diff --git a/ZapVersions-2.16.xml b/ZapVersions-2.16.xml index 0135ca0..08eea45 100644 --- a/ZapVersions-2.16.xml +++ b/ZapVersions-2.16.xml @@ -78,20 +78,30 @@ Alert Filters Allows you to automate the changing of alert risk levels. ZAP Dev Team - 22 - alertFilters-release-22.zap + 23 + alertFilters-release-23.zap release - <h3>Fixed</h3> + <h3>Changed</h3> <ul> -<li>Handle deleted alerts gracefully.</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Fields with default or missing values are omitted for the <code>alertFilter</code> job in saved Automation Framework plans.</li> +<li>Depend on Passive Scanner add-on (Issue 7959).</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/alertFilters-v22/alertFilters-release-22.zap - SHA-256:a8036a258f67b9974cb07407e274bb2535e56a78b5b85c51b1ee5e6544e034c9 + https://github.com/zaproxy/zap-extensions/releases/download/alertFilters-v23/alertFilters-release-23.zap + SHA-256:20effe0ea05bfe0939a2f4bde15ebe65c61d458b2f898441356ef11a65bb3fb8 https://www.zaproxy.org/docs/desktop/addons/alert-filters/ https://github.com/zaproxy/zap-extensions/ - 2024-10-07 - 566059 - 2.15.0 + 2025-01-09 + 568692 + 2.16.0 + + + + pscan + >= 0.1.0 & < 1.0.0 + + + allinonenotes @@ -124,29 +134,49 @@ Active scanner rules The release status Active Scanner rules ZAP Dev Team - 69 - ascanrules-release-69.zap + 70 + ascanrules-release-70.zap release <h3>Changed</h3> <ul> -<li>The XML External Entity Attack scan rule now include example alert functionality for documentation generation purposes (Issue 6119).</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Updated help with specific Category identifiers for use with the Custom Payloads add-on for rules: +<ul> +<li>Hidden File Finder</li> +<li>User Agent Fuzzer</li> +</ul> +</li> +<li>Now depends on minimum Common Library version 1.29.0.</li> +<li>Add the <code>OUT_OF_BAND</code> alert tag to the following scan rules: +<ul> +<li>Server Side Template Injection (Blind)</li> +<li>XML External Entity Attack</li> +</ul> +</li> +<li>Cloud Metadata Attack scan rule is improved to support GCP, Azure, and OCI.</li> +<li>Remove double dot in skipped message of a scan rule that uses the Active Scan OAST service.</li> </ul> <h3>Fixed</h3> <ul> -<li>Added more checks for valid .htaccess files to reduce false positives (Issue 7632).</li> +<li>A situation where the Server-Side Template Injection (SSTI) scan rule might result in false positives related to the Go payloads (Issue 8622).</li> +<li>False Positives in Cloud Metadata Attack scan rule (Issue 8514).</li> +</ul> +<h3>Added</h3> +<ul> +<li>Standardized Scan Policy related alert tags on the rule.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/ascanrules-v69/ascanrules-release-69.zap - SHA-256:0d5aae9ca89f7329590591199f382d9c12248b3cb02fa7d73167fb87c5e2646a + https://github.com/zaproxy/zap-extensions/releases/download/ascanrules-v70/ascanrules-release-70.zap + SHA-256:236ae035feb96d24436af446086959cee1ebdf352ed32645783e26dff7130dcd https://www.zaproxy.org/docs/desktop/addons/active-scan-rules/ https://github.com/zaproxy/zap-extensions/ - 2024-10-23 - 3302878 - 2.15.0 + 2025-01-09 + 3323142 + 2.16.0 commonlib - >= 1.21.0 & < 2.0.0 + >= 1.29.0 & < 2.0.0 network @@ -261,20 +291,23 @@ Authentication Helper Helps identify and set up authentication handling ZAP Dev Team - 0.16.0 - authhelper-beta-0.16.0.zap + 0.17.0 + authhelper-beta-0.17.0.zap beta - <h3>Fixed</h3> + <h3>Changed</h3> <ul> -<li>Address concurrency issue while passive scanning with the Session Management Response Identified scan rule (Issue 8187).</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Depend on Passive Scanner add-on (Issue 7959).</li> +<li>Address deprecation warnings with newer Selenium version (4.27).</li> +<li>Optionally depend on the Client Integration add-on to provide Browser Based Authentication to the Client Spider.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/authhelper-v0.16.0/authhelper-beta-0.16.0.zap - SHA-256:ef6a2362387c67598cd6861dbf9350b646c14d79b923e6013404ccddc2db547f + https://github.com/zaproxy/zap-extensions/releases/download/authhelper-v0.17.0/authhelper-beta-0.17.0.zap + SHA-256:d3b6a90ef97d57db528c971fe548a07ec15a77f1923fac1bf0e175b8c3655be4 https://www.zaproxy.org/docs/desktop/addons/authentication-helper/ https://github.com/zaproxy/zap-extensions/ - 2024-11-06 - 813708 - 2.15.0 + 2025-01-09 + 818701 + 2.16.0 @@ -285,6 +318,10 @@ network >=0.6.0 + + pscan + >= 0.1.0 & < 1.0.0 + selenium 15.* @@ -323,30 +360,52 @@ Automation Framework Automation Framework. ZAP Dev Team - 0.43.0 - automation-beta-0.43.0.zap + 0.44.0 + automation-beta-0.44.0.zap beta - <h3>Fixed</h3> + <h3>Added</h3> <ul> -<li>Handle exceptions while running jobs.</li> +<li>Active scan policy job.</li> +<li>Add job to configure the active scanner, <code>activeScan-config</code>.</li> +<li>Allow to enable/disable jobs (Issue 5845).</li> +<li>Method to allow the user to set the exit code via a script.</li> +<li>Add exitStatus job (Issue #6928)</li> </ul> <h3>Changed</h3> <ul> -<li>In saved YAML plans: -<ul> -<li>Fields with default values are omitted.</li> -<li>The &quot;name&quot; and &quot;type&quot; fields are added before other fields.</li> -<li>Values are not quoted unless required.</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Maintenance changes.</li> +<li>Updated automation framework documentation and templates for <code>activeScan</code> job to reflect changes to the default value of threadPerHost parameter</li> +<li>Update help for the &quot;requestor&quot; job.</li> +<li>Update help to indicate that job order is important (Issue 8675).</li> +<li>Fields with default or missing values are omitted for the following automation jobs in saved plans: +<ul> +<li><code>activeScan</code></li> +<li><code>delay</code></li> +<li><code>requestor</code></li> </ul> </li> +</ul> +<h3>Removed</h3> +<ul> +<li>Remove job implementations that were previously migrated to the Passive Scanner add-on (Issue 7959).</li> +</ul> +<h3>Fixed</h3> +<ul> +<li>Templates generated with <code>-autogenmin</code> or <code>-autogenmax</code> were invalid in some cases.</li> +<li>Allow to choose one thread for the <code>activeScan</code> job through the GUI.</li> +<li>Active Scan jobs will once again use the default policy if neither a policy nor a policyDefinition has been set.</li> +<li>Bug in job alert tests related to alert matching.</li> +<li>Active scan rule ID 0 (Directory Browsing) will be included in the plan (yaml) when saved (Issue 8746).</li> +<li>Sizing/display of the Active Scan Policy job rule add/modify dialogs.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/automation-v0.43.0/automation-beta-0.43.0.zap - SHA-256:d765faa76ccc53a36d3622fea5ac3a12cf42f2c0d6372c692be2afc3abe69626 + https://github.com/zaproxy/zap-extensions/releases/download/automation-v0.44.0/automation-beta-0.44.0.zap + SHA-256:7733123076ff40a7636c88baf4929765530ea9fe67aed4e912b6d39b8b2bace4 https://www.zaproxy.org/docs/desktop/addons/automation-framework/ https://github.com/zaproxy/zap-extensions/ - 2024-10-07 - 1770789 - 2.15.0 + 2025-01-09 + 1809201 + 2.16.0 @@ -418,29 +477,20 @@ Forced Browse Forced browsing of files and directories using code from the OWASP DirBuster tool ZAP Dev Team - 16 - bruteforce-beta-16.zap + 17 + bruteforce-beta-17.zap beta - <h3>Added</h3> -<ul> -<li>Support for menu weights (Issue 8369).