Releases: zaproxy/zap-extensions

Passive scanner rules version 60

02 Sep 17:00
151c90e

Changed

  • Clarified Missing Anti-clickjacking Header description.
  • Depend on Passive Scanner add-on to include it by default (Issue 7959).
  • Re-examine Cache-control Directives scan rule now ignores cache-control for POST method requests (Issue 8592).

Fixed

  • Polyfill scan rule running slowly.
  • Only scan text responses for:
    • Hash Disclosure
    • Private IP Disclosure
    • Username Hash Found
  • Performance improvements for:
    • Cross-Domain JavaScript Source File Inclusion.
    • Cross-Domain Misconfiguration.

Passive Scanner version 0.0.1

02 Sep 17:00
151c90e

Added

  • Provide the Passive Rules script type (Issue 7959).
  • Provide the Stats Passive Scan Rule (Issue 7959).
  • Provide the scan status label (Issue 7959).
  • Provide the pscan API on newer ZAP versions (Issue 7959).
  • Dynamically un/load add-on passive scan rules (Issue 7959).

Network version 0.17.0

02 Sep 17:00
151c90e

Changed

  • Maintenance changes.

Fixed

  • Guard against user without authentication state.
  • Fix exception after regenerating the root CA cert during ZAP startup (Issue 8499).
  • Use configured timeout as default.

Common Library version 1.27.0

02 Sep 17:00
151c90e

Fixed

  • Address false positives/negatives when handling cookies without name value pair separator (Issue 8613).

Call Home version 0.13.0

02 Sep 17:00
151c90e

Added

  • Tech stats to telemetry.

Automation Framework version 0.42.0

02 Sep 16:59
151c90e

Added

  • Allow configuring the structural parameters of a context (Issue 7780).

Fixed

  • NPE in GUI if the technology was not specified.

Changed

  • Rely on Passive Scanner add-on for the passive scan related jobs (Issue 7959).

Deprecated

  • The classes of the passive scan related jobs are now deprecated and will be removed in a following release; use the classes from the Passive Scanner add-on instead (Issue 7959).

Authentication Helper version 0.15.1

02 Sep 17:00
151c90e

Changed

  • Restored stats removed in previous release as these could be used in AF tests.

Active scanner rules (beta) version 55

02 Sep 17:00
151c90e
Compare
Choose a tag to compare

Changed

  • The following scan rules now include example alert functionality for documentation generation purposes (Issue 6119):
    • Expression Language Injection
    • Cookie Slack Detector

Fixed

  • Potential false positives in the Source Code Disclosure - File Inclusion scan rule when responses are empty or the original message resulted in an error to start with (Issue 8517).
  • A spacing/punctuation issue in the Cookie Slack Detector scan rule, whereby the Other Info field would not have a space after colons and before lists of cookie names.

Active scanner rules (alpha) version 48

02 Sep 17:00
151c90e

Changed

  • Update minimum ZAP version to 2.15.0.

Fixed

  • Alert text for various rules has been updated to use periods and spaces more consistently.
  • Potential false positives in the LDAP Injection scan rule when the original message resulted in an error to start with (Issue 8519).

Windows WebDrivers version 101

29 Aug 14:18
39d7c90

Changed

  • Update ChromeDriver to 128.0.6613.86.