This month saw one of the biggest changes to ZAP since it was launched in 2010 - the move to a brand new foundation!
We have also published a new questionnaire to find out what you think we should focus our development efforts on - so please fill this in.
And despite all of the migration work there have been several other very significant changes this month, so read on…
Highlights
ZAP Move to SSP from OWASP
The (very) big news this month was the move from OWASP to the Software Security Project.
The move means that we now have doubled the number of people able to work on ZAP full time, from 1 to 2 😁
A lot of effort this month has focused on rebranding and moving away from some of the OWASP accounts we were using.
The following URLs, services, and defaults have changed:
Docker Hub
The official ZAP Docker images are now in the Software Security Project Docker Hub Organisation. The OWASP links should continue to work but we recommend you change to use the new ones ASAP.
Note that you can also pull the ZAP Docker images from GitHub Container Registry.
Crowdin
The Crowdin projects used for translating ZAP have changed to:
- https://crowdin.com/project/zaproxy for translating the Desktop
- https://crowdin.com/project/zap-help for translating the Desktop Help
API Clients
The Python API client is now: https://pypi.org/project/zaproxy/
Webswing Default Certificate Names
The certificates ZAP creates when launching Webswing have changed to:
- zap_root_ca.crt - the public ZAP Root CA certificate
- zap_root_ca.key - the ZAP Root CA private key
ZAP on Winget
ZAP is now available via Winget - the official Microsoft Windows Package Manager.
Community Scripts Tips (and Tricks)
A blog post was published drawing attention to the new section added to the community-scripts repository - please submit your ideas and usage tips for ZAP and its add-ons here.
ZAP Development Focus Questionnaire
A blog post was published highlighting the new ZAP questionnaire - this is your chance to influence what we, the ZAP Core Team, focus our efforts on. Thank you to everyone who has already completed it (the current results are very revealing!) and if you have not completed it then please do so ASAP!
GraalJS Classloader Fix
We have had an ongoing problem with the GraalVM JavaScript add-on which meant that it was not possible to reference classes in ZAP add-ons. This significantly impacted its usefulness.
The good news is that, following a fix in the GraalVM code and some core changes, this is no longer a problem! Note that because this requires core changes, the fix will only work in the nightly releases and (from next week) the weekly releases until 2.14.0 is released.
API Support for File Transfers
The latest weekly release supports the ability to upload and download files to and from ZAP via the API. For more details see this post on the ZAP User Group.
GitHub Pulse
Here are some statistics for the two main ZAP repositories:
zaproxy
Excluding merges, 7 authors have pushed 39 commits to main and 39 commits to all branches. On main, 133 files have changed and there have been 1,677 additions and 47,904 deletions.
zap-extensions
Excluding merges, 8 authors have pushed 74 commits to main and 74 commits to all branches. On main, 657 files have changed and there have been 8,390 additions and 2,731 deletions.
A total of 192 PRs were merged on the ZAP repos.
Ongoing Work
2.14.0 Release
We are actively working on getting ZAP 2.14.0 ready for release. You can track the progress in the 2.14.0 Milestone.
Google Summer of Code
Both of the Google Summer of Code projects are progressing well and we hope to be able to release new add-ons for them soon.
New Supporters
As per the blog post ZAP is Joining the Software Security Project, the Software Security Project is now sponsoring both myself and Ricardo to work full time on ZAP!
Please find a list of all our supporters on the Supporters page.
New Contributors
A very warm welcome to the people who started to contribute to ZAP in the last 2 months (we did not have an update blog post last month).
- Patrick Double (double16)
- Laurent Laubin (Quarkslab)
- Shershon A J (Shershon25)
Website Updates
The following new pages were added:
- Alert: Access Control Issue - Improper Authentication
- Alert: Access Control Issue - Improper Authorization
- Blog: ZAP is Joining the Software Security Project
- Blog: ZAP is Available via Winget
- Blog: Community - Tips and Tricks
- Blog: What Should We Focus On?
- FAQ: Why does ZAP Access Out of Scope Domains?
The following pages had significant changes:
- FAQ: How can you speed up scans?
- Authentication: Documented SSO Solutions
Released add-ons - Full Changelog
In August 2023, we released updated versions of 10 add-ons:
Common Library (v1.16.0)
Added
- Provide Jackson parsing library, to reuse the library in other add-ons (Issue 7961).
Changed
- Maintenance changes.
Linux WebDrivers (v58)
Changed
- Update ChromeDriver to 115.0.5790.170.
Linux WebDrivers (v59)
Changed
- Update ChromeDriver to 116.0.5845.96.
MacOS WebDrivers (v58)
Changed
- Update ChromeDriver to 115.0.5790.170.
MacOS WebDrivers (v59)
Changed
- Update ChromeDriver to 116.0.5845.96.
Report Generation (v0.24.0)
Changed
- Maintenance changes.
- The following reports now include “Other Info” for alerts:
  - Traditional HTML Report
  - Traditional HTML Report with requests and responses
  - Traditional Markdown Report
  - Traditional PDF Report
- Depend on Common Library add-on to reuse libraries (Issue 7961).
- Update program name in reports.
Retire.js (v0.25.0)
Changed
- Updated with upstream retire.js pattern changes.
- Maintenance changes.
Wappalyzer - Technology Detection (v21.23.0)
Changed
- Maintenance changes.
- Update minimum ZAP version to 2.13.0.
- Updated with upstream Wappalyzer icon and pattern changes.
Windows WebDrivers (v57)
Changed
- Update ChromeDriver to 115.0.5790.170.
Windows WebDrivers (v58)
Changed
- Update ChromeDriver to 116.0.5845.96.