</li> -</ul> -<h3>Changed</h3> -<ul> -<li>Update minimum ZAP version to 2.15.0.</li> -<li>Maintenance changes.</li> -</ul> -<h3>Fixed</h3> + <h3>Changed</h3> <ul> -<li>Help content typos.</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/bruteforce-v16/bruteforce-beta-16.zap - SHA-256:01c8d25f1ef05dfc85d0feadbff38f7891f859d088a81041e6fca59be5e74cd0 + https://github.com/zaproxy/zap-extensions/releases/download/bruteforce-v17/bruteforce-beta-17.zap + SHA-256:4c5828447d69da32e450e65a6b082284b56538383d5cf4036b743805115a9a90 https://www.zaproxy.org/docs/desktop/addons/forced-browse/ https://github.com/zaproxy/zap-extensions/ - 2024-05-07 - 553638 - 2.15.0 + 2025-01-09 + 552468 + 2.16.0 @@ -504,20 +554,25 @@ Call Home Handles all of the calls to ZAP services. ZAP Dev Team - 0.13.0 - callhome-release-0.13.0.zap + 0.14.0 + callhome-release-0.14.0.zap release - <h3>Added</h3> + <h3>Changed</h3> +<ul> +<li>Update minimum ZAP version to 2.16.0.</li> +</ul> +<h3>Added</h3> <ul> -<li>Tech stats to telemetry.</li> +<li>Network stats to telemetry.</li> +<li>Sequence stats to telemetry.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/callhome-v0.13.0/callhome-release-0.13.0.zap - SHA-256:b0b9ed9e68fee11fceac339a49c96e7f21e1a377270dde08ada65aecd795454f + https://github.com/zaproxy/zap-extensions/releases/download/callhome-v0.14.0/callhome-release-0.14.0.zap + SHA-256:100870954c18d9f9c9ed2db5348eb069262a7c177bfbe158355c1b20e9fa5cef https://www.zaproxy.org/docs/desktop/addons/call-home/ https://github.com/zaproxy/zap-extensions/ - 2024-09-02 - 322396 - 2.15.0 + 2025-01-09 + 322668 + 2.16.0 client @@ -569,29 +624,25 @@ Common Library A common library, for use by other add-ons. ZAP Dev Team - 1.29.0 - commonlib-release-1.29.0.zap + 1.30.0 + commonlib-release-1.30.0.zap release - <h3>Changed</h3> -<ul> -<li>Dependency updates.</li> -<li>Let the Value Generator add-on provide the custom values through this add-on (Issue 8016).</li> -</ul> -<h3>Added</h3> + <h3>Added</h3> <ul> -<li>Policy tags for use with scan rules and the new Scan Policies add-on.</li> +<li>Add solutions to Insufficient Process Validation vulnerability (Issue 8056).</li> </ul> -<h3>Fixed</h3> +<h3>Changed</h3> <ul> -<li>Be more lenient with the input used for providing values, to prevent exceptions.</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Improve solution and add more references to 'Information Leakage' vulnerability (Issue 8056).</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/commonlib-v1.29.0/commonlib-release-1.29.0.zap - SHA-256:423202fc2597edb5fa172f00dd2d6411f8ea5ec6405f08f07257e11d0f9bba07 + https://github.com/zaproxy/zap-extensions/releases/download/commonlib-v1.30.0/commonlib-release-1.30.0.zap + SHA-256:f178d4e48506fda85a70faf9346fc67fe0c895b98469dd02579b04b4c39c3dbc https://www.zaproxy.org/docs/desktop/addons/common-library/ https://github.com/zaproxy/zap-extensions/ - 2024-12-23 - 15145366 - 2.15.0 + 2025-01-09 + 15146336 + 2.16.0 communityScripts @@ -731,20 +782,20 @@ to find and add subdomains to the Sites Tree.</li> Database Provides database engines and related infrastructure. ZAP Dev Team - 0.6.0 - database-alpha-0.6.0.zap + 0.7.0 + database-alpha-0.7.0.zap alpha - <h3>Added</h3> + <h3>Changed</h3> <ul> -<li>Allow to access persistence manager of the database.</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/database-v0.6.0/database-alpha-0.6.0.zap - SHA-256:63b9318b4fd82652bd45e84b59d38747e8825af17534061fada5bab504131e4f + https://github.com/zaproxy/zap-extensions/releases/download/database-v0.7.0/database-alpha-0.7.0.zap + SHA-256:12e4a7bb69aa5d7fa359da44406f5dfcd085cdc77110244cc5f1a38dfeee11d4 https://www.zaproxy.org/docs/desktop/addons/database/ https://github.com/zaproxy/zap-extensions/ - 2024-09-17 - 23094122 - 2.15.0 + 2025-01-09 + 23094350 + 2.16.0 dev @@ -784,20 +835,20 @@ to find and add subdomains to the Sites Tree.</li> Diff Displays a dialog showing the differences between 2 requests or responses. It uses diffutils and diff_match_patch ZAP Dev Team - 16 - diff-beta-16.zap + 17 + diff-beta-17.zap beta - <h3>Updated</h3> + <h3>Changed</h3> <ul> -<li>Add-on help content.</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/diff-v16/diff-beta-16.zap - SHA-256:36baf1f731573c3ef0d7657403b7d789a4be2fe5ae59f9b18c112726d0c8cc0e + https://github.com/zaproxy/zap-extensions/releases/download/diff-v17/diff-beta-17.zap + SHA-256:6629fdcd55e509dfaf1e1004204b3dca5a75bfb1593c11bd8281bd7c7fd367b9 https://www.zaproxy.org/docs/desktop/addons/diff/ https://github.com/zaproxy/zap-extensions/ - 2024-10-07 - 679075 - 2.15.0 + 2025-01-09 + 693148 + 2.16.0 @@ -812,20 +863,20 @@ to find and add subdomains to the Sites Tree.</li> Directory List v1.0 List of directory names to be used with Forced Browse or Fuzzer add-on. ZAP Dev Team - 8 - directorylistv1-release-8.zap + 9 + directorylistv1-release-9.zap release <h3>Changed</h3> <ul> -<li>Update minimum ZAP version to 2.15.0.</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/directorylistv1-v8/directorylistv1-release-8.zap - SHA-256:8f5eb460d8c57a7a26566b7b653c8557a875d40245ad6bb4ad0cdef60b56ea18 + https://github.com/zaproxy/zap-extensions/releases/download/directorylistv1-v9/directorylistv1-release-9.zap + SHA-256:71e5b57bcf89774267375426f2e67f789cf13a4b69c97c8946a325fa321d18ce https://www.zaproxy.org/docs/desktop/addons/directory-list-v1.0/ https://github.com/zaproxy/zap-extensions/ - 2024-05-07 - 961163 - 2.15.0 + 2025-01-09 + 961164 + 2.16.0 directorylistv2_3 @@ -884,32 +935,24 @@ to find and add subdomains to the Sites Tree.</li> DOM XSS Active scanner rule DOM XSS Active scanner rule Aabha Biyani, ZAP Dev Team - 20 - domxss-release-20.zap + 21 + domxss-release-21.zap release <h3>Changed</h3> <ul> -<li>Address deprecation warnings with newer Selenium version (4.27).</li> -<li>Include the whole HTTP message in the raised alerts.</li> -<li>Include the steps to reproduce the DOM XSS in the other info of the alert.</li> -<li>Do not request URLs explicitly excluded from the context or global excludes</li> -<li>Depend on newer version of Common Library add-on.</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> <h3>Fixed</h3> <ul> -<li>Address false negatives through query parameters.</li> -</ul> -<h3>Added</h3> -<ul> -<li>Standardized Scan Policy related alert tags on the rule.</li> +<li>Handle exceptions while obtaining the XPath of an element.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/domxss-v20/domxss-release-20.zap - SHA-256:69a551db6553a16462faa63a04c232ec56f80c0db1d37b0f6dccf9dc02d8db7f + https://github.com/zaproxy/zap-extensions/releases/download/domxss-v21/domxss-release-21.zap + SHA-256:4902e5d519c7b4a68441d9fb3ae2edc1df3d1c4086333a2e4844279e65ea96ec https://www.zaproxy.org/docs/desktop/addons/dom-xss-active-scan-rule/ https://github.com/zaproxy/zap-extensions/ - 2024-12-23 - 275082 - 2.15.0 + 2025-01-09 + 284336 + 2.16.0 @@ -932,25 +975,25 @@ to find and add subdomains to the Sites Tree.