ZAP 2.5.0 is now available: https://github.com/zaproxy/zaproxy/wiki/Downloads
This release contains a large number of enhancements and fixes which are detailed in the release notes: https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_5_0
API changes
There have been some API changes that are not backwards compatible, which is the reason for the version bump to 2.5. These are detailed in the release notes.
The API has also been extended to cover even more of the functionality in ZAP, including full access to the statistics.
The Java API is no longer packaged with this release.
You can download the latest version from: https://github.com/zaproxy/zap-api-java/releases
It will also be available on Maven Central:
- GroupId: ‘org.zaproxy’
- ArtifactId: ‘zap-clientapi’
- Version: ‘1.0.0’
Daemon obeys Mode
ZAP now obeys the mode setting (safe, protected, standard or attack) when running as a headless daemon, so a daemon started in safe or protected mode is constrained in the same way as the desktop UI would be.
Spider subtree option
The spider now has an option to constrain it to a specific subtree. This allows you to explore one part of an application without having to cover all of it.
Statistics
ZAP now maintains a wide range of statistics which can be invaluable for understanding what is really happening when interacting with large applications.
These are available via the API and can also be sent to a Statsd server.
For more information see https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsStats
Docker
The stable and weekly Docker images now allow you to run the ZAP Desktop UI in a browser.
This means that you can run ZAP without having to install Java.
For more details see https://github.com/zaproxy/zaproxy/wiki/WebSwing
The Docker images also include the ‘ZAP Baseline’ script.
This runs the ZAP spider against the specified target for (by default) 1 minute and then waits for the passive scanning to complete before reporting the results.
Because the script performs no active 'attacks' and only spiders and passively scans, it runs for a relatively short period of time (a few minutes at most) and sends the target nothing beyond the spider's crawl requests.
This makes it well suited to running in a CI/CD pipeline, even against production sites.
For more details see https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan
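The following is an added example of how a CI job might drive the ZAP Baseline script described above; it is not code from the ZAP project. It assumes the Docker image name `owasp/zap2docker-stable`, the `/zap/wrk` mount point, the `-t`, `-r`, `-m` and `-c` options, the tab-separated rules-file format written by `zap-baseline.py -g`, and the exit-code convention (0 = pass, 1 = at least one FAIL, 2 = WARNs only, 3 = error); all of these are taken from my recollection of the wiki page linked above and should be checked against it before use. The sample rules file is constructed, not real scan output.

```python
"""CI wrapper around the ZAP Baseline script shipped in the ZAP Docker images.

Added example, not part of ZAP. Image name, mount point, script options and
exit codes below are assumptions to verify against the ZAP-Baseline-Scan wiki page.
"""
import subprocess
from typing import Dict, Iterable, List, Optional

ZAP_IMAGE = "owasp/zap2docker-stable"   # assumed image name
ZAP_WORKDIR = "/zap/wrk"                # assumed directory the script writes reports to

# Assumed exit-code convention of zap-baseline.py:
# 0 = no WARN/FAIL, 1 = at least one FAIL, 2 = WARN(s) but no FAIL, 3 = script error
EXIT_PASS, EXIT_FAIL, EXIT_WARN, EXIT_ERROR = 0, 1, 2, 3

# Constructed sample in the format that 'zap-baseline.py -g' is assumed to write.
SAMPLE_RULES = """\
# zap-baseline rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
10010\tWARN\t(Cookie No HttpOnly Flag)
10016\tWARN\t(Web Browser XSS Protection Not Enabled)
10021\tWARN\t(X-Content-Type-Options Header Missing)
"""


def build_baseline_cmd(target: str, host_dir: str, report: str = "zap-report.html",
                       rules_file: Optional[str] = None, minutes: int = 1) -> List[str]:
    """Return the argv list that runs zap-baseline.py inside the ZAP Docker image.

    host_dir is bind-mounted on ZAP_WORKDIR so the HTML report (and the rules
    file, if any) live in the CI workspace rather than inside the container.
    """
    cmd = ["docker", "run", "--rm", "-v", f"{host_dir}:{ZAP_WORKDIR}/:rw", "-t",
           ZAP_IMAGE, "zap-baseline.py", "-t", target, "-r", report, "-m", str(minutes)]
    if rules_file:
        cmd += ["-c", rules_file]
    return cmd


def parse_rules_file(text: str) -> Dict[str, str]:
    """Parse a rules file: one '<rule id><TAB><IGNORE|WARN|FAIL><TAB>(<name>)' per line."""
    rules: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            raise ValueError(f"malformed rule line: {line!r}")
        rule_id, action = fields[0].strip(), fields[1].strip().upper()
        if action not in {"IGNORE", "WARN", "FAIL"}:
            raise ValueError(f"unknown action {action!r} for rule {rule_id}")
        rules[rule_id] = action
    return rules


def apply_policy(rules: Dict[str, str], fail: Iterable[str] = (),
                 ignore: Iterable[str] = ()) -> Dict[str, str]:
    """Return a copy of rules with the given ids promoted to FAIL or demoted to IGNORE.

    Unknown ids are rejected so a typo cannot silently leave a rule at WARN.
    """
    out = dict(rules)
    for rule_id in list(fail) + list(ignore):
        if rule_id not in out:
            raise KeyError(f"rule {rule_id} not present in rules file")
    for rule_id in fail:
        out[rule_id] = "FAIL"
    for rule_id in ignore:
        out[rule_id] = "IGNORE"
    return out


def render_rules_file(rules: Dict[str, str]) -> str:
    """Serialise rules back into the tab-separated format the script reads."""
    return "".join(f"{rule_id}\t{action}\n" for rule_id, action in sorted(rules.items()))


def ci_verdict(exit_code: int, fail_on_warn: bool = False) -> str:
    """Map the script's exit code to a pipeline decision."""
    if exit_code == EXIT_PASS:
        return "pass"
    if exit_code == EXIT_WARN:
        return "fail" if fail_on_warn else "pass-with-warnings"
    if exit_code == EXIT_FAIL:
        return "fail"
    return "error"  # EXIT_ERROR or anything unexpected: do not treat as a clean run


def run_baseline(target: str, host_dir: str, rules_file: Optional[str] = None,
                 fail_on_warn: bool = False) -> str:
    """Run the baseline scan (requires Docker) and return the CI verdict."""
    proc = subprocess.run(build_baseline_cmd(target, host_dir, rules_file=rules_file),
                          check=False)
    return ci_verdict(proc.returncode, fail_on_warn)


if __name__ == "__main__":
    # Typical flow: start from a generated rules file, promote the headers you
    # care about to FAIL, write the result next to the workspace, then run.
    policy = apply_policy(parse_rules_file(SAMPLE_RULES), fail=["10021"])
    print(render_rules_file(policy))
    print(" ".join(build_baseline_cmd("https://www.example.com", "/tmp/zapwrk",
                                      rules_file="rules.conf", minutes=2)))
```

Treating WARN as a pass by default and promoting only the rules you have decided to enforce to FAIL keeps the job from failing on the first run against an existing site; tighten the policy per rule as the findings are fixed rather than flipping `fail_on_warn` globally.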
Thank you to everyone who contributed to this release.
To keep up to date with ZAP related news, follow @zaproxy on Twitter.