OWASP ZAP 2.4.0 - Penetration Testing Tool for Testing Web Applications

Wednesday, April 15, 2015


ZAP is an OWASP Flagship project, and is currently the most active open source web application security tool.

For a quick introduction to the new release see this video:



Some of the most significant changes include:

‘Attack’ Mode

A new ‘attack’ mode has been added that means that applications that you have specified are in scope are actively scanned as they are discovered.

Advanced Fuzzing

A completely new fuzzing dialog has been introduced that allows multiple injection points to be attacked at the same time, as well as introducing new attack payloads including the option to use scripts for generating the payloads as well as pre and post attack manipulation and analysis.

Scan Policies

Scan policies define exactly which rules are run as part of an active scan.
They also define how these rules run influencing how many requests are made and how likely potential issues are to be flagged.
The new Scan Policy Manager dialog allows you to create, import and export as many scan policies as you need. You select any scan policy when you start an active scan and also specify the one used by the new attack mode.
Scan policy dialog boxes allow sorting by any column, and include a quality column (indicating if individual scanners are Release, Beta, or Alpha quality).

Scan Dialogs with Advanced Options

New Active Scan and Spider dialogs have replaced the increasing number of right click 'Attack' options. These provide easy access to all of the most common options and optionally a wide range of advanced options.

Hiding Unused Tabs

By default only the essential tabs are now shown when ZAP starts up.
The remaining tabs are revealed when they are used (e.g. for the spider and active scanner) or when you display them via the special tab on the far right of each window with the green '+' icon. This special tab disappears if there are no hidden tabs.
Tabs can be closed via a small 'x' icon which is shown when the tab is selected.
Tabs can also be 'pinned' using a small 'pin' icon that is also shown when the tab is selected - pinned tabs will be shown when ZAP next starts up.

New Add-ons

Two significant new ‘alpha’ quality add-ons are available:
  • Access Control Testing: adds the ability to automate many aspects of access control testing.
  • Sequence Scanning: adds the ability to scan 'sequences' of web pages, in other words pages that must be visited in a strict order in order to work correctly.
These can both be downloaded from the ZAP Marketplace.

New Scan Rules

A number of significant new ‘alpha’ quality scanners are available:
  • Relative Path Confusion: Allows ZAP to scan for issues that may result in XSS, by detecting if the browser can be fooled into interpreting HTML as CSS.
  • Proxy Disclosure: Allows ZAP to detect forward and reverse proxies between the ZAP instance and the origin web server / application server.
  • Storability / Cacheability: Allows ZAP to passively determine whether a page is storable by a shared cache, and whether it can be served from that cache in response to a similar request. This is useful from both a privacy and application performance perspective. The scanner follows RFC 7234.
Support has also been added for Direct Web Remoting as an input vector for all scan rules.

Changed Scan Rules

  • External Redirect: This plugin’s ID has been changed from 30000 to 20019, in order to more closely align with the established groupings. (This change may be of importance to **API Users**). Additionally some minor changes have been implemented to prevent collisions between injected values and in-page content, and improve performance. (Issues: 1529 and 1569)
  • Session ID in URL Rewrite: This plugin has been updated with a minimum length check for the value of the parameters it looks for. A false positive condition was raised related to this plugin (Issue 1396) whereby sID=5 would trigger a finding. Minimum length for session IDs as this plugin interprets them is now eight (8) characters.
  • Client Browser Cache: The active scan rule TestClientBrowserCache has been removed. Checks performed by the passive scan rule CacheControlScanner have been slightly modified. (Issue 1499)

More User Interface Changes

  • The ZAP splash screen is back: It now includes new graphics, a tips & tricks module, and loading/progress info.
  • The active scan dialog show the real plugin’s progress status based on the number of nodes that need to be scanned.
  • There is a new session persistence options dialog that prompts the user for their preferred settings at startup (you can choose to “Remember” the option and not be asked again).
  • For all Alerts the Risk field (False Positive, Suspicious, Warning) has been replaced with a more appropriately defined Confidence field (False Positive, Low, Medium, High, or Confirmed).
  • Timestamps are now optionally available for the output tab.

Extended API Support

The API now supports the spidering and active scanning or multiple targets concurrently, the management of scan policies as well as even more of the ZAP functionality.

Internationalized Help Add-ons

The help files are internationalized via https://crowdin.net/project/owasp-zap-help.
If you use ZAP in one of the many languages we support, then look on the ZAP Marketplace to see if the help files for that language are available. These will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.

Release Notes

See the Release Notes (https://code.google.com/p/zaproxy/wiki/HelpReleases2_4_0) for a full list of all of the changes included in this release.




Subscribe via e-mail for updates!