</li> Encoder Adds encode/decode/hash dialog and support for scripted processors as well ZAP Dev Team - 1.5.0 - encoder-release-1.5.0.zap + 1.6.0 + encoder-release-1.6.0.zap release - <h3>Added</h3> + <h3>Changed</h3> <ul> -<li>Support for menu weights (Issue 8369)</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> -<h3>Changed</h3> +<h3>Added</h3> <ul> -<li>Update minimum ZAP version to 2.15.0.</li> -<li>Maintenance changes.</li> +<li>A predefined processor &quot;ASCify&quot; which converts text removing accents/diacritics/ligatures (perhaps not fully, due to operation in compatibility mode) leaving only ASCII characters.</li> +<li>Predefined processors for encoding and decoding Morse Code.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/encoder-v1.5.0/encoder-release-1.5.0.zap - SHA-256:5914245314d1c9eba1892097318c089aef9d89e107bf61745093924e4591d632 + https://github.com/zaproxy/zap-extensions/releases/download/encoder-v1.6.0/encoder-release-1.6.0.zap + SHA-256:1d8194472413b02de94f14db73e5cf6ebfad3b73ab35679cb166217f585713e8 https://www.zaproxy.org/docs/desktop/addons/encode-decode-hash/ https://github.com/zaproxy/zap-extensions/ - 2024-05-07 - 470124 - 2.15.0 + 2025-01-09 + 477920 + 2.16.0 @@ -994,24 +1037,34 @@ to find and add subdomains to the Sites Tree.</li> Import/Export Import and Export functionality ZAP Dev Team & thatsn0tmysite - 0.12.0 - exim-beta-0.12.0.zap + 0.13.0 + exim-beta-0.13.0.zap beta - <h3>Changed</h3> + <h3>Added</h3> <ul> -<li>Improved HTTP 1.1 traffic detection in PCAP files</li> +<li>Add Automation Framework job to export data (e.g. HAR, URLs).</li> +<li>Support for Sites Tree export and prune.</li> +</ul> +<h3>Changed</h3> +<ul> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Update dependency.</li> +<li>Maintenance changes.</li> </ul> <h3>Fixed</h3> <ul> -<li>Count invalid messages as tasks done toward progress when importing HARs.</li> +<li>Import HAR entry sent and elapsed time.</li> +<li>Duplicate or missing &quot;Save URLs...&quot; entries in the Export menu.</li> +<li>The &quot;Save All URLs...&quot; export option was saving only the selected URLs.</li> +<li>Correct bundled dependencies to avoid conflicts with core logging libraries.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/exim-v0.12.0/exim-beta-0.12.0.zap - SHA-256:290a834250748f885ba57f7c54ca662bdc065057341dea2486baba4f9b7379cf + https://github.com/zaproxy/zap-extensions/releases/download/exim-v0.13.0/exim-beta-0.13.0.zap + SHA-256:c2322edb3c5a29e2a844a36ba23e3f5d8202c77d16610a323b6ff3b69914eb7c https://www.zaproxy.org/docs/desktop/addons/import-export/ https://github.com/zaproxy/zap-extensions/ - 2024-10-07 - 3019308 - 2.15.0 + 2025-01-09 + 940208 + 2.16.0 @@ -1042,41 +1095,53 @@ to find and add subdomains to the Sites Tree.</li> Value Generator This Value Generator Add-on allows a user to define field names and values to be used when submitting values to an app. Fields can be added, modified, enabled/disabled, and deleted. ZAP Dev Team - 6.6.0 - formhandler-beta-6.6.0.zap + 6.7.0 + formhandler-beta-6.7.0.zap beta <h3>Changed</h3> <ul> -<li>Update minimum ZAP version to 2.15.0.</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Depend on Common Library add-on, to provide the default/custom values to the other add-ons (Issue 8016).</li> +</ul> +<h3>Fixed</h3> +<ul> +<li>Fixed an issue in the help which may cause images to be displayed inline impacting the flow of the text.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/formhandler-v6.6.0/formhandler-beta-6.6.0.zap - SHA-256:a9dd593ce8fc116ce0ea9545db734d0ab166a452edac3857985ce3e8b14a108b + https://github.com/zaproxy/zap-extensions/releases/download/formhandler-v6.7.0/formhandler-beta-6.7.0.zap + SHA-256:2adb0a7f60f7c43861cdeac14d0d72cde139abcaf12fdd6cb82cf4739e52bd81 https://www.zaproxy.org/docs/desktop/addons/value-generator/ https://github.com/zaproxy/zap-extensions/ - 2024-05-07 - 2126686 - 2.15.0 + 2025-01-09 + 2128203 + 2.16.0 + + + + commonlib + >= 1.29.0 & < 2.0.0 + + + fuzz Fuzzer Advanced fuzzer for manual testing ZAP Dev Team - 13.14.0 - fuzz-beta-13.14.0.zap + 13.15.0 + fuzz-beta-13.15.0.zap beta <h3>Changed</h3> <ul> -<li>Maintenance changes.</li> -<li>Replace library used for regex payload generation, to address performance and compatibility issues.</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/fuzz-v13.14.0/fuzz-beta-13.14.0.zap - SHA-256:259c116cf914cd20477447251da5da7c11b847b52dd80389c6fa208866851f48 + https://github.com/zaproxy/zap-extensions/releases/download/fuzz-v13.15.0/fuzz-beta-13.15.0.zap + SHA-256:d8171808ac8e04395575aeca0f11469c79d93fa8e4327b8c7a82f4d0fd6119da https://www.zaproxy.org/docs/desktop/addons/fuzzer/ https://github.com/zaproxy/zap-extensions/ - 2024-10-07 - 2011237 - 2.15.0 + 2025-01-09 + 2014110 + 2.16.0 @@ -1153,51 +1218,40 @@ to find and add subdomains to the Sites Tree.</li> Getting Started with ZAP Guide A short Getting Started with ZAP Guide ZAP Dev Team - 18 - gettingStarted-release-18.zap + 19 + gettingStarted-release-19.zap release <h3>Changed</h3> <ul> -<li>Rebrand to ZAP by Checkmarx.</li> +<li>Update Getting Started Guide for 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/gettingStarted-v18/gettingStarted-release-18.zap - SHA-256:8253e27e7fd43ecc2baad50c0488c5678cf9885b5db3ce12c327c8fc5e34277c + https://github.com/zaproxy/zap-extensions/releases/download/gettingStarted-v19/gettingStarted-release-19.zap + SHA-256:74ca76fbe518917005828d3b4f4392d8d91b5e11d1d6517a1ae9fc19f16bfd9b https://www.zaproxy.org/docs/desktop/addons/getting-started-guide/ https://github.com/zaproxy/zap-extensions/ - 2024-09-24 - 968579 - 2.15.0 + 2025-01-09 + 968572 + 2.16.0 graaljs GraalVM JavaScript Provides the GraalVM JavaScript engine for ZAP scripting. ZAP Dev Team - 0.8.0 - graaljs-alpha-0.8.0.zap + 0.9.0 + graaljs-alpha-0.9.0.zap alpha - <h3>Added</h3> -<ul> -<li>Document the engine name in the help page.</li> -</ul> -<h3>Changed</h3> -<ul> -<li>Maintenance changes.</li> -<li>Update script templates: + <h3>Changed</h3> <ul> -<li>authentication/Authentication default template GraalJS.js - remove outdated example code.</li> -<li>httpsender/AddZapHeader GraalJS.js - fix runtime error (Issue 8611) and update documentation.</li> -<li>httpsender/HttpSender default template GraalJS.js - update documentation.</li> -</ul> -</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/graaljs-v0.8.0/graaljs-alpha-0.8.0.zap - SHA-256:9821e4e66d0a5d6c84a4208e06b2b4eaf6c7962802618b8ec22a4c0e65b1d198 + https://github.com/zaproxy/zap-extensions/releases/download/graaljs-v0.9.0/graaljs-alpha-0.9.0.zap + SHA-256:8abec96df1ff90177953d5fffd4dfd57228c1a8d8e140a521e81ea80a256ca19 https://www.zaproxy.org/docs/desktop/addons/graalvm-javascript/ https://github.com/zaproxy/zap-extensions/ - 2024-09-24 - 24531423 - 2.15.0 + 2025-01-09 + 24540532 + 2.16.0 @@ -1216,25 +1270,40 @@ to find and add subdomains to the Sites Tree.</li> GraphQL Support Inspect and attack GraphQL endpoints. ZAP Dev Team - 0.25.0 - graphql-alpha-0.25.0.zap + 0.26.0 + graphql-alpha-0.26.0.zap alpha <h3>Changed</h3> <ul> -<li>Dependency updates.