+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
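Review bot: the new 2.14.0 row is added to the es_ES (Spanish) releases table in English ("bug fix and enhancement release") while neighbouring rows such as 2.8.0 to 2.6.0 are still Spanish; if untranslated strings are meant to fall back to English via the translation export this is expected, otherwise the row should be translated ("Corrección de errores y lanzamiento de mejoras") to match the rest of the table.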
@@ -20,14 +21,14 @@ Lanzamientos
| 2.8.0 | Corrección de errores y lanzamiento de mejoras |
| 2.7.0 | Corrección de errores y lanzamiento de mejoras |
| 2.6.0 | Corrección de errores y lanzamiento de mejoras |
- | 2.5.0 | Corrección de errores y lanzamiento de mejoras |
+ | 2.5.0 | bug fix and enhancement release |
| 2.4.3 | bug fix and enhancement release |
| 2.4.2 | bug fix and minor enhancement release |
| 2.4.1 | includes important security fixes - users are urged to upgrade asap |
| 2.4.0 | includes attack mode, adv fuzzing, adv scan options and much more |
| 2.3.1 | bug fix release |
| 2.3.0 | includes browser side events, extended authentication, non-std app support and much more |
- | 2.2.2 | Lanzamiento con corrección de errores |
+ | 2.2.2 | bug fix release |
| 2.2.1 | bug fix release |
| 2.2.0 | includes enhanced scripting, Zest and Plug-n-Hack support |
| 2.1.0 | bug fix and minor enhancement release |
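Review bot: the 2.5.0 and 2.2.2 rows replace existing Spanish translations ("Corrección de errores y lanzamiento de mejoras", "Lanzamiento con corrección de errores") with English, while the 2.8.0 to 2.6.0 rows directly above keep their Spanish text, so previously translated rows regress and the table ends up mixed-language; unless this mirrors a deliberate translation reset, keep the Spanish rows.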
@@ -36,7 +37,7 @@ Lanzamientos
| 1.4.0 | includes syntax highlighting, fuzzdb integration, enhanced XSS scanner and plugable extensions |
| 1.3.4 | bug fix and usability release |
| 1.3.3 | Lanzamiento con corrección de errores |
- | 1.3.2 | Lanzamiento con corrección de errores |
+ | 1.3.2 | bug fix release |
| 1.3.1 | bug fix release |
| 1.3.0 | includes fuzzing, a new API, full internationalisation and beanshell integration |
| 1.2.0 | includes memory leak fixes and invoking applications |
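Review bot: same regression as above for the 1.3.2 row, whose Spanish translation "Lanzamiento con corrección de errores" is replaced by "bug fix release" while the 1.3.3 row immediately above stays Spanish; restore the Spanish text or translate both consistently.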
diff --git a/addOns/help_es_ES/src/main/javahelp/contents/start/features/api.html b/addOns/help_es_ES/src/main/javahelp/contents/start/features/api.html
index 22594bab..cba2d52f 100644
--- a/addOns/help_es_ES/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_es_ES/src/main/javahelp/contents/start/features/api.html
@@ -24,11 +24,46 @@ API
Las futuras versiones de ZAP aumentarán la funcionalidad disponible a través de la API.
+
-Véase también
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
+
+
See also
|
-Resumen de IU | Para una vista general sobre la interfaz de usuario |
+UI Overviewfor an overview of the user interface |
|
API Overview | for an overview of the API |
|
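Review bot: the rewritten See also row "UI Overviewfor an overview of the user interface |" is missing the cell separator and the space between "UI Overview" and "for" (compare "API Overview | for an overview of the API |" on the next row); it should read "UI Overview | for an overview of the user interface |". Also, the options page hunk in this same change tells readers "For more details see File Transfer", but no heading or anchor with that name is visible in the added block, so add a "File Transfer" heading above "Many API endpoints allow you to load or save files". The added security wording itself (disabled by default, API key required, uploads confined to the Transfer Directory with "../../" rejected, scripts run with ZAP's own permissions) is clear and worth keeping as is.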
diff --git a/addOns/help_es_ES/src/main/javahelp/contents/start/features/features.html b/addOns/help_es_ES/src/main/javahelp/contents/start/features/features.html
index c39d21e8..b3c9e7f3 100644
--- a/addOns/help_es_ES/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_es_ES/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ Caracteristicas
|
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
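Review bot: the new "Software Bill of Materials" row is inserted between "Passive Scan" and "Scan Policy", which breaks the table's alphabetical order (it belongs after "Scripts"); if the intent was to sort by the abbreviation "SBOM", either use that as the visible label or move the row.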
diff --git a/addOns/help_es_ES/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_es_ES/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_es_ES/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
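Review bot: the placeholder in "<addon-id>-bom.json" must be escaped in the HTML source (&lt;addon-id&gt;), otherwise the browser parses <addon-id> as an unknown element and the placeholder vanishes from the rendered help text; the same fix is needed in the fa_IR copy, which is the identical blob (38f2b1ec). Also, the "See also" heading at the end of the file is followed only by blank lines in this hunk; add links (for example to the API and Command Line pages referenced above) or drop the heading.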
diff --git a/addOns/help_es_ES/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_es_ES/src/main/javahelp/contents/ui/dialogs/options/api.html
index cd1a3df9..d4c79689 100644
--- a/addOns/help_es_ES/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_es_ES/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -9,9 +9,9 @@
Pantalla de opciones de la API
-Esta pantalla permite configurar las API opciones:
+This screen allows you to configure the API options:
-
Habilitado
+Enabled
If enabled then the API is available to all machines that are able to access ZAP's proxies that expose the API.
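Review bot: "Enabled" is added directly after the retained "Habilitado" line instead of replacing it, so the option heading will render twice (once in Spanish, once in English); replace the Spanish line, as is done for "Sólo seguro" to "Secure Only" further down, or drop the English one.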
@@ -20,62 +20,78 @@ Web UI Enabled
If enabled then the API Web UI is available to all machines that are able to access ZAP's proxies that expose the API.
To access the API Web UI point your browser to the host and port that ZAP is listening on.
-Sólo seguro
+Secure Only
-Si está habilitado, entonces la API sólo estará disponible a través de HTTPS. De lo contrario estará disponible a través de HTTP y HTTPS.
+If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
-Clave API
+
-Una clave que debe especificarse en los API 'actions' y algunas operaciones de 'other'.
-La clave API se utiliza para evitar que sitios maliciosos tengan acceso a la API de ZAP.
-Se recomienda que establezca una clave a menos que utilice ZAP en un entorno completamente aislado.
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
+
API Key
+
+A key that must be specified on all API 'actions' and some 'other' operations.
+The API key is used to prevent malicious sites from accessing the ZAP API.
+It is strongly recommended that you set a key unless you are using ZAP in a completely isolated environment.
-Direcciones permitidas utilizar para usar la API
+Addresses permitted to use the API
-Por defecto sólo la máquina que Zap está ejecutando es capaz de acceder a la API de ZAP.
-Puedes permitir el acceso de otras máquinas a la API al agregar patrones de regex adecuados.
-Sólo debe agregar las direcciones IP que usted confía.
-Tenga en cuenta que la API ZAP también ahora revisa el encabezado de host, por lo también debe ser una de las direcciones permitidas.
+By default only the machine ZAP is running on is able to access the ZAP API.
+You can allow other machines access to the API by adding suitable regex patterns.
+You should only add IP addresses that you trust.
+Note that the ZAP API also now checks the host header, so that must also be one of the permitted addresses.
-Desactivar API key
+Disable the API Key
-Al seleccionar esta opción deshabilita el API key.
-No es recomendable salvo que utilice ZAP en un ambiente totalmente aislado, ya que permite sitios maliciosos acceder a la API de ZAP.
+Selecting this option disables the API key.
+This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API.
-No requieren una clave de API para operaciones seguras
+Do not require an API key for safe operations
-Si habilita la clave de la API no es necesaria para vistas u otras operaciones que se consideran 'safe', en otras palabras las operaciones que no hacen cambios a ZAP.
-Este tipo de operaciones da acceso a datos de ZAP como alertas, mensajes y rutas de archivos de sistema.
-También puede ser utilizados por aplicaciones web para detectar la presencia de ZAP.
+If enabled then the API key is not required for Views or Other operations that are considered 'safe', in other words operations that do not make any changes to ZAP.
+Such operations do however give access to ZAP data such as alert, messages, and file system paths.
+They can also be used by web applications to detect the presence of ZAP.
-Informe de errores de permiso vía API
+Report permission errors via API
-Si está habilitado, entonces ZAP informe de errores de permiso a través de la API, que puede ser utilizado por aplicaciones web para detectar la presencia de ZAP.
-Esto no es un problema serio en un ambiente seguro pero si usas ZAP contra sitios potencialmente dañinos entonces usted debe no habilitarla.
+If enabled then ZAP will report permission errors via the API, which can be used by web applications to detect the presence of ZAP.
+This is not a serious problem in a safe environment but if you are using ZAP against potentially malicious sites then you should not enable it.
-Detalles del informe de error a través de API
+Report error details via API
-Si se selecciona esta opción más detalles del error se devuelven mediante la API.
-No es recomendable excepto para propósitos de depuración como estos mensajes de error pueden tener fugas de información a sitios maliciosos.
-Tenga en cuenta que los detalles del error completo siempre se escriben en el archivo de registro ZAP.
+If this option is selected then more error details are returned via the API.
+This is not recommended except for debugging purposes as these error messages can leak information to malicious sites.
+Note that the full error details are always written to the ZAP log file.
-Autorrelleno API key en el UI API
+Autofill API key in the API UI
-Si se selecciona esta opción el API key automáticamente está incluido en la API de interfaz de usuario.
-No es recomendable salvo que utilice ZAP en un ambiente totalmente aislado, ya que permite sitios maliciosos acceder a la API Key de ZAP.
+If this option is selected then the API key is automatically included in the API UI.
+This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API Key.
-Activar JSONP
+Enable JSONP
-Al seleccionar esta opción permite el formato JSONP.
-Esto puede ser útil para algunos usos, pero generalmente no se recomienda ya que incrementa el área de superficie de ataque ZAP, es decir las características que un sitio malintencionado puede abusar.
-Si está activado JSONP todas las operaciones de la API usando JSONP (incluidas las vistas) requerirá el API key para evitar que sitios maliciosos tengan acceso a información confidencial mantenida por ZAP, como claves de sesión.
+Selecting this option enables the JSONP format.
+This can be useful for some applications, but it is generally not recommended as it increases the ZAP attack surface area, ie the features that a malicious site can abuse.
+If JSONP is enabled then all API operations using JSONP (including views) will require the API key to prevent malicious sites from accessing sensitive information maintained by ZAP, such as session keys.
-Vease también
+See also
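Review bot: "transfered" should be "transferred" in "If enabled then files can be transfered to and from ZAP via the API." The two new option blocks (the one describing "-config api.filexfer=true" and the one describing "-config api.xferdir=/full/path/to/dir") have no visible heading in this hunk, unlike "Secure Only" and "API Key", so a reader cannot tell which option each paragraph documents; add the option names as headings. Minor: "ie the features that a malicious site can abuse" should be "i.e.". More broadly, this hunk replaces a complete existing Spanish translation of the options page with English text, which is a regression for es_ES users unless a translation reset is intended.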
diff --git a/addOns/help_es_ES/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_es_ES/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index 35dfdd0c..b13c8d9d 100644
--- a/addOns/help_es_ES/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_es_ES/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -27,8 +27,8 @@ Opciones de JMV
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Sistema Operativo Mac: ~/Library/Application Support/ZAP
diff --git a/addOns/help_es_ES/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_es_ES/src/main/javahelp/contents/ui/tlmenu/help.html
index 746c54d3..5f9509e6 100644
--- a/addOns/help_es_ES/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_es_ES/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,21 +10,24 @@
El menú de ayuda
Este menú da acceso al cuadro de diálogo de "acerca" y su archivo de ayuda.
-Acerca de OWASP ZAP
+About ZAP
Eso mostrará el cuadro de diálogo de "acerca de".
Información de soporte...
Muestra un cuadro de diálogo que contiene información que es util para solucionar problemas o buscar soporte. Tales como:
Version, installed add-ons and versions, operating system, java version, locale info, and ZAP Home Directory path.
This information can be copied and pasted.
-The dialog includes an "Open" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
-(for logs or configuration files) when clicked.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
-Esto comprueba si está ejecutando la última versión de ZAP.
+This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
-Muestra este archivo de ayuda.
+Desktop ZAP User Guide
+Displays this help file.
Note that add-ons can add additional menu items.
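Review bot: the "Save SBOM zip..." sentence stacks two relative clauses ("a zip file which it will generate containing all of the available SBOM files"); suggest "which prompts you for a zip file name and writes all of the available SBOM files into it". Also the retained "Eso mostrará el cuadro de diálogo de "acerca de"." now sits under the English heading "About ZAP", giving a mixed-language entry.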
diff --git a/addOns/help_es_ES/src/main/javahelp/index.xml b/addOns/help_es_ES/src/main/javahelp/index.xml
index 236acf40..7fcaf0f5 100644
--- a/addOns/help_es_ES/src/main/javahelp/index.xml
+++ b/addOns/help_es_ES/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_es_ES/src/main/javahelp/toc.xml b/addOns/help_es_ES/src/main/javahelp/toc.xml
index 8b0a85fb..abc38cf4 100644
--- a/addOns/help_es_ES/src/main/javahelp/toc.xml
+++ b/addOns/help_es_ES/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_fa_IR/src/main/javahelp/contents/cmdline.html b/addOns/help_fa_IR/src/main/javahelp/contents/cmdline.html
index 079bcc27..c890e16d 100644
--- a/addOns/help_fa_IR/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_fa_IR/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ Command Line
To run ZAP via the command line, you will need to locate the ZAP startup script.
Windows:
-C:\Program Files (x86)\OWASP\Zed Attack Proxy\zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Note: The command line options are not used by the executable (zap.exe
) only the bat file.
Mac:
-/Applications/OWASP\ ZAP.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
will be below the directory where ZAP was installed.
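Review bot: the Windows path appears to have been rewritten by find-and-replace, turning "C:\Program Files (x86)\OWASP\Zed Attack Proxy\zap.bat" into "C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat", which reads as a doubled product name; verify the directory the rebranded installer actually creates before documenting it (the Mac path "/Applications/ZAP.app/Contents/Java/zap.sh" looks plausible, the Windows one less so).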
@@ -49,6 +49,7 @@ Options
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
diff --git a/addOns/help_fa_IR/src/main/javahelp/contents/credits.html b/addOns/help_fa_IR/src/main/javahelp/contents/credits.html
index 583f9d68..446786d3 100644
--- a/addOns/help_fa_IR/src/main/javahelp/contents/credits.html
+++ b/addOns/help_fa_IR/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ ZAP Extended Team
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ ZAP Extended Team
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ ZAP Extended Team
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ ZAP Extended Team
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ ZAP Extended Team
| Azerbaijanian | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_fa_IR/src/main/javahelp/contents/intro.html b/addOns/help_fa_IR/src/main/javahelp/contents/intro.html
index 07a12c99..376f9bc0 100644
--- a/addOns/help_fa_IR/src/main/javahelp/contents/intro.html
+++ b/addOns/help_fa_IR/src/main/javahelp/contents/intro.html
@@ -3,14 +3,14 @@
-The OWASP ZAP Desktop User Guide
+The ZAP Desktop User Guide
-OWASP ZAP Desktop User Guide
+ZAP Desktop User Guide
-Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
@@ -49,7 +49,6 @@
See also
External links
diff --git a/addOns/help_fa_IR/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_fa_IR/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_fa_IR/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
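Review bot: "Since Oracle removed removed the Nashorn JavaScript engine" has a duplicated word. Smaller points in the same file: "For more details see the ZAPit help page" lacks a full stop; the dependency list punctuates inconsistently ("Commons Lang, 3.12.0 → 3.13.0" and "RSyntaxTextArea, 3.3.3 → 3.3.4" have a comma, "Flatlaf 3.1.1 → 3.2.1" does not); and the "New Add-Ons" section ends with "for the first time:" but no list follows, so either add the add-on names or state that there are none. The "API File Transfers" entry correctly flags the feature as disabled by default for security reasons and points to the API help page, which is the right place for the enabling steps.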
diff --git a/addOns/help_fa_IR/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_fa_IR/src/main/javahelp/contents/releases/2.3.0.html
index 3ec00868..eeada990 100644
--- a/addOns/help_fa_IR/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_fa_IR/src/main/javahelp/contents/releases/2.3.0.html
@@ -46,7 +46,7 @@ More API support
The API has been extended to support even more of the ZAP functionality.
Internationalized help file
-The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/owasp-zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
+The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
Languages with a significant amount of translated help pages include:
- Bosnian
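Review bot: rewriting the Crowdin URL in the historical 2.3.0 release notes (https://crowdin.com/project/owasp-zap-help to https://crowdin.com/project/zap-help, and likewise owasp-zap to zaproxy in the next hunk) changes what that release originally said; this is fine only if the old project URLs no longer resolve and the new ones are the same projects, which the hunk itself cannot confirm.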
@@ -66,7 +66,7 @@ New UI options
More functionality moved to add-ons
More of the core functionality has been moved into add-ons which allows us to deliver updates dynamically via the ZAP Marketplace rather than requiring new full releases.
-This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/owasp-zap can be downloaded within ZAP or even automatically installed.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
New and improved active and passive scanning rules
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
diff --git a/addOns/help_fa_IR/src/main/javahelp/contents/releases/releases.html b/addOns/help_fa_IR/src/main/javahelp/contents/releases/releases.html
index 90d754bd..45b49932 100644
--- a/addOns/help_fa_IR/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_fa_IR/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ Releases
The following releases have been made:
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
diff --git a/addOns/help_fa_IR/src/main/javahelp/contents/start/features/api.html b/addOns/help_fa_IR/src/main/javahelp/contents/start/features/api.html
index a07931c7..542e5340 100644
--- a/addOns/help_fa_IR/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_fa_IR/src/main/javahelp/contents/start/features/api.html
@@ -28,6 +28,41 @@ API
Future versions of ZAP will increase the functionality available via the APi.
+
+
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
See also
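Review bot: the retained context line "Future versions of ZAP will increase the functionality available via the APi." has a typo ("APi" for "API"); since this file is being edited anyway, fix it. As with the es_ES copy, no "File Transfer" heading is visible above "Many API endpoints allow you to load or save files", although the options page refers readers to a section of that name.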
diff --git a/addOns/help_fa_IR/src/main/javahelp/contents/start/features/features.html b/addOns/help_fa_IR/src/main/javahelp/contents/start/features/features.html
index 646bf588..090bbd59 100644
--- a/addOns/help_fa_IR/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_fa_IR/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ Features
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
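Review bot: as in the es_ES features table, "Software Bill of Materials" is placed between "Passive Scan" and "Scan Policy", out of alphabetical order; move it after "Scripts" or label it "SBOM" if that is the intended sort key.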
diff --git a/addOns/help_fa_IR/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_fa_IR/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_fa_IR/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
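Review bot: this file is the same blob (38f2b1ec) as the es_ES sbom.html, so the points raised there apply here unchanged: "<addon-id>" in "<addon-id>-bom.json" needs escaping as &lt;addon-id&gt; in the HTML source, and the trailing "See also" heading has no visible entries.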
diff --git a/addOns/help_fa_IR/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_fa_IR/src/main/javahelp/contents/ui/dialogs/options/api.html
index 0b106bdf..5d8261a9 100644
--- a/addOns/help_fa_IR/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_fa_IR/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -11,7 +11,7 @@ Options API screen
This screen allows you to configure the API options:
-
فعال شده
+Enabled
If enabled then the API is available to all machines that are able to access ZAP's proxies that expose the API.
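Review bot: Replacing the Farsi heading "فعال شده" with the English "Enabled" drops an existing translation in the fa_IR help; confirm this comes from a Crowdin export rather than a manual edit, otherwise the translators' string should be kept and only the new content added.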
@@ -24,6 +24,22 @@ Secure Only
If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
+
+
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
API Key
A key that must be specified on all API 'actions' and some 'other' operations.
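Review bot: Typo in the first File Transfer paragraph: "transfered" should be "transferred". The two new options also appear without their headings in this hunk (the lines before "If enabled then files can be transfered..." and before "The directory used to transfer files..." are empty), so check that the option titles shown on the Options API screen are present. Given that the File Transfer page states an attacker with API access and this option enabled gets full remote code execution, it is worth repeating that one-line consequence here next to the "-config api.filexfer=true" example rather than only by reference, so someone enabling it from the command line sees the risk.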
diff --git a/addOns/help_fa_IR/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_fa_IR/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index 757b635c..673e2bc9 100644
--- a/addOns/help_fa_IR/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_fa_IR/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -29,8 +29,8 @@ JVM Options
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
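Review bot: The documented Windows home directory changes from "...\OWASP ZAP" to "...\ZAP", but nothing here says what happens to an existing "OWASP ZAP" directory (migrated, or a fresh one created with default options?). A sentence on that would save support questions from upgrading users; also confirm the Linux and Mac OS lines are genuinely unchanged, since only the two Windows lines were edited.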
diff --git a/addOns/help_fa_IR/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_fa_IR/src/main/javahelp/contents/ui/tlmenu/help.html
index 05dca827..13178573 100644
--- a/addOns/help_fa_IR/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_fa_IR/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,20 +10,23 @@
The Help menu
This menu gives access to the 'about' dialog and this help file.
-About OWASP ZAP
+About ZAP
This displayed the 'about' dialog.
Support Info...
Displays a dialog that contains information which is useful when troubleshooting or seeking support. Such as:
Version, installed add-ons and versions, operating system, java version, locale info, and ZAP Home Directory path.
This information can be copied and pasted.
-The dialog includes an "Open" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
-(for logs or configuration files) when clicked.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
+Desktop ZAP User Guide
Displays this help file.
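Review bot: The unchanged context line "This displayed the 'about' dialog." should read "This displays...", worth fixing while the file is touched. In the new "Open ZAP Home" sentence the comma is misplaced: "which, assuming the OS supports the necessary functionality, will open the ZAP Home Directory". The "Save SBOM zip..." sentence could also say the zip is written to the path chosen in the prompt, to line up with the "-sbomzip <path>" option.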
diff --git a/addOns/help_fa_IR/src/main/javahelp/index.xml b/addOns/help_fa_IR/src/main/javahelp/index.xml
index db385825..01179c98 100644
--- a/addOns/help_fa_IR/src/main/javahelp/index.xml
+++ b/addOns/help_fa_IR/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_fa_IR/src/main/javahelp/toc.xml b/addOns/help_fa_IR/src/main/javahelp/toc.xml
index 23cb5443..61aabe2e 100644
--- a/addOns/help_fa_IR/src/main/javahelp/toc.xml
+++ b/addOns/help_fa_IR/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_fil_PH/src/main/javahelp/contents/cmdline.html b/addOns/help_fil_PH/src/main/javahelp/contents/cmdline.html
index 93953b4c..777cbe13 100644
--- a/addOns/help_fil_PH/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_fil_PH/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ Linya ng Utos
Para patakbuhin ang ZAP sa pamamagitan ng linya ng utos, kailangan mong mahanap ang panimulang script ng ZAP.
Mga Bintana:
-C:\Program Files (x86)\OWASP\Zed Attack Proxy\zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Note: The command line options are not used by the executable (zap.exe
) only the bat file.
Mac:
-/Applications/OWASP\Zap.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
will be below the directory where ZAP was installed.
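Review bot: The OS label "Mga Bintana:" on the unchanged context line is a literal translation of "windows" (the panes); the product name "Windows" should stay untranslated, as "Mac:" and "Linux:" are. Also the Windows path keeps "(x86)" after the rebranding edit while the Mac path drops the old vendor directory entirely; please verify both paths against the current installers before they are copied into every locale.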
@@ -49,6 +49,7 @@ Mga Opsyon
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
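Review bot: The new "-sbomzip <path>" row does not say what <path> is (the zip file to write, or a directory?) or whether ZAP exits after writing it; suggest "Creates a zip file at <path> containing all of the available SBOMs" plus the exit behaviour, so it reads like the other output options in the table.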
diff --git a/addOns/help_fil_PH/src/main/javahelp/contents/credits.html b/addOns/help_fil_PH/src/main/javahelp/contents/credits.html
index 1ea9c1f5..bb0af782 100644
--- a/addOns/help_fil_PH/src/main/javahelp/contents/credits.html
+++ b/addOns/help_fil_PH/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ Pinalawig na Grupo ng ZAP
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ Pinalawig na Grupo ng ZAP
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ Pinalawig na Grupo ng ZAP
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ Pinalawig na Grupo ng ZAP
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ Pinalawig na Grupo ng ZAP
Lokalisasyon ng ZAP
-Ang lokalisasyon ng ZAP ay inoorganisa gamit ang https://crowdin.com/project/owasp-zap
+Ang lokalisasyon ng ZAP ay inoorganisa gamit ang https://crowdin.com/project/zaproxy
| Azerbaijanian | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_fil_PH/src/main/javahelp/contents/intro.html b/addOns/help_fil_PH/src/main/javahelp/contents/intro.html
index c5235260..fce9c34a 100644
--- a/addOns/help_fil_PH/src/main/javahelp/contents/intro.html
+++ b/addOns/help_fil_PH/src/main/javahelp/contents/intro.html
@@ -3,14 +3,14 @@
-The OWASP ZAP Desktop User Guide
+The ZAP Desktop User Guide
-OWASP ZAP Desktop User Guide
+ZAP Desktop User Guide
-Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
@@ -47,7 +47,6 @@
Tingnan din sa
Ang mga panlabas na mga link
diff --git a/addOns/help_fil_PH/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_fil_PH/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_fil_PH/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
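Review bot: Duplicated word in the Graal JS section: "Oracle removed removed the Nashorn JavaScript engine". The "New Add-Ons" section announces "The following add-ons are included by default in this release for the first time:" but no list follows in this hunk; either fill in the list or drop the heading. In the Host Header Manipulation section, "This is enabled by default" refers back to the button, where "This option is enabled by default" is clearer. The API File Transfers note correctly says the feature is off by default as a security measure; linking the sentence directly to the Options API screen (as the API help page does) would help readers who only skim the release notes before enabling it.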
diff --git a/addOns/help_fil_PH/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_fil_PH/src/main/javahelp/contents/releases/2.3.0.html
index 2657e4ea..364b20c3 100644
--- a/addOns/help_fil_PH/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_fil_PH/src/main/javahelp/contents/releases/2.3.0.html
@@ -46,7 +46,7 @@ Ang lalo pang pagsuporta ng API
Ang pagpapahaba ng API upang suportahan ang mas higit pang pagpapatakbo ng ZAP.
Ang pang-international na tulong ng payl
-Ang pang-international na tulong ng payl at ang nasa proseso ng katauhan ng pagsasalin ng maraming mga salita sa pamamagitan ng https://crowdin.com/project/owasp-zap-help. Kung ang pag gamit mo ng ZAP sa isa ng mga maraming salita na sinuportahan namin, pagkatapos ang mga tulong ng file ay kabilang ang lahat ng paggamit ng pagsasalin para sa wikang iyon habang binabalik ang default sa Ingles para sa mga kataga na hindi pa naisalin.
+Ang pang-international na tulong ng payl at ang nasa proseso ng katauhan ng pagsasalin ng maraming mga salita sa pamamagitan ng https://crowdin.com/project/zap-help. Kung ang pag gamit mo ng ZAP sa isa ng mga maraming salita na sinuportahan namin, pagkatapos ang mga tulong ng file ay kabilang ang lahat ng paggamit ng pagsasalin para sa wikang iyon habang binabalik ang default sa Ingles para sa mga kataga na hindi pa naisalin.
Ang isang salita na may kabuluhang halaga ng isinalin na tulong ng pahina na kabilang:
- Ang Bosnian
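Review bot: The help-translation URL is rewritten to https://crowdin.com/project/zap-help, while the UI-translation URL in the next hunk and in credits.html becomes https://crowdin.com/project/zaproxy; please verify that "zap-help" is an existing Crowdin project and not a mechanical rename, since these are historical release notes and a dead link would be worse than the old redirecting one.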
@@ -65,7 +65,7 @@ Ang bagong mga opsyon ng UI
Ang karagdagang pagpapatakbo ng paglipat ng mga add-on
Karamihan sa mga pangunahing pagpapatakbo ay nailipat sa mga add-on kung saan ay nagpapahintulot sa atin na maghatid ng mga update sa pamamagitan ng ZAP ng pamilihan sa halip na nangangailangan ng mga bagong buong mga inilabas.
-This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/owasp-zap can be downloaded within ZAP or even automatically installed.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
Bago at mas pinaganda na aktibo at pasibong pag-iskan ng mga patakaran
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
diff --git a/addOns/help_fil_PH/src/main/javahelp/contents/releases/releases.html b/addOns/help_fil_PH/src/main/javahelp/contents/releases/releases.html
index 2d34b458..07c53d57 100644
--- a/addOns/help_fil_PH/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_fil_PH/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ Ang mga inilabas
Ang mga sumusunod ng mga inilabas na ginawa:
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
diff --git a/addOns/help_fil_PH/src/main/javahelp/contents/start/features/api.html b/addOns/help_fil_PH/src/main/javahelp/contents/start/features/api.html
index a824b194..ed9e4229 100644
--- a/addOns/help_fil_PH/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_fil_PH/src/main/javahelp/contents/start/features/api.html
@@ -26,11 +26,46 @@ Ang API
Future versions of ZAP will increase the functionality available via the APi.
+
-Maaari ring tingnan sa
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
+
+
See also
|
-Ang pangkalahatang-Ideya ng UI | para sa isang pangkalahatang ideya ng mga gumagamit ng interface |
+UI Overviewfor an overview of the user interface |
|
API Overview | for an overview of the API |
|
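Review bot: The rewritten "See also" row "UI Overviewfor an overview of the user interface" lost the cell separator between the link text and the description; it should follow the "API Overview | for an overview of the API" row below it. The unchanged context line "available via the APi" has a capitalisation typo ("API"). In the new File Transfer section the security framing is good (attacker with API access plus this feature equals remote code execution, "../../" rejected, POST only); two things a reader enabling it would still want: whether "fileUpload" and "fileDownload" always require the API key even when "Do not require an API key for safe operations" is set (the text only says a key must be set to enable the feature), and that the Transfer Directory should be a directory dedicated to ZAP rather than one that ZAP or anything else loads scripts or code from.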
diff --git a/addOns/help_fil_PH/src/main/javahelp/contents/start/features/features.html b/addOns/help_fil_PH/src/main/javahelp/contents/start/features/features.html
index 9533b6ff..13114c16 100644
--- a/addOns/help_fil_PH/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_fil_PH/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ Mga Tampok
|
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
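Review bot: As in the fa_IR features table, the "Software Bill of Materials" row sits between "Passive Scan" and "Scan Policy", which is only alphabetical if the entry were named "SBOM"; either move it after "Scripts" or use "SBOM" as the link text.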
diff --git a/addOns/help_fil_PH/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_fil_PH/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_fil_PH/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
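Review bot: "See also" at the end of this new page is empty in the hunk; link the Support Info dialog, Command Line and API pages it refers to, or drop the heading. The output path of the zip for "-sbomzip" and "createSbomZip" is also not stated, only the names of the files inside it.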
diff --git a/addOns/help_fil_PH/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_fil_PH/src/main/javahelp/contents/ui/dialogs/options/api.html
index ba53b227..1b87875d 100644
--- a/addOns/help_fil_PH/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_fil_PH/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -9,9 +9,9 @@
Ang mga opsyon ng API sa iskrin
-Ang iskrin na ito ay pinahihintulutan ka na makumpigura ang API na mga Opsyon:
+This screen allows you to configure the API options:
-
Ang pagpapagana
+Enabled
If enabled then the API is available to all machines that are able to access ZAP's proxies that expose the API.
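Review bot: Replacing the Filipino intro sentence and the "Ang pagpapagana" heading with English drops existing translations in the fil_PH help; confirm this is a Crowdin export rather than a manual edit, otherwise keep the translated strings and add only the new content.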
@@ -20,62 +20,78 @@ Web UI Enabled
If enabled then the API Web UI is available to all machines that are able to access ZAP's proxies that expose the API.
To access the API Web UI point your browser to the host and port that ZAP is listening on.
-Siguruhin lamang
+Secure Only
-Kung pinagana pagkatapos ang API ay magagamit lamang sa pamamagitan ng mga HTTPS. sakabialng bansa ito ay maaaring magamit sa pamamagitan ng parehong HTTP at HTTPS.
+If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
-Ang API key
+
-Ang isang key na dapat ay matukoy sa lahat ng mga 'aksyon' ng API at sa 'ibang' mga operasyon.
-Ang key ng API ay ginagamit para maiwasan ang mga sayt na malisyoso mula sa pag-access ng ZAP ng API.
-Ito ay mahigpit na inirerekomenda na ikaw ay maglalagay ng isang key maliban ikaw ay gumagamit ng ZAP sa isang kuumpletong magkahiwalay na kapaligiran.
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
+
API Key
+
+A key that must be specified on all API 'actions' and some 'other' operations.
+The API key is used to prevent malicious sites from accessing the ZAP API.
+It is strongly recommended that you set a key unless you are using ZAP in a completely isolated environment.
-Ang mga pinahihintukutang mga address sa paggamit ng API
+Addresses permitted to use the API
-Sa pamamagitan ng default ang makina ng ZAP ay tumatakbo na maaaring ma-access ang ZAP ng API.
-Pinahihintulutan ka na gamitin ang lahat ng makina sa pag-access ng API sa pamamagitan ng pagdagdag ng nababagay na mga huwaran ng regex.
-Dapat lamang na ikaw ay magdagdag ng kahit isang IP address na iyong pinagkakatiwalaan.
-Paalala na ang ZAP API na ngayon ay nagsisiyasat sa host ng header, Kaya ay dapat rin maging isa ang mga napahintulutang mga address.
+By default only the machine ZAP is running on is able to access the ZAP API.
+You can allow other machines access to the API by adding suitable regex patterns.
+You should only add IP addresses that you trust.
+Note that the ZAP API also now checks the host header, so that must also be one of the permitted addresses.
-Ang hindi pagpapagana sa API key
+Disable the API Key
-Ang pagpili sa opsyon na ito na na huwag gamitin ang key ng API.
-Ito ay hindi nirerekomenda maliban kung ikaw ay gumagamit ng ZAP sa isang kompletong hiwalay na kapaligiran, ay ito ay pinapayagan ng mga malisyosong sayt para ma-access ang ZAP ng API.
+Selecting this option disables the API key.
+This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API.
-Ang isang ApI key ay hindi kinakailngan para sa mga operasyon na ligtas
+Do not require an API key for safe operations
-Kung ang API ay pinagana pagkatapos ang key ng API ay hindi kinakailangan para makita o Iba pang mga operasyon na itinuturing na 'ligtas', sa ibang mga salita ng mga operasyon na walang gagawing mga pagbabago sa ZAP.
-Gayon ang mga ginawa ng operasyon maliban sa ibinigay na pag-access ng ZAP ng datos bilang alerto, mga mensahe, at mga daan ng sistema ng payl.
-Maaari rin nilang gamitin sa pamamagitan ng web na application upang makita ang presensya ng ZAP.
+If enabled then the API key is not required for Views or Other operations that are considered 'safe', in other words operations that do not make any changes to ZAP.
+Such operations do however give access to ZAP data such as alert, messages, and file system paths.
+They can also be used by web applications to detect the presence of ZAP.
-Pag-ulat ng mga permiso ng mga mali sa pamamagitan ng API
+Report permission errors via API
-Kung pagaganahin pagkatapos ang ZAP ay mag-uulat ng permiso sa pamamagitn ng API, kung alin ang maaaring gamitin sa pamamagitan ng mga application ng web para matukoy ang presensya ng Zap.
-Ito ay hindi isang seryosong problema sa isang ligtas na kapaligiran pero kung ikaw ay gumagamit ng ZAP laban sa potensyal na malisyosong mga sayt pagkatapos dapat mong hindi paganahin ito.
+If enabled then ZAP will report permission errors via the API, which can be used by web applications to detect the presence of ZAP.
+This is not a serious problem in a safe environment but if you are using ZAP against potentially malicious sites then you should not enable it.
-Ang pag-ulat ng maling mga detalye sa pamamagitan ng API
+Report error details via API
-Kapag itong opsyon ay napinili pagkatapos ang mga detalye ng mali ay bumalik sa pamamagitan ng API.
-Ito ay hindi nirerekomenda maliban sa mga layunin ng pagde-debugg bilang ang maling mensahe na ito ay maaaring kumalat ang impormasyon sa mga sayt na malisyoso.
-Paalala na ang buong maling detalye ay laging nakasulat sa mga log na ZAP na payl.
+If this option is selected then more error details are returned via the API.
+This is not recommended except for debugging purposes as these error messages can leak information to malicious sites.
+Note that the full error details are always written to the ZAP log file.
-Ang autofill ng API key sa mga API UI
+Autofill API key in the API UI
-Kung ang opsyon na ito ay pinili pagkatapos ang API key ay awtomatikong kasama sa mga API UI.
-Hindi ito inirerekomenda hanggat ikaw ay gumamit ng ZAP sa isang kompletong nakahiwalay na kapaligiran, bilang ito ay nagpapahintulot sa mga malisyosong mga sayt para makatakbo ang ZAP ng API key.
+If this option is selected then the API key is automatically included in the API UI.
+This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API Key.
-Ang JSONP ay paganahin
+Enable JSONP
-Ang pagpili sa opsyon na ito ng pagpapatakbo ng JSONP na format.
-Ito ay magiging kapakipakinabang para sa ibang mga apilikasyon, subalit ito ay hindi inirerekomenda sa pangkalahatan bilang ito ay nagpapalaki sa ZAP attack ng ibabaw na lugar, ie ang mga tampok na iang isang malisyosong sayt ay inaabuso.
-Kung pinatakbo ang JASONP pagkatapos ang lahat ng mga operasyon ng API gamit ang JSONP (kasama ang mga view) agn API key ay kinakailngan upang ang mga malisyosong mga sayt ay maisawan mula sa pagpapatakbo ng sensitibong impormasyon na pinanatili sa pamamagitan ng ZAP, gayong bilang mga key ng sesyon.
+Selecting this option enables the JSONP format.
+This can be useful for some applications, but it is generally not recommended as it increases the ZAP attack surface area, ie the features that a malicious site can abuse.
+If JSONP is enabled then all API operations using JSONP (including views) will require the API key to prevent malicious sites from accessing sensitive information maintained by ZAP, such as session keys.
-Tignan din sa
+See also
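Review bot: Typo "transfered" (should be "transferred") in the File Transfer paragraph, and "ie" in the JSONP paragraph should be "i.e.". This hunk replaces the entire translated body of the page (API Key, permitted addresses, JSONP and so on) with English, not just the new File Transfer options; if that is intentional because the source strings changed and invalidated the Crowdin translations, fine, but otherwise only the two new options should be added and the Filipino paragraphs kept. The new sentence "This option is only available if the API key is not disabled." pairs naturally with the "Disable the API Key" section further down; a cross-reference in that section would make clear that disabling the key also switches off file transfer.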
diff --git a/addOns/help_fil_PH/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_fil_PH/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index 94e71a4b..3ea620d4 100644
--- a/addOns/help_fil_PH/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_fil_PH/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -27,8 +27,8 @@ Mga Opsyon ng JVM
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
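Review bot: Same documentation gap as the other locales: the Windows home directory is renamed from "OWASP ZAP" to "ZAP" without saying whether an existing directory is migrated or a new one is created on upgrade.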
diff --git a/addOns/help_fil_PH/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_fil_PH/src/main/javahelp/contents/ui/tlmenu/help.html
index f097df8d..26119784 100644
--- a/addOns/help_fil_PH/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_fil_PH/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,21 +10,24 @@
Ang Menu na Tagatulong
Ang menu na to ay nagbibigay ng karapatan sa 'tungkol' dyalogo at ito ay tulong na file.
-Tungkol sa OWASP ZAP
+About ZAP
Ipinapakita nito ang 'tungkol' dyalogo.
Pansuportang Info...
Nagpapakita ng isang dyalogo na naglalaman ng impormasyon na siyang kapaki-pakinabang pagdating sa paghahanap ng mali o suporta sa paghahanap. Tulad ng:
Bersyon, naka-install na mga add-on at bersyon, systema ng operasyon, bersyon ng java, lokal na info, at Panimulang ng daan ng ZAP Directory.
Ang impormasyong ito ay maaring kopyahin at i-paste.
-Ang dyalogo ay may kasamang "Bukas" button, kung saan ay ipinagpalagay na ang OS ay sumusuporta sa mga kinakailangang tungkulin, na siyang magbubukas sa Panimula ng ZAP Directory
-(para sa mga tala at kumpigurasyon na mga files) kapag nag-click.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
-Ito ang nagsusuri upang makita kung ikaw ay nagpapatakbo ng pinakabagong bersyon ng ZAP.
+This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
-Nagpapakita nitong tagatulong na file.
+Desktop ZAP User Guide
+Displays this help file.
Note that add-ons can add additional menu items.
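Review bot: After this change the Help menu page mixes languages: "About ZAP", "Check for Updates...", "This checks to see..." and "Desktop ZAP User Guide" are in English while "Pansuportang Info..." and its description stay in Filipino. If the English is a placeholder pending Crowdin that is fine, otherwise translate consistently. In the new "Open ZAP Home" sentence the comma belongs after "which": "which, assuming the OS supports the necessary functionality, will open the ZAP Home Directory".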
diff --git a/addOns/help_fil_PH/src/main/javahelp/index.xml b/addOns/help_fil_PH/src/main/javahelp/index.xml
index a03921b6..85e5c244 100644
--- a/addOns/help_fil_PH/src/main/javahelp/index.xml
+++ b/addOns/help_fil_PH/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_fil_PH/src/main/javahelp/toc.xml b/addOns/help_fil_PH/src/main/javahelp/toc.xml
index d1ad5261..dccb88f7 100644
--- a/addOns/help_fil_PH/src/main/javahelp/toc.xml
+++ b/addOns/help_fil_PH/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_fr_FR/src/main/javahelp/contents/cmdline.html b/addOns/help_fr_FR/src/main/javahelp/contents/cmdline.html
index 079bcc27..c890e16d 100644
--- a/addOns/help_fr_FR/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_fr_FR/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ Command Line
To run ZAP via the command line, you will need to locate the ZAP startup script.
Windows:
-C:\Program Files (x86)\OWASP\Zed Attack Proxy\zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Note: The command line options are not used by the executable (zap.exe
) only the bat file.
Mac:
-/Applications/OWASP\ ZAP.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
will be below the directory where ZAP was installed.
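Review bot: the rebranded Windows path "C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat" keeps two nested product directories, whereas the Mac path collapses to "/Applications/ZAP.app/Contents/Java/zap.sh"; confirm the Windows installer really creates a "ZAP\Zed Attack Proxy" tree after the rebrand rather than a single "ZAP" directory. The "Program Files (x86)" location is the 32-bit program directory on 64-bit Windows, which is also worth checking against what the current installer uses.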
@@ -49,6 +49,7 @@ Options
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
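Review bot: the new "-sbomzip <path>" row should say what <path> is (the zip file to create, or a directory the file is written into) and what happens when the target already exists; the neighbouring "-script <script>" row is explicit that its argument is a file system path, so the new row should be equally precise.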
diff --git a/addOns/help_fr_FR/src/main/javahelp/contents/credits.html b/addOns/help_fr_FR/src/main/javahelp/contents/credits.html
index 21a27a03..81e51899 100644
--- a/addOns/help_fr_FR/src/main/javahelp/contents/credits.html
+++ b/addOns/help_fr_FR/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ ZAP équipe étendue
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ ZAP équipe étendue
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ ZAP équipe étendue
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ ZAP équipe étendue
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ ZAP équipe étendue
ZAP Localization
-ZAP localization is organized via https://crowdin.com/project/owasp-zap
+ZAP localization is organized via https://crowdin.com/project/zaproxy
| Azerbaijanian | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_fr_FR/src/main/javahelp/contents/intro.html b/addOns/help_fr_FR/src/main/javahelp/contents/intro.html
index 47d141de..ddd3a027 100644
--- a/addOns/help_fr_FR/src/main/javahelp/contents/intro.html
+++ b/addOns/help_fr_FR/src/main/javahelp/contents/intro.html
@@ -3,14 +3,14 @@
-The OWASP ZAP Desktop User Guide
+The ZAP Desktop User Guide
-OWASP ZAP Desktop User Guide
+ZAP Desktop User Guide
-Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
@@ -48,7 +48,6 @@
Voir aussi
External links
diff --git a/addOns/help_fr_FR/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_fr_FR/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_fr_FR/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
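Review bot: the "New Add-Ons" section says "The following add-ons are included by default in this release for the first time:" and then lists nothing, while the "Postman Support" section above introduces "the new Postman add-on"; either list the add-ons that are newly bundled or drop the empty section. Also "Since Oracle removed removed the Nashorn JavaScript engine" duplicates "removed", "For more details see the ZAPit help page" is missing its full stop, and the dependency list is inconsistent ("Flatlaf 3.1.1 → 3.2.1" lacks the comma the other two entries have).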
diff --git a/addOns/help_fr_FR/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_fr_FR/src/main/javahelp/contents/releases/2.3.0.html
index c25de46f..dc61c097 100644
--- a/addOns/help_fr_FR/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_fr_FR/src/main/javahelp/contents/releases/2.3.0.html
@@ -46,7 +46,7 @@ More API support
The API has been extended to support even more of the ZAP functionality.
Internationalized help file
-The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/owasp-zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
+The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
Langues avec une quantité importante de traduire les pages d'aide comprennent:
- Bosniaque
@@ -66,7 +66,7 @@ New UI options
Plus de fonctionnalités déplacé d'add-ons
Plus de la fonctionnalité de base a été déplacé dans add-ons qui nous permet de livrer des mises à jour de manière dynamique via le ZAP Marché, plutôt que d'exiger des nouveaux rejets.
-This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/owasp-zap can be downloaded within ZAP or even automatically installed.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
Nouveau et amélioré active et passive de la numérisation des règles
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
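Review bot: the two Crowdin URLs in this file are renamed to different patterns, "https://crowdin.com/project/zap-help" in the help-file paragraph and "https://crowdin.com/project/zaproxy" in the language-packs paragraph; confirm both slugs resolve, since the old names ("owasp-zap-help" and "owasp-zap") followed one convention and a mismatch would leave a dead link in a release-notes page that is otherwise untouched.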
diff --git a/addOns/help_fr_FR/src/main/javahelp/contents/releases/releases.html b/addOns/help_fr_FR/src/main/javahelp/contents/releases/releases.html
index ed2c47f8..ef8f34fa 100644
--- a/addOns/help_fr_FR/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_fr_FR/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ Versions
Les versions suivantes ont été faites :
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
diff --git a/addOns/help_fr_FR/src/main/javahelp/contents/start/features/api.html b/addOns/help_fr_FR/src/main/javahelp/contents/start/features/api.html
index 4db08b9a..c2caafa8 100644
--- a/addOns/help_fr_FR/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_fr_FR/src/main/javahelp/contents/start/features/api.html
@@ -28,11 +28,46 @@ API
Future versions of ZAP will increase the functionality available via the APi.
+
-Voir aussi
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
+
+
See also
|
-Aperçu de l'interface utilisateur | pour un aperçu de l'interface utilisateur |
+UI Overviewfor an overview of the user interface |
|
API Overview | for an overview of the API |
|
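Review bot: the replaced "See also" row now reads "UI Overviewfor an overview of the user interface |" with no cell boundary between the link text and its description, unlike the "API Overview | for an overview of the API |" row below it; check the table markup of that row. In the file-transfer text, "you will be able to upload text files" should say whether binary files are accepted or rejected, and since the text describes both the 'fileUpload' and 'fileDownload' endpoints but the curl example shows only the upload, a matching download call would make the "${XFER}" path convention easier to follow. The unchanged context line "available via the APi" also has a typo worth fixing while here.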
diff --git a/addOns/help_fr_FR/src/main/javahelp/contents/start/features/features.html b/addOns/help_fr_FR/src/main/javahelp/contents/start/features/features.html
index 6b2b9f10..389b3f88 100644
--- a/addOns/help_fr_FR/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_fr_FR/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ Fonctionnalités
|
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
diff --git a/addOns/help_fr_FR/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_fr_FR/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_fr_FR/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
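Review bot: the "See also" heading at the end of the new page has no entries beneath it; either link the "Support Info..." dialog, Command Line and API pages the text already refers to, or drop the heading. Minor: "3rd party add-ons" reads better as "third-party add-ons".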
diff --git a/addOns/help_fr_FR/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_fr_FR/src/main/javahelp/contents/ui/dialogs/options/api.html
index c73938b5..5d8261a9 100644
--- a/addOns/help_fr_FR/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_fr_FR/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -11,7 +11,7 @@ Options API screen
This screen allows you to configure the API options:
-
Actif
+Enabled
If enabled then the API is available to all machines that are able to access ZAP's proxies that expose the API.
@@ -24,6 +24,22 @@ Secure Only
If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
+
+
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
API Key
A key that must be specified on all API 'actions' and some 'other' operations.
@@ -70,12 +86,12 @@ Enable JSONP
This can be useful for some applications, but it is generally not recommended as it increases the ZAP attack surface area, ie the features that a malicious site can abuse.
If JSONP is enabled then all API operations using JSONP (including views) will require the API key to prevent malicious sites from accessing sensitive information maintained by ZAP, such as session keys.
-Voir aussi
+See also
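Review bot: the two new option descriptions ("If enabled then files can be transfered to and from ZAP via the API." and "The directory used to transfer files to and from ZAP via the API.") have no visible heading naming the option, unlike the "Enabled" and "API Key" entries around them; check that each block carries its option title (File Transfer, Transfer Directory). Also "transfered" should be "transferred", and the "-config api.filexfer=true" and "-config api.xferdir=/full/path/to/dir" hints would be easier to copy if marked as code.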
diff --git a/addOns/help_fr_FR/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_fr_FR/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index 757b635c..673e2bc9 100644
--- a/addOns/help_fr_FR/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_fr_FR/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -29,8 +29,8 @@ JVM Options
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
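Review bot: the two Windows entries change the directory name from "OWASP ZAP" to "ZAP", but the text does not say what happens to an existing "C:\Users\<username>\OWASP ZAP" directory on upgrade (migrated automatically, or left in place with settings re-created); one sentence on that would save support questions. Also consider whether the "Windows XP" line is still worth keeping while the list is being rebranded.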
diff --git a/addOns/help_fr_FR/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_fr_FR/src/main/javahelp/contents/ui/tlmenu/help.html
index b9fe6c2e..1cda943e 100644
--- a/addOns/help_fr_FR/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_fr_FR/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,20 +10,23 @@
The Help menu
This menu gives access to the 'about' dialog and this help file.
-About OWASP ZAP
+About ZAP
This displayed the 'about' dialog.
Support Info...
Displays a dialog that contains information which is useful when troubleshooting or seeking support. Such as:
Version, installed add-ons and versions, operating system, java version, locale info, and ZAP Home Directory path.
This information can be copied and pasted.
-The dialog includes an "Open" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
-(for logs or configuration files) when clicked.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
+Desktop ZAP User Guide
Displays this help file.
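Review bot: the added "Save SBOM zip..." sentence stacks two "which" clauses ("which will prompt you for the name of a zip file which it will generate containing all of the available SBOM files"); suggest "which prompts you for the name of a zip file and then generates it containing all of the available SBOM files". The unchanged context line "This displayed the 'about' dialog." should read "This displays" while the file is being edited.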
diff --git a/addOns/help_fr_FR/src/main/javahelp/index.xml b/addOns/help_fr_FR/src/main/javahelp/index.xml
index db385825..01179c98 100644
--- a/addOns/help_fr_FR/src/main/javahelp/index.xml
+++ b/addOns/help_fr_FR/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_fr_FR/src/main/javahelp/toc.xml b/addOns/help_fr_FR/src/main/javahelp/toc.xml
index 73e7989f..95e9cf0a 100644
--- a/addOns/help_fr_FR/src/main/javahelp/toc.xml
+++ b/addOns/help_fr_FR/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_hi_IN/src/main/javahelp/contents/cmdline.html b/addOns/help_hi_IN/src/main/javahelp/contents/cmdline.html
index 079bcc27..c890e16d 100644
--- a/addOns/help_hi_IN/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_hi_IN/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ Command Line
To run ZAP via the command line, you will need to locate the ZAP startup script.
Windows:
-C:\Program Files (x86)\OWASP\Zed Attack Proxy\zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Note: The command line options are not used by the executable (zap.exe
) only the bat file.
Mac:
-/Applications/OWASP\ ZAP.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
will be below the directory where ZAP was installed.
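Review bot: same check as for the fr_FR copy of cmdline.html above: the new Windows path "C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat" keeps a nested "ZAP\Zed Attack Proxy" tree while the Mac path becomes a single "ZAP.app"; confirm this matches the rebranded installer.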
@@ -49,6 +49,7 @@ Options
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
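Review bot: as in the fr_FR copy of this table, the "-sbomzip <path>" row should state whether <path> is the zip file name or a directory and what happens if the target already exists.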
diff --git a/addOns/help_hi_IN/src/main/javahelp/contents/credits.html b/addOns/help_hi_IN/src/main/javahelp/contents/credits.html
index 583f9d68..446786d3 100644
--- a/addOns/help_hi_IN/src/main/javahelp/contents/credits.html
+++ b/addOns/help_hi_IN/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ ZAP Extended Team
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ ZAP Extended Team
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ ZAP Extended Team
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ ZAP Extended Team
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ ZAP Extended Team
ZAP Localization
-ZAP localization is organized via https://crowdin.com/project/owasp-zap
+ZAP localization is organized via https://crowdin.com/project/zaproxy
| Azerbaijanian | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_hi_IN/src/main/javahelp/contents/intro.html b/addOns/help_hi_IN/src/main/javahelp/contents/intro.html
index 07a12c99..376f9bc0 100644
--- a/addOns/help_hi_IN/src/main/javahelp/contents/intro.html
+++ b/addOns/help_hi_IN/src/main/javahelp/contents/intro.html
@@ -3,14 +3,14 @@
-The OWASP ZAP Desktop User Guide
+The ZAP Desktop User Guide
-OWASP ZAP Desktop User Guide
+ZAP Desktop User Guide
-Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
@@ -49,7 +49,6 @@
See also
External links
diff --git a/addOns/help_hi_IN/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_hi_IN/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_hi_IN/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
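Review bot: this locale copy has the same issues as the fr_FR 2.14.0.html above: the "New Add-Ons" section lists nothing after "The following add-ons are included by default in this release for the first time:" even though "the new Postman add-on" is introduced earlier on the page, "removed removed" is duplicated in the Graal JS section, "For more details see the ZAPit help page" lacks its full stop, and "Flatlaf 3.1.1 → 3.2.1" is missing the comma used by the other dependency entries.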
diff --git a/addOns/help_hi_IN/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_hi_IN/src/main/javahelp/contents/releases/2.3.0.html
index dc8d13d0..0c9957c1 100644
--- a/addOns/help_hi_IN/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_hi_IN/src/main/javahelp/contents/releases/2.3.0.html
@@ -46,7 +46,7 @@ More API support
The API has been extended to support even more of the ZAP functionality.
Internationalized help file
-The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/owasp-zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
+The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
Languages with a significant amount of translated help pages include:
- Bosnian
@@ -66,7 +66,7 @@ New UI options
More functionality moved to add-ons
More of the core functionality has been moved into add-ons which allows us to deliver updates dynamically via the ZAP Marketplace rather than requiring new full releases.
-This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/owasp-zap can be downloaded within ZAP or even automatically installed.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
New and improved active and passive scanning rules
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
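Review bot: as in the fr_FR copy of 2.3.0.html, the two Crowdin links are renamed to different slugs ("https://crowdin.com/project/zap-help" and "https://crowdin.com/project/zaproxy"); confirm both resolve before merging.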
diff --git a/addOns/help_hi_IN/src/main/javahelp/contents/releases/releases.html b/addOns/help_hi_IN/src/main/javahelp/contents/releases/releases.html
index 90d754bd..45b49932 100644
--- a/addOns/help_hi_IN/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_hi_IN/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ Releases
The following releases have been made:
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
diff --git a/addOns/help_hi_IN/src/main/javahelp/contents/start/features/api.html b/addOns/help_hi_IN/src/main/javahelp/contents/start/features/api.html
index a07931c7..542e5340 100644
--- a/addOns/help_hi_IN/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_hi_IN/src/main/javahelp/contents/start/features/api.html
@@ -28,6 +28,41 @@ API
Future versions of ZAP will increase the functionality available via the APi.
+
+
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
See also
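Review bot: the path restriction sentence ("You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory (e.g. using "../../") will be rejected") documents one example rather than the rule, and this is the boundary that keeps the feature from becoming the remote code execution path described two paragraphs earlier. State the rule: whether any fileName that does not resolve inside the Transfer Directory is rejected, including absolute paths and not only ".." segments, and whether fileDownload serves only from that directory. Also, "you will be able to upload text files" sits next to a curl example that uploads whatever local file is given; say whether non-text content is rejected or whether text is just the expected use.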
diff --git a/addOns/help_hi_IN/src/main/javahelp/contents/start/features/features.html b/addOns/help_hi_IN/src/main/javahelp/contents/start/features/features.html
index 645af91a..663a7d3b 100644
--- a/addOns/help_hi_IN/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_hi_IN/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ Features
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
diff --git a/addOns/help_hi_IN/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_hi_IN/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_hi_IN/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
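Review bot: the SBOM zip section names the entries ("zap-core-bom.json" and "<addon-id>-bom.json") but not whether SBOMs shipped by third-party add-ons are included when they define one, and the earlier paragraph only says some may not; say whether "all of the available SBOM files" means every installed add-on that carries a bom.json. It would also help to state whether each entry is the bom.json taken unchanged from the corresponding JAR, so a reader checking a ZAP deployment can match the zip against the archive contents.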
diff --git a/addOns/help_hi_IN/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_hi_IN/src/main/javahelp/contents/ui/dialogs/options/api.html
index ae7edf98..5d8261a9 100644
--- a/addOns/help_hi_IN/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_hi_IN/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -24,6 +24,22 @@ Secure Only
If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
+
+
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
API Key
A key that must be specified on all API 'actions' and some 'other' operations.
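Review bot: "transfered" in "If enabled then files can be transfered to and from ZAP via the API." should be "transferred". The same block says the option is only available if the API key is not disabled, then gives "-config api.filexfer=true" as a command line alternative; say whether that precondition is also enforced when the option is set from the command line, since otherwise a reader could conclude that file transfer can be switched on without a key.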
diff --git a/addOns/help_hi_IN/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_hi_IN/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index 757b635c..673e2bc9 100644
--- a/addOns/help_hi_IN/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_hi_IN/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -29,8 +29,8 @@ JVM Options
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
diff --git a/addOns/help_hi_IN/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_hi_IN/src/main/javahelp/contents/ui/tlmenu/help.html
index 05dca827..13178573 100644
--- a/addOns/help_hi_IN/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_hi_IN/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,20 +10,23 @@
The Help menu
This menu gives access to the 'about' dialog and this help file.
-About OWASP ZAP
+About ZAP
This displayed the 'about' dialog.
Support Info...
Displays a dialog that contains information which is useful when troubleshooting or seeking support. Such as:
Version, installed add-ons and versions, operating system, java version, locale info, and ZAP Home Directory path.
This information can be copied and pasted.
-The dialog includes an "Open" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
-(for logs or configuration files) when clicked.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
+Desktop ZAP User Guide
Displays this help file.
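Review bot: "which will prompt you for the name of a zip file which it will generate containing all of the available SBOM files" chains two "which" clauses; suggest "which prompts for a zip file name and then writes all of the available SBOM files into that zip". The unchanged context line "This displayed the 'about' dialog." also reads "displayed" for "displays" and could be fixed while this file is being touched.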
diff --git a/addOns/help_hi_IN/src/main/javahelp/index.xml b/addOns/help_hi_IN/src/main/javahelp/index.xml
index db385825..01179c98 100644
--- a/addOns/help_hi_IN/src/main/javahelp/index.xml
+++ b/addOns/help_hi_IN/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_hi_IN/src/main/javahelp/toc.xml b/addOns/help_hi_IN/src/main/javahelp/toc.xml
index 9fc7eb44..997d47b8 100644
--- a/addOns/help_hi_IN/src/main/javahelp/toc.xml
+++ b/addOns/help_hi_IN/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_hu_HU/src/main/javahelp/contents/cmdline.html b/addOns/help_hu_HU/src/main/javahelp/contents/cmdline.html
index 079bcc27..c890e16d 100644
--- a/addOns/help_hu_HU/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_hu_HU/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ Command Line
To run ZAP via the command line, you will need to locate the ZAP startup script.
Windows:
-C:\Program Files (x86)\OWASP\Zed Attack Proxy\zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Note: The command line options are not used by the executable (zap.exe
) only the bat file.
Mac:
-/Applications/OWASP\ ZAP.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
will be below the directory where ZAP was installed.
@@ -49,6 +49,7 @@ Options
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
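Review bot: "-sbomzip <path>" is described as "Creates a zip file containing all of the available SBOMs" without saying what <path> is; make it explicit that <path> is the zip file to be written (as opposed to an output directory), and whether an existing file at that path is overwritten.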
diff --git a/addOns/help_hu_HU/src/main/javahelp/contents/credits.html b/addOns/help_hu_HU/src/main/javahelp/contents/credits.html
index f964b748..89c80f33 100644
--- a/addOns/help_hu_HU/src/main/javahelp/contents/credits.html
+++ b/addOns/help_hu_HU/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ ZAP Extended Team
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ ZAP Extended Team
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ ZAP Extended Team
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ ZAP Extended Team
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ ZAP Extended Team
ZAP Localization
-ZAP localization is organized via https://crowdin.com/project/owasp-zap
+ZAP localization is organized via https://crowdin.com/project/zaproxy
| Azerbaijanian | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_hu_HU/src/main/javahelp/contents/intro.html b/addOns/help_hu_HU/src/main/javahelp/contents/intro.html
index 07a12c99..376f9bc0 100644
--- a/addOns/help_hu_HU/src/main/javahelp/contents/intro.html
+++ b/addOns/help_hu_HU/src/main/javahelp/contents/intro.html
@@ -3,14 +3,14 @@
-The OWASP ZAP Desktop User Guide
+The ZAP Desktop User Guide
-OWASP ZAP Desktop User Guide
+ZAP Desktop User Guide
-Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
@@ -49,7 +49,6 @@
See also
External links
diff --git a/addOns/help_hu_HU/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_hu_HU/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_hu_HU/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
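Review bot: "Since Oracle removed removed the Nashorn JavaScript engine" under Graal JS Add-on Access has a duplicated "removed". Smaller points in the same file: "For more details see the ZAPit help page" lacks a full stop, the dependency list mixes "Commons Lang, 3.12.0 → 3.13.0" with "Flatlaf 3.1.1 → 3.2.1" (drop the comma), and the "New Add-Ons" heading promises a list of add-ons included by default for the first time but no entries follow it in the hunk as shown; confirm the list is present in the file or drop the sentence.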
diff --git a/addOns/help_hu_HU/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_hu_HU/src/main/javahelp/contents/releases/2.3.0.html
index 7f781ee2..95f08257 100644
--- a/addOns/help_hu_HU/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_hu_HU/src/main/javahelp/contents/releases/2.3.0.html
@@ -46,7 +46,7 @@ More API support
The API has been extended to support even more of the ZAP functionality.
Internationalized help file
-The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/owasp-zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
+The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
Languages with a significant amount of translated help pages include:
- Bosnian
@@ -66,7 +66,7 @@ New UI options
More functionality moved to add-ons
More of the core functionality has been moved into add-ons which allows us to deliver updates dynamically via the ZAP Marketplace rather than requiring new full releases.
-This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/owasp-zap can be downloaded within ZAP or even automatically installed.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
New and improved active and passive scanning rules
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
diff --git a/addOns/help_hu_HU/src/main/javahelp/contents/releases/releases.html b/addOns/help_hu_HU/src/main/javahelp/contents/releases/releases.html
index 566ee4c5..090400fb 100644
--- a/addOns/help_hu_HU/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_hu_HU/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ Kiadások
A következő kiadások jelentek meg:
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
diff --git a/addOns/help_hu_HU/src/main/javahelp/contents/start/features/api.html b/addOns/help_hu_HU/src/main/javahelp/contents/start/features/api.html
index a07931c7..542e5340 100644
--- a/addOns/help_hu_HU/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_hu_HU/src/main/javahelp/contents/start/features/api.html
@@ -28,6 +28,41 @@ API
Future versions of ZAP will increase the functionality available via the APi.
+
+
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
See also
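Review bot: the curl example sends the key as the apikey form field, but the File Transfer section never says whether fileDownload also requires it, and the Options API page only says the key is needed on "all API 'actions' and some 'other' operations". Since both fileUpload and fileDownload are 'other' endpoints, state explicitly whether the key is required for both, and show the download call (or at least its URL form) next to the upload example so readers do not guess at the endpoint path.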
diff --git a/addOns/help_hu_HU/src/main/javahelp/contents/start/features/features.html b/addOns/help_hu_HU/src/main/javahelp/contents/start/features/features.html
index a4c5ed12..93ff9c1a 100644
--- a/addOns/help_hu_HU/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_hu_HU/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ Features
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
diff --git a/addOns/help_hu_HU/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_hu_HU/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_hu_HU/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
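Review bot: the page says the SBOM is "generated by CycloneDX" but not which CycloneDX specification version is emitted or whether the "runtime" SBOM covers transitive dependencies; both matter to anyone feeding bom.json into a vulnerability scanner, so add them alongside the file name.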
diff --git a/addOns/help_hu_HU/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_hu_HU/src/main/javahelp/contents/ui/dialogs/options/api.html
index b81a96e7..5d8261a9 100644
--- a/addOns/help_hu_HU/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_hu_HU/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -11,7 +11,7 @@ Options API screen
This screen allows you to configure the API options:
-
Engedélyezve
+Enabled
If enabled then the API is available to all machines that are able to access ZAP's proxies that expose the API.
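Review bot: this hunk replaces the existing Hungarian "Engedélyezve" with the English "Enabled" in the hu_HU help, which is a translation regression unless the Crowdin source for this string was intentionally reset; confirm that the hu_HU export is expected to fall back to English here rather than dropping a translation that was already present.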
@@ -24,6 +24,22 @@ Secure Only
If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
+
+
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
API Key
A key that must be specified on all API 'actions' and some 'other' operations.
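Review bot: "transfered" should be "transferred" in "If enabled then files can be transfered to and from ZAP via the API." Also, the Transfer Directory option gives "-config api.xferdir=/full/path/to/dir" but not the default location or what ZAP does if the directory does not exist or is not writable; since this directory is where uploaded files land, state the default and the behaviour on a missing directory so operators can lock down its permissions.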
diff --git a/addOns/help_hu_HU/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_hu_HU/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index 998708e3..a0705174 100644
--- a/addOns/help_hu_HU/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_hu_HU/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -29,8 +29,8 @@ JVM Options
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
diff --git a/addOns/help_hu_HU/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_hu_HU/src/main/javahelp/contents/ui/tlmenu/help.html
index 05dca827..13178573 100644
--- a/addOns/help_hu_HU/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_hu_HU/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,20 +10,23 @@
The Help menu
This menu gives access to the 'about' dialog and this help file.
-About OWASP ZAP
+About ZAP
This displayed the 'about' dialog.
Support Info...
Displays a dialog that contains information which is useful when troubleshooting or seeking support. Such as:
Version, installed add-ons and versions, operating system, java version, locale info, and ZAP Home Directory path.
This information can be copied and pasted.
-The dialog includes an "Open" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
-(for logs or configuration files) when clicked.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
+Desktop ZAP User Guide
Displays this help file.
diff --git a/addOns/help_hu_HU/src/main/javahelp/index.xml b/addOns/help_hu_HU/src/main/javahelp/index.xml
index d2663648..5d40ab33 100644
--- a/addOns/help_hu_HU/src/main/javahelp/index.xml
+++ b/addOns/help_hu_HU/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_hu_HU/src/main/javahelp/toc.xml b/addOns/help_hu_HU/src/main/javahelp/toc.xml
index fe90d43d..1224b089 100644
--- a/addOns/help_hu_HU/src/main/javahelp/toc.xml
+++ b/addOns/help_hu_HU/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_id_ID/src/main/javahelp/contents/cmdline.html b/addOns/help_id_ID/src/main/javahelp/contents/cmdline.html
index 7cc5ec93..6cb16c8e 100644
--- a/addOns/help_id_ID/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_id_ID/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ Baris Perintah
Untuk menjalankan ZAP via garis perintah, anda akan perlu untuk mencari skrip memulai ke ZAP.
Windows:
-C:\File Program (x86)\OWASP\Zed Attack Proxy\zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Note: The command line options are not used by the executable (zap.exe
) only the bat file.
Mac:
-/Applications/OWASP\ ZAP.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
will be below the directory where ZAP was installed.
@@ -49,6 +49,7 @@ Pilihan
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
diff --git a/addOns/help_id_ID/src/main/javahelp/contents/credits.html b/addOns/help_id_ID/src/main/javahelp/contents/credits.html
index c429f8ac..f4ee8ea0 100644
--- a/addOns/help_id_ID/src/main/javahelp/contents/credits.html
+++ b/addOns/help_id_ID/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ ZAP Diperpanjang Tim
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ ZAP Diperpanjang Tim
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ ZAP Diperpanjang Tim
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ ZAP Diperpanjang Tim
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ ZAP Diperpanjang Tim
Lokalisasi ZAP
-Lokalisasi ZAP yang diorganisir melalui https://crowdin.com/project/owasp-zap
+Lokalisasi ZAP yang diorganisir melalui https://crowdin.com/project/zaproxy
| Orang Azerbaijan | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_id_ID/src/main/javahelp/contents/intro.html b/addOns/help_id_ID/src/main/javahelp/contents/intro.html
index 3903128b..5e1c1aed 100644
--- a/addOns/help_id_ID/src/main/javahelp/contents/intro.html
+++ b/addOns/help_id_ID/src/main/javahelp/contents/intro.html
@@ -3,14 +3,14 @@
-The OWASP ZAP Desktop User Guide
+The ZAP Desktop User Guide
-OWASP ZAP Desktop User Guide
+ZAP Desktop User Guide
-Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
@@ -49,7 +49,6 @@
Lihat juga
Tautan eksternal
diff --git a/addOns/help_id_ID/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_id_ID/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_id_ID/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
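Review bot: duplicated word in the "Graal JS Add-on Access" paragraph of this new file: "Since Oracle removed removed the Nashorn JavaScript engine" should read "Since Oracle removed the Nashorn JavaScript engine". Two smaller points in the same hunk: "For more details see the ZAPit help page" is missing its terminating period, and nothing is visible under "The following add-ons are included by default in this release for the first time:" in the "New Add-Ons" section, so please confirm the add-on list (the Postman add-on is introduced above) survived, or drop the empty section.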
diff --git a/addOns/help_id_ID/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_id_ID/src/main/javahelp/contents/releases/2.3.0.html
index 1a231746..f5345812 100644
--- a/addOns/help_id_ID/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_id_ID/src/main/javahelp/contents/releases/2.3.0.html
@@ -47,7 +47,7 @@ Macam-macam dorongan API
API telah diperpanjang untuk mendorong lebih banyak fungsionalitas ZAP.
Internasionalisasi file bantuan
-File bantuan telah Internasionalisasi dan sekarang sedang dalam proses diterjemahkan ke dalam berbagai bahasa lain melalui https://crowdin.com/project/owasp-zap-help. Jika Anda menggunakan ZAP di salah satu bahasa dari berbagai bahasa yang kami dukung, maka file bantuan akan mencakup semua terjemahan yang tersedia untuk bahasa tersebut sementara kembali semula ke bahasa Inggris untuk frasa yang belum diterjemahkan.
+File bantuan telah Internasionalisasi dan sekarang sedang dalam proses diterjemahkan ke dalam berbagai bahasa lain melalui https://crowdin.com/project/zap-help. Jika Anda menggunakan ZAP di salah satu bahasa dari berbagai bahasa yang kami dukung, maka file bantuan akan mencakup semua terjemahan yang tersedia untuk bahasa tersebut sementara kembali semula ke bahasa Inggris untuk frasa yang belum diterjemahkan.
Bahasa dengan jumlah yang besar diterjemahkan ke halaman bantuan yang diterjemahkan termasuk:
- Bahasa Bosnia
@@ -67,7 +67,7 @@ Pilihan-pilihan baru UI
Fungsionalitas lain yang dipindahkan ke pengaya
Lebih banyak fungsi inti yang telah dipindahkan kedalam pengaya yang mana mengizinkan kita untuk kirim pembaharuan secara dinamik melalui pasar ZAP daripada membutuhkan pelepasan penuh yang baru.
-This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/owasp-zap can be downloaded within ZAP or even automatically installed.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
Aturan pemindaian aktif dan pasif yang baru dan lebih baik
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
diff --git a/addOns/help_id_ID/src/main/javahelp/contents/releases/releases.html b/addOns/help_id_ID/src/main/javahelp/contents/releases/releases.html
index b26153ad..964559fb 100644
--- a/addOns/help_id_ID/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_id_ID/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ Rilis
Rilis-rilis berikut telah dibuat:
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
diff --git a/addOns/help_id_ID/src/main/javahelp/contents/start/features/api.html b/addOns/help_id_ID/src/main/javahelp/contents/start/features/api.html
index fcca7d6f..cda199e4 100644
--- a/addOns/help_id_ID/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_id_ID/src/main/javahelp/contents/start/features/api.html
@@ -25,11 +25,46 @@ API
Future versions of ZAP will increase the functionality available via the APi.
+
-Lihat juga
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
+
+
See also
|
-Ikhtisar UI | sebagai ikhtisar dari antarmuka pengguna |
+UI Overviewfor an overview of the user interface |
|
API Overview | for an overview of the API |
|
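Review bot: the rebuilt "See also" row at the end of the hunk has lost the separator between link text and description: "UI Overviewfor an overview of the user interface |" should be "UI Overview | for an overview of the user interface |" to match the "API Overview | for an overview of the API |" row that follows it. The file-transfer text itself reads well from a security standpoint: it states the consequence of exposing the API with transfers enabled (an uploaded script runs with ZAP's own permissions, i.e. remote code execution), that the feature is off by default, that an API key is required, and that "../" escapes from the Transfer Directory are rejected. Two documentation suggestions: say whether absolute paths are rejected in the same way as ".." sequences, since readers will look for that guarantee, and note that the curl example deliberately sends the key as a form field rather than a query parameter, which keeps it out of proxy and web server access logs.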
diff --git a/addOns/help_id_ID/src/main/javahelp/contents/start/features/features.html b/addOns/help_id_ID/src/main/javahelp/contents/start/features/features.html
index 7bd07696..aa7ab20f 100644
--- a/addOns/help_id_ID/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_id_ID/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ Fitur
|
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
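Review bot: the new "Software Bill of Materials" row breaks the alphabetical order of the features table. The surrounding rows run Modes, Notes, Passive Scan, Scan Policy, Scope, Scripts, so the row belongs after "Scripts", not between "Passive Scan" and "Scan Policy".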
diff --git a/addOns/help_id_ID/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_id_ID/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_id_ID/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
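Review bot: the "See also" heading at the end of this new page has no entries visible in the hunk; either add the links (the API, Command Line and Support Info pages referenced above are the natural targets) or remove the heading. Otherwise the page is clear: it names the per-JAR "bom.json" location, the "zap-core-bom.json" and "<addon-id>-bom.json" naming in the zip, and the caveat that source builds and some 3rd party add-ons may not carry an SBOM, which is exactly what someone feeding these files into a vulnerability or licence scanner needs to know.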
diff --git a/addOns/help_id_ID/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_id_ID/src/main/javahelp/contents/ui/dialogs/options/api.html
index 9de30fab..71f5d05a 100644
--- a/addOns/help_id_ID/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_id_ID/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -9,9 +9,9 @@
Pilihan layar API
-Layar ini memungkinkan anda untuk mengkonfigurasi API pilihan:
+This screen allows you to configure the API options:
-
Aktifkan
+Enabled
If enabled then the API is available to all machines that are able to access ZAP's proxies that expose the API.
@@ -20,62 +20,78 @@ Web UI Enabled
If enabled then the API Web UI is available to all machines that are able to access ZAP's proxies that expose the API.
To access the API Web UI point your browser to the host and port that ZAP is listening on.
-Hanya aman
+Secure Only
-Jika diaktifkan maka API hanya tersedia melalui HTTPS. Jika tidak maka akan tersedia melalui keduanya HTTP dan HTTPS.
+If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
-Kunci API
+
-Kunci yang harus ditentukan pada semua 'tindakan' API dan juga beberapa operasi 'lainnya'.
-Kunci API digunakan untuk mencegah situs berbahaya yang mengakses API ZAP.
-Sangat disarankan agar anda menetapkan kunci kecuali jika anda menggunakan ZAP di lingkungan yang benar-benar terisolasi.
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
+
API Key
+
+A key that must be specified on all API 'actions' and some 'other' operations.
+The API key is used to prevent malicious sites from accessing the ZAP API.
+It is strongly recommended that you set a key unless you are using ZAP in a completely isolated environment.
-Alamat diizinkan menggunakan API
+Addresses permitted to use the API
-Secara default hanya mesin ZAP yang sedang berjalan yang mampu mengakses API ZAP.
-Anda dapat mengizinkan mesin lain untuk mengakses API dengan menambahkan pola regex yang sesuai.
-Anda hanya perlu menambahkan alamat IP yang anda percayai.
-Perhatikan bahwa API ZAP juga sekarang memeriksa header host, jadi itu juga harus menjadi salah satu alamat yang diizinkan.
+By default only the machine ZAP is running on is able to access the ZAP API.
+You can allow other machines access to the API by adding suitable regex patterns.
+You should only add IP addresses that you trust.
+Note that the ZAP API also now checks the host header, so that must also be one of the permitted addresses.
-Nonaktifkan Kunci API
+Disable the API Key
-Memilih opsi ini menonaktifkan tombol API.
-Ini tidak direkomendasikan kecuali jika anda menggunakan ZAP di lingkungan yang benar-benar terisolasi, karena dapat memungkinkan situs berbahaya mengakses API ZAP.
+Selecting this option disables the API key.
+This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API.
-Jangan memerlukan kunci API untuk pengoperasian yang aman
+Do not require an API key for safe operations
-Jika diaktifkan maka kunci API itu tidak diperlukan untuk tampilan atau operasi lain yang dianggap 'aman', dengan kata lain operasi yang tidak membuat perubahan pada ZAP.
-Namun operasi seperti itu memberi akses ke data ZAP seperti jalur peringatan, pesan, dan berkas jalur sistem.
-Mereka juga dapat digunakan pada aplikasi web untuk mendeteksi keberadaan ZAP.
+If enabled then the API key is not required for Views or Other operations that are considered 'safe', in other words operations that do not make any changes to ZAP.
+Such operations do however give access to ZAP data such as alert, messages, and file system paths.
+They can also be used by web applications to detect the presence of ZAP.
-Laporkan kesalahan izin melalui API
+Report permission errors via API
-Jika diaktifkan maka ZAP akan melaporkan kesalahan izin melalui API, yang dapat digunakan oleh aplikasi web untuk mendeteksi keberadaan ZAP.
-Ini bukanlah masalah serius di lingkungan yang aman namun jika anda menggunakan ZAP ini terhadap situs yang berpotensi kejahatan maka anda tidak boleh mengaktifkannya.
+If enabled then ZAP will report permission errors via the API, which can be used by web applications to detect the presence of ZAP.
+This is not a serious problem in a safe environment but if you are using ZAP against potentially malicious sites then you should not enable it.
-Laporkan detail kesalahan melalui API
+Report error details via API
-Jika pilihan ini dipilih maka akan lebih banyak rincian kesalahan yang dikembalikan melalui API.
-Ini tidak dapat direkomendasikan kecuali untuk tujuan debugging karena pesan kesalahan ini bisa membocorkan informasi ke situs yang berbahaya.
-Perhatikan bahwa rincian kesalahan penuh ini selalu ditulis pada berkas ZAP log.
+If this option is selected then more error details are returned via the API.
+This is not recommended except for debugging purposes as these error messages can leak information to malicious sites.
+Note that the full error details are always written to the ZAP log file.
-Kunci API Isi Otomatis di UI API
+Autofill API key in the API UI
-Jika pilihan ini dipilih maka kunci API itu secara otomatis disertakan dalam UI API.
-Ini tidak direkomendasikan kecuali jika anda menggunakan ZAP di lingkungan yang benar-benar terisolasi, karena memungkinkan situs yang berbahaya untuk mengakses Kunci API ZAP.
+If this option is selected then the API key is automatically included in the API UI.
+This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API Key.
-Aktifkan JSONP
+Enable JSONP
-Memilih pilihan ini mengaktifkan format JSONP.
-Ini dapat berguna untuk beberapa aplikasi, tapi secara umum tidak disarankan karena akan meningkatkan daerah permukaan serangan ZAP, yaitu fitur yang dapat disalahgunakan oleh situs yang jahat.
-Jika JSONP itu diaktifkan maka semua operasi API yang menggunakan JSONP (termasuk tampilan) akan membutuhkan kunci API untuk mencegah situs berbahaya yang mengakses informasi sensitif yang dikelola oleh ZAP, seperti kunci sesi.
+Selecting this option enables the JSONP format.
+This can be useful for some applications, but it is generally not recommended as it increases the ZAP attack surface area, ie the features that a malicious site can abuse.
+If JSONP is enabled then all API operations using JSONP (including views) will require the API key to prevent malicious sites from accessing sensitive information maintained by ZAP, such as session keys.
-Lihat juga
+See also
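Review bot: typo in the new File Transfer paragraph: "files can be transfered to and from ZAP" should be "transferred". Also, unlike the "API Key" heading, no heading text is visible in the hunk above the two new option paragraphs (the one introducing "-config api.filexfer=true" and the one introducing "-config api.xferdir=/full/path/to/dir"), so please confirm the option names rendered; readers of the File Transfer page are sent to this screen to find them. Minor: "ie the features that a malicious site can abuse" should be "i.e.". The statement that the transfer option is only available when the API key is not disabled is the right coupling and worth keeping prominent.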
diff --git a/addOns/help_id_ID/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_id_ID/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index d5e28812..6add4cf9 100644
--- a/addOns/help_id_ID/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_id_ID/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -29,8 +29,8 @@ Pilihan JVM
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
diff --git a/addOns/help_id_ID/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_id_ID/src/main/javahelp/contents/ui/tlmenu/help.html
index ddff4eea..4971e460 100644
--- a/addOns/help_id_ID/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_id_ID/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,21 +10,24 @@
Sebuah menu Pertolongan
Ini menu yang memberi akses ke dialog 'about' dan ini membantu berkas.
-Tentang OWASP ZAP
+About ZAP
Ini menampilkan sebuah dialog 'about'.
Info Dukungan...
Menampilkan dialog yang mengandungi informasi yang berguna saat mengatasi masalah atau mencari dukungan. Seperti:
Versi, add-on dan versi yang dipasang, sistem operasi, versi java, info lokal, dan jalan Petunjuk Beranda ZAP.
Informasi ini bisa disalin dan ditempel.
-Dialog tersebut mencakup tombol "Open", yang mengasumsikan OS mendukung fungsi yang diperlukan, akan membuka Petunjuk BerandaZAP
-(untuk log atau berkas konfigurasi) saat diklik.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
-Ini memeriksa untuk melihat jika kamu sedang menjalankan versi terbaru dari ZAP.
+This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
-Menampilkan ini membantu berkas.
+Desktop ZAP User Guide
+Displays this help file.
Note that add-ons can add additional menu items.
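Review bot: inconsistent product naming between hunks in this patch: this file renames the menu item to "Desktop ZAP User Guide", while intro.html in the same change uses "ZAP Desktop User Guide". Pick one (the intro.html form matches the page title) and use it in both places.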
diff --git a/addOns/help_id_ID/src/main/javahelp/index.xml b/addOns/help_id_ID/src/main/javahelp/index.xml
index 9597b8d3..ae6298d0 100644
--- a/addOns/help_id_ID/src/main/javahelp/index.xml
+++ b/addOns/help_id_ID/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_id_ID/src/main/javahelp/toc.xml b/addOns/help_id_ID/src/main/javahelp/toc.xml
index 578636ba..9aa90ab8 100644
--- a/addOns/help_id_ID/src/main/javahelp/toc.xml
+++ b/addOns/help_id_ID/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_it_IT/src/main/javahelp/contents/cmdline.html b/addOns/help_it_IT/src/main/javahelp/contents/cmdline.html
index 079bcc27..c890e16d 100644
--- a/addOns/help_it_IT/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_it_IT/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ Command Line
To run ZAP via the command line, you will need to locate the ZAP startup script.
Windows:
-C:\Program Files (x86)\OWASP\Zed Attack Proxy\zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Note: The command line options are not used by the executable (zap.exe
) only the bat file.
Mac:
-/Applications/OWASP\ ZAP.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
will be below the directory where ZAP was installed.
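Review bot: the rebranded Windows path looks like the result of a mechanical "OWASP" to "ZAP" replacement: "C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat" now names the product twice, whereas the Mac path in the same hunk collapses to "/Applications/ZAP.app/...". Please verify the actual installer layout and document that path rather than the substituted one.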
@@ -49,6 +49,7 @@ Options
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
diff --git a/addOns/help_it_IT/src/main/javahelp/contents/credits.html b/addOns/help_it_IT/src/main/javahelp/contents/credits.html
index 583f9d68..446786d3 100644
--- a/addOns/help_it_IT/src/main/javahelp/contents/credits.html
+++ b/addOns/help_it_IT/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ ZAP Extended Team
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ ZAP Extended Team
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ ZAP Extended Team
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ ZAP Extended Team
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ ZAP Extended Team
ZAP Localization
-ZAP localization is organized via https://crowdin.com/project/owasp-zap
+ZAP localization is organized via https://crowdin.com/project/zaproxy
| Azerbaijanian | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_it_IT/src/main/javahelp/contents/intro.html b/addOns/help_it_IT/src/main/javahelp/contents/intro.html
index 07a12c99..376f9bc0 100644
--- a/addOns/help_it_IT/src/main/javahelp/contents/intro.html
+++ b/addOns/help_it_IT/src/main/javahelp/contents/intro.html
@@ -3,14 +3,14 @@
-The OWASP ZAP Desktop User Guide
+The ZAP Desktop User Guide
-OWASP ZAP Desktop User Guide
+ZAP Desktop User Guide
-Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
@@ -49,7 +49,6 @@
See also
External links
diff --git a/addOns/help_it_IT/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_it_IT/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_it_IT/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
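Review bot: the "New Add-Ons" section ("The following add-ons are included by default in this release for the first time:") is followed by no entries as shown here; either name the add-ons that ship by default for the first time in 2.14.0 (the text just above says the Client Side Integration add-on is Marketplace-only, so it should not be one of them) or drop the heading so the page does not promise a list it never gives. Minor: "Issue 8109 : Make SBOM zip available via GUI, cmdline and API." is the only list item that ends in a full stop.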
diff --git a/addOns/help_it_IT/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_it_IT/src/main/javahelp/contents/releases/2.3.0.html
index 61efc4e1..0fe021f7 100644
--- a/addOns/help_it_IT/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_it_IT/src/main/javahelp/contents/releases/2.3.0.html
@@ -46,7 +46,7 @@ More API support
The API has been extended to support even more of the ZAP functionality.
Internationalized help file
-The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/owasp-zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
+The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
Languages with a significant amount of translated help pages include:
- Bosnian
@@ -66,7 +66,7 @@ New UI options
More functionality moved to add-ons
More of the core functionality has been moved into add-ons which allows us to deliver updates dynamically via the ZAP Marketplace rather than requiring new full releases.
-This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/owasp-zap can be downloaded within ZAP or even automatically installed.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
New and improved active and passive scanning rules
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
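Review bot: the Crowdin links move from https://crowdin.com/project/owasp-zap-help to https://crowdin.com/project/zap-help and from https://crowdin.com/project/owasp-zap to https://crowdin.com/project/zaproxy; please confirm both new slugs resolve before merge, because the same substitution is applied to every locale's copy of this page and of credits.html in this patch, so a wrong slug would be replicated into every language.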
diff --git a/addOns/help_it_IT/src/main/javahelp/contents/releases/releases.html b/addOns/help_it_IT/src/main/javahelp/contents/releases/releases.html
index 90d754bd..45b49932 100644
--- a/addOns/help_it_IT/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_it_IT/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ Releases
The following releases have been made:
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
diff --git a/addOns/help_it_IT/src/main/javahelp/contents/start/features/api.html b/addOns/help_it_IT/src/main/javahelp/contents/start/features/api.html
index a07931c7..542e5340 100644
--- a/addOns/help_it_IT/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_it_IT/src/main/javahelp/contents/start/features/api.html
@@ -28,6 +28,41 @@ API
Future versions of ZAP will increase the functionality available via the APi.
+
+
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
See also
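Review bot: the traversal sentence ("any attempt to upload or download a file to or from another directory (e.g. using "../../") will be rejected") gives a single example of what is refused; state the actual rule (for instance that the resolved path must stay inside the Transfer Directory, and whether absolute paths are refused as well) so readers do not conclude that only a literal "../" is blocked. The curl example posts the API key to http://localhost:8080 in clear text, which is fine on the loopback interface; since the Options API page edited in this same patch documents the "Secure Only" (HTTPS only) setting, a sentence pointing there for anyone exposing the API beyond localhost would fit here, given that the paragraph above already calls this feature full remote code execution access. Also say whether "${XFER}" is typed literally, as a curl user will read it as a shell variable. While the file is open, the unchanged context line "Future versions of ZAP will increase the functionality available via the APi." has "APi" for "API".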
diff --git a/addOns/help_it_IT/src/main/javahelp/contents/start/features/features.html b/addOns/help_it_IT/src/main/javahelp/contents/start/features/features.html
index 45e46216..c5eef078 100644
--- a/addOns/help_it_IT/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_it_IT/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ Features
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
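Review bot: the new row "| Software Bill of Materials | |" breaks the alphabetical order of the features table by landing between "| Passive Scan | |" and "| Scan Policy | |"; move it after "| Scripts | |" so Scan Policy, Scope, Scripts, Software Bill of Materials read in order. The same placement is repeated in every locale's features.html in this patch, so fix it in all of them.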
diff --git a/addOns/help_it_IT/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_it_IT/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_it_IT/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
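Review bot: the closing "See also" heading of this new page has no entries visible beneath it; link the pages that document the other two routes this page names (the Command Line page for "-sbomzip" and the API page for "createSbomZip", both added or edited in this same patch) or remove the heading. Consider also stating the CycloneDX specification version of "bom.json" once, since SBOM consumers need it to choose a parser; if the version is not fixed, leave that out rather than guess.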
diff --git a/addOns/help_it_IT/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_it_IT/src/main/javahelp/contents/ui/dialogs/options/api.html
index ad4c5d0f..5d8261a9 100644
--- a/addOns/help_it_IT/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_it_IT/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -11,7 +11,7 @@ Options API screen
This screen allows you to configure the API options:
-
Abilitato
+Enabled
If enabled then the API is available to all machines that are able to access ZAP's proxies that expose the API.
@@ -24,6 +24,22 @@ Secure Only
If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
+
+
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
API Key
A key that must be specified on all API 'actions' and some 'other' operations.
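Review bot: "transfered" in the added line "If enabled then files can be transfered to and from ZAP via the API." should be "transferred"; the same typo recurs in every locale's copy of this file in the patch. The two new option descriptions also appear here without the option name heading that the neighbouring "API Key" entry has; if the headings exist in the HTML and are merely not shown in this view, ignore this, otherwise add them ("File Transfer" and "Transfer Directory" are the names the added text itself uses). Finally, "Abilitato" is kept as unchanged context and "Enabled" is added directly after it, so the rendered page will show both the Italian and the English label; replace the line rather than append to it.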
diff --git a/addOns/help_it_IT/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_it_IT/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index 757b635c..673e2bc9 100644
--- a/addOns/help_it_IT/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_it_IT/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -29,8 +29,8 @@ JVM Options
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
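Review bot: changing the documented Windows home directory from "C:\Users\<username>\OWASP ZAP" to "C:\Users\<username>\ZAP" is a user-visible path change, and the release notes in this patch list "Issue 7988 : Use short name for home dir in Windows"; add a sentence for existing installs saying whether the old "OWASP ZAP" directory is still read, migrated automatically, or must be moved by hand, otherwise users looking for their .ZAP_JVM.properties will be sent to a directory that may not exist yet. The Linux ("~/.ZAP") and Mac OS entries are unchanged, so the note only needs to cover Windows.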
diff --git a/addOns/help_it_IT/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_it_IT/src/main/javahelp/contents/ui/tlmenu/help.html
index 05dca827..13178573 100644
--- a/addOns/help_it_IT/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_it_IT/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,20 +10,23 @@
The Help menu
This menu gives access to the 'about' dialog and this help file.
-About OWASP ZAP
+About ZAP
This displayed the 'about' dialog.
Support Info...
Displays a dialog that contains information which is useful when troubleshooting or seeking support. Such as:
Version, installed add-ons and versions, operating system, java version, locale info, and ZAP Home Directory path.
This information can be copied and pasted.
-The dialog includes an "Open" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
-(for logs or configuration files) when clicked.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
+Desktop ZAP User Guide
Displays this help file.
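Review bot: the added sentence "which will prompt you for the name of a zip file / which it will generate containing all of the available / SBOM files" stacks two "which" clauses; suggest "which prompts you for the name of a zip file and then generates it containing all of the available SBOM files". The unchanged line "This displayed the 'about' dialog." should read "This displays the 'about' dialog." while the file is being edited.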
diff --git a/addOns/help_it_IT/src/main/javahelp/index.xml b/addOns/help_it_IT/src/main/javahelp/index.xml
index db385825..01179c98 100644
--- a/addOns/help_it_IT/src/main/javahelp/index.xml
+++ b/addOns/help_it_IT/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_it_IT/src/main/javahelp/toc.xml b/addOns/help_it_IT/src/main/javahelp/toc.xml
index 10e412eb..f2cd0e5d 100644
--- a/addOns/help_it_IT/src/main/javahelp/toc.xml
+++ b/addOns/help_it_IT/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_ja_JP/src/main/javahelp/contents/cmdline.html b/addOns/help_ja_JP/src/main/javahelp/contents/cmdline.html
index c4f57a12..4dff0dbb 100644
--- a/addOns/help_ja_JP/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_ja_JP/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ コマンドライン
To run ZAP via the command line, you will need to locate the ZAP startup script.
Windows:
-C:\Program Files (x86)\OWASP\Zed Attack Proxy\zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Note: The command line options are not used by the executable (zap.exe
) only the bat file.
Mac:
-/Applications/OWASP\ ZAP.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
will be below the directory where ZAP was installed.
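Review bot: "C:\Program Files (x86)\OWASP\Zed Attack Proxy\zap.bat" becoming "C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat" looks like a mechanical OWASP→ZAP substitution rather than the directory the rebranded installer actually creates ("ZAP\Zed Attack Proxy" repeats the product name twice); check the 2.14.0 Windows installer's default install directory and document that, since the same replacement is applied to every locale's cmdline.html in this patch.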
@@ -49,6 +49,7 @@ Options
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
diff --git a/addOns/help_ja_JP/src/main/javahelp/contents/credits.html b/addOns/help_ja_JP/src/main/javahelp/contents/credits.html
index 4a66b9ef..874bc8de 100644
--- a/addOns/help_ja_JP/src/main/javahelp/contents/credits.html
+++ b/addOns/help_ja_JP/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ ZAP 拡張チーム
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ ZAP 拡張チーム
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ ZAP 拡張チーム
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ ZAP 拡張チーム
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ ZAP 拡張チーム
ZAP Localization
-ZAP localization is organized via https://crowdin.com/project/owasp-zap
+ZAP localization is organized via https://crowdin.com/project/zaproxy
| Azerbaijanian | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_ja_JP/src/main/javahelp/contents/intro.html b/addOns/help_ja_JP/src/main/javahelp/contents/intro.html
index 48c04f6d..11079e56 100644
--- a/addOns/help_ja_JP/src/main/javahelp/contents/intro.html
+++ b/addOns/help_ja_JP/src/main/javahelp/contents/intro.html
@@ -3,14 +3,14 @@
-The OWASP ZAP Desktop User Guide
+The ZAP Desktop User Guide
-OWASP ZAP Desktop User Guide
+ZAP Desktop User Guide
-Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
@@ -49,7 +49,6 @@
関連情報
外部リンク
diff --git a/addOns/help_ja_JP/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_ja_JP/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_ja_JP/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
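Review bot: "Since Oracle removed removed the Nashorn JavaScript engine from Java 15" duplicates "removed". "For more details see the ZAPit help page" lacks a full stop, unlike the parallel sentences for the API and SBOM help pages. "The following add-ons are included by default in this release for the first time:" is followed by no entries as shown; list them or drop the heading. Since "The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP." is the sentence users will plan around, say for how long the OWASP Docker images will keep being published if that is known, and otherwise leave it as is.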
diff --git a/addOns/help_ja_JP/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_ja_JP/src/main/javahelp/contents/releases/2.3.0.html
index 79c412ef..b029b0f1 100644
--- a/addOns/help_ja_JP/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_ja_JP/src/main/javahelp/contents/releases/2.3.0.html
@@ -46,7 +46,7 @@ 多くの API サポート
The API has been extended to support even more of the ZAP functionality.
ヘルプ ファイルの国際化
-The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/owasp-zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
+The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
Languages with a significant amount of translated help pages include:
- ボスニア語
@@ -66,7 +66,7 @@ 新しい UI オプション
多くの機能をアドオンに移動
More of the core functionality has been moved into add-ons which allows us to deliver updates dynamically via the ZAP Marketplace rather than requiring new full releases.
-This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/owasp-zap can be downloaded within ZAP or even automatically installed.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
新しく、改善された動的・静的スキャンルール
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
diff --git a/addOns/help_ja_JP/src/main/javahelp/contents/releases/releases.html b/addOns/help_ja_JP/src/main/javahelp/contents/releases/releases.html
index 61f9ed05..91103bd7 100644
--- a/addOns/help_ja_JP/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_ja_JP/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ リリース
以下のリリースが行われました。
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
diff --git a/addOns/help_ja_JP/src/main/javahelp/contents/start/features/api.html b/addOns/help_ja_JP/src/main/javahelp/contents/start/features/api.html
index 0b7d4e34..ec4a2a66 100644
--- a/addOns/help_ja_JP/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_ja_JP/src/main/javahelp/contents/start/features/api.html
@@ -27,11 +27,46 @@ API
Future versions of ZAP will increase the functionality available via the APi.
+
-関連情報
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
+
+
See also
|
-UIの概要 | ユーザー インターフェイスの概要について |
+UI Overviewfor an overview of the user interface |
|
API Overview | for an overview of the API |
|
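Review bot: the replaced row "UI Overviewfor an overview of the user interface |" has lost the " | " separator between the link text and the description that the next row "API Overview | for an overview of the API |" still has; restore it. This hunk also swaps the existing Japanese row "UIの概要 | ユーザー インターフェイスの概要について |" for English, so confirm this is the intended Crowdin resync and not a translation regression. The file-transfer text is identical to the other locale copies, so it carries the same gaps: the traversal sentence gives only "../../" as an example of what is rejected, and "${XFER}" is not stated to be typed literally.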
diff --git a/addOns/help_ja_JP/src/main/javahelp/contents/start/features/features.html b/addOns/help_ja_JP/src/main/javahelp/contents/start/features/features.html
index e57a69c9..8e0f80b2 100644
--- a/addOns/help_ja_JP/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_ja_JP/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ 特徴:
|
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
diff --git a/addOns/help_ja_JP/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_ja_JP/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_ja_JP/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
diff --git a/addOns/help_ja_JP/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_ja_JP/src/main/javahelp/contents/ui/dialogs/options/api.html
index 8bc3f1d3..8be57ad5 100644
--- a/addOns/help_ja_JP/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_ja_JP/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -9,9 +9,9 @@
オプションAPI画面
-この画面が設定できるのは API オプションです。
+This screen allows you to configure the API options:
-
有効
+Enabled
If enabled then the API is available to all machines that are able to access ZAP's proxies that expose the API.
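Review bot: "この画面が設定できるのは API オプションです。" is replaced by the English "This screen allows you to configure the API options:" while "有効" is kept as context with "Enabled" added beneath it, so the page ends up mixing a dropped translation with a duplicated label; if the Japanese strings are managed on Crowdin and this is a resync, fine, otherwise keep the translation and replace the label line instead of appending to it.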
@@ -24,6 +24,22 @@ Secure Only
If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
+
+
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
API Key
A key that must be specified on all API 'actions' and some 'other' operations.
@@ -70,12 +86,12 @@ Enable JSONP
This can be useful for some applications, but it is generally not recommended as it increases the ZAP attack surface area, ie the features that a malicious site can abuse.
If JSONP is enabled then all API operations using JSONP (including views) will require the API key to prevent malicious sites from accessing sensitive information maintained by ZAP, such as session keys.
-関連情報
+See also
diff --git a/addOns/help_ja_JP/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_ja_JP/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index 757b635c..673e2bc9 100644
--- a/addOns/help_ja_JP/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_ja_JP/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -29,8 +29,8 @@ JVM Options
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
diff --git a/addOns/help_ja_JP/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_ja_JP/src/main/javahelp/contents/ui/tlmenu/help.html
index de42c57a..ee10a2f6 100644
--- a/addOns/help_ja_JP/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_ja_JP/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,20 +10,23 @@
ヘルプメニュー
このメニューは「about」ダイアログとヘルプファイルへのアクセスをする事が出来ます。
-About OWASP ZAP
+About ZAP
「about」ダイアログを表示します。
Support Info...
Displays a dialog that contains information which is useful when troubleshooting or seeking support. Such as:
Version, installed add-ons and versions, operating system, java version, locale info, and ZAP Home Directory path.
This information can be copied and pasted.
-The dialog includes an "Open" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
-(for logs or configuration files) when clicked.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
+Desktop ZAP User Guide
Displays this help file.
diff --git a/addOns/help_ja_JP/src/main/javahelp/index.xml b/addOns/help_ja_JP/src/main/javahelp/index.xml
index 854d45fd..03438414 100644
--- a/addOns/help_ja_JP/src/main/javahelp/index.xml
+++ b/addOns/help_ja_JP/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_ja_JP/src/main/javahelp/toc.xml b/addOns/help_ja_JP/src/main/javahelp/toc.xml
index 7e3df073..41a422e6 100644
--- a/addOns/help_ja_JP/src/main/javahelp/toc.xml
+++ b/addOns/help_ja_JP/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_ms_MY/src/main/javahelp/contents/cmdline.html b/addOns/help_ms_MY/src/main/javahelp/contents/cmdline.html
index 079bcc27..c890e16d 100644
--- a/addOns/help_ms_MY/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_ms_MY/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ Command Line
To run ZAP via the command line, you will need to locate the ZAP startup script.
Windows:
-C:\Program Files (x86)\OWASP\Zed Attack Proxy\zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Note: The command line options are not used by the executable (zap.exe
) only the bat file.
Mac:
-/Applications/OWASP\ ZAP.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
will be below the directory where ZAP was installed.
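Review bot: the two rewritten install paths (C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat and /Applications/ZAP.app/Contents/Java/zap.sh) only swap "OWASP" for "ZAP" in the old path; please check them against what the rebranded installers actually create, since if the folder names were changed differently this page will point users at a script that does not exist.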
@@ -49,6 +49,7 @@ Options
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
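Review bot: the new "-sbomzip <path>" row does not say what <path> is. Suggest "| -sbomzip <path> | Creates a zip file at <path> containing all of the available SBOMs |", and state whether an existing file at that path is overwritten, because anyone calling this from a build script will need to know.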
diff --git a/addOns/help_ms_MY/src/main/javahelp/contents/credits.html b/addOns/help_ms_MY/src/main/javahelp/contents/credits.html
index 583f9d68..446786d3 100644
--- a/addOns/help_ms_MY/src/main/javahelp/contents/credits.html
+++ b/addOns/help_ms_MY/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ ZAP Extended Team
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ ZAP Extended Team
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ ZAP Extended Team
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ ZAP Extended Team
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ ZAP Extended Team
ZAP Localization
-ZAP localization is organized via https://crowdin.com/project/owasp-zap
+ZAP localization is organized via https://crowdin.com/project/zaproxy
| Azerbaijanian | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_ms_MY/src/main/javahelp/contents/intro.html b/addOns/help_ms_MY/src/main/javahelp/contents/intro.html
index 07a12c99..376f9bc0 100644
--- a/addOns/help_ms_MY/src/main/javahelp/contents/intro.html
+++ b/addOns/help_ms_MY/src/main/javahelp/contents/intro.html
@@ -3,14 +3,14 @@
-The OWASP ZAP Desktop User Guide
+The ZAP Desktop User Guide
-OWASP ZAP Desktop User Guide
+ZAP Desktop User Guide
-Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
@@ -49,7 +49,6 @@
See also
External links
diff --git a/addOns/help_ms_MY/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_ms_MY/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_ms_MY/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
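Review bot: duplicated word in the Graal JS section: "Since Oracle removed removed the Nashorn JavaScript engine" should be "Since Oracle removed the Nashorn JavaScript engine". Two smaller points in the same file: the dependency list is inconsistent ("Commons Lang, 3.12.0 → 3.13.0" and "RSyntaxTextArea, 3.3.3 → 3.3.4" carry a comma after the name, "Flatlaf 3.1.1 → 3.2.1" does not), and "For more details see the ZAPit help page" is missing its full stop.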
diff --git a/addOns/help_ms_MY/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_ms_MY/src/main/javahelp/contents/releases/2.3.0.html
index 4311b3aa..e2a055e2 100644
--- a/addOns/help_ms_MY/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_ms_MY/src/main/javahelp/contents/releases/2.3.0.html
@@ -46,7 +46,7 @@ More API support
The API has been extended to support even more of the ZAP functionality.
Internationalized help file
-The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/owasp-zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
+The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
Languages with a significant amount of translated help pages include:
- Bosnian
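Review bot: the replacement link https://crowdin.com/project/zap-help uses a different project slug from the UI localization link changed elsewhere in this same commit (https://crowdin.com/project/zaproxy in credits.html). Please confirm a Crowdin project actually exists under the name zap-help; this is a historical 2.3.0 release-notes page, so a broken link here is easy to miss.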
@@ -66,7 +66,7 @@ New UI options
More functionality moved to add-ons
More of the core functionality has been moved into add-ons which allows us to deliver updates dynamically via the ZAP Marketplace rather than requiring new full releases.
-This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/owasp-zap can be downloaded within ZAP or even automatically installed.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
New and improved active and passive scanning rules
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
diff --git a/addOns/help_ms_MY/src/main/javahelp/contents/releases/releases.html b/addOns/help_ms_MY/src/main/javahelp/contents/releases/releases.html
index 90d754bd..45b49932 100644
--- a/addOns/help_ms_MY/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_ms_MY/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ Releases
The following releases have been made:
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
diff --git a/addOns/help_ms_MY/src/main/javahelp/contents/start/features/api.html b/addOns/help_ms_MY/src/main/javahelp/contents/start/features/api.html
index a07931c7..542e5340 100644
--- a/addOns/help_ms_MY/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_ms_MY/src/main/javahelp/contents/start/features/api.html
@@ -28,6 +28,41 @@ API
Future versions of ZAP will increase the functionality available via the APi.
+
+
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
See also
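Review bot: the traversal sentence ("any attempt to upload or download a file to or from another directory (e.g. using "../../") will be rejected") would be stronger if it also said how an absolute fileName (one starting with "/" or a drive letter) and symbolic links inside the Transfer Directory are handled, since those are the cases a reader weighing the remote code execution risk described two paragraphs earlier will ask about. Also, "upload text files" sits oddly next to the multipart/form-data curl example; say whether binary content is rejected or simply not supported. Context typo while here: "via the APi" should be "via the API".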
diff --git a/addOns/help_ms_MY/src/main/javahelp/contents/start/features/features.html b/addOns/help_ms_MY/src/main/javahelp/contents/start/features/features.html
index 645af91a..663a7d3b 100644
--- a/addOns/help_ms_MY/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_ms_MY/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ Features
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
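Review bot: the new "Software Bill of Materials" row is placed between "Passive Scan" and "Scan Policy", which breaks the alphabetical order of the features table; it only sorts there if read as "SBOM". Either move the row to its alphabetical position (somewhere after "Scripts") or label it "SBOM (Software Bill of Materials)" so the order reads correctly.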
diff --git a/addOns/help_ms_MY/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_ms_MY/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_ms_MY/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
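Review bot: the "Command Line" and "API" subsections name "-sbomzip" and "createSbomZip" but neither says what argument they take, even though cmdline.html in this same change documents "-sbomzip <path>". Add the output path parameter here, and say what happens for add-ons that have no SBOM (the file naming sentence implies they are simply absent from the zip, but the page never states it).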
diff --git a/addOns/help_ms_MY/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_ms_MY/src/main/javahelp/contents/ui/dialogs/options/api.html
index ae7edf98..5d8261a9 100644
--- a/addOns/help_ms_MY/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_ms_MY/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -24,6 +24,22 @@ Secure Only
If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
+
+
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
API Key
A key that must be specified on all API 'actions' and some 'other' operations.
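Review bot: typo in the File Transfer paragraph: "files can be transfered to and from ZAP" should be "transferred". Two gaps in the same hunk: the Transfer Directory text gives no default location and does not say whether the directory must already exist, and the "-config api.xferdir=/full/path/to/dir" example would benefit from a sentence recommending a directory used for nothing else, given that the API help page describes an enabled upload as a remote code execution path.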
diff --git a/addOns/help_ms_MY/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_ms_MY/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index 757b635c..673e2bc9 100644
--- a/addOns/help_ms_MY/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_ms_MY/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -29,8 +29,8 @@ JVM Options
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
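Review bot: the two rewritten Windows paths (C:\Users\<username>\ZAP and C:\Documents and Settings\<username>\ZAP) need confirming against the default home directory the current build actually uses, particularly as this release's notes list "Issue 7988 : Use short name for home dir in Windows"; the doc and the implementation should agree. The unchanged "Windows 7/8" and "Windows XP" labels are also dated; "Windows" alone would serve for the first entry.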
diff --git a/addOns/help_ms_MY/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_ms_MY/src/main/javahelp/contents/ui/tlmenu/help.html
index 05dca827..13178573 100644
--- a/addOns/help_ms_MY/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_ms_MY/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,20 +10,23 @@
The Help menu
This menu gives access to the 'about' dialog and this help file.
-About OWASP ZAP
+About ZAP
This displayed the 'about' dialog.
Support Info...
Displays a dialog that contains information which is useful when troubleshooting or seeking support. Such as:
Version, installed add-ons and versions, operating system, java version, locale info, and ZAP Home Directory path.
This information can be copied and pasted.
-The dialog includes an "Open" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
-(for logs or configuration files) when clicked.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
+Desktop ZAP User Guide
Displays this help file.
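Review bot: the unchanged context line "This displayed the 'about' dialog." is a tense slip; while this hunk is being touched, change it to "This displays the 'about' dialog." The added "Save SBOM zip..." sentence has the same awkward "which ... which" construction as the ja_JP copy of this file; "which prompts for a zip file name and then generates that zip containing all of the available SBOM files" reads more cleanly.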
diff --git a/addOns/help_ms_MY/src/main/javahelp/index.xml b/addOns/help_ms_MY/src/main/javahelp/index.xml
index db385825..01179c98 100644
--- a/addOns/help_ms_MY/src/main/javahelp/index.xml
+++ b/addOns/help_ms_MY/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_ms_MY/src/main/javahelp/toc.xml b/addOns/help_ms_MY/src/main/javahelp/toc.xml
index 9fc7eb44..997d47b8 100644
--- a/addOns/help_ms_MY/src/main/javahelp/toc.xml
+++ b/addOns/help_ms_MY/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_pl_PL/src/main/javahelp/contents/cmdline.html b/addOns/help_pl_PL/src/main/javahelp/contents/cmdline.html
index 0b8076bf..415977d0 100644
--- a/addOns/help_pl_PL/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_pl_PL/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ Wiersz polecenia
To run ZAP via the command line, you will need to locate the ZAP startup script.
Windows:
-C:\Program Files (x86)\OWASP\Zed Attack Proxy\zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Note: The command line options are not used by the executable (zap.exe
) only the bat file.
Mac:
-/Applications/OWASP\ ZAP.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
will be below the directory where ZAP was installed.
@@ -49,6 +49,7 @@ Options
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
diff --git a/addOns/help_pl_PL/src/main/javahelp/contents/credits.html b/addOns/help_pl_PL/src/main/javahelp/contents/credits.html
index 538baddb..19769983 100644
--- a/addOns/help_pl_PL/src/main/javahelp/contents/credits.html
+++ b/addOns/help_pl_PL/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ ZAP Extended Team
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ ZAP Extended Team
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ ZAP Extended Team
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ ZAP Extended Team
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ ZAP Extended Team
ZAP Localization
-ZAP localization is organized via https://crowdin.com/project/owasp-zap
+ZAP localization is organized via https://crowdin.com/project/zaproxy
| Azerbaijanian | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_pl_PL/src/main/javahelp/contents/intro.html b/addOns/help_pl_PL/src/main/javahelp/contents/intro.html
index ec8ca582..562285ef 100644
--- a/addOns/help_pl_PL/src/main/javahelp/contents/intro.html
+++ b/addOns/help_pl_PL/src/main/javahelp/contents/intro.html
@@ -3,14 +3,14 @@
-The OWASP ZAP Desktop User Guide
+The ZAP Desktop User Guide
-OWASP ZAP Desktop User Guide
+ZAP Desktop User Guide
-Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
@@ -48,7 +48,6 @@
Zobacz również
Linki zewnętrzne
diff --git a/addOns/help_pl_PL/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_pl_PL/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_pl_PL/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
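Review bot: this file is the same blob as the ms_MY copy (index 00000000..4b9fc481 on both), so it carries the same defects: "Oracle removed removed the Nashorn JavaScript engine", the missing comma in "Flatlaf 3.1.1 → 3.2.1" relative to the other two dependency entries, and the missing full stop after "see the ZAPit help page". Fix them once in the source the locale copies are generated from rather than per locale.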
diff --git a/addOns/help_pl_PL/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_pl_PL/src/main/javahelp/contents/releases/2.3.0.html
index a532a443..df81cdd5 100644
--- a/addOns/help_pl_PL/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_pl_PL/src/main/javahelp/contents/releases/2.3.0.html
@@ -46,7 +46,7 @@ More API support
The API has been extended to support even more of the ZAP functionality.
Internationalized help file
-The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/owasp-zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
+The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
Languages with a significant amount of translated help pages include:
- Bośniacki
@@ -66,7 +66,7 @@ New UI options
More functionality moved to add-ons
More of the core functionality has been moved into add-ons which allows us to deliver updates dynamically via the ZAP Marketplace rather than requiring new full releases.
-This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/owasp-zap can be downloaded within ZAP or even automatically installed.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
New and improved active and passive scanning rules
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
diff --git a/addOns/help_pl_PL/src/main/javahelp/contents/releases/releases.html b/addOns/help_pl_PL/src/main/javahelp/contents/releases/releases.html
index 37be75a9..0ebf02a4 100644
--- a/addOns/help_pl_PL/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_pl_PL/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ Wydania
The following releases have been made:
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
diff --git a/addOns/help_pl_PL/src/main/javahelp/contents/start/features/api.html b/addOns/help_pl_PL/src/main/javahelp/contents/start/features/api.html
index e88500ae..542e5340 100644
--- a/addOns/help_pl_PL/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_pl_PL/src/main/javahelp/contents/start/features/api.html
@@ -28,8 +28,43 @@ API
Future versions of ZAP will increase the functionality available via the APi.
+
-Zobacz również
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
+
+
See also
|
UI Overview | for an overview of the user interface |
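Review bot: the hunk removes the Polish heading `Zobacz również` (the only translated string visible in it) and keeps the English `See also` context line that follows the new text, so the pl_PL page loses its translated heading; confirm this is an intended Crowdin reset rather than a regression. In the file-transfer text, the path restriction is illustrated only with "../../"; it would help to state explicitly that the Transfer Directory is the only root for both endpoints and whether absolute paths are rejected too, since the text says neither, and to say whether `fileUpload` accepts non-text files, because the paragraph says "upload text files" while the web UI sentence describes uploading arbitrary local files. Drive-by: the unchanged context line above the added text still reads "via the APi".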
diff --git a/addOns/help_pl_PL/src/main/javahelp/contents/start/features/features.html b/addOns/help_pl_PL/src/main/javahelp/contents/start/features/features.html
index de174351..7026a73b 100644
--- a/addOns/help_pl_PL/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_pl_PL/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ Features
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
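Review bot: the new `Software Bill of Materials` row is inserted between `Passive Scan` and `Scan Policy`, which is where the abbreviation `SBOM` would sort but not where the displayed label sorts; if the table is ordered by visible label the row belongs after `Scripts`, otherwise consider putting the abbreviation in the label so the ordering is evident.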
diff --git a/addOns/help_pl_PL/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_pl_PL/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_pl_PL/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
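Review bot: the `See also` heading at the end of the new page has nothing under it, so its links were either lost in this hunk or never added; either populate it (the Help menu, Command Line and API pages that the Desktop, Command Line and API sections refer to are the obvious candidates) or drop the heading. The statement that SBOMs may be missing when running from source and for some 3rd party add-ons is useful for anyone using the zip to verify a build; it would be worth adding that the generated zip only reflects add-ons that ship a `bom.json`, which is what the sentence implies but does not say.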
diff --git a/addOns/help_pl_PL/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_pl_PL/src/main/javahelp/contents/ui/dialogs/options/api.html
index e397f9cf..5d8261a9 100644
--- a/addOns/help_pl_PL/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_pl_PL/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -11,7 +11,7 @@ Options API screen
This screen allows you to configure the API options:
-
Aktywne
+Enabled
If enabled then the API is available to all machines that are able to access ZAP's proxies that expose the API.
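Review bot: this hunk replaces the Polish option label `Aktywne` with the English source `Enabled` on a pl_PL help page; if the Crowdin export reset the string because the source changed this is expected, but if the label is simply being overwritten it is a translation regression worth calling out in the commit message.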
@@ -24,7 +24,23 @@ Secure Only
If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
-Klucz API
+
+
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
+
API Key
A key that must be specified on all API 'actions' and some 'other' operations.
The API key is used to prevent malicious sites from accessing the ZAP API.
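Review bot: the two new option descriptions ("If enabled then files can be transfered…" and "The directory used to transfer files…") have no heading line above them, unlike `Secure Only` and `API Key`; the added lines where the headings would sit are blank, so either the headings were lost or the options are documented without their names. Also `transfered` should be `transferred`, and removing the Polish `Klucz API` heading in favour of the English `API Key` context line drops the one translated label in this hunk.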
@@ -70,7 +86,7 @@ Enable JSONP
This can be useful for some applications, but it is generally not recommended as it increases the ZAP attack surface area, ie the features that a malicious site can abuse.
If JSONP is enabled then all API operations using JSONP (including views) will require the API key to prevent malicious sites from accessing sensitive information maintained by ZAP, such as session keys.
-Zobacz również
+See also
|
UI Overview | for an overview of the user interface |
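Review bot: `Zobacz również` → `See also` replaces a translated heading with the English source on the pl_PL page; confirm this is an intentional reset, as with the other pl_PL headings changed in this commit.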
diff --git a/addOns/help_pl_PL/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_pl_PL/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index 757b635c..673e2bc9 100644
--- a/addOns/help_pl_PL/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_pl_PL/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -29,8 +29,8 @@ JVM Options
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
diff --git a/addOns/help_pl_PL/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_pl_PL/src/main/javahelp/contents/ui/tlmenu/help.html
index e5a8125f..177d5ec9 100644
--- a/addOns/help_pl_PL/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_pl_PL/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,20 +10,23 @@
The Help menu
This menu gives access to the 'about' dialog and this help file.
-About OWASP ZAP
+About ZAP
This displayed the 'about' dialog.
Support Info...
Displays a dialog that contains information which is useful when troubleshooting or seeking support. Such as:
Version, installed add-ons and versions, operating system, java version, locale info, and ZAP Home Directory path.
This information can be copied and pasted.
-The dialog includes an "Open" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
-(for logs or configuration files) when clicked.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
+Desktop ZAP User Guide
Displays this help file.
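Review bot: the added sentence 'a "Save SBOM zip..." button, which will prompt you for the name of a zip file which it will generate containing all of the available SBOM files' chains two `which` clauses; suggest 'which prompts you for the name of a zip file and then generates it, containing all of the available SBOM files'. Drive-by: the unchanged line "This displayed the 'about' dialog." should read "This displays".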
diff --git a/addOns/help_pl_PL/src/main/javahelp/index.xml b/addOns/help_pl_PL/src/main/javahelp/index.xml
index 33f098df..99a3d199 100644
--- a/addOns/help_pl_PL/src/main/javahelp/index.xml
+++ b/addOns/help_pl_PL/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_pl_PL/src/main/javahelp/toc.xml b/addOns/help_pl_PL/src/main/javahelp/toc.xml
index ba140963..31de2eaa 100644
--- a/addOns/help_pl_PL/src/main/javahelp/toc.xml
+++ b/addOns/help_pl_PL/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_pt_BR/src/main/javahelp/contents/cmdline.html b/addOns/help_pt_BR/src/main/javahelp/contents/cmdline.html
index 81a13c12..8e096d3e 100644
--- a/addOns/help_pt_BR/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_pt_BR/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ Linha de comando
Para rodar o ZAP por linha de comando, você precisa localizar o script de inicialização do ZAP.
Windows:
-C:\Arquivos de Programas (x86)\OWASP\Zed Attack Proxy\zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Note: The command line options are not used by the executable (zap.exe
) only the bat file.
Mac:
-/Applications/OWASP\ ZAP.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
will be below the directory where ZAP was installed.
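Review bot: the new Windows path `C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat` keeps the `Zed Attack Proxy` folder nested under a `ZAP` folder; confirm that this matches the installer's actual default location rather than being a find-and-replace of `OWASP` with `ZAP`. Dropping the localised `Arquivos de Programas` is fine, since on modern Windows the on-disk directory is `Program Files` on every locale and only its display name is localised.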
@@ -49,6 +49,7 @@ Opções
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
diff --git a/addOns/help_pt_BR/src/main/javahelp/contents/credits.html b/addOns/help_pt_BR/src/main/javahelp/contents/credits.html
index f1ad492e..98df920c 100644
--- a/addOns/help_pt_BR/src/main/javahelp/contents/credits.html
+++ b/addOns/help_pt_BR/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ Equipe Extensa
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ Equipe Extensa
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ Equipe Extensa
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ Equipe Extensa
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ Equipe Extensa
Tradução do ZAP
-A tradução do ZAP é organizada em: https://crowdin.com/project/owasp-zap
+A tradução do ZAP é organizada em: https://crowdin.com/project/zaproxy
| Azeri (Azerbaijão) | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_pt_BR/src/main/javahelp/contents/intro.html b/addOns/help_pt_BR/src/main/javahelp/contents/intro.html
index 28abbd40..d3799dd0 100644
--- a/addOns/help_pt_BR/src/main/javahelp/contents/intro.html
+++ b/addOns/help_pt_BR/src/main/javahelp/contents/intro.html
@@ -3,14 +3,14 @@
-The OWASP ZAP Desktop User Guide
+The ZAP Desktop User Guide
-OWASP ZAP Desktop User Guide
+ZAP Desktop User Guide
-Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
@@ -47,7 +47,6 @@
Leia também
Links externos
diff --git a/addOns/help_pt_BR/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_pt_BR/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_pt_BR/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
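Review bot: "Since Oracle removed removed the Nashorn JavaScript engine" in the Graal JS section duplicates `removed`. The `New Add-Ons` section says add-ons are included for the first time and is followed by nothing, while the Postman section above introduces "the new Postman add-on"; either the list was lost in this hunk or the section should say there are none. Minor: `-zapit` is in backticks while the other option names on the page are quoted, and the Flatlaf entry lacks the comma the other two library entries have.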
diff --git a/addOns/help_pt_BR/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_pt_BR/src/main/javahelp/contents/releases/2.3.0.html
index f9355b42..92838ddb 100644
--- a/addOns/help_pt_BR/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_pt_BR/src/main/javahelp/contents/releases/2.3.0.html
@@ -46,7 +46,7 @@ Mais suporte à API
A API foi estendida para apoiar ainda mais as funcionalidades do ZAP.
Arquivo de help internacionalizado
-O arquivo de ajuda foi internacionalizado e está em processo de tradução para muitos outros idiomas via https://crowdin.com/project/owasp-zap-help. Se você usar o ZAP em um dos vários idiomas que oferecemos, os arquivos de ajuda incluirão todas as traduções disponíveis para aquele idioma, voltando ao inglês para as frases que ainda não foram traduzidas.
+O arquivo de ajuda foi internacionalizado e está em processo de tradução para muitos outros idiomas via https://crowdin.com/project/zap-help. Se você usar o ZAP em um dos vários idiomas que oferecemos, os arquivos de ajuda incluirão todas as traduções disponíveis para aquele idioma, voltando ao inglês para as frases que ainda não foram traduzidas.
Os idiomas com uma quantidade significativa de páginas de ajuda traduzidas incluem:
- Português do Brasil
@@ -65,7 +65,7 @@ Novas opções de interface do usuário
Mais funcionalidades para os Complementos
Mais um pouco da funcionalidade do núcleo do ZAM foi movida para os complementos, o que nos permite entregar atualizações dinamicamente via ZAP Marketplace, em vez de exigir novos releases completos.
-This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/owasp-zap can be downloaded within ZAP or even automatically installed.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
Regras de varredura ativa e passiva novas e melhoradas
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
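Review bot: drive-by on the unchanged context line "Mais um pouco da funcionalidade do núcleo do ZAM": `ZAM` should be `ZAP`.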
diff --git a/addOns/help_pt_BR/src/main/javahelp/contents/releases/releases.html b/addOns/help_pt_BR/src/main/javahelp/contents/releases/releases.html
index 1a55c2a1..47b75e66 100644
--- a/addOns/help_pt_BR/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_pt_BR/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ Releases
Estes são os releases publicados:
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
diff --git a/addOns/help_pt_BR/src/main/javahelp/contents/start/features/api.html b/addOns/help_pt_BR/src/main/javahelp/contents/start/features/api.html
index 60a5c87a..c2bfcfea 100644
--- a/addOns/help_pt_BR/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_pt_BR/src/main/javahelp/contents/start/features/api.html
@@ -24,11 +24,46 @@ API
Future versions of ZAP will increase the functionality available via the APi.
+
-Leia também
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
+
+
See also
|
-Visão geral da interface do usuário | uma visão geral da interface do usuário |
+UI Overviewfor an overview of the user interface |
|
API Overview | for an overview of the API |
|
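Review bot: the replaced `See also` row `UI Overviewfor an overview of the user interface |` has lost the cell separator between the link text and the description that the `API Overview | for an overview of the API |` row below still has; check the table markup of that row. The hunk also swaps the Portuguese row and the `Leia também` heading for English on the pt_BR page. The file-transfer text is identical to the pl_PL copy, so the same documentation points apply: state whether absolute paths are rejected as well as "../../", and whether `fileUpload` accepts files other than the "text files" the paragraph mentions.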
diff --git a/addOns/help_pt_BR/src/main/javahelp/contents/start/features/features.html b/addOns/help_pt_BR/src/main/javahelp/contents/start/features/features.html
index 66aa0c9b..aaf45e1b 100644
--- a/addOns/help_pt_BR/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_pt_BR/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ Recursos
|
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
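Review bot: as in the pl_PL features table, the `Software Bill of Materials` row sits where `SBOM` would sort, not where its displayed label sorts; if the table is ordered by label it belongs after `Scripts`.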
diff --git a/addOns/help_pt_BR/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_pt_BR/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_pt_BR/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
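Review bot: the `See also` section of this new page is empty, as in the pl_PL copy; either add the links (Help menu, Command Line and API pages referenced above) or drop the heading.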
diff --git a/addOns/help_pt_BR/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_pt_BR/src/main/javahelp/contents/ui/dialogs/options/api.html
index ba51c08b..e22ff918 100644
--- a/addOns/help_pt_BR/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_pt_BR/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -9,9 +9,9 @@
Tela de opções da API
-Esta tela permite que você configure as opções da API:
+This screen allows you to configure the API options:
-
Habilitado
+Enabled
If enabled then the API is available to all machines that are able to access ZAP's proxies that expose the API.
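Review bot: this hunk replaces the Portuguese intro sentence and the `Habilitado` label with their English source on a pt_BR page; if this is a Crowdin reset triggered by the source change it is expected, otherwise it is a translation regression.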
@@ -20,63 +20,78 @@ Web UI Enabled
If enabled then the API Web UI is available to all machines that are able to access ZAP's proxies that expose the API.
To access the API Web UI point your browser to the host and port that ZAP is listening on.
-Apenas em Segurança
+Secure Only
-Se ativado, a API só estará disponível via HTTPS. Caso contrário, ele estará disponível via HTTP e HTTPS.
+If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
-Chave API
+
-Uma chave que deve ser especificada em todas as 'ações' da API e algumas 'outras' operações.
-
-A chave API é usada para evitar que sites maliciosos acessem a API ZAP.
-É altamente recomendável que você defina uma chave, a menos que esteja usando ZAP em um ambiente completamente isolado.
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
+
API Key
+
+A key that must be specified on all API 'actions' and some 'other' operations.
+The API key is used to prevent malicious sites from accessing the ZAP API.
+It is strongly recommended that you set a key unless you are using ZAP in a completely isolated environment.
-Endereços permitidos para usar a API
+Addresses permitted to use the API
-Por padrão, apenas a máquina em que o ZAP está sendo executado é capaz de acessar a API ZAP.
-Você pode permitir que outras máquinas acessem a API adicionando padrões regex adequados.
-Você só deve adicionar endereços IP em que confia.
-Observe que a API ZAP agora também verifica o cabeçalho do hospedeiro(host), de modo que também deve ser um dos endereços permitidos.
+By default only the machine ZAP is running on is able to access the ZAP API.
+You can allow other machines access to the API by adding suitable regex patterns.
+You should only add IP addresses that you trust.
+Note that the ZAP API also now checks the host header, so that must also be one of the permitted addresses.
-Desative a chave de API
+Disable the API Key
-Selecionar esta opção desativa a chave API.
-Isso não é recomendado, a menos que você esteja usando ZAP em um ambiente completamente isolado, pois permite que sites maliciosos acessem a API ZAP.
+Selecting this option disables the API key.
+This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API.
-Não requer uma chave de API para operações seguras
+Do not require an API key for safe operations
-Se ativada, a chave API não é necessária para visualizações ou outras operações consideradas 'seguras', em outras palavras, operações que não fazem nenhuma alteração no ZAP.
-No entanto, essas operações fornecem acesso aos dados ZAP, como alertas, mensagens e caminhos do sistema de arquivos.
-Eles também podem ser usados por aplicativos da web para detectar a presença de ZAP.
+If enabled then the API key is not required for Views or Other operations that are considered 'safe', in other words operations that do not make any changes to ZAP.
+Such operations do however give access to ZAP data such as alert, messages, and file system paths.
+They can also be used by web applications to detect the presence of ZAP.
-Reportar erros de permissão via API
+Report permission errors via API
-Se ativado, o ZAP relatará erros de permissão por meio da API, que pode ser usado por aplicativos da web para detectar a presença de ZAP.
-Este não é um problema sério em um ambiente seguro, mas se você estiver usando o ZAP contra sites potencialmente maliciosos, você não deve habilitá-lo.
+If enabled then ZAP will report permission errors via the API, which can be used by web applications to detect the presence of ZAP.
+This is not a serious problem in a safe environment but if you are using ZAP against potentially malicious sites then you should not enable it.
-Reportar detalhes do erro via API
+Report error details via API
-Se esta opção for selecionada, mais detalhes do erro serão retornados por meio da API.
-Isso não é recomendado, exceto para fins de depuração, pois essas mensagens de erro podem vazar informações para sites maliciosos.
-Observe que todos os detalhes do erro são sempre gravados no arquivo de log ZAP.
+If this option is selected then more error details are returned via the API.
+This is not recommended except for debugging purposes as these error messages can leak information to malicious sites.
+Note that the full error details are always written to the ZAP log file.
-Chave de API de preenchimento automático na IU da API
+Autofill API key in the API UI
-Se esta opção for selecionada, a chave API será incluída automaticamente na IU da API.
-Isso não é recomendado, a menos que você esteja usando ZAP em um ambiente completamente isolado, pois permite que sites mal-intencionados acessem a chave ZAP API.
+If this option is selected then the API key is automatically included in the API UI.
+This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API Key.
-Ativar JSONP
+Enable JSONP
-Selecionar esta opção ativa o formato JSONP.
-Isso pode ser útil para alguns aplicativos, mas geralmente não é recomendado, pois aumenta a área de superfície de ataque ZAP, ou seja, os recursos que um site malicioso pode abusar.
-Se JSONP estiver ativado, todas as operações de API usando JSONP (incluindo visualizações) exigirão a chave de API para evitar que sites maliciosos acessem informações confidenciais mantidas pelo ZAP, como chaves de sessão.
+Selecting this option enables the JSONP format.
+This can be useful for some applications, but it is generally not recommended as it increases the ZAP attack surface area, ie the features that a malicious site can abuse.
+If JSONP is enabled then all API operations using JSONP (including views) will require the API key to prevent malicious sites from accessing sensitive information maintained by ZAP, such as session keys.
-Veja também
+See also
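Review bot: this hunk replaces the entire Portuguese translation of the options (API Key, permitted addresses, Disable the API Key, safe operations, error reporting, Autofill, JSONP, See also) with the English source text; if the Crowdin export reset these because the surrounding source changed, the pt_BR page regresses to English until they are re-translated, which deserves a mention in the commit message. In the new lines: `transfered` → `transferred`; the two new options ("If enabled then files can be transfered…" and "The directory used to transfer files…") have no heading line where `Secure Only` and `API Key` do; and "give access to ZAP data such as alert, messages, and file system paths" should read "alerts".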
diff --git a/addOns/help_pt_BR/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_pt_BR/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index 38c19bee..2a59fe64 100644
--- a/addOns/help_pt_BR/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_pt_BR/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -27,8 +27,8 @@ Opções da JVM
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
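Review bot: the change from `C:\Users\<username>\OWASP ZAP` to `C:\Users\<username>\ZAP` says nothing about installs created before the rebranding, whose `.ZAP_JVM.properties` will still sit under the old directory unless ZAP migrates it. Suggest one sentence noting the previous location for older installs, or stating that the directory is migrated on upgrade if that is the case.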
diff --git a/addOns/help_pt_BR/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_pt_BR/src/main/javahelp/contents/ui/tlmenu/help.html
index b86a9594..7c3ba68b 100644
--- a/addOns/help_pt_BR/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_pt_BR/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,20 +10,24 @@
O menu de ajuda
Este menu dá acesso à caixa de diálogo 'Sobre' e a este arquivo de ajuda.
-Sobre o OWASP ZAP
+About ZAP
Isto exibe o diálogo 'Sobre'.
Informação de Suporte...
Abre uma caixa de diálogo que contém informações que são úteis quando resolvendo problemas ou procurando suporte. Como:
Versão, complementos instalados e versões, sistema operacional, versão do Java, informações de localização e diretório de instalação do ZAP.
Esta informação pode ser copiada e colada.
-A caixa de diálogo tem um botão "Abrir" que, quando clicado e se suportado pelo SO, abrirá o diretório de instalação do ZAP (para logs e arquivos de configuração).
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
-Isto verifica se você estiver executando a versão mais recente do ZAP.
+This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
-Exibe este arquivo de ajuda.
+Desktop ZAP User Guide
+Displays this help file.
Note that add-ons can add additional menu items.
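Review bot: the new "Open ZAP Home" and "Save SBOM zip..." sentences are English inserted into an otherwise Portuguese page, so the section now switches language mid-list; a Portuguese rendering consistent with the surrounding text would be better. The wording itself also needs tidying: "which assuming the OS supports the necessary functionality, will open" wants commas ("which, assuming the OS supports the necessary functionality, will open"), and "the name of a zip file which it will generate containing all of the available SBOM files" reads more naturally as "the name of a zip file, which it will generate containing all of the available SBOM files".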
diff --git a/addOns/help_pt_BR/src/main/javahelp/index.xml b/addOns/help_pt_BR/src/main/javahelp/index.xml
index 706cdcaf..eede3500 100644
--- a/addOns/help_pt_BR/src/main/javahelp/index.xml
+++ b/addOns/help_pt_BR/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_pt_BR/src/main/javahelp/toc.xml b/addOns/help_pt_BR/src/main/javahelp/toc.xml
index 5978e411..cc003ed7 100644
--- a/addOns/help_pt_BR/src/main/javahelp/toc.xml
+++ b/addOns/help_pt_BR/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_ro_RO/src/main/javahelp/contents/cmdline.html b/addOns/help_ro_RO/src/main/javahelp/contents/cmdline.html
index 079bcc27..c890e16d 100644
--- a/addOns/help_ro_RO/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_ro_RO/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ Command Line
To run ZAP via the command line, you will need to locate the ZAP startup script.
Windows:
-C:\Program Files (x86)\OWASP\Zed Attack Proxy\zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Note: The command line options are not used by the executable (zap.exe
) only the bat file.
Mac:
-/Applications/OWASP\ ZAP.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
will be below the directory where ZAP was installed.
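Review bot: the Windows path `C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat` looks like a mechanical OWASP to ZAP substitution rather than a verified install location; the old layout was vendor folder `OWASP` plus product folder `Zed Attack Proxy`, and a rebranded installer is unlikely to nest `ZAP\Zed Attack Proxy`. Please check the path against the current Windows installer before merging. The same substitution appears in the other locale copies of cmdline.html in this patch.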
@@ -49,6 +49,7 @@ Options
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
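Review bot: the new `-sbomzip <path>` row does not say what `<path>` is. Suggest "Creates a zip file at <path> containing all of the available SBOMs" and a cross-reference to the Software Bill of Materials page, which documents the file names inside the zip.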
diff --git a/addOns/help_ro_RO/src/main/javahelp/contents/credits.html b/addOns/help_ro_RO/src/main/javahelp/contents/credits.html
index 583f9d68..446786d3 100644
--- a/addOns/help_ro_RO/src/main/javahelp/contents/credits.html
+++ b/addOns/help_ro_RO/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ ZAP Extended Team
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ ZAP Extended Team
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ ZAP Extended Team
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ ZAP Extended Team
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ ZAP Extended Team
ZAP Localization
-ZAP localization is organized via https://crowdin.com/project/owasp-zap
+ZAP localization is organized via https://crowdin.com/project/zaproxy
| Azerbaijanian | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_ro_RO/src/main/javahelp/contents/intro.html b/addOns/help_ro_RO/src/main/javahelp/contents/intro.html
index 07a12c99..376f9bc0 100644
--- a/addOns/help_ro_RO/src/main/javahelp/contents/intro.html
+++ b/addOns/help_ro_RO/src/main/javahelp/contents/intro.html
@@ -3,14 +3,14 @@
-The OWASP ZAP Desktop User Guide
+The ZAP Desktop User Guide
-OWASP ZAP Desktop User Guide
+ZAP Desktop User Guide
-Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
@@ -49,7 +49,6 @@
See also
External links
diff --git a/addOns/help_ro_RO/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_ro_RO/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_ro_RO/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
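Review bot: "Since Oracle removed removed the Nashorn JavaScript engine" in the Graal JS Add-on Access section duplicates "removed". Two smaller points in the same file: "For more details see the ZAPit help page" is missing its full stop, and the "New Add-Ons" heading is followed by "The following add-ons are included by default in this release for the first time:" with no list after it, so either the list was lost or the sentence should say that no new add-ons were bundled.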
diff --git a/addOns/help_ro_RO/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_ro_RO/src/main/javahelp/contents/releases/2.3.0.html
index a87c95e5..e6d875cb 100644
--- a/addOns/help_ro_RO/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_ro_RO/src/main/javahelp/contents/releases/2.3.0.html
@@ -46,7 +46,7 @@ More API support
The API has been extended to support even more of the ZAP functionality.
Internationalized help file
-The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/owasp-zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
+The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
Languages with a significant amount of translated help pages include:
- Bosnian
@@ -66,7 +66,7 @@ New UI options
More functionality moved to add-ons
More of the core functionality has been moved into add-ons which allows us to deliver updates dynamically via the ZAP Marketplace rather than requiring new full releases.
-This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/owasp-zap can be downloaded within ZAP or even automatically installed.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
New and improved active and passive scanning rules
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
diff --git a/addOns/help_ro_RO/src/main/javahelp/contents/releases/releases.html b/addOns/help_ro_RO/src/main/javahelp/contents/releases/releases.html
index 90d754bd..45b49932 100644
--- a/addOns/help_ro_RO/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_ro_RO/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ Releases
The following releases have been made:
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
diff --git a/addOns/help_ro_RO/src/main/javahelp/contents/start/features/api.html b/addOns/help_ro_RO/src/main/javahelp/contents/start/features/api.html
index a07931c7..542e5340 100644
--- a/addOns/help_ro_RO/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_ro_RO/src/main/javahelp/contents/start/features/api.html
@@ -28,6 +28,41 @@ API
Future versions of ZAP will increase the functionality available via the APi.
+
+
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
See also
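Review bot: the File Transfer section never states that the 'fileUpload' and 'fileDownload' 'other' endpoints require the API key; the curl example passes `-F apikey=your-api-key`, but the prose only says a key must be set to enable the feature, and this page's own "API Key" text says the key is needed for 'actions' and only some 'other' operations, so readers cannot infer it. Given the paragraph above describes an upload as full remote code execution, say explicitly that both endpoints are key-protected. It would also help to recommend that the Transfer Directory be a dedicated, otherwise empty directory, since the page says files in it can be fetched through 'fileDownload'. Nit in the context line above the hunk: "APi" should be "API".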
diff --git a/addOns/help_ro_RO/src/main/javahelp/contents/start/features/features.html b/addOns/help_ro_RO/src/main/javahelp/contents/start/features/features.html
index 0ad9f60d..75edf23d 100644
--- a/addOns/help_ro_RO/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_ro_RO/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ Features
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
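Review bot: the "Software Bill of Materials" row is inserted between "Passive Scan" and "Scan Policy", but the surrounding rows are alphabetical (Modes, Notes, Passive Scan, Scan Policy, Scope, Scripts), so it belongs after "Scripts".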
diff --git a/addOns/help_ro_RO/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_ro_RO/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_ro_RO/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
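Review bot: the "See also" section at the end of the new page is empty; either link the API and Command Line pages referenced above or drop the heading. Minor wording: "3rd party add-ons" should be "third-party add-ons", and "can be generated via the following options" reads better as "can be generated in any of the following ways".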
diff --git a/addOns/help_ro_RO/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_ro_RO/src/main/javahelp/contents/ui/dialogs/options/api.html
index 036d4e15..5d8261a9 100644
--- a/addOns/help_ro_RO/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_ro_RO/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -11,7 +11,7 @@ Options API screen
This screen allows you to configure the API options:
-
Activat
+Enabled
If enabled then the API is available to all machines that are able to access ZAP's proxies that expose the API.
@@ -24,6 +24,22 @@ Secure Only
If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
+
+
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
API Key
A key that must be specified on all API 'actions' and some 'other' operations.
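Review bot: "transfered" should be "transferred" in the new file transfer option text. More importantly, the option description only says "For more details see File Transfer"; since that page describes the feature as letting any holder of the API key upload and run scripts with ZAP's own permissions, the option text itself should carry that warning so that someone setting `-config api.filexfer=true` from the command line sees it without following the link. The repeated sentence "This option is only available if the API key is not disabled" could be stated once for both options.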
diff --git a/addOns/help_ro_RO/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_ro_RO/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index 757b635c..673e2bc9 100644
--- a/addOns/help_ro_RO/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_ro_RO/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -29,8 +29,8 @@ JVM Options
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
diff --git a/addOns/help_ro_RO/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_ro_RO/src/main/javahelp/contents/ui/tlmenu/help.html
index 05dca827..13178573 100644
--- a/addOns/help_ro_RO/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_ro_RO/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,20 +10,23 @@
The Help menu
This menu gives access to the 'about' dialog and this help file.
-About OWASP ZAP
+About ZAP
This displayed the 'about' dialog.
Support Info...
Displays a dialog that contains information which is useful when troubleshooting or seeking support. Such as:
Version, installed add-ons and versions, operating system, java version, locale info, and ZAP Home Directory path.
This information can be copied and pasted.
-The dialog includes an "Open" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
-(for logs or configuration files) when clicked.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
+Desktop ZAP User Guide
Displays this help file.
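Review bot: the context line "This displayed the 'about' dialog." should read "This displays the 'about' dialog."; since this hunk already touches the adjacent heading, fix it here. The new "Save SBOM zip..." sentence also needs a comma: "prompt you for the name of a zip file, which it will generate containing all of the available SBOM files."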
diff --git a/addOns/help_ro_RO/src/main/javahelp/index.xml b/addOns/help_ro_RO/src/main/javahelp/index.xml
index db385825..01179c98 100644
--- a/addOns/help_ro_RO/src/main/javahelp/index.xml
+++ b/addOns/help_ro_RO/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_ro_RO/src/main/javahelp/toc.xml b/addOns/help_ro_RO/src/main/javahelp/toc.xml
index 18fe7972..ffdb93bd 100644
--- a/addOns/help_ro_RO/src/main/javahelp/toc.xml
+++ b/addOns/help_ro_RO/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_ru_RU/src/main/javahelp/contents/cmdline.html b/addOns/help_ru_RU/src/main/javahelp/contents/cmdline.html
index 2b2f0290..fad61377 100644
--- a/addOns/help_ru_RU/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_ru_RU/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ командная строка
Чтобы запустить ZAP через командную строку, вам нужно будет найти сценарий запуска ZAP.
Windows:
-C:\Program Files (x86)\OWASP\Zed Attack Proxy\zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Примечание: Параметры командной строки не используются исполняемым файлом ( zap.exe
) только bat файл.
Mac:
-/Applications/OWASP\ ZAP.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
будет ниже каталога, в котором был установлен ZAP.
@@ -49,6 +49,7 @@ Параметры
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
diff --git a/addOns/help_ru_RU/src/main/javahelp/contents/credits.html b/addOns/help_ru_RU/src/main/javahelp/contents/credits.html
index abf9fc7b..387fd6f1 100644
--- a/addOns/help_ru_RU/src/main/javahelp/contents/credits.html
+++ b/addOns/help_ru_RU/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ Расширенная команда ZAP
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ Расширенная команда ZAP
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ Расширенная команда ZAP
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ Расширенная команда ZAP
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ Расширенная команда ZAP
Локализация ZAP
-Локализация ZAP осуществляется через https://crowdin.com/project/owasp-zap
+Локализация ZAP осуществляется через https://crowdin.com/project/zaproxy
| Azerbaijanian | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_ru_RU/src/main/javahelp/contents/intro.html b/addOns/help_ru_RU/src/main/javahelp/contents/intro.html
index addaa66c..fc387dd3 100644
--- a/addOns/help_ru_RU/src/main/javahelp/contents/intro.html
+++ b/addOns/help_ru_RU/src/main/javahelp/contents/intro.html
@@ -3,15 +3,15 @@
-Руководство пользователя OWASP ZAP Desktop
+The ZAP Desktop User Guide
-Руководство пользователя OWASP ZAP Desktop
+ZAP Desktop User Guide
-Добро пожаловать в Руководство пользователя настольного прокси-сервера OWASP Zed Attack (ZAP).
-Это доступно как в виде контекстной справки в ZAP, так и в Интернете по адресу
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
+This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
ZAP - это простой в использовании интегрированный инструмент тестирования на проникновение для поиска уязвимостей в веб-приложениях.
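Review bot: the hunk replaces already-translated Russian strings ("Руководство пользователя ...", "Добро пожаловать ...") with English, leaving the page mixed-language, as the following paragraph is still Russian. If this is a deliberate reset pending retranslation that is fine, but otherwise the Russian lines should stay.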
@@ -50,8 +50,7 @@
Смотрите также
внешние ссылки
Официальные видео
diff --git a/addOns/help_ru_RU/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_ru_RU/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_ru_RU/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
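Review bot: the dependency list formatting is inconsistent: `Commons Lang, 3.12.0 → 3.13.0` and `RSyntaxTextArea, 3.3.3 → 3.3.4` put a comma between the library name and the versions while `Flatlaf 3.1.1 → 3.2.1` does not; pick one form (the comma-less one reads better). Likewise `Issue 8109 : Make SBOM zip available via GUI, cmdline and API.` is the only enhancement entry that ends with a period.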
diff --git a/addOns/help_ru_RU/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_ru_RU/src/main/javahelp/contents/releases/2.3.0.html
index 254918e8..8ed0cb36 100644
--- a/addOns/help_ru_RU/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_ru_RU/src/main/javahelp/contents/releases/2.3.0.html
@@ -46,7 +46,7 @@ Дополнительная поддержка API
API был расширен для поддержки еще большей функциональности ZAP.
Internationalized help file
-Файл справки был интернационализирован и находится в процессе перевода на многие другие языки через https://crowdin.com/project/owasp-zap-help. Если вы используете ZAP на одном из многих языков, которые мы поддерживаем, то файлы справки будут включать все доступные переводы для этого языка, в то время как по умолчанию обратно на английский язык для фраз, которые еще не были переведены.
+Файл справки был интернационализирован и находится в процессе перевода на многие другие языки через https://crowdin.com/project/zap-help. Если вы используете ZAP на одном из многих языков, которые мы поддерживаем, то файлы справки будут включать все доступные переводы для этого языка, в то время как по умолчанию обратно на английский язык для фраз, которые еще не были переведены.
Языки со значительным количеством переведенных справочных страниц включают:
- Боснийский
@@ -66,7 +66,7 @@ Новые параметры пользовательского интер
Больше функций перенесено в дополнения
Большая часть основной функциональности была перемещена в дополнения, которые позволяют нам динамически доставлять обновления через Zap Marketplace, а не требовать новых полных выпусков.
-Сюда входят языковые пакеты, поэтому переводы, сделанные в пользовательском интерфейсе ZAP через https://crowdin.com/project/owasp-zap, можно загрузить в ZAP или даже установить автоматически.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
Новые и улучшенные правила активного и пассивного сканирования
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
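Review bot: this hunk replaces the whole Russian sentence (`Сюда входят языковые пакеты, ...`) with the English source text although only the Crowdin URL changed, whereas the hunk just above in the same file updated the URL inside the existing Russian translation. Suggest keeping the Russian sentence and changing only `https://crowdin.com/project/owasp-zap` to `https://crowdin.com/project/zaproxy`, so the translation is not lost.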
diff --git a/addOns/help_ru_RU/src/main/javahelp/contents/releases/releases.html b/addOns/help_ru_RU/src/main/javahelp/contents/releases/releases.html
index 69c1cc96..d8ec04e9 100644
--- a/addOns/help_ru_RU/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_ru_RU/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ Релизы
Сделаны следующие релизы:
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
@@ -18,7 +19,7 @@ Релизы
| 2.10.0 | 10 year anniversary bug fix and enhancement release |
| 2.9.0 | исправление ошибки и выпуск улучшения |
| 2.8.0 | исправление ошибки и выпуск улучшения |
- | 2.7.0 | исправление ошибки и выпуск улучшения |
+ | 2.7.0 | bug fix and enhancement release |
| 2.6.0 | bug fix and enhancement release |
| 2.5.0 | bug fix and enhancement release |
| 2.4.3 | bug fix and enhancement release |
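Review bot: the 2.7.0 row switches to the English `bug fix and enhancement release` while the 2.9.0 and 2.8.0 rows in the unchanged context keep the Russian `исправление ошибки и выпуск улучшения`, so the table now mixes languages for identical descriptions. Either leave 2.7.0 as it was or update the 2.9.0 and 2.8.0 rows in the same change.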
diff --git a/addOns/help_ru_RU/src/main/javahelp/contents/start/features/api.html b/addOns/help_ru_RU/src/main/javahelp/contents/start/features/api.html
index c225fa91..b206fd82 100644
--- a/addOns/help_ru_RU/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_ru_RU/src/main/javahelp/contents/start/features/api.html
@@ -28,11 +28,46 @@ API
Future versions of ZAP will increase the functionality available via the APi.
+
-Смотрите также
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
+
+
See also
Смотрите также
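Review bot: the boundary check described at `any attempt to upload or download a file to or from another directory (e.g. using "../../") will be rejected` only names relative traversal; since the same section documents this feature as full remote code execution if an attacker reaches the API, please also state explicitly whether absolute paths (a name starting with "/" or a drive letter) are rejected, so readers can verify that every transfer stays inside the Transfer Directory. A one-line note that `"${XFER}"` in the context/plan examples stands for that configured directory would also save readers inferring it.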
diff --git a/addOns/help_ru_RU/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_ru_RU/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_ru_RU/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
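Review bot: the Desktop, Command Line and API entries under `SBOM zip` are noun fragments (`The Help menu "Support Info..." dialog "Save SBOM zip..." button.`) rather than sentences; consider `Use the "Save SBOM zip..." button in the Help menu "Support Info..." dialog.` and the same shape for the `-sbomzip` and `createSbomZip` entries. Also `3rd party add-ons` should be `third-party add-ons`, and it would help to say whether add-ons without an SBOM are simply omitted from the zip, if that is the behaviour.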
diff --git a/addOns/help_ru_RU/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_ru_RU/src/main/javahelp/contents/ui/dialogs/options/api.html
index 3b3803d2..a487199b 100644
--- a/addOns/help_ru_RU/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_ru_RU/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -9,73 +9,89 @@
Экран API опций
-Этот экран позволяет вам настроить API опции
+This screen allows you to configure the API options:
-
Включено
+Enabled
If enabled then the API is available to all machines that are able to access ZAP's proxies that expose the API.
-Веб-интерфейс включен
+Web UI Enabled
If enabled then the API Web UI is available to all machines that are able to access ZAP's proxies that expose the API.
To access the API Web UI point your browser to the host and port that ZAP is listening on.
-Только безопасный
+Secure Only
-Если этот параметр включен, API будет доступен только через HTTPS. В противном случае он будет доступен как по HTTP, так и по HTTPS.
+If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
-Ключ API
+
-Ключ, который необходимо указывать для всех «действий» API и некоторых «других» операций.
-Ключ API используется для предотвращения доступа вредоносных сайтов к ZAP API.
-Настоятельно рекомендуется установить ключ, если вы не используете ZAP в полностью изолированной среде.
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
+
API Key
+
+A key that must be specified on all API 'actions' and some 'other' operations.
+The API key is used to prevent malicious sites from accessing the ZAP API.
+It is strongly recommended that you set a key unless you are using ZAP in a completely isolated environment.
-Адреса, которым разрешено использовать API
+Addresses permitted to use the API
-По умолчанию только компьютер, на котором запущен ZAP, может получить доступ к ZAP API.
-Вы можете разрешить другим машинам доступ к API, добавив подходящие шаблоны регулярных выражений.
-Вам следует добавлять только те IP-адреса, которым вы доверяете.
-Обратите внимание, что ZAP API теперь также проверяет заголовок хоста, поэтому он также должен быть одним из разрешенных адресов.
+By default only the machine ZAP is running on is able to access the ZAP API.
+You can allow other machines access to the API by adding suitable regex patterns.
+You should only add IP addresses that you trust.
+Note that the ZAP API also now checks the host header, so that must also be one of the permitted addresses.
-Отключить ключ API
+Disable the API Key
-Выбор этого параметра отключает ключ API.
-Это не рекомендуется, если вы не используете ZAP в полностью изолированной среде, поскольку это позволяет вредоносным сайтам получать доступ к ZAP API.
+Selecting this option disables the API key.
+This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API.
-Не требуется ключ API для безопасной работы
+Do not require an API key for safe operations
-Если этот параметр включен, ключ API не требуется для представлений или других операций, которые считаются «безопасными», другими словами, для операций, которые не вносят никаких изменений в ZAP.
-Однако такие операции предоставляют доступ к данным ZAP, таким как предупреждения, сообщения и пути к файловой системе.
-Они также могут использоваться веб-приложениями для обнаружения ZAP.
+If enabled then the API key is not required for Views or Other operations that are considered 'safe', in other words operations that do not make any changes to ZAP.
+Such operations do however give access to ZAP data such as alert, messages, and file system paths.
+They can also be used by web applications to detect the presence of ZAP.
-Сообщать об ошибках разрешений через API
+Report permission errors via API
-Если этот параметр включен, ZAP будет сообщать об ошибках разрешений через API, который может использоваться веб-приложениями для обнаружения присутствия ZAP.
-Это не является серьезной проблемой в безопасной среде, но если вы используете ZAP против потенциально вредоносных сайтов, вам не следует включать его.
+If enabled then ZAP will report permission errors via the API, which can be used by web applications to detect the presence of ZAP.
+This is not a serious problem in a safe environment but if you are using ZAP against potentially malicious sites then you should not enable it.
-Сообщать подробности об ошибках через API
+Report error details via API
-Если выбран этот параметр, через API возвращается более подробная информация об ошибке.
-Это не рекомендуется, за исключением целей отладки, поскольку эти сообщения об ошибках могут привести к утечке информации на вредоносные сайты.
-Обратите внимание, что полные сведения об ошибке всегда записываются в файл журнала ZAP.
+If this option is selected then more error details are returned via the API.
+This is not recommended except for debugging purposes as these error messages can leak information to malicious sites.
+Note that the full error details are always written to the ZAP log file.
-Ключ API автозаполнения в пользовательском интерфейсе API
+Autofill API key in the API UI
-Если выбран этот параметр, ключ API автоматически включается в пользовательский интерфейс API.
-Это не рекомендуется, если вы не используете ZAP в полностью изолированной среде, поскольку это позволяет вредоносным сайтам получать доступ к ключу ZAP API.
+If this option is selected then the API key is automatically included in the API UI.
+This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API Key.
-Включить JSONP
+Enable JSONP
-Выбор этого параметра включает формат JSONP.
-Это может быть полезно для некоторых приложений, но обычно не рекомендуется, поскольку увеличивает площадь атаки ZAP, то есть функции, которыми может злоупотреблять вредоносный сайт.
-Если JSONP включен, то для всех операций API с использованием JSONP (включая представления) потребуется ключ API, чтобы предотвратить доступ вредоносных сайтов к конфиденциальной информации, поддерживаемой ZAP, такой как ключи сеанса.
+Selecting this option enables the JSONP format.
+This can be useful for some applications, but it is generally not recommended as it increases the ZAP attack surface area, ie the features that a malicious site can abuse.
+If JSONP is enabled then all API operations using JSONP (including views) will require the API key to prevent malicious sites from accessing sensitive information maintained by ZAP, such as session keys.
-Смотрите также
+See also
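Review bot: typo in `If enabled then files can be transfered to and from ZAP via the API.`: `transfered` should be `transferred`. Two smaller ones in the same hunk: `ZAP data such as alert, messages, and file system paths` should read `alerts, messages`, and `ie the features that a malicious site can abuse` should be `i.e.`.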
diff --git a/addOns/help_ru_RU/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_ru_RU/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index dbe1154e..502e702f 100644
--- a/addOns/help_ru_RU/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_ru_RU/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -29,8 +29,8 @@ Параметры JVM
В отличие от других параметров ZAP, они хранятся в файле. .ZAP_JVM.properties
в каталоге ZAP пользователя по умолчанию,
что зависит от используемой ОС, например:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
diff --git a/addOns/help_ru_RU/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_ru_RU/src/main/javahelp/contents/ui/tlmenu/help.html
index 7fc88e14..5f490a49 100644
--- a/addOns/help_ru_RU/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_ru_RU/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,21 +10,24 @@
Меню справки
Это меню дает доступ к диалоговому окну «о программе» и этому файлу справки.
-Об OWASP ZAP
+About ZAP
Это отобразило диалоговое окно «об».
Информация о поддержке ...
Отображает диалоговое окно, содержащее информацию, полезную при устранении неполадок или поиске поддержки. Такие как:
Версия, установленные надстройки и версии, операционная система, версия Java, информация о локали и путь к домашнему каталогу ZAP.
Эту информацию можно копировать и вставлять.
-В диалоговом окне есть кнопка «Открыть», которая, при условии, что ОС поддерживает необходимые функции, откроет домашний каталог ZAP.
-(для журналов или файлов конфигурации) при нажатии.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
-Это проверяет, используете ли вы последнюю версию ZAP.
+This checks to see if you are running the latest version of ZAP.
-Руководство пользователя ZAP Desktop
-Отображает этот файл справки.
+Desktop ZAP User Guide
+Displays this help file.
Обратите внимание, что надстройки могут добавлять дополнительные пункты меню.
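Review bot: the hunk replaces existing Russian translations with the English source even where the meaning did not change: `Это проверяет, используете ли вы последнюю версию ZAP.` becomes `This checks to see if you are running the latest version of ZAP.`, and `Руководство пользователя ZAP Desktop` / `Отображает этот файл справки.` become `Desktop ZAP User Guide` / `Displays this help file.`. Unless these strings were deliberately reset in Crowdin, keep the Russian text and only add the new "Save SBOM zip..." paragraph. In the added `The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open` line, a comma is missing after `which`.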
diff --git a/addOns/help_ru_RU/src/main/javahelp/index.xml b/addOns/help_ru_RU/src/main/javahelp/index.xml
index b0c0a98c..b8f1dce5 100644
--- a/addOns/help_ru_RU/src/main/javahelp/index.xml
+++ b/addOns/help_ru_RU/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_ru_RU/src/main/javahelp/toc.xml b/addOns/help_ru_RU/src/main/javahelp/toc.xml
index 84182e1a..0c619f4b 100644
--- a/addOns/help_ru_RU/src/main/javahelp/toc.xml
+++ b/addOns/help_ru_RU/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_sr_CS/src/main/javahelp/contents/cmdline.html b/addOns/help_sr_CS/src/main/javahelp/contents/cmdline.html
index 079bcc27..c890e16d 100644
--- a/addOns/help_sr_CS/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_sr_CS/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ Command Line
To run ZAP via the command line, you will need to locate the ZAP startup script.
Windows:
-C:\Program Files (x86)\OWASP\Zed Attack Proxy\zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Note: The command line options are not used by the executable (zap.exe
) only the bat file.
Mac:
-/Applications/OWASP\ ZAP.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
will be below the directory where ZAP was installed.
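Review bot: please double-check the new Windows path `C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat`: the rebrand here replaces the `OWASP` vendor folder with `ZAP`, giving a `ZAP\Zed Attack Proxy` nesting, whereas the jvm.html hunk earlier in this patch changes the user-home folder to a plain `...\ZAP`. If the installer now places zap.bat directly under a `ZAP` folder, or keeps `Zed Attack Proxy` without a vendor folder, the documented path will be wrong.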
@@ -49,6 +49,7 @@ Options
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
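Review bot: the new row `| -sbomzip <path> | Creates a zip file containing all of the available SBOMs |` does not say what `<path>` is; since the neighbouring `-script <script>` row spells out `(file system path)`, state that `<path>` is the zip file to create, e.g. `Creates a zip file at <path> containing all of the available SBOMs`.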
diff --git a/addOns/help_sr_CS/src/main/javahelp/contents/credits.html b/addOns/help_sr_CS/src/main/javahelp/contents/credits.html
index 583f9d68..446786d3 100644
--- a/addOns/help_sr_CS/src/main/javahelp/contents/credits.html
+++ b/addOns/help_sr_CS/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ ZAP Extended Team
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ ZAP Extended Team
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ ZAP Extended Team
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ ZAP Extended Team
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ ZAP Extended Team
ZAP Localization
-ZAP localization is organized via https://crowdin.com/project/owasp-zap
+ZAP localization is organized via https://crowdin.com/project/zaproxy
| Azerbaijanian | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_sr_CS/src/main/javahelp/contents/intro.html b/addOns/help_sr_CS/src/main/javahelp/contents/intro.html
index 07a12c99..376f9bc0 100644
--- a/addOns/help_sr_CS/src/main/javahelp/contents/intro.html
+++ b/addOns/help_sr_CS/src/main/javahelp/contents/intro.html
@@ -3,14 +3,14 @@
-The OWASP ZAP Desktop User Guide
+The ZAP Desktop User Guide
-OWASP ZAP Desktop User Guide
+ZAP Desktop User Guide
-Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
@@ -49,7 +49,6 @@
See also
External links
diff --git a/addOns/help_sr_CS/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_sr_CS/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_sr_CS/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
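Review bot: duplicated word in `Since Oracle removed removed the Nashorn JavaScript engine from Java 15` (drop one `removed`), and that sentence also wants a comma after `Java 15`. Smaller points in the same file: `For more details see the ZAPit help page` has no terminating period, and the dependency list mixes `Commons Lang, 3.12.0 → 3.13.0` (comma) with `Flatlaf 3.1.1 → 3.2.1` (no comma).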
diff --git a/addOns/help_sr_CS/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_sr_CS/src/main/javahelp/contents/releases/2.3.0.html
index 6c4290db..28342863 100644
--- a/addOns/help_sr_CS/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_sr_CS/src/main/javahelp/contents/releases/2.3.0.html
@@ -46,7 +46,7 @@ More API support
The API has been extended to support even more of the ZAP functionality.
Internationalized help file
-The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/owasp-zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
+The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
Languages with a significant amount of translated help pages include:
- Bosnian
@@ -66,7 +66,7 @@ New UI options
More functionality moved to add-ons
More of the core functionality has been moved into add-ons which allows us to deliver updates dynamically via the ZAP Marketplace rather than requiring new full releases.
-This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/owasp-zap can be downloaded within ZAP or even automatically installed.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
New and improved active and passive scanning rules
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
diff --git a/addOns/help_sr_CS/src/main/javahelp/contents/releases/releases.html b/addOns/help_sr_CS/src/main/javahelp/contents/releases/releases.html
index 90d754bd..45b49932 100644
--- a/addOns/help_sr_CS/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_sr_CS/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ Releases
The following releases have been made:
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
diff --git a/addOns/help_sr_CS/src/main/javahelp/contents/start/features/api.html b/addOns/help_sr_CS/src/main/javahelp/contents/start/features/api.html
index a07931c7..542e5340 100644
--- a/addOns/help_sr_CS/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_sr_CS/src/main/javahelp/contents/start/features/api.html
@@ -28,6 +28,41 @@ API
Future versions of ZAP will increase the functionality available via the APi.
+
+
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
See also
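Review bot: `you will be able to upload text files to the Transfer Directory` implies a restriction on content, but nothing says how non-text (binary) uploads via `fileUpload` are handled, rejected or accepted; please state it, otherwise callers scripting the `curl` example will discover it by trial. Since the section itself says an attacker with API access could use this feature for remote code execution, the traversal sentence (`e.g. using "../../"`) should also say explicitly that absolute paths are rejected, not only `..` sequences. While in this file, the unchanged context line `available via the APi.` has a typo (`API`).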
diff --git a/addOns/help_sr_CS/src/main/javahelp/contents/start/features/features.html b/addOns/help_sr_CS/src/main/javahelp/contents/start/features/features.html
index d9c61e54..f420c93d 100644
--- a/addOns/help_sr_CS/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_sr_CS/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ Features
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
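Review bot: the new "Software Bill of Materials" row is inserted between "Passive Scan" and "Scan Policy", which breaks the alphabetical order the surrounding rows follow (Modes, Notes, Passive Scan, Scan Policy, Scope, Scripts); it belongs after "Scripts" (or wherever it sorts among the rows below this hunk).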
diff --git a/addOns/help_sr_CS/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_sr_CS/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_sr_CS/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
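Review bot: the "API" subsection (`The core "createSbomZip" API action.`) does not say what parameter the action takes; the command-line entry added elsewhere in this change is `-sbomzip <path>`, so document the equivalent path/filename parameter for the action and make clear that the zip is written on the ZAP host's file system, which matters given the API file-transfer restrictions introduced in the same change. Minor: "3rd party add-ons" should be "third-party add-ons".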
diff --git a/addOns/help_sr_CS/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_sr_CS/src/main/javahelp/contents/ui/dialogs/options/api.html
index ae7edf98..5d8261a9 100644
--- a/addOns/help_sr_CS/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_sr_CS/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -24,6 +24,22 @@ Secure Only
If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
+
+
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
API Key
A key that must be specified on all API 'actions' and some 'other' operations.
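Review bot: typo in the File Transfer paragraph: "transfered" should be "transferred". Also, both new options say they are "only available if the API key is not disabled" but do not say what happens to an already-enabled file transfer when the key is disabled afterwards; state whether the option is then ignored or forcibly turned off, because that is exactly the case an operator running ZAP in daemon mode with `-config api.filexfer=true` will hit.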
diff --git a/addOns/help_sr_CS/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_sr_CS/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index 757b635c..673e2bc9 100644
--- a/addOns/help_sr_CS/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_sr_CS/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -29,8 +29,8 @@ JVM Options
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
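Review bot: the directory rename from "OWASP ZAP" to "ZAP" is the substance of this hunk, yet the text does not say whether an existing `C:\Users\<username>\OWASP ZAP` directory is migrated or simply left behind (users would otherwise lose their `.ZAP_JVM.properties`); add a sentence either way. While here, the "Windows XP" example is obsolete and "Windows 7/8" could be replaced with a current Windows version.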
diff --git a/addOns/help_sr_CS/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_sr_CS/src/main/javahelp/contents/ui/tlmenu/help.html
index 05dca827..13178573 100644
--- a/addOns/help_sr_CS/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_sr_CS/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,20 +10,23 @@
The Help menu
This menu gives access to the 'about' dialog and this help file.
-About OWASP ZAP
+About ZAP
This displayed the 'about' dialog.
Support Info...
Displays a dialog that contains information which is useful when troubleshooting or seeking support. Such as:
Version, installed add-ons and versions, operating system, java version, locale info, and ZAP Home Directory path.
This information can be copied and pasted.
-The dialog includes an "Open" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
-(for logs or configuration files) when clicked.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
+Desktop ZAP User Guide
Displays this help file.
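Review bot: the new "Save SBOM zip..." sentence chains two "which" clauses ("...prompt you for the name of a zip file which it will generate containing all of the available SBOM files") and reads awkwardly; suggest: `The dialog also includes a "Save SBOM zip..." button, which prompts for a zip file name and then writes all of the available SBOM files into that zip.` The unchanged context line just above, "This displayed the 'about' dialog.", should be "This displays"; worth fixing while this block is being touched.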
diff --git a/addOns/help_sr_CS/src/main/javahelp/index.xml b/addOns/help_sr_CS/src/main/javahelp/index.xml
index db385825..01179c98 100644
--- a/addOns/help_sr_CS/src/main/javahelp/index.xml
+++ b/addOns/help_sr_CS/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_sr_CS/src/main/javahelp/toc.xml b/addOns/help_sr_CS/src/main/javahelp/toc.xml
index e90e7f28..04b6bf18 100644
--- a/addOns/help_sr_CS/src/main/javahelp/toc.xml
+++ b/addOns/help_sr_CS/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_tr_TR/src/main/javahelp/contents/cmdline.html b/addOns/help_tr_TR/src/main/javahelp/contents/cmdline.html
index e8a89fa2..a13b4493 100644
--- a/addOns/help_tr_TR/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_tr_TR/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ Komut Satırı
Komut satırı aracılığıyla ZAP'i çalıştırmak için, Zap başlatma komutlarını bulmanız gerekir.
Windows:
-C: \ Program Dosyaları (x86) \ OWASP \ Zed Attack Proxy \ zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Note: The command line options are not used by the executable (zap.exe
) only the bat file.
Mac:
-/ Uygulamalar / OWASP \ ZAP.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
will be below the directory where ZAP was installed.
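Review bot: the corrected Windows and Mac paths are right, but this file is now a mix of Turkish (`Komut satırı aracılığıyla ZAP'i çalıştırmak için...`) and English ("Note: The command line options are not used by the executable..."). If the localized help files are regenerated from Crowdin, these hand edits will be overwritten on the next sync, so confirm which is the source of truth before merging. Minor: `C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat` is the 32-bit install location; check that it also matches a 64-bit install or list both.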
@@ -49,6 +49,7 @@ Seçenekler
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
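Review bot: the new `-sbomzip <path>` row should say whether `<path>` is the zip file to create or a directory to create it in, and whether an existing file is overwritten; the sbom.html page in this change names the entries inside the zip (`zap-core-bom.json`, `<addon-id>-bom.json`) but not this.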
diff --git a/addOns/help_tr_TR/src/main/javahelp/contents/credits.html b/addOns/help_tr_TR/src/main/javahelp/contents/credits.html
index f0ba2605..9e96cbae 100644
--- a/addOns/help_tr_TR/src/main/javahelp/contents/credits.html
+++ b/addOns/help_tr_TR/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ ZAP' ın Geniş Ekibi
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ ZAP' ın Geniş Ekibi
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ ZAP' ın Geniş Ekibi
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ ZAP' ın Geniş Ekibi
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ ZAP' ın Geniş Ekibi
ZAP Yerelleştirme
-ZAP yerelleştirme aracılığıyla organize edilmiştir https://crowdin.com/project/owasp-zap
+ZAP yerelleştirme aracılığıyla organize edilmiştir https://crowdin.com/project/zaproxy
| Azerbaycanca | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_tr_TR/src/main/javahelp/contents/intro.html b/addOns/help_tr_TR/src/main/javahelp/contents/intro.html
index d1e0b74a..f69c4243 100644
--- a/addOns/help_tr_TR/src/main/javahelp/contents/intro.html
+++ b/addOns/help_tr_TR/src/main/javahelp/contents/intro.html
@@ -3,14 +3,14 @@
-The OWASP ZAP Desktop User Guide
+The ZAP Desktop User Guide
-OWASP ZAP Desktop User Guide
+ZAP Desktop User Guide
-Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
@@ -47,7 +47,6 @@
Ayrıca bakınız
Dış bağlantılar
diff --git a/addOns/help_tr_TR/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_tr_TR/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_tr_TR/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
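Review bot: duplicated word in the Graal JS section: "Since Oracle removed removed the Nashorn JavaScript engine" should read "removed" once. The "New Add-Ons" subsection ("The following add-ons are included by default in this release for the first time:") has no entries, while the Postman add-on is announced above as new; either list it there (and any other add-on that qualifies; the text already says Client Side Integration is Marketplace-only) or drop the empty subsection. The OpenAPI paragraph says the definition "is available in the main repository" but gives no file name or link; add one so readers can find it.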
diff --git a/addOns/help_tr_TR/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_tr_TR/src/main/javahelp/contents/releases/2.3.0.html
index 409e51df..0a26f025 100644
--- a/addOns/help_tr_TR/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_tr_TR/src/main/javahelp/contents/releases/2.3.0.html
@@ -47,7 +47,7 @@ Daha fazla API desteği
ZAP işlevselliğini daha fazla desteklemek için API genişletildi.
Uluslararası yardım dosyası
-Yardım dosyası uluslararası bir üründü ve şu yoluyla birçok başka dile tercüme edildi https://crowdin.com/project/owasp-zap-help. ZAP'ı desteklediğimiz birçok dilden birinde kullanırsanız, yardım dosyaları o dile ait tüm çevirileri içerecek ve henüz çevrilmemiş cümleler için İngilizce'ye geri dönülmesini sağlayacaktır.
+Yardım dosyası uluslararası bir üründü ve şu yoluyla birçok başka dile tercüme edildi https://crowdin.com/project/zap-help. ZAP'ı desteklediğimiz birçok dilden birinde kullanırsanız, yardım dosyaları o dile ait tüm çevirileri içerecek ve henüz çevrilmemiş cümleler için İngilizce'ye geri dönülmesini sağlayacaktır.
Dillerle beraber önemli çeviri miktarı yardımcı sayfalarda dahil edilir:
- Boşnakça
@@ -67,7 +67,7 @@ Yeni arayüz seçenekleri
Daha işlevsel değişim ekle
Temel işlevlerin daha fazlası eklentilere taşındı, bu da yeni tam sürüm gerektirmeden ZAP Pazaryeri yoluyla dinamik olarak güncelleme sunmamızı sağlar.
-This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/owasp-zap can be downloaded within ZAP or even automatically installed.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
Yeni ve gelişmiş aktif ve pasif tarama kuralları
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
diff --git a/addOns/help_tr_TR/src/main/javahelp/contents/releases/releases.html b/addOns/help_tr_TR/src/main/javahelp/contents/releases/releases.html
index e1c8daf0..493798c8 100644
--- a/addOns/help_tr_TR/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_tr_TR/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ Sürümler
Aşağıdaki sürümler yapıldı:
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
diff --git a/addOns/help_tr_TR/src/main/javahelp/contents/start/features/api.html b/addOns/help_tr_TR/src/main/javahelp/contents/start/features/api.html
index 6ee82cfc..af4577a6 100644
--- a/addOns/help_tr_TR/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_tr_TR/src/main/javahelp/contents/start/features/api.html
@@ -24,11 +24,46 @@ API
Future versions of ZAP will increase the functionality available via the APi.
+
-Ayrıca bakınız
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
+
+
See also
|
-UI Genel Bakış | kullanıcı arayüzüne genel bakış için |
+UI Overviewfor an overview of the user interface |
|
API Overview | for an overview of the API |
|
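Review bot: the "See also" row `UI Overviewfor an overview of the user interface |` lost the cell separator that the old line (`UI Genel Bakış | kullanıcı arayüzüne genel bakış için |`) and the "API Overview" row below still have; it should be `UI Overview | for an overview of the user interface |`. The file-transfer text itself is identical to the es_ES api.html earlier in this change, so the same comments apply there: state whether absolute 'fileName' values are rejected, not only ".." sequences, and what happens with binary uploads.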
diff --git a/addOns/help_tr_TR/src/main/javahelp/contents/start/features/features.html b/addOns/help_tr_TR/src/main/javahelp/contents/start/features/features.html
index bfcb91e5..9b18b018 100644
--- a/addOns/help_tr_TR/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_tr_TR/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ Özellikler
|
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
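Review bot: same ordering issue as in the sr_CS features table: "Software Bill of Materials" is inserted between "Passive Scan" and "Scan Policy" instead of after "Scripts", where it sorts alphabetically.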
diff --git a/addOns/help_tr_TR/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_tr_TR/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_tr_TR/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
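Review bot: this file is the same blob as the sr_CS sbom.html (both show index `00000000..38f2b1ec`), so the comment there applies here too: the "createSbomZip" API action needs its path parameter documented. One more point for both copies: the first paragraph says each SBOM is "a file called "bom.json" ... at the root of the ZAP JARs" while the zip section uses "zap-core-bom.json" and "<addon-id>-bom.json"; say explicitly that the renaming happens only inside the generated zip, otherwise readers will look for the wrong file name in the JARs.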
diff --git a/addOns/help_tr_TR/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_tr_TR/src/main/javahelp/contents/ui/dialogs/options/api.html
index 334122ad..e032b77b 100644
--- a/addOns/help_tr_TR/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_tr_TR/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -9,9 +9,9 @@
API seçenekler ekranı
-Bu ekran şunu yapılandırmanıza izin verir API seçenekler:
+This screen allows you to configure the API options:
-
Etkin
+Enabled
If enabled then the API is available to all machines that are able to access ZAP's proxies that expose the API.
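Review bot: this hunk, and the larger one below, replace existing Turkish translations (`Etkin`, `Bu ekran şunu yapılandırmanıza izin verir API seçenekler:`) with the English source text. If that is intentional because the translations were stale, say so in the commit; otherwise it is a localization regression, and if the tr_TR files are synced from Crowdin only the new File Transfer / Transfer Directory sections should be added here with the translated lines left alone.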
@@ -20,62 +20,78 @@ Web UI Enabled
If enabled then the API Web UI is available to all machines that are able to access ZAP's proxies that expose the API.
To access the API Web UI point your browser to the host and port that ZAP is listening on.
-Yalnızca Güvenli
+Secure Only
-Etkinse o zaman API sadece HTTPS üzerinden geçerli olacak. Aksi halde HTTP ve HTTPS'in ikisi üzerinden geçerli olacak.
+If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
-API Anahtarı
+
-Tüm API 'işlemleri' ve bazı 'diğer' işlemlerde belirtilmesi gereken bir anahtar.
-API anahtarı, kötü amaçlı sitelerin ZAP API'sine erişmesini önlemek için kullanılır.
-Tamamen yalıtılmış bir çevrede ZAP kullanmadıkça bir anahtar ayarlamanız şiddetle tavsiye edilir.
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
+
API Key
+
+A key that must be specified on all API 'actions' and some 'other' operations.
+The API key is used to prevent malicious sites from accessing the ZAP API.
+It is strongly recommended that you set a key unless you are using ZAP in a completely isolated environment.
-API'yı kullanmasına izin verilen adresler
+Addresses permitted to use the API
-Varsayılan olarak yalnızca çalışan ZAP makinası ZAP API'ye erişebilir.
-Uygun regex kalıpları ekleyerek diğer makinelere API'ye erişime izin verebilirsiniz.
-Yalnızca güvendiğiniz IP adreslerini eklemelisiniz.
-ZAP API'sinin ana makine üstbilgisini de kontrol ettiğini ve izin verilen adreslerden biri olması gerektiğini unutmayın.
+By default only the machine ZAP is running on is able to access the ZAP API.
+You can allow other machines access to the API by adding suitable regex patterns.
+You should only add IP addresses that you trust.
+Note that the ZAP API also now checks the host header, so that must also be one of the permitted addresses.
-API Anahtarını devre dışı bırak
+Disable the API Key
-Bu seçeneği belirlemek API anahtarını devre dışı bırakır.
-ZAP'ı tamamen izole edilmiş bir ortamda kullanmadıkça kötü amaçlı sitelerin ZAP uygulamasına erişmesine izin verdiğinden dolayı önerilmez.
+Selecting this option disables the API key.
+This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API.
-Güvenli işlemler için API anahtarı gerekmez
+Do not require an API key for safe operations
-Eğer etkinleştirilirse 'güvenli' olarak görülen Görüntülemeler ve Diğer işlemler, diğer bir deyişle ZAP'ta herhangi bir değişiklik meydana getirmeyen işlemler için API anahtarı gerekmez.
-Bu tür işlemler, uyarı, mesajlar ve dosya sistemi yolları gibi ZAP verilerine erişebilirler.
-ZAP'ın varlığını saptamak için web uygulamaları tarafından da kullanılabilirler.
+If enabled then the API key is not required for Views or Other operations that are considered 'safe', in other words operations that do not make any changes to ZAP.
+Such operations do however give access to ZAP data such as alert, messages, and file system paths.
+They can also be used by web applications to detect the presence of ZAP.
-İzin hatalarını API üzerinden bildir
+Report permission errors via API
-Eğer etkinleştirilirse ZAP, ZAP'ın varlığını belirlemek için internet ağı eklentileri tarafından kullanılabilen API aracılığıyla izin hatalarını raporlayacak.
-Bu güvenli bir ortamda ciddi bir sorun değildir, ancak potansiyel olarak kötü amaçlı sitelere karşı ZAP kullanıyorsanız, etkinleştirmemelisiniz.
+If enabled then ZAP will report permission errors via the API, which can be used by web applications to detect the presence of ZAP.
+This is not a serious problem in a safe environment but if you are using ZAP against potentially malicious sites then you should not enable it.
-Hata ayrıntılarını API aracılığıyla raporla
+Report error details via API
-Bu seçenek seçilirse API üzerinden daha fazla hata ayrıntısı döndürülür.
-Bu hata mesajları kötü niyetli sitelere bilgi sızdırdığından hata ayıklama amacı dışında bu önerilmez.
-Tam hata ayrıntılarının daima ZAP günlük dosyasına yazıldığını unutmayın.
+If this option is selected then more error details are returned via the API.
+This is not recommended except for debugging purposes as these error messages can leak information to malicious sites.
+Note that the full error details are always written to the ZAP log file.
-API kullanıcı arayüzünde otomatik doldurma API anahtarı
+Autofill API key in the API UI
-Bu seçenek seçilirse, API anahtarı API kullanıcı arayüzüne otomatik olarak dahil edilir.
-Kötü amaçlı sitelere ZAP API Anahtarına erişim izni verdiğinden dolayı ZAP'ı tamamen izole edilmiş bir çevrede kullanmıyorsanız bu tavsiye edilmez.
+If this option is selected then the API key is automatically included in the API UI.
+This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API Key.
-JSONP'yi etkinleştir
+Enable JSONP
-Bu seçeneğin seçilmesi JSONP formatını etkinleştirir.
-Bu bazı uygulamalar için kullanışlı olabilir fakat ZAP saldırı yüzey alanını arttırdığı yani kötü amaçlı siteler kötüye kullanabileceği için bir özellik olduğu için genellikle tavsiye edilmez.
-Eğer JSONP etkinleştirilmişse, JSONP (görünümler dahil) kullanan tüm API işlemleri zararlı sitelerin ZAP tarafından korunan hassas bilgilere (örneğin, oturum tuşları gibi) erişmesini önlemek için API anahtarını gerektirir.
+Selecting this option enables the JSONP format.
+This can be useful for some applications, but it is generally not recommended as it increases the ZAP attack surface area, ie the features that a malicious site can abuse.
+If JSONP is enabled then all API operations using JSONP (including views) will require the API key to prevent malicious sites from accessing sensitive information maintained by ZAP, such as session keys.
-Ayrıca bakınız
+See also
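Review bot: typo "transfered" in the File Transfer paragraph (should be "transferred"), the same as in the sr_CS copy. "Note that the ZAP API also now checks the host header" carries a "now" that will date quickly; drop it. The translation-regression comment on the hunk above applies to the whole of this one as well: every "-" line here is translated text replaced by English, not just the two new sections.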
diff --git a/addOns/help_tr_TR/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_tr_TR/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index 523fc67c..c4bee5c2 100644
--- a/addOns/help_tr_TR/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_tr_TR/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -28,8 +28,8 @@ JVM Seçenekleri
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
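Review bot: same as the sr_CS jvm.html hunk: say whether an existing "OWASP ZAP" home directory is migrated to the new "ZAP" location or left in place, and the "Windows XP" example is obsolete.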
diff --git a/addOns/help_tr_TR/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_tr_TR/src/main/javahelp/contents/ui/tlmenu/help.html
index c15e87f0..e626d791 100644
--- a/addOns/help_tr_TR/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_tr_TR/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,19 +10,23 @@
Yardım Menüsü
Bu menü 'hakkında' diyaloğuna ve bu yardım dosyasına erişim sağlar.
-OWASP ZAP Hakkında
+About ZAP
Bu 'hakkında' diyaloğunu gösterdi.
Destek Bilgisi...
Sorun giderirken ya da destek ararken kullanışlı olabilecek bilgi içeren bir diyalog gösterir. Mesela:
Versiyon, yüklü eklentiler ve versiyonlar, işletim sistemi, java versiyonu ve ZAP Ana Dizin yolu. Bu bilgi kopyalanabilir ve yapıştırılabilir.
-Bu diyalog, işletim sisteminin gerekli işlevselliği desteklediğini varsayarsak, tıklandığında ZAP Ana Dizini'ni (log'lar veya yapılandırma dosyaları için) açacak bir "Aç" butonu içermektedir.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
-Bu ZAP'ın en son sürümünü kullanıp kullanmadığınızı kontrol eder.
+This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
-Bu yardım dosyasını görüntüler.
+Desktop ZAP User Guide
+Displays this help file.
Note that add-ons can add additional menu items.
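Review bot: the two-"which" sentence for the "Save SBOM zip..." button has the same awkward wording as in the sr_CS help.html and should be rephrased the same way. This hunk also leaves the page half-translated: the heading `Destek Bilgisi...` and its Turkish description stay, while the new button text, the "Check for Updates..." body and "Desktop ZAP User Guide" are now English. The unchanged Turkish context line `Bu 'hakkında' diyaloğunu gösterdi.` is past tense ("This displayed"), mirroring the same slip in the sr_CS source line "This displayed the 'about' dialog."; fix both.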
diff --git a/addOns/help_tr_TR/src/main/javahelp/index.xml b/addOns/help_tr_TR/src/main/javahelp/index.xml
index 5e493efc..bd155bf2 100644
--- a/addOns/help_tr_TR/src/main/javahelp/index.xml
+++ b/addOns/help_tr_TR/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_tr_TR/src/main/javahelp/toc.xml b/addOns/help_tr_TR/src/main/javahelp/toc.xml
index bde71d2a..ae86456c 100644
--- a/addOns/help_tr_TR/src/main/javahelp/toc.xml
+++ b/addOns/help_tr_TR/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_ur_PK/src/main/javahelp/contents/cmdline.html b/addOns/help_ur_PK/src/main/javahelp/contents/cmdline.html
index 079bcc27..c890e16d 100644
--- a/addOns/help_ur_PK/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_ur_PK/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ Command Line
To run ZAP via the command line, you will need to locate the ZAP startup script.
Windows:
-C:\Program Files (x86)\OWASP\Zed Attack Proxy\zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Note: The command line options are not used by the executable (zap.exe
) only the bat file.
Mac:
-/Applications/OWASP\ ZAP.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
will be below the directory where ZAP was installed.
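Review bot: The Windows path on the "+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat" line should be checked against the current installer's default target directory before this ships, since users copy it verbatim; the edit only swaps the vendor folder and keeps "(x86)", which is a 32-bit install location. The Mac line correctly drops the escaped space because "ZAP.app" no longer contains one.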
@@ -49,6 +49,7 @@ Options
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
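Review bot: The new "-sbomzip <path>" row does not say what <path> is, while the neighbouring rows explain their argument's role. Suggest "Creates a zip file at <path> containing all of the available SBOMs" and state whether an existing file at that path is overwritten, since anyone scripting this in a pipeline needs to know.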
diff --git a/addOns/help_ur_PK/src/main/javahelp/contents/credits.html b/addOns/help_ur_PK/src/main/javahelp/contents/credits.html
index 583f9d68..446786d3 100644
--- a/addOns/help_ur_PK/src/main/javahelp/contents/credits.html
+++ b/addOns/help_ur_PK/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ ZAP Extended Team
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ ZAP Extended Team
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ ZAP Extended Team
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ ZAP Extended Team
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ ZAP Extended Team
ZAP Localization
-ZAP localization is organized via https://crowdin.com/project/owasp-zap
+ZAP localization is organized via https://crowdin.com/project/zaproxy
| Azerbaijanian | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_ur_PK/src/main/javahelp/contents/intro.html b/addOns/help_ur_PK/src/main/javahelp/contents/intro.html
index 07a12c99..376f9bc0 100644
--- a/addOns/help_ur_PK/src/main/javahelp/contents/intro.html
+++ b/addOns/help_ur_PK/src/main/javahelp/contents/intro.html
@@ -3,14 +3,14 @@
-The OWASP ZAP Desktop User Guide
+The ZAP Desktop User Guide
-OWASP ZAP Desktop User Guide
+ZAP Desktop User Guide
-Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
@@ -49,7 +49,6 @@
See also
External links
diff --git a/addOns/help_ur_PK/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_ur_PK/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_ur_PK/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
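Review bot: Two text problems in the new release notes: "Since Oracle removed removed the Nashorn JavaScript engine" duplicates a word, and "For more details see the ZAPit help page" lacks the terminating period the parallel sentences have. Under "New Add-Ons", the line "The following add-ons are included by default in this release for the first time:" is followed by no entries; either list them (the text above names the Postman add-on, and explicitly says the Client Side Integration add-on is not yet in the release) or drop the heading. In "API File Transfers", the sentence "this feature is disabled by default as a security measure" would benefit from one clause saying why, as the API help page does (an uploaded script runs with ZAP's permissions).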
diff --git a/addOns/help_ur_PK/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_ur_PK/src/main/javahelp/contents/releases/2.3.0.html
index 5fcea445..ae1efd98 100644
--- a/addOns/help_ur_PK/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_ur_PK/src/main/javahelp/contents/releases/2.3.0.html
@@ -46,7 +46,7 @@ More API support
The API has been extended to support even more of the ZAP functionality.
Internationalized help file
-The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/owasp-zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
+The help file has been internationalized and is in the process of being translated into many other languages via https://crowdin.com/project/zap-help. If you use ZAP in one of the many languages we support, then the help files will include all of the available translations for that language while defaulting back to English for phrases that have not yet been translated.
Languages with a significant amount of translated help pages include:
- Bosnian
@@ -66,7 +66,7 @@ New UI options
More functionality moved to add-ons
More of the core functionality has been moved into add-ons which allows us to deliver updates dynamically via the ZAP Marketplace rather than requiring new full releases.
-This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/owasp-zap can be downloaded within ZAP or even automatically installed.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
New and improved active and passive scanning rules
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
diff --git a/addOns/help_ur_PK/src/main/javahelp/contents/releases/releases.html b/addOns/help_ur_PK/src/main/javahelp/contents/releases/releases.html
index 90d754bd..45b49932 100644
--- a/addOns/help_ur_PK/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_ur_PK/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ Releases
The following releases have been made:
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
diff --git a/addOns/help_ur_PK/src/main/javahelp/contents/start/features/api.html b/addOns/help_ur_PK/src/main/javahelp/contents/start/features/api.html
index a07931c7..542e5340 100644
--- a/addOns/help_ur_PK/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_ur_PK/src/main/javahelp/contents/start/features/api.html
@@ -28,6 +28,41 @@ API
Future versions of ZAP will increase the functionality available via the APi.
+
+
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
See also
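Review bot: The restriction sentence "any attempt to upload or download a file to or from another directory (e.g. using "../../") will be rejected" should state that the check is applied to the resolved path within the Transfer Directory, not merely to a literal "../" substring, so readers know absolute paths and encoded traversal forms are covered as well; if the implementation normalizes the path before checking, say so here. Also, "upload text files" implies binary files are not accepted; if that is intentional, explain it, otherwise say "files". The curl example is fine, but note that the trailing slash on ".../fileUpload/" should match what the endpoint actually accepts.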
diff --git a/addOns/help_ur_PK/src/main/javahelp/contents/start/features/features.html b/addOns/help_ur_PK/src/main/javahelp/contents/start/features/features.html
index 91d01d47..1b6be2f2 100644
--- a/addOns/help_ur_PK/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_ur_PK/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ Features
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
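Review bot: The new "Software Bill of Materials" row is inserted between "Passive Scan" and "Scan Policy", which breaks the alphabetical order of the Features table; it belongs after "Scripts" (Scan Policy, Scope, Scripts, Software Bill of Materials).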
diff --git a/addOns/help_ur_PK/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_ur_PK/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_ur_PK/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
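Review bot: The "Desktop" entry is a noun fragment rather than a sentence ("The Help menu "Support Info..." dialog "Save SBOM zip..." button."); suggest "Use the "Save SBOM zip..." button in the Help menu's "Support Info..." dialog." The "Command Line" entry should show the argument: "The "-sbomzip <path>" Command Line option." The "See also" heading at the end has nothing beneath it; link the Command Line and API pages or remove it. The sentence "SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them" is a useful caveat; consider adding that the zip will then simply omit those add-ons so users do not read a missing "<addon-id>-bom.json" as an error.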
diff --git a/addOns/help_ur_PK/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_ur_PK/src/main/javahelp/contents/ui/dialogs/options/api.html
index ae7edf98..5d8261a9 100644
--- a/addOns/help_ur_PK/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_ur_PK/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -24,6 +24,22 @@ Secure Only
If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
+
+
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
API Key
A key that must be specified on all API 'actions' and some 'other' operations.
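Review bot: "transfered" in "If enabled then files can be transfered to and from ZAP via the API." should be "transferred". Both new option descriptions say "This option is only available if the API key is not disabled" without naming the option; the headings are presumably in markup not shown here, so confirm the rendered page has "File Transfer" and "Transfer Directory" headings above them. The Transfer Directory description should also state its default location and advise a dedicated directory: once the feature is on, anything placed there is downloadable via the fileDownload endpoint, and anything uploaded there can be imported via "${XFER}/...", so it should not be shared with other data.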
diff --git a/addOns/help_ur_PK/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_ur_PK/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index 757b635c..673e2bc9 100644
--- a/addOns/help_ur_PK/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_ur_PK/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -29,8 +29,8 @@ JVM Options
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
diff --git a/addOns/help_ur_PK/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_ur_PK/src/main/javahelp/contents/ui/tlmenu/help.html
index 05dca827..13178573 100644
--- a/addOns/help_ur_PK/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_ur_PK/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,20 +10,23 @@
The Help menu
This menu gives access to the 'about' dialog and this help file.
-About OWASP ZAP
+About ZAP
This displayed the 'about' dialog.
Support Info...
Displays a dialog that contains information which is useful when troubleshooting or seeking support. Such as:
Version, installed add-ons and versions, operating system, java version, locale info, and ZAP Home Directory path.
This information can be copied and pasted.
-The dialog includes an "Open" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
-(for logs or configuration files) when clicked.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
+Desktop ZAP User Guide
Displays this help file.
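Review bot: The context line "This displayed the 'about' dialog." has a tense error ("displays") worth fixing while this block is being edited. The two new sentences both open with "The dialog includes ..."; consider "It also includes a "Save SBOM zip..." button ..." for the second so the paragraph reads as one description.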
diff --git a/addOns/help_ur_PK/src/main/javahelp/index.xml b/addOns/help_ur_PK/src/main/javahelp/index.xml
index db385825..01179c98 100644
--- a/addOns/help_ur_PK/src/main/javahelp/index.xml
+++ b/addOns/help_ur_PK/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_ur_PK/src/main/javahelp/toc.xml b/addOns/help_ur_PK/src/main/javahelp/toc.xml
index ff604f1b..793ef9d1 100644
--- a/addOns/help_ur_PK/src/main/javahelp/toc.xml
+++ b/addOns/help_ur_PK/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+
diff --git a/addOns/help_zh_CN/src/main/javahelp/contents/cmdline.html b/addOns/help_zh_CN/src/main/javahelp/contents/cmdline.html
index 6e57e39e..0fe6e396 100644
--- a/addOns/help_zh_CN/src/main/javahelp/contents/cmdline.html
+++ b/addOns/help_zh_CN/src/main/javahelp/contents/cmdline.html
@@ -11,10 +11,10 @@ 命令行
要通过命令行运行ZAP,您需要找到ZAP启动脚本。
Windows版本:
-C:\Program Files (x86)\OWASP\Zed Attack Proxy\zap.bat
+C:\Program Files (x86)\ZAP\Zed Attack Proxy\zap.bat
Note: The command line options are not used by the executable (zap.exe
) only the bat file.
Mac:
-/Applications/OWASP\ ZAP.app/Contents/Java/zap.sh
+/Applications/ZAP.app/Contents/Java/zap.sh
Linux:
zap.sh
will be below the directory where ZAP was installed.
@@ -49,6 +49,7 @@ 选项
| -addonlist | List all of the installed add-ons |
| -script <script> | Run the specified script (file system path) if command line/daemon, or just load it if GUI |
| -suppinfo | Outputs details relevant for support and troubleshooting (to the console/standard out). Such as: ZAP version, java version, installed add-ons and version, locale info, operating system, etc. |
+ | -sbomzip <path> | Creates a zip file containing all of the available SBOMs |
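Review bot: The "-sbomzip <path>" row should say what <path> is and whether an existing file is overwritten, e.g. "Creates a zip file at <path> containing all of the available SBOMs".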
diff --git a/addOns/help_zh_CN/src/main/javahelp/contents/credits.html b/addOns/help_zh_CN/src/main/javahelp/contents/credