Skip to content
Compare
Choose a tag to compare
@zapbot zapbot released this 01 Jul 08:42
· 26 commits to main since this release
d27928f

Added

  • extender/arpSyndicateSubdomainDiscovery.js - uses the API of ARPSyndicate's Subdomain Center
    to find and add subdomains to the Sites Tree.
  • passive/JavaDisclosure.js - Passive scan for Java error messages leaks
  • httpsender/RsaEncryptPayloadForZap.py - A script that encrypts requests using RSA
  • selenium/FillOTPInMFA.js - A script that fills the OTP in MFA
  • authentication/KratosApiAuthentication.js - A script to authenticate with Kratos using the API flow
  • authentication/KratosBrowserAuthentication.js - A script to authenticate with Kratos using the browser flow

Changed

  • Update minimum ZAP version to 2.15.0.
  • Use Prettier to format all JavaScript scripts.
  • Update the following scripts to implement the getMetadata() function with revised metadata:
    • active/Cross Site WebSocket Hijacking.js
    • active/cve-2019-5418.js
    • active/gof_lite.js
    • active/JWT None Exploit.js
    • active/SSTI.js
    • passive/clacks.js
    • passive/CookieHTTPOnly.js
    • passive/detect_csp_notif_and_reportonly.js
    • passive/detect_samesite_protection.js
    • passive/f5_bigip_cookie_internal_ip.js
    • passive/find base64 strings.js
    • passive/Find Credit Cards.js
    • passive/Find Emails.js
    • passive/Find Hashes.js
    • passive/Find HTML Comments.js
    • passive/Find IBANs.js
    • passive/Find Internal IPs.js
    • passive/find_reflected_params.py
    • passive/HUNT.py
    • passive/Mutliple Security Header Check.js
    • passive/google_api_keys_finder.js
    • passive/JavaDisclosure.js
    • passive/Report non static sites.js
    • passive/RPO.js
    • passive/s3.js
    • passive/Server Header Disclosure.js
    • passive/SQL injection detection.js
    • passive/Telerik Using Poor Crypto.js
    • passive/Upload form discovery.js
    • passive/X-Powered-By_header_checker.js
  • httpsender/Alert on Unexpected Content Types.js now checks for common content-types (json, xml, and yaml) more consistently.
  • targeted/request_to_xml.js no longer uses deprecated method to show the message in the editor dialogue.