</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Depend on newer version of Common Library add-on (Issue 8016).</li> +<li>Maintenance changes.</li> +</ul> +<h3>Added</h3> +<ul> +<li>Fingerprinting checks for the following engines: +<ul> +<li>pg_graphql</li> +<li>tailcall</li> +<li>Hot Chocolate</li> +<li>Inigo</li> +</ul> +</li> +<li>Support for importing an introspection query response from a file (Issue 8569).</li> +<li>If the Tech Detection (Wappalyzer) add-on is installed and a GraphQL engine is successfully fingerprinted, it is added to the Technology tab/data.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/graphql-v0.25.0/graphql-alpha-0.25.0.zap - SHA-256:f4e491d9f7a7ec6918bee1093f8e7c4eeed9fd58e429ce4a0baf1fb60505fbda + https://github.com/zaproxy/zap-extensions/releases/download/graphql-v0.26.0/graphql-alpha-0.26.0.zap + SHA-256:7578897dd3e517d653d779f90b1565a6cac7c6c838f4107dd44d01f6233faae8 https://www.zaproxy.org/docs/desktop/addons/graphql-support/ https://github.com/zaproxy/zap-extensions/ - 2024-09-24 - 5465649 - 2.15.0 + 2025-01-09 + 5475010 + 2.16.0 commonlib - >= 1.17.0 & < 2.0.0 + >= 1.29.0 & < 2.0.0 @@ -1646,24 +1715,20 @@ to find and add subdomains to the Sites Tree.</li> Invoke Applications Invoke external applications passing context related information such as URLs and parameters ZAP Dev Team - 15 - invoke-beta-15.zap + 16 + invoke-beta-16.zap beta <h3>Changed</h3> <ul> -<li>Update minimum ZAP version to 2.15.0.</li> -</ul> -<h3>Added</h3> -<ul> -<li>Support for menu weights (Issue 8369)</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/invoke-v15/invoke-beta-15.zap - SHA-256:ff93f71447e26971a540d4f5029c5a1590b661dc4a32eb386810fe91b6ae794e + https://github.com/zaproxy/zap-extensions/releases/download/invoke-v16/invoke-beta-16.zap + SHA-256:439fd2ff1d090779bc9f874696286d1685dffa7b83624254c2b92a2daa943464 https://www.zaproxy.org/docs/desktop/addons/invoke-applications/ https://github.com/zaproxy/zap-extensions/ - 2024-05-07 - 322369 - 2.15.0 + 2025-01-09 + 323503 + 2.16.0 @@ -1898,54 +1963,46 @@ to find and add subdomains to the Sites Tree.</li> Network Provides core networking capabilities. ZAP Dev Team - 0.19.0 - network-beta-0.19.0.zap + 0.20.0 + network-beta-0.20.0.zap beta - <h3>Changed</h3> + <h3>Added</h3> +<ul> +<li>Set the local address where (e.g. server, proxy) the request header was received.</li> +</ul> +<h3>Changed</h3> <ul> -<li>Configure the logging to prevent verbose log messages when using BC JSSE provider.</li> -<li>Improve error handling on client's unknown CA TLS alert.</li> -<li>Report available TLS providers when failed to query the TLS/SSL protocol versions.</li> -<li>Rely on the default secure random generator when creating the Root CA certificate to use the most appropriate defined by the security provider.</li> -<li>Update default user-agents.</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/network-v0.19.0/network-beta-0.19.0.zap - SHA-256:68d797708fba51da2edc4dee58130057c0d85a9c73eedde008833a24693ba12b + https://github.com/zaproxy/zap-extensions/releases/download/network-v0.20.0/network-beta-0.20.0.zap + SHA-256:c1465cf14a3d9720735698808e17f79c1890d9f2931027eead65da208803ec9c https://www.zaproxy.org/docs/desktop/addons/network/ https://github.com/zaproxy/zap-extensions/ - 2024-12-23 - 28128362 - 2.15.0 + 2025-01-09 + 28127964 + 2.16.0 oast OAST Support Allows you to exploit out-of-band vulnerabilities ZAP Dev Team - 0.20.0 - oast-beta-0.20.0.zap + 0.21.0 + oast-beta-0.21.0.zap beta - <h3>Added</h3> -<ul> -<li>API support.</li> -<li>Raise alerts for OAST interactions that happened in other sessions.</li> -<li>Options to trim the OAST permanent database.</li> -</ul> -<h3>Changed</h3> -<ul> -<li>Depend on newer version of Database add-on.</li> -</ul> -<h3>Fixed</h3> + <h3>Changed</h3> <ul> -<li>Address warnings when using BOAST payloads.</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Maintenance changes.</li> +<li>Include the handler and source when logging interactions not found in the permanent database.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/oast-v0.20.0/oast-beta-0.20.0.zap - SHA-256:93d0384912c9d64127e02b3114e82596406548f8b8152223fe5f0407cdff923e + https://github.com/zaproxy/zap-extensions/releases/download/oast-v0.21.0/oast-beta-0.21.0.zap + SHA-256:397c614b2a668fb26c6b327c489ee1b6c580440d90ca966e7ce33811ee1dad60 https://www.zaproxy.org/docs/desktop/addons/oast-support/ https://github.com/zaproxy/zap-extensions/ - 2024-09-17 - 844324 - 2.15.0 + 2025-01-09 + 904504 + 2.16.0 @@ -1964,51 +2021,47 @@ to find and add subdomains to the Sites Tree.</li> Online menus ZAP Online menu items ZAP Dev Team - 13 - onlineMenu-release-13.zap + 14 + onlineMenu-release-14.zap release <h3>Changed</h3> <ul> -<li>Update minimum ZAP version to 2.15.0.</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/onlineMenu-v13/onlineMenu-release-13.zap - SHA-256:c605e10c7c38c525d5dfe14f026fe6e11a26fb1055e681b51fd2e5bd576d5e1d + https://github.com/zaproxy/zap-extensions/releases/download/onlineMenu-v14/onlineMenu-release-14.zap + SHA-256:da47b95478c008545f403ffc20640c12c6215211e93727118f0854a2e40c5794 https://www.zaproxy.org/docs/desktop/addons/online-menu/ https://github.com/zaproxy/zap-extensions/ - 2024-05-07 - 208613 - 2.15.0 + 2025-01-09 + 208647 + 2.16.0 openapi OpenAPI Support Imports and spiders OpenAPI definitions. ZAP Dev Team plus Joanna Bona, Nathalie Bouchahine, Artur Grzesica, Mohammad Kamar, Markus Kiss, Michal Materniak, Marcin Spiewak, and SDA SE Open Industry Solutions - 43 - openapi-beta-43.zap + 44 + openapi-beta-44.zap beta - <h3>Added</h3> -<ul> -<li>Allow to import the OpenAPI definitions with a user (Issue 7739).</li> -<li>Honour context exclusions when importing (Issue 8021).</li> -</ul> -<h3>Fixed</h3> + <h3>Changed</h3> <ul> -<li>Allow to select the contexts of the Automation Framework plan when configuring the job.</li> -<li>Correctly handle empty context name in the Automation Framework job.</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Depend on newer version of Common Library add-on (Issue 8016).</li> +<li>Fields with default or missing values are omitted for the <code>openapi</code> job in saved Automation Framework plans.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/openapi-v43/openapi-beta-43.zap - SHA-256:f72b0061547ec3e72f6e9e3ec83a86c730e48208788acf10b690fa456866ef73 + https://github.com/zaproxy/zap-extensions/releases/download/openapi-v44/openapi-beta-44.zap + SHA-256:e0c15ccdf49c083b6992bc3ef0175e1aa24bc32912ec3dbdcc7b71beafe46a46 https://www.zaproxy.org/docs/desktop/addons/openapi-support/ https://github.com/zaproxy/zap-extensions/ - 2024-09-23 - 11513623 - 2.15.0 + 2025-01-09 + 11575879 + 2.16.0 commonlib - >= 1.26.0 & < 2.0.0 + >= 1.29.0 & < 2.0.0 diff --git a/ZapVersions-dev.xml b/ZapVersions-dev.xml index d148885..6cd2c65 100644 --- a/ZapVersions-dev.xml +++ b/ZapVersions-dev.xml @@ -78,20 +78,30 @@ Alert Filters Allows you to automate the changing of alert risk levels. ZAP Dev Team - 22 - alertFilters-release-22.zap + 23 + alertFilters-release-23.zap release - <h3>Fixed</h3> + <h3>Changed</h3> <ul> -<li>Handle deleted alerts gracefully.