Releases: zaproxy/zap-extensions

Custom Payloads version 0.10.0

17 Jun 21:38
f1992fc

Added

  • Add info and repo URLs.
  • Add functionality to add multiple payloads from a file.

Changed

  • Update minimum ZAP version to 2.10.0.
  • Maintenance changes.

Active scanner rules (beta) version 34

17 Jun 21:38
f1992fc

Changed

  • Now using 2.10 logging infrastructure (Log4j 2.x).
  • The .env file scan rule now performs even better checks to reduce false positives (Issue 6099, 6629).
  • The trace.axd file scan rule now performs a content check to reduce false positives (Issue 6517).
  • XML External Entity Attack scan rule changed to detect a possible XML File Reflection Attack when XML validation is present. (Issue 6204)
  • Added/updated the details of some alerts (some changes might break Alert Filters)
    • Backup File Disclosure
      • The attack, evidence, and other info will use URIs in encoded form.
    • Insecure HTTP Method
      • The URI field will be in encoded form.
    • Integer Overflow
      • Added evidence
    • Relative Path Confusion
      • The attack and URI field will use URIs in encoded form.
    • Source Code Disclosure - File Inclusion
      • The URI field will be in encoded form.
    • Source Code Disclosure - Git
      • The URI field will be in encoded form.
    • Source Code Disclosure - SVN
      • The URI field will be in encoded form.
    • SQL Injection - Hypersonic SQL
      • The URI field will be in encoded form.
    • SQL Injection - MySQL
      • The URI field will be in encoded form.
    • SQL Injection - Oracle
      • The URI field will be in encoded form.
    • SQL Injection - PostgreSQL
      • The URI field will be in encoded form.
    • SQL Injection - SQLite
      • Evidence is now the string that was matched in the response
      • The URI field will be in encoded form.
    • XPath Injection
      • Added evidence
  • The Source Code Disclosure - File Inclusion scan rule was modified to make use of the Dice algorithm for calculating the match percentage, thus improving its performance.
  • Update links to repository.
  • Maintenance changes.

Fixed

  • Add missing file, used by Hidden File Finder scan rule.
  • Correct Context check in scan rules:
    • Session Fixation
    • Possible Username Enumeration

Active scanner rules (alpha) version 31

17 Jun 21:38
f1992fc

Changed

  • Update links to zaproxy and zap-extensions repos.
  • Target 2.10 core and use new logging infrastructure (Log4j 2.x).
  • The LDAP Injection scan rule was modified to use:
    • The Dice algorithm for calculating the match percentage, thus improving its performance.
    • The URI in encoded form in alerts' other info field.
  • Maintenance changes.

Added

  • CORS active scan rule.
  • Forbidden (403) Bypass scan rule.
  • Web Cache Deception scan rule.

Removed

  • Unused file; it was used by a promoted scan rule.

Fixed

  • Correct Context check in NoSQL Injection - MongoDB scan rule.

Active scanner rules version 40

17 Jun 21:38
f1992fc

Changed

  • The SQL Injection scan rule will raise alerts with the URI field in encoded form.
  • Update links to repository.

Fixed

  • Correct Context check in SQL Injection scan rule.
  • "Source Code Disclosure - /WEB-INF folder" is no longer skipped on Java 9+ (Issue 4038).
  • Fix ascan rules not enforcing MaxRuleDuration when getting IOExceptions (Issue 6647).

Fuzzer version 13.2.0

01 Jun 14:06
fuzz-v13.2.0
5f91fac

Changed

  • Now using 2.10 logging infrastructure (Log4j 2.x).
  • Maintenance changes.
  • Update dependency (Issue 4751).

Fixed

  • Update results panels when Look and Feel changes (Issue 6479).
  • Correct payload count from file.
  • Show Add Payload dialogue above the Payloads dialogue.

Tips and Tricks version 8

28 May 14:43
tips-v8
7e45b8e

Changed

  • Update minimum ZAP version to 2.10.0.
  • Update docker refs to use zaproxy.org instead of GitHub wiki.
  • Update IRC link to Libera Chat.
  • Maintenance changes.

Common Library version 1.3.0

10 May 12:57
commonlib-v1.3.0
1b4147d

Added

  • Added AbstractHostFilePlugin for use with ElmahScanRule and other future Host level file scan rules (Issue 6133).
  • Maintenance changes (Issue 6376 & Issue 6099).
  • Added DiceMatcher, which implements the Dice algorithm to calculate the percentage similarity between two strings.

Active scanner rules version 39

10 May 12:57
ascanrules-v39
1b4147d
Compare
Choose a tag to compare

Changed

  • Now using 2.10 logging infrastructure (Log4j 2.x).
  • Maintenance changes.
  • The Path Traversal scan rule should now be less False Positive prone at High Threshold; one of its checks will now be excluded at High Threshold (Issues: 4209, 6030, 6219, 6372, and 6380).
    • The Other info field of Alerts will now include a reference indicating which check the triggered alert is caused by, in order to assist in future user inquiries.
  • Added/updated the details of some alerts (some changes might break Alert Filters)
    • Buffer Overflow
      • Includes an Attack string
      • Evidence changed from the whole request header to the specific string sought
    • Code Injection
      • Includes evidence for PHP and ASP related alerts
    • CRLF Injection
      • Attack and Evidence are now more specific
    • Directory Browsing
      • Attack is now the URL of the request
      • Evidence added
  • Parameter Tampering scan rule, adjusted regular expression related to VBScript errors.
  • Code Injection scan rule is now using random numbers for the ASP related check.
  • SQL Injection scan rule now has one more payload for error based checks, and an additional SQLite related check string (Issue 6588).

Fixed

  • Fix XSS false positive (Issue 5958).

Report Generation version 0.3.0

06 May 16:09
reports-v0.3.0
a395c50

Added

  • API Support.
  • Support for statistics

Changed

  • Maintenance Changes.
  • Promote to beta

Fixed

  • Correct logging of dependency.
  • Inconsistencies between traditional reports and the 'old' core ones
  • Do not rely on default encoding when creating the reports, use UTF-8 always (Issue 6561).

MacOS WebDrivers version 28

23 Apr 17:15
webdrivermacos-v28
92efa89

Fixed

  • Bundle geckodriver with the correct architecture (Issue 6543).