OWASP ZAP w2020-02-24 released: pentesting tool for finding vulnerabilities in web applications

The OWASP Zed Attack Proxy (ZAP) is easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Some of ZAP’s features:

• Open source
• Cross-platform
• Easy to install (just requires java 1.7)
• Completely free (no paid for ‘Pro’ version)
• Ease of use a priority
• Comprehensive help pages
• Fully internationalized
• Translated into a dozen languages
• Community-based, with involvement, actively encouraged
• Under active development by an international team of volunteers

Some of ZAP’s functionality:

• Intercepting Proxy
• Traditional and AJAX spiders
• Automated scanner
• Passive scanner
• Forced browsing
• Fuzzer
• Dynamic SSL certificates
• Smartcard and Client Digital Certificates support
• Web sockets support
• Support for a wide range of scripting languages
• Plug-n-Hack support
• Authentication and session support
• Powerful REST-based API
• Automatic updating option
• Integrated and growing marketplace of add-ons

OWASP ZAP w2020-02-24 has been released.

Changelog

Session Management Scripts

It’s now possible to define scripts which handle non standard or more complex session management.
Session Management scripts have full access to the authentication request and response and can define custom mandatory and optional parameters. An example session management script for OWASP Juice shop is provided.

Active Scan Filter

It’s now possible to filter requests in Active Scan. Below are the supported criteria’s:

• HTTP method
• Status code
• Tags
• URL pattern

Custom Global/Script Variables

It’s now possible for scripts to share custom global/script variables, which can be of any type not just strings, for example, lists, maps, GUI models.
In JavaScript they are accessed/set as follows:

var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars")

ScriptVars.setScriptCustomVar(this.context, "var.name", {x: 1, y: 3})
print(ScriptVars.getScriptCustomVar(this.context, "var.name").y) // Prints 3

ScriptVars.setGlobalCustomVar("var.name", ["A", "B", "C", "D"])
print(ScriptVars.getGlobalCustomVar("var.name")[2]) // Prints C

 

 

 

 

 

Scan Rule Promotions

The following scan rules have been promoted:

Passive Scan Rules – Release

• Cookie Without SameSite Attribute
• Cross Domain Misconfiguration
• Information Disclosure: In URL
• Information Disclosure: Referrer
• Information Disclosure: Suspicious Comments
• Server Leaks Information via “X-Powered-By” HTTP Response Header Field(s)
• Timestamp Disclosure
• Username Hash Found
• X-AspNet-Version Response Header Scanner
• X-Debug-Token Information

Filters Classes Removal

The classes/code for Filters functionality, deprecated since ZAP 2.4.0, has been removed. Add-ons that still use that will stop working.

Changes in Bundled Libraries

The following libraries were removed:

• JDOM
• Diff Utils

no longer in use by core, add-ons should bundle the library, if needed. The following libraries were updated:

• Bouncy Castle, 1.61 → 1.64
• Commons BeanUtils, 1.9.3 → 1.9.4
• Commons Codec, 1.12 → 1.13
• Commons CSV, 1.6 → 1.7
• Commons Text, 1.6 → 1.8
• HSQLDB, 2.4.1 → 2.5.0
• Nashorn Sandbox, 0.1.25 → 0.1.26
• RSyntaxTextArea, 3.0.3 → 3.0.4
• SQLite JDBC, 3.27.2.1 → 3.28.0

Enhancements

• Issue 2016 : Choose a unique port in the GUI if theres a clash
• Issue 2619 : Allow add-ons to declare/bundle its dependencies
• Issue 3358 : Enhancement: Options Panel Filter
• Issue 3402 : Share custom variables between scripts
• Issue 3491 : Feature-Request: Select Multiple Contexts
• Issue 4963 : Allow to specify the URI of the login page
• Issue 5278 : Ability to filter what requests the Active Scans run against
• Issue 5303 : API calls for adding and changing alerts
• Issue 5436 : Add new languages to context tech
• Issue 5464 : Deprecate Context.getIndex and implement Context.getId
• Issue 5466 : Add utility methods to Alert class
• Issue 5550 : Load additional local proxies with defaults
• Issue 5563 : Include Import/Online menus in Options > Keyboard
• Issue 5598 : Revise site certificate validity period to 825d
• Issue 5614 : Manual Request Editor Icon
• Issue 5630 : Support session management scripts
• Issue 5656 : Add Base64url to Encoder/Decoder Tool
• Issue 5667 : Improve permissions and space handling when saving/exporting
• Issue 5671 : Check for updates in daemon mode
• Issue 5672 : Do not prompt to accept the license on first start
• Issue 5680 : Update dependencies
• Issue 5681 : Remove unused dependencies
• Issue 5691 : Expose Context details to passive scan rules
• Issue 5696 : Expose Context techset directly to passive scan rules
• Issue 5723 : AntiCSRF Tokens Add New Defaults
• Issue 5756 : HttpHeader provide List variant for getHeaders(String)
• Issue 5774 : Allow to enable/disable all passive tags through the API
• Issue 5779 : MacOS DMG – switch back to HFS+
• Issue 5782 : Update default user agent
• Issue 5785 : Add tooltip listing all proxies to the footer Primary Proxy label
• Issue 5795 : Handle quoted URL in meta refresh

Bug fixes

• Issue 1164 : Manual “Resend” sets cookies on response
• Issue 4003 : Issues when using ‘low memory’ mode.
• Issue 5427 : Update HTTP Protocol Version in Manual Request Editor
• Issue 5449 : API not responding – Internal Error
• Issue 5452 : Do not remove resource bundle of other extensions
• Issue 5486 : Fix counting error in Statistics
• Issue 5487 : Add saved scripts of registered script type
• Issue 5490 : Anti-CSRF tokens not encoded in authentication requests
• Issue 5491 : Auth request without request-target from auth script causes exceptions
• Issue 5492 : Improve error handling when creating scan policies
• Issue 5518 : ZAP might not use outgoing proxy authentication credentials
• Issue 5585 : ZAP 2.8.1 hanging on kali
• Issue 5613 : Cope with missing token in auth POST data
• Issue 5619 : The -configfile option can fail with arrays
• Issue 5622 : Consistent SessionTracking Button Sync
• Issue 5624 : Alert parameter might not be properly loaded
• Issue 5636 : script.js never served on localhost
• Issue 5704 : Wait for add-ons to be installed
• Issue 5743 : Find + Cancel buttons are neither centered nor flush right
• Issue 5744 : Improve labels of Search menu items
• Issue 5780 : Don’t display messages when deleting them
• Issue 5783 : Disable JAR caching by default
• Issue 5794 : Correct MailTo pattern for RegexAutoTagScanner

Download

OWASP ZAP Tutorial

Copyright (C) yhawke, thc202, psiinon