</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Fields with default or missing values are omitted for the <code>alertFilter</code> job in saved Automation Framework plans.</li> +<li>Depend on Passive Scanner add-on (Issue 7959).</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/alertFilters-v22/alertFilters-release-22.zap - SHA-256:a8036a258f67b9974cb07407e274bb2535e56a78b5b85c51b1ee5e6544e034c9 + https://github.com/zaproxy/zap-extensions/releases/download/alertFilters-v23/alertFilters-release-23.zap + SHA-256:20effe0ea05bfe0939a2f4bde15ebe65c61d458b2f898441356ef11a65bb3fb8 https://www.zaproxy.org/docs/desktop/addons/alert-filters/ https://github.com/zaproxy/zap-extensions/ - 2024-10-07 - 566059 - 2.15.0 + 2025-01-09 + 568692 + 2.16.0 + + + + pscan + >= 0.1.0 & < 1.0.0 + + + allinonenotes @@ -124,29 +134,49 @@ Active scanner rules The release status Active Scanner rules ZAP Dev Team - 69 - ascanrules-release-69.zap + 70 + ascanrules-release-70.zap release <h3>Changed</h3> <ul> -<li>The XML External Entity Attack scan rule now include example alert functionality for documentation generation purposes (Issue 6119).</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Updated help with specific Category identifiers for use with the Custom Payloads add-on for rules: +<ul> +<li>Hidden File Finder</li> +<li>User Agent Fuzzer</li> +</ul> +</li> +<li>Now depends on minimum Common Library version 1.29.0.</li> +<li>Add the <code>OUT_OF_BAND</code> alert tag to the following scan rules: +<ul> +<li>Server Side Template Injection (Blind)</li> +<li>XML External Entity Attack</li> +</ul> +</li> +<li>Cloud Metadata Attack scan rule is improved to support GCP, Azure, and OCI.</li> +<li>Remove double dot in skipped message of a scan rule that uses the Active Scan OAST service.</li> </ul> <h3>Fixed</h3> <ul> -<li>Added more checks for valid .htaccess files to reduce false positives (Issue 7632).</li> +<li>A situation where the Server-Side Template Injection (SSTI) scan rule might result in false positives related to the Go payloads (Issue 8622).</li> +<li>False Positives in Cloud Metadata Attack scan rule (Issue 8514).</li> +</ul> +<h3>Added</h3> +<ul> +<li>Standardized Scan Policy related alert tags on the rule.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/ascanrules-v69/ascanrules-release-69.zap - SHA-256:0d5aae9ca89f7329590591199f382d9c12248b3cb02fa7d73167fb87c5e2646a + https://github.com/zaproxy/zap-extensions/releases/download/ascanrules-v70/ascanrules-release-70.zap + SHA-256:236ae035feb96d24436af446086959cee1ebdf352ed32645783e26dff7130dcd https://www.zaproxy.org/docs/desktop/addons/active-scan-rules/ https://github.com/zaproxy/zap-extensions/ - 2024-10-23 - 3302878 - 2.15.0 + 2025-01-09 + 3323142 + 2.16.0 commonlib - >= 1.21.0 & < 2.0.0 + >= 1.29.0 & < 2.0.0 network @@ -261,20 +291,23 @@ Authentication Helper Helps identify and set up authentication handling ZAP Dev Team - 0.16.0 - authhelper-beta-0.16.0.zap + 0.17.0 + authhelper-beta-0.17.0.zap beta - <h3>Fixed</h3> + <h3>Changed</h3> <ul> -<li>Address concurrency issue while passive scanning with the Session Management Response Identified scan rule (Issue 8187).</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Depend on Passive Scanner add-on (Issue 7959).</li> +<li>Address deprecation warnings with newer Selenium version (4.27).</li> +<li>Optionally depend on the Client Integration add-on to provide Browser Based Authentication to the Client Spider.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/authhelper-v0.16.0/authhelper-beta-0.16.0.zap - SHA-256:ef6a2362387c67598cd6861dbf9350b646c14d79b923e6013404ccddc2db547f + https://github.com/zaproxy/zap-extensions/releases/download/authhelper-v0.17.0/authhelper-beta-0.17.0.zap + SHA-256:d3b6a90ef97d57db528c971fe548a07ec15a77f1923fac1bf0e175b8c3655be4 https://www.zaproxy.org/docs/desktop/addons/authentication-helper/ https://github.com/zaproxy/zap-extensions/ - 2024-11-06 - 813708 - 2.15.0 + 2025-01-09 + 818701 + 2.16.0 @@ -285,6 +318,10 @@ network >=0.6.0 + + pscan + >= 0.1.0 & < 1.0.0 + selenium 15.* @@ -323,30 +360,52 @@ Automation Framework Automation Framework. ZAP Dev Team - 0.43.0 - automation-beta-0.43.0.zap + 0.44.0 + automation-beta-0.44.0.zap beta - <h3>Fixed</h3> + <h3>Added</h3> <ul> -<li>Handle exceptions while running jobs.</li> +<li>Active scan policy job.</li> +<li>Add job to configure the active scanner, <code>activeScan-config</code>.</li> +<li>Allow to enable/disable jobs (Issue 5845).</li> +<li>Method to allow the user to set the exit code via a script.</li> +<li>Add exitStatus job (Issue #6928)</li> </ul> <h3>Changed</h3> <ul> -<li>In saved YAML plans: -<ul> -<li>Fields with default values are omitted.</li> -<li>The &quot;name&quot; and &quot;type&quot; fields are added before other fields.</li> -<li>Values are not quoted unless required.</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Maintenance changes.</li> +<li>Updated automation framework documentation and templates for <code>activeScan</code> job to reflect changes to the default value of threadPerHost parameter</li> +<li>Update help for the &quot;requestor&quot; job.</li> +<li>Update help to indicate that job order is important (Issue 8675).</li> +<li>Fields with default or missing values are omitted for the following automation jobs in saved plans: +<ul> +<li><code>activeScan</code></li> +<li><code>delay</code></li> +<li><code>requestor</code></li> </ul> </li> +</ul> +<h3>Removed</h3> +<ul> +<li>Remove job implementations that were previously migrated to the Passive Scanner add-on (Issue 7959).</li> +</ul> +<h3>Fixed</h3> +<ul> +<li>Templates generated with <code>-autogenmin</code> or <code>-autogenmax</code> were invalid in some cases.</li> +<li>Allow to choose one thread for the <code>activeScan</code> job through the GUI.</li> +<li>Active Scan jobs will once again use the default policy if neither a policy nor a policyDefinition has been set.</li> +<li>Bug in job alert tests related to alert matching.</li> +<li>Active scan rule ID 0 (Directory Browsing) will be included in the plan (yaml) when saved (Issue 8746).</li> +<li>Sizing/display of the Active Scan Policy job rule add/modify dialogs.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/automation-v0.43.0/automation-beta-0.43.0.zap - SHA-256:d765faa76ccc53a36d3622fea5ac3a12cf42f2c0d6372c692be2afc3abe69626 + https://github.com/zaproxy/zap-extensions/releases/download/automation-v0.44.0/automation-beta-0.44.0.zap + SHA-256:7733123076ff40a7636c88baf4929765530ea9fe67aed4e912b6d39b8b2bace4 https://www.zaproxy.org/docs/desktop/addons/automation-framework/ https://github.com/zaproxy/zap-extensions/ - 2024-10-07 - 1770789 - 2.15.0 + 2025-01-09 + 1809201 + 2.16.0 @@ -418,29 +477,20 @@ Forced Browse Forced browsing of files and directories using code from the OWASP DirBuster tool ZAP Dev Team - 16 - bruteforce-beta-16.zap + 17 + bruteforce-beta-17.zap beta - <h3>Added</h3> -<ul> -<li>Support for menu weights (Issue 8369).</li> -</ul> -<h3>Changed</h3> -<ul> -<li>Update minimum ZAP version to 2.15.0.</li> -<li>Maintenance changes.</li> -</ul> -<h3>Fixed</h3> + <h3>Changed</h3> <ul> -<li>Help content typos.