rule, adjusted regular expression related to VBScript errors.
- Code Injection scan rule is now using random numbers for the ASP related check.
- SQL Injection scan rule now has one more payload for error based checks, and an additional SQLite related check string (Issue 6588).
Fixed
- Fix XSS false positive (Issue 5958).
Report Generation version 0.3.0
Added
- API Support.
- Support for statistics
Changed
- Maintenance Changes.
- Promote to beta
Fixed
- Correct logging of dependency.
- Inconsistencies between traditional reports and the 'old' core ones
- Do not rely on default encoding when creating the reports, use UTF-8 always (Issue 6561).
MacOS WebDrivers version 28
Fixed
- Bundle geckodriver with the correct architecture (Issue 6543).