Releases: zaproxy/zap-extensions
Common Library version 1.9.0
Changed
- Maintenance changes.
Active scanner rules version 46
Changed
- Maintenance changes.
Fixed
- Fix Cross Site Scripting (Reflected) scan rule false negatives introduced in previous version.
Active scanner rules (beta) version 40
Changed
- Hidden File Finder scan rule, content checking has been added for .svn/entries as well as detection for wc.db.
- Use Network add-on to detect/serve HttPoxy scan rule requests.
- Maintenance changes.
- The CSRF Token scan rule will now raise alerts as Medium risk (Issue 7021).
Fixed
- Adapted Cloud Metadata Attack scan rule to use Custom Pages and active scan analyzer to help reduce false positives in certain cases (Issue 7033).
- Generic Padding Oracle scan rule will no longer raise an alert for validation fields when the error response contains expected error patterns (Issue 6183).
- Hidden File Finder no longer follows redirects when sending requests for potential hidden files which should make it less false positive prone (Issue 7036).
Active scanner rules version 45
Changed
- Remote OS Command Injection rule now has more information in the Other Info field to differentiate feedback-based and time-based tests.
- Path Traversal scan rule, updated the regex for case 5 to be case-insensitive when searching for Error or Exception in content body.
- Maintenance changes.
Fixed
- Server Side Code Injection scan rule, prevent use of zero when injecting ASP multiplication to avoid false positives (Issue 7107).
- Fixed the External Redirect scan rule to detect redirects when dots are deny listed.
- Cross Site Scripting (Reflected) scan rule will no longer raise an alert for unsuccessful JavaScript string injections (Issue 1641).
WebSockets version 25
Changed
- Update minimum ZAP version to 2.11.1.
- Update the reference links used in the Username IDOR passive scan script.
- Reset the name of the connection threads when not actively used.
Fixed
- Fix exception when manually reconnecting to the server.
- Stop properly when shutting down.
Passive scanner rules version 39
Added
- Alert refs for the alerts which use them (10020 and 10032).
Changed
- Moved the detail information in Content Security Policy Rule to the otherInfo field and added alertRef ids.
- Address false positive condition for Timestamp Disclosure scan rule when values are percentages (Issue 7057).
- Update Cache-control scan rule name, description, and solution to make it more clear that there are cases in which caching is reasonable. Reduced risk to Info (Issue 6462).
- Maintenance changes.
- The CSRF Token scan rule will now raise alerts as Medium risk and Low confidence (Issue 7021).
Fixed
- CSP scan rule will now alert in situations where default-src contains 'unsafe-inline' or is not defined (Issue 7120). In certain situations this may mean a marked increase in CSP related Alerts.
- A typo was corrected in the CSP scan rule which was causing invalid assessment of "connect-src" directives.
Import/Export version 0.1.0
Changed
- Reduce logging and display a warning dialog when unable to read files being imported (Issue 7081).
- Promoted to Beta.
Added
- Importing a file of URLs or HAR is now displayed in the progress panel provided via commonlib.
- Automation Framework (Issue 7078).
Common Library version 1.8.0
Added
- A generic component for displaying progress, such as when importing an openapi definition (Issue 6783).
Changed
- Maintenance changes.
Windows WebDrivers version 36
Changed
- Update ChromeDriver to 99.0.4844.51.
MacOS WebDrivers version 36
Changed
- Update ChromeDriver to 99.0.4844.51.