</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/bruteforce-v16/bruteforce-beta-16.zap - SHA-256:01c8d25f1ef05dfc85d0feadbff38f7891f859d088a81041e6fca59be5e74cd0 + https://github.com/zaproxy/zap-extensions/releases/download/bruteforce-v17/bruteforce-beta-17.zap + SHA-256:4c5828447d69da32e450e65a6b082284b56538383d5cf4036b743805115a9a90 https://www.zaproxy.org/docs/desktop/addons/forced-browse/ https://github.com/zaproxy/zap-extensions/ - 2024-05-07 - 553638 - 2.15.0 + 2025-01-09 + 552468 + 2.16.0 @@ -504,20 +554,25 @@ Call Home Handles all of the calls to ZAP services. ZAP Dev Team - 0.13.0 - callhome-release-0.13.0.zap + 0.14.0 + callhome-release-0.14.0.zap release - <h3>Added</h3> + <h3>Changed</h3> +<ul> +<li>Update minimum ZAP version to 2.16.0.</li> +</ul> +<h3>Added</h3> <ul> -<li>Tech stats to telemetry.</li> +<li>Network stats to telemetry.</li> +<li>Sequence stats to telemetry.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/callhome-v0.13.0/callhome-release-0.13.0.zap - SHA-256:b0b9ed9e68fee11fceac339a49c96e7f21e1a377270dde08ada65aecd795454f + https://github.com/zaproxy/zap-extensions/releases/download/callhome-v0.14.0/callhome-release-0.14.0.zap + SHA-256:100870954c18d9f9c9ed2db5348eb069262a7c177bfbe158355c1b20e9fa5cef https://www.zaproxy.org/docs/desktop/addons/call-home/ https://github.com/zaproxy/zap-extensions/ - 2024-09-02 - 322396 - 2.15.0 + 2025-01-09 + 322668 + 2.16.0 client @@ -569,29 +624,25 @@ Common Library A common library, for use by other add-ons. ZAP Dev Team - 1.29.0 - commonlib-release-1.29.0.zap + 1.30.0 + commonlib-release-1.30.0.zap release - <h3>Changed</h3> -<ul> -<li>Dependency updates.</li> -<li>Let the Value Generator add-on provide the custom values through this add-on (Issue 8016).</li> -</ul> -<h3>Added</h3> + <h3>Added</h3> <ul> -<li>Policy tags for use with scan rules and the new Scan Policies add-on.</li> +<li>Add solutions to Insufficient Process Validation vulnerability (Issue 8056).</li> </ul> -<h3>Fixed</h3> +<h3>Changed</h3> <ul> -<li>Be more lenient with the input used for providing values, to prevent exceptions.</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Improve solution and add more references to 'Information Leakage' vulnerability (Issue 8056).</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/commonlib-v1.29.0/commonlib-release-1.29.0.zap - SHA-256:423202fc2597edb5fa172f00dd2d6411f8ea5ec6405f08f07257e11d0f9bba07 + https://github.com/zaproxy/zap-extensions/releases/download/commonlib-v1.30.0/commonlib-release-1.30.0.zap + SHA-256:f178d4e48506fda85a70faf9346fc67fe0c895b98469dd02579b04b4c39c3dbc https://www.zaproxy.org/docs/desktop/addons/common-library/ https://github.com/zaproxy/zap-extensions/ - 2024-12-23 - 15145366 - 2.15.0 + 2025-01-09 + 15146336 + 2.16.0 communityScripts @@ -731,20 +782,20 @@ to find and add subdomains to the Sites Tree.</li> Database Provides database engines and related infrastructure. ZAP Dev Team - 0.6.0 - database-alpha-0.6.0.zap + 0.7.0 + database-alpha-0.7.0.zap alpha - <h3>Added</h3> + <h3>Changed</h3> <ul> -<li>Allow to access persistence manager of the database.</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/database-v0.6.0/database-alpha-0.6.0.zap - SHA-256:63b9318b4fd82652bd45e84b59d38747e8825af17534061fada5bab504131e4f + https://github.com/zaproxy/zap-extensions/releases/download/database-v0.7.0/database-alpha-0.7.0.zap + SHA-256:12e4a7bb69aa5d7fa359da44406f5dfcd085cdc77110244cc5f1a38dfeee11d4 https://www.zaproxy.org/docs/desktop/addons/database/ https://github.com/zaproxy/zap-extensions/ - 2024-09-17 - 23094122 - 2.15.0 + 2025-01-09 + 23094350 + 2.16.0 dev @@ -784,20 +835,20 @@ to find and add subdomains to the Sites Tree.</li> Diff Displays a dialog showing the differences between 2 requests or responses. It uses diffutils and diff_match_patch ZAP Dev Team - 16 - diff-beta-16.zap + 17 + diff-beta-17.zap beta - <h3>Updated</h3> + <h3>Changed</h3> <ul> -<li>Add-on help content.</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/diff-v16/diff-beta-16.zap - SHA-256:36baf1f731573c3ef0d7657403b7d789a4be2fe5ae59f9b18c112726d0c8cc0e + https://github.com/zaproxy/zap-extensions/releases/download/diff-v17/diff-beta-17.zap + SHA-256:6629fdcd55e509dfaf1e1004204b3dca5a75bfb1593c11bd8281bd7c7fd367b9 https://www.zaproxy.org/docs/desktop/addons/diff/ https://github.com/zaproxy/zap-extensions/ - 2024-10-07 - 679075 - 2.15.0 + 2025-01-09 + 693148 + 2.16.0 @@ -812,20 +863,20 @@ to find and add subdomains to the Sites Tree.</li> Directory List v1.0 List of directory names to be used with Forced Browse or Fuzzer add-on. ZAP Dev Team - 8 - directorylistv1-release-8.zap + 9 + directorylistv1-release-9.zap release <h3>Changed</h3> <ul> -<li>Update minimum ZAP version to 2.15.0.</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/directorylistv1-v8/directorylistv1-release-8.zap - SHA-256:8f5eb460d8c57a7a26566b7b653c8557a875d40245ad6bb4ad0cdef60b56ea18 + https://github.com/zaproxy/zap-extensions/releases/download/directorylistv1-v9/directorylistv1-release-9.zap + SHA-256:71e5b57bcf89774267375426f2e67f789cf13a4b69c97c8946a325fa321d18ce https://www.zaproxy.org/docs/desktop/addons/directory-list-v1.0/ https://github.com/zaproxy/zap-extensions/ - 2024-05-07 - 961163 - 2.15.0 + 2025-01-09 + 961164 + 2.16.0 directorylistv2_3 @@ -884,32 +935,24 @@ to find and add subdomains to the Sites Tree.</li> DOM XSS Active scanner rule DOM XSS Active scanner rule Aabha Biyani, ZAP Dev Team - 20 - domxss-release-20.zap + 21 + domxss-release-21.zap release <h3>Changed</h3> <ul> -<li>Address deprecation warnings with newer Selenium version (4.27).</li> -<li>Include the whole HTTP message in the raised alerts.</li> -<li>Include the steps to reproduce the DOM XSS in the other info of the alert.</li> -<li>Do not request URLs explicitly excluded from the context or global excludes</li> -<li>Depend on newer version of Common Library add-on.</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> <h3>Fixed</h3> <ul> -<li>Address false negatives through query parameters.</li> -</ul> -<h3>Added</h3> -<ul> -<li>Standardized Scan Policy related alert tags on the rule.</li> +<li>Handle exceptions while obtaining the XPath of an element.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/domxss-v20/domxss-release-20.zap - SHA-256:69a551db6553a16462faa63a04c232ec56f80c0db1d37b0f6dccf9dc02d8db7f + https://github.com/zaproxy/zap-extensions/releases/download/domxss-v21/domxss-release-21.zap + SHA-256:4902e5d519c7b4a68441d9fb3ae2edc1df3d1c4086333a2e4844279e65ea96ec https://www.zaproxy.org/docs/desktop/addons/dom-xss-active-scan-rule/ https://github.com/zaproxy/zap-extensions/ - 2024-12-23 - 275082 - 2.15.0 + 2025-01-09 + 284336 + 2.16.0 @@ -932,25 +975,25 @@ to find and add subdomains to the Sites Tree.</li> Encoder Adds encode/decode/hash dialog and support for scripted processors as well ZAP Dev Team - 1.5.0 - encoder-release-1.5.0.zap + 1.6.0 + encoder-release-1.6.0.zap release - <h3>Added</h3> + <h3>Changed</h3> <ul> -<li>Support for menu weights (Issue 8369)</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> -<h3>Changed</h3> +<h3>Added</h3> <ul> -<li>Update minimum ZAP version to 2.15.0.