Releases: zaproxy/zap-extensions
Windows WebDrivers version 128
Changed
- Update ChromeDriver to 134.0.6998.35.
MacOS WebDrivers version 128
Changed
- Update ChromeDriver to 134.0.6998.35.
Linux WebDrivers version 128
Changed
- Update ChromeDriver to 134.0.6998.35.
Technology Detection version 21.45.0
Changed
- Updated with enthec upstream icon and pattern changes.
Retire.js version 0.45.0
Changed
- Updated with upstream retire.js pattern changes.
- Make Alert's Description, Solution, and References generic, and provide finding specific details via Other Info.
Report Generation version 0.38.0
Fixed
- Themes are once again properly taken into account when generating reports (Issue 8854).
Added
- Allow report data to be cleaned up after the report generation.
- Allow reports to read HTTP messages through the report helper.
Passive scanner rules (beta) version 43
Changed
- Replace usage of CWE-200 for the In Page Banner Information Leak scan rule (Issue 8731).
- Add support for 'credentialless' COEP value in the Insufficient Site Isolation Against Spectre Vulnerability scan rule (Issue 8840).
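The 'credentialless' change above concerns which Cross-Origin-Embedder-Policy values count as isolating. The following is an added illustration, not code from the zap-extensions project: a simplified check over one response's headers that treats both COEP values (`require-corp` and `credentialless`) as acceptable. The accepted COOP/COEP/CORP values come from the respective specifications; the way findings are structured is an assumption about how such a passive check could look, not the ZAP rule's actual logic.

```python
"""Simplified site-isolation header check (added example, not ZAP's own code).

Models the idea behind a passive "insufficient site isolation" rule: a
document is only protected against cross-origin Spectre-style reads when all
three isolation headers are present with a non-default value.
"""

# Values that actually isolate a document; "unsafe-none" (the default) does not.
ISOLATING_COOP = {"same-origin", "same-origin-allow-popups"}
# Both COEP values force cross-origin subresources to opt in; "credentialless"
# does so by stripping credentials instead of requiring a CORP header.
ISOLATING_COEP = {"require-corp", "credentialless"}
ISOLATING_CORP = {"same-origin", "same-site"}


def _header(headers, name):
    """Case-insensitive lookup; returns the stripped, lowercased value or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip().lower()
    return None


def site_isolation_findings(headers):
    """Return human-readable findings for one response's headers.

    An empty list means COOP, COEP and CORP are all present and isolating.
    Findings are reported in the fixed order COOP, COEP, CORP.
    """
    findings = []
    checks = [
        ("COOP", "Cross-Origin-Opener-Policy", ISOLATING_COOP),
        ("COEP", "Cross-Origin-Embedder-Policy", ISOLATING_COEP),
        ("CORP", "Cross-Origin-Resource-Policy", ISOLATING_CORP),
    ]
    for label, header_name, accepted in checks:
        value = _header(headers, header_name)
        if value is None:
            findings.append(f"{label} missing")
        elif value not in accepted:
            # e.g. an explicit "unsafe-none", or an unknown token a browser ignores
            findings.append(f"{label} weak: {value}")
    return findings


if __name__ == "__main__":
    # Constructed sample responses (not captured from any real site).
    hardened = {
        "Content-Type": "text/html",
        "Cross-Origin-Opener-Policy": "same-origin",
        "Cross-Origin-Embedder-Policy": "credentialless",
        "Cross-Origin-Resource-Policy": "same-origin",
    }
    weak = {"Content-Type": "text/html",
            "cross-origin-embedder-policy": "unsafe-none"}
    print("hardened:", site_isolation_findings(hardened) or "no findings")
    print("weak:", site_isolation_findings(weak))
```

The check deliberately accepts `credentialless` without any further condition; a stricter variant could require CORP on every embedded subresource, but that needs the subresource responses, which a single-message passive check does not have.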
Passive scanner rules (alpha) version 44
Changed
- Update minimum ZAP version to 2.16.0.
- Maintenance changes.
- Replace usage of CWE-200 for the Base64 Disclosure scan rule (Issue 8730).
Passive scanner rules version 63
Fixed
- Refactored Loosely Scoped Cookie to comply with the latest RFC standards and streamline the loosely scoped cookie check (Issue 8863).
- The Absence of Anti-CSRF Tokens scan rule now only considers forms with GET method at Low Threshold. (Forms submitted via GET, not forms delivered via GET.)
- The Information Disclosure - Suspicious Comments scan rule:
  - Should now be less false positive prone on JavaScript findings (Issues 6622 & 6736).
  - Now skips obvious font requests even if their content type is text/html or text related.
- Updated Timestamp Disclosure Scan Rule to skip JavaScript files when Alert Threshold is set to High (Issue 8380).
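The Loosely Scoped Cookie fix above refers to the RFC 6265 domain rules. As an added illustration (not the ZAP rule's own code), the function below classifies a `Set-Cookie` header against the request host using the RFC 6265 canonicalisation (drop one leading dot, lowercase) and domain-matching steps. The category names and the decision to report a non-matching Domain as "rejected" rather than as a finding are assumptions made for this example.

```python
"""Classify cookie scope per RFC 6265 (added example, not ZAP's own code).

A cookie is "loosely scoped" when its Domain attribute names a parent domain
of the host that set it (e.g. app.example.com sets Domain=example.com), so
every sibling host under that domain also receives it.
"""


def canonical_domain(value):
    """RFC 6265 section 5.2.3: strip one leading '.', lowercase; None if empty."""
    value = value.strip().lower()
    if value.startswith("."):
        value = value[1:]
    return value or None


def domain_matches(host, domain):
    """RFC 6265 section 5.1.3 domain-matching; host is assumed not to be an IP."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def classify_cookie(request_host, set_cookie):
    """Return (cookie_name, category) for one Set-Cookie header value.

    Categories: 'host-only' (no Domain attribute), 'exact-domain' (Domain equals
    the host), 'loosely-scoped' (Domain is a parent of the host), 'rejected'
    (Domain does not match the host, so a browser would discard the cookie).
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain_attr = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            # an empty Domain= is ignored by the RFC, which leaves the cookie host-only
            domain_attr = canonical_domain(val)
    if domain_attr is None:
        return name, "host-only"
    if not domain_matches(request_host, domain_attr):
        return name, "rejected"
    if domain_attr == request_host.lower():
        return name, "exact-domain"
    return name, "loosely-scoped"


def loosely_scoped_cookies(request_host, set_cookie_headers):
    """Names of cookies from a response that are scoped wider than the host."""
    return [name for name, cat in
            (classify_cookie(request_host, h) for h in set_cookie_headers)
            if cat == "loosely-scoped"]


if __name__ == "__main__":
    # Constructed sample response headers (not captured from any real site).
    sample = [
        "sid=abc123; Path=/; Secure; HttpOnly",
        "pref=dark; Domain=.Example.com; Path=/",
        "tmp=1; Domain=app.example.com",
    ]
    print(loosely_scoped_cookies("app.example.com", sample))  # ['pref']
```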
Changed
- Replace usage of CWE-200 for the following rules (Issue 8712):
  - Application Error Disclosure (Issue 8716)
  - HTTP Server Response Header
  - Hash Disclosure
  - Information Disclosure - Debug Error Messages
  - Information Disclosure - Sensitive Information in HTTP Referrer Header
  - Information Disclosure - Sensitive Information in URL
  - Information Disclosure - Suspicious Comments
  - Private IP Disclosure
  - Server Leaks Information via "X-Powered-By" HTTP Response Header
  - Session ID in URL Rewrite
  - Timestamp Disclosure
  - X-Backend-Server Header Information Leak
  - X-ChromeLogger-Data (XCOLD) Header Information Leak
  - X-Debug-Token Information Leak
- Removed lack of "report-uri" or "plugin-types" from "CSP: Wildcard Directive" alerts when missing. plugin-types is deprecated and report-uri has no impact for this issue. (Issue 8700)
Network version 0.21.0
Fixed
- Ensure message properties are kept mutable even in case of connection close.