Authentication Improvements
The Authentication Help blog post introduced a new add-on focused on making ZAP authentication easier.
The initial release just included support for authentication request identification and automatic configuration, but the blog post also explained that future plans include:
- Header based session handling - a new session management method which will support an arbitrary number of headers based on data from the authentication response.
- Session handling detection - automatically detecting common session management methods.
- Session handling configuration - automatically configuring ZAP to handle session management in a similar way to the authentication handling above.
- Verification detection - reporting a set of URLs that appear to be suitable for authentication verification.
- Verification configuration - automatically configuring ZAP to handle authentication verification.
A PR for Header based session management has already been submitted and is in review: #4374
Another blog post, Authentication using Selenium (which strictly speaking was in February 😉), detailed how to set up ZAP to handle complex authentication for a modern web app.
Jump to History ID
The core was updated to add an option to jump to a specific request in the History table using the ID. This is available via the context menu in the History table and using the CTRL + ALT + J keyboard combination. It is available in the latest weekly release.
OWASP Global AppSec Dublin
OWASP Global AppSec Dublin will be running from Feb 13-16 (2 days training, 2 days conf).
I’m going so if you are too then please let me know - I’d love to catch up with ZAP users and contributors!
I’ll be at the conference on the 15th only (probably on or around the Jit stand) but also at the Jit & Semgrep Happy Hour on Feb 14th 5pm-8pm.
You’re all invited, but book a ticket if you want to come along as they are likely to all go quickly!
Stats
Statistics from the 2 main ZAP repos.
zaproxy
Excluding merges, 5 authors have pushed 10 commits to main and 10 commits to all branches. On main, 210 files have changed and there have been 1,630 additions and 1,414 deletions.
zap-extensions
Excluding merges, 6 authors have pushed 47 commits to main and 47 commits to all branches. On main, 500 files have changed and there have been 5,837 additions and 2,774 deletions.
Ongoing Work
HTTP/2 Support
As explained in the 2022 Review, HTTP/2 support is complete in the weekly releases and will be included in the next full ZAP release.
As such, it will be removed from this section from next month.
Authentication
The authentication improvements already made are detailed above. Future changes are planned and will be detailed in the section in future months.
Selenium 4
Selenium v4 has been out for a while and we are actively working on updating ZAP to use it. There is a chance that this update could break existing scripts - more details when we have them.
Website Updates
The following new pages were added:
- Blog: Authentication Help
- Success Story: Codific
- FAQ: What is ZAP’s assurance case?
Updated Add-ons
Active scanner rules (beta) version 44
Changed
- Use lower case HTTP field names for compatibility with HTTP/2.
Fixed
- Preserve the HTTP version in the scan rules:
  - Backup File Disclosure
  - Bypassing 403
  - Cross-Domain Misconfiguration
  - Relative Path Confusion
  - Source Code Disclosure - Git
  - Source Code Disclosure - SVN
  - Possible Username Enumeration
Linux WebDrivers version 49
Added
- Add aarch64/arm64 geckodriver (Issue 7650).
Authentication Helper version 0.1.0
Added
- Support of authentication request identification and configuration.
Windows WebDrivers version 48
Changed
- Update ChromeDriver to 109.0.5414.74.
MacOS WebDrivers version 49
Changed
- Update ChromeDriver to 109.0.5414.74.
Linux WebDrivers version 48
Changed
- Update ChromeDriver to 109.0.5414.74.
Retire.js version 0.19.0
Changed
- Updated with upstream retire.js pattern changes.
- Maintenance changes.