</li> -<li>Maintenance changes.</li> +<li>A predefined processor &quot;ASCify&quot; which converts text removing accents/diacritics/ligatures (perhaps not fully, due to operation in compatibility mode) leaving only ASCII characters.</li> +<li>Predefined processors for encoding and decoding Morse Code.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/encoder-v1.5.0/encoder-release-1.5.0.zap - SHA-256:5914245314d1c9eba1892097318c089aef9d89e107bf61745093924e4591d632 + https://github.com/zaproxy/zap-extensions/releases/download/encoder-v1.6.0/encoder-release-1.6.0.zap + SHA-256:1d8194472413b02de94f14db73e5cf6ebfad3b73ab35679cb166217f585713e8 https://www.zaproxy.org/docs/desktop/addons/encode-decode-hash/ https://github.com/zaproxy/zap-extensions/ - 2024-05-07 - 470124 - 2.15.0 + 2025-01-09 + 477920 + 2.16.0 @@ -994,24 +1037,34 @@ to find and add subdomains to the Sites Tree.</li> Import/Export Import and Export functionality ZAP Dev Team & thatsn0tmysite - 0.12.0 - exim-beta-0.12.0.zap + 0.13.0 + exim-beta-0.13.0.zap beta - <h3>Changed</h3> + <h3>Added</h3> <ul> -<li>Improved HTTP 1.1 traffic detection in PCAP files</li> +<li>Add Automation Framework job to export data (e.g. HAR, URLs).</li> +<li>Support for Sites Tree export and prune.</li> +</ul> +<h3>Changed</h3> +<ul> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Update dependency.</li> +<li>Maintenance changes.</li> </ul> <h3>Fixed</h3> <ul> -<li>Count invalid messages as tasks done toward progress when importing HARs.</li> +<li>Import HAR entry sent and elapsed time.</li> +<li>Duplicate or missing &quot;Save URLs...&quot; entries in the Export menu.</li> +<li>The &quot;Save All URLs...&quot; export option was saving only the selected URLs.</li> +<li>Correct bundled dependencies to avoid conflicts with core logging libraries.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/exim-v0.12.0/exim-beta-0.12.0.zap - SHA-256:290a834250748f885ba57f7c54ca662bdc065057341dea2486baba4f9b7379cf + https://github.com/zaproxy/zap-extensions/releases/download/exim-v0.13.0/exim-beta-0.13.0.zap + SHA-256:c2322edb3c5a29e2a844a36ba23e3f5d8202c77d16610a323b6ff3b69914eb7c https://www.zaproxy.org/docs/desktop/addons/import-export/ https://github.com/zaproxy/zap-extensions/ - 2024-10-07 - 3019308 - 2.15.0 + 2025-01-09 + 940208 + 2.16.0 @@ -1042,41 +1095,53 @@ to find and add subdomains to the Sites Tree.</li> Value Generator This Value Generator Add-on allows a user to define field names and values to be used when submitting values to an app. Fields can be added, modified, enabled/disabled, and deleted. ZAP Dev Team - 6.6.0 - formhandler-beta-6.6.0.zap + 6.7.0 + formhandler-beta-6.7.0.zap beta <h3>Changed</h3> <ul> -<li>Update minimum ZAP version to 2.15.0.</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Depend on Common Library add-on, to provide the default/custom values to the other add-ons (Issue 8016).</li> +</ul> +<h3>Fixed</h3> +<ul> +<li>Fixed an issue in the help which may cause images to be displayed inline impacting the flow of the text.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/formhandler-v6.6.0/formhandler-beta-6.6.0.zap - SHA-256:a9dd593ce8fc116ce0ea9545db734d0ab166a452edac3857985ce3e8b14a108b + https://github.com/zaproxy/zap-extensions/releases/download/formhandler-v6.7.0/formhandler-beta-6.7.0.zap + SHA-256:2adb0a7f60f7c43861cdeac14d0d72cde139abcaf12fdd6cb82cf4739e52bd81 https://www.zaproxy.org/docs/desktop/addons/value-generator/ https://github.com/zaproxy/zap-extensions/ - 2024-05-07 - 2126686 - 2.15.0 + 2025-01-09 + 2128203 + 2.16.0 + + + + commonlib + >= 1.29.0 & < 2.0.0 + + + fuzz Fuzzer Advanced fuzzer for manual testing ZAP Dev Team - 13.14.0 - fuzz-beta-13.14.0.zap + 13.15.0 + fuzz-beta-13.15.0.zap beta <h3>Changed</h3> <ul> -<li>Maintenance changes.</li> -<li>Replace library used for regex payload generation, to address performance and compatibility issues.</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/fuzz-v13.14.0/fuzz-beta-13.14.0.zap - SHA-256:259c116cf914cd20477447251da5da7c11b847b52dd80389c6fa208866851f48 + https://github.com/zaproxy/zap-extensions/releases/download/fuzz-v13.15.0/fuzz-beta-13.15.0.zap + SHA-256:d8171808ac8e04395575aeca0f11469c79d93fa8e4327b8c7a82f4d0fd6119da https://www.zaproxy.org/docs/desktop/addons/fuzzer/ https://github.com/zaproxy/zap-extensions/ - 2024-10-07 - 2011237 - 2.15.0 + 2025-01-09 + 2014110 + 2.16.0 @@ -1153,51 +1218,40 @@ to find and add subdomains to the Sites Tree.</li> Getting Started with ZAP Guide A short Getting Started with ZAP Guide ZAP Dev Team - 18 - gettingStarted-release-18.zap + 19 + gettingStarted-release-19.zap release <h3>Changed</h3> <ul> -<li>Rebrand to ZAP by Checkmarx.</li> +<li>Update Getting Started Guide for 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/gettingStarted-v18/gettingStarted-release-18.zap - SHA-256:8253e27e7fd43ecc2baad50c0488c5678cf9885b5db3ce12c327c8fc5e34277c + https://github.com/zaproxy/zap-extensions/releases/download/gettingStarted-v19/gettingStarted-release-19.zap + SHA-256:74ca76fbe518917005828d3b4f4392d8d91b5e11d1d6517a1ae9fc19f16bfd9b https://www.zaproxy.org/docs/desktop/addons/getting-started-guide/ https://github.com/zaproxy/zap-extensions/ - 2024-09-24 - 968579 - 2.15.0 + 2025-01-09 + 968572 + 2.16.0 graaljs GraalVM JavaScript Provides the GraalVM JavaScript engine for ZAP scripting. ZAP Dev Team - 0.8.0 - graaljs-alpha-0.8.0.zap + 0.9.0 + graaljs-alpha-0.9.0.zap alpha - <h3>Added</h3> -<ul> -<li>Document the engine name in the help page.</li> -</ul> -<h3>Changed</h3> -<ul> -<li>Maintenance changes.</li> -<li>Update script templates: + <h3>Changed</h3> <ul> -<li>authentication/Authentication default template GraalJS.js - remove outdated example code.</li> -<li>httpsender/AddZapHeader GraalJS.js - fix runtime error (Issue 8611) and update documentation.</li> -<li>httpsender/HttpSender default template GraalJS.js - update documentation.</li> -</ul> -</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/graaljs-v0.8.0/graaljs-alpha-0.8.0.zap - SHA-256:9821e4e66d0a5d6c84a4208e06b2b4eaf6c7962802618b8ec22a4c0e65b1d198 + https://github.com/zaproxy/zap-extensions/releases/download/graaljs-v0.9.0/graaljs-alpha-0.9.0.zap + SHA-256:8abec96df1ff90177953d5fffd4dfd57228c1a8d8e140a521e81ea80a256ca19 https://www.zaproxy.org/docs/desktop/addons/graalvm-javascript/ https://github.com/zaproxy/zap-extensions/ - 2024-09-24 - 24531423 - 2.15.0 + 2025-01-09 + 24540532 + 2.16.0 @@ -1216,25 +1270,40 @@ to find and add subdomains to the Sites Tree.</li> GraphQL Support Inspect and attack GraphQL endpoints. ZAP Dev Team - 0.25.0 - graphql-alpha-0.25.0.zap + 0.26.0 + graphql-alpha-0.26.0.zap alpha <h3>Changed</h3> <ul> -<li>Dependency updates.</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Depend on newer version of Common Library add-on (Issue 8016).</li> +<li>Maintenance changes.</li> +</ul> +<h3>Added</h3> +<ul> +<li>Fingerprinting checks for the following engines: +<ul> +<li>pg_graphql</li> +<li>tailcall</li> +<li>Hot Chocolate</li> +<li>Inigo</li> +</ul> +</li> +<li>Support for importing an introspection query response from a file (Issue 8569).</li> +<li>If the Tech Detection (Wappalyzer) add-on is installed and a GraphQL engine is successfully fingerprinted, it is added to the Technology tab/data.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/graphql-v0.25.0/graphql-alpha-0.25.0.zap - SHA-256:f4e491d9f7a7ec6918bee1093f8e7c4eeed9fd58e429ce4a0baf1fb60505fbda + https://github.com/zaproxy/zap-extensions/releases/download/graphql-v0.26.0/graphql-alpha-0.26.0.zap + SHA-256:7578897dd3e517d653d779f90b1565a6cac7c6c838f4107dd44d01f6233faae8 https://www.zaproxy.org/docs/desktop/addons/graphql-support/ https://github.com/zaproxy/zap-extensions/ - 2024-09-24 - 5465649 - 2.15.0 + 2025-01-09 + 5475010 + 2.16.0 commonlib - >= 1.17.0 & < 2.0.0 + >= 1.29.0 & < 2.0.0 @@ -1646,24 +1715,20 @@ to find and add subdomains to the Sites Tree.</li> Invoke Applications Invoke external applications passing context related information such as URLs and parameters ZAP Dev Team - 15 - invoke-beta-15.zap + 16 + invoke-beta-16.zap beta <h3>Changed</h3> <ul> -<li>Update minimum ZAP version to 2.15.0.</li> -</ul> -<h3>Added</h3> -<ul> -<li>Support for menu weights (Issue 8369)</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/invoke-v15/invoke-beta-15.zap - SHA-256:ff93f71447e26971a540d4f5029c5a1590b661dc4a32eb386810fe91b6ae794e + https://github.com/zaproxy/zap-extensions/releases/download/invoke-v16/invoke-beta-16.zap + SHA-256:439fd2ff1d090779bc9f874696286d1685dffa7b83624254c2b92a2daa943464 https://www.zaproxy.org/docs/desktop/addons/invoke-applications/ https://github.com/zaproxy/zap-extensions/ - 2024-05-07 - 322369 - 2.15.0 + 2025-01-09 + 323503 + 2.16.0 @@ -1898,54 +1963,46 @@ to find and add subdomains to the Sites Tree.</li> Network Provides core networking capabilities. ZAP Dev Team - 0.19.0 - network-beta-0.19.0.zap + 0.20.0 + network-beta-0.20.0.zap beta - <h3>Changed</h3> + <h3>Added</h3> +<ul> +<li>Set the local address where (e.g. server, proxy) the request header was received.</li> +</ul> +<h3>Changed</h3> <ul> -<li>Configure the logging to prevent verbose log messages when using BC JSSE provider.</li> -<li>Improve error handling on client's unknown CA TLS alert.</li> -<li>Report available TLS providers when failed to query the TLS/SSL protocol versions.</li> -<li>Rely on the default secure random generator when creating the Root CA certificate to use the most appropriate defined by the security provider.</li> -<li>Update default user-agents.</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/network-v0.19.0/network-beta-0.19.0.zap - SHA-256:68d797708fba51da2edc4dee58130057c0d85a9c73eedde008833a24693ba12b + https://github.com/zaproxy/zap-extensions/releases/download/network-v0.20.0/network-beta-0.20.0.zap + SHA-256:c1465cf14a3d9720735698808e17f79c1890d9f2931027eead65da208803ec9c https://www.zaproxy.org/docs/desktop/addons/network/ https://github.com/zaproxy/zap-extensions/ - 2024-12-23 - 28128362 - 2.15.0 + 2025-01-09 + 28127964 + 2.16.0 oast OAST Support Allows you to exploit out-of-band vulnerabilities ZAP Dev Team - 0.20.0 - oast-beta-0.20.0.zap + 0.21.0 + oast-beta-0.21.0.zap beta - <h3>Added</h3> -<ul> -<li>API support.</li> -<li>Raise alerts for OAST interactions that happened in other sessions.</li> -<li>Options to trim the OAST permanent database.</li> -</ul> -<h3>Changed</h3> -<ul> -<li>Depend on newer version of Database add-on.</li> -</ul> -<h3>Fixed</h3> + <h3>Changed</h3> <ul> -<li>Address warnings when using BOAST payloads.</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Maintenance changes.</li> +<li>Include the handler and source when logging interactions not found in the permanent database.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/oast-v0.20.0/oast-beta-0.20.0.zap - SHA-256:93d0384912c9d64127e02b3114e82596406548f8b8152223fe5f0407cdff923e + https://github.com/zaproxy/zap-extensions/releases/download/oast-v0.21.0/oast-beta-0.21.0.zap + SHA-256:397c614b2a668fb26c6b327c489ee1b6c580440d90ca966e7ce33811ee1dad60 https://www.zaproxy.org/docs/desktop/addons/oast-support/ https://github.com/zaproxy/zap-extensions/ - 2024-09-17 - 844324 - 2.15.0 + 2025-01-09 + 904504 + 2.16.0 @@ -1964,51 +2021,47 @@ to find and add subdomains to the Sites Tree.</li> Online menus ZAP Online menu items ZAP Dev Team - 13 - onlineMenu-release-13.zap + 14 + onlineMenu-release-14.zap release <h3>Changed</h3> <ul> -<li>Update minimum ZAP version to 2.15.0.</li> +<li>Update minimum ZAP version to 2.16.0.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/onlineMenu-v13/onlineMenu-release-13.zap - SHA-256:c605e10c7c38c525d5dfe14f026fe6e11a26fb1055e681b51fd2e5bd576d5e1d + https://github.com/zaproxy/zap-extensions/releases/download/onlineMenu-v14/onlineMenu-release-14.zap + SHA-256:da47b95478c008545f403ffc20640c12c6215211e93727118f0854a2e40c5794 https://www.zaproxy.org/docs/desktop/addons/online-menu/ https://github.com/zaproxy/zap-extensions/ - 2024-05-07 - 208613 - 2.15.0 + 2025-01-09 + 208647 + 2.16.0 openapi OpenAPI Support Imports and spiders OpenAPI definitions. ZAP Dev Team plus Joanna Bona, Nathalie Bouchahine, Artur Grzesica, Mohammad Kamar, Markus Kiss, Michal Materniak, Marcin Spiewak, and SDA SE Open Industry Solutions - 43 - openapi-beta-43.zap + 44 + openapi-beta-44.zap beta - <h3>Added</h3> -<ul> -<li>Allow to import the OpenAPI definitions with a user (Issue 7739).</li> -<li>Honour context exclusions when importing (Issue 8021).</li> -</ul> -<h3>Fixed</h3> + <h3>Changed</h3> <ul> -<li>Allow to select the contexts of the Automation Framework plan when configuring the job.</li> -<li>Correctly handle empty context name in the Automation Framework job.</li> +<li>Update minimum ZAP version to 2.16.0.</li> +<li>Depend on newer version of Common Library add-on (Issue 8016).</li> +<li>Fields with default or missing values are omitted for the <code>openapi</code> job in saved Automation Framework plans.</li> </ul> - https://github.com/zaproxy/zap-extensions/releases/download/openapi-v43/openapi-beta-43.zap - SHA-256:f72b0061547ec3e72f6e9e3ec83a86c730e48208788acf10b690fa456866ef73 + https://github.com/zaproxy/zap-extensions/releases/download/openapi-v44/openapi-beta-44.zap + SHA-256:e0c15ccdf49c083b6992bc3ef0175e1aa24bc32912ec3dbdcc7b71beafe46a46 https://www.zaproxy.org/docs/desktop/addons/openapi-support/ https://github.com/zaproxy/zap-extensions/ - 2024-09-23 - 11513623 - 2.15.0 + 2025-01-09 + 11575879 + 2.16.0 commonlib - >= 1.26.0 & < 2.0.0 + >= 1.29.0 & < 2.0.0 diff --git a/build.gradle.kts b/build.gradle.kts index 94636de..cec02d1 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -87,13 +87,13 @@ spotless { val noAddOnsZapVersions = "ZapVersions.xml" val devZapVersions = "ZapVersions-dev.xml" -val nameLatestZapVersions = "ZapVersions-2.15.xml" +val nameLatestZapVersions = "ZapVersions-2.16.xml" val latestZapVersions = file(nameLatestZapVersions) val ghUser = GitHubUser("zapbot", "12745184+zapbot@users.noreply.github.com", System.getenv("ZAPBOT_TOKEN")) val adminRepo = GitHubRepo("zaproxy", "zap-admin", rootDir) -val addOnsZapVersions = files(devZapVersions, latestZapVersions, "ZapVersions-2.16.xml") +val addOnsZapVersions = files(devZapVersions, latestZapVersions) val defaultChecksumAlgorithm = "SHA-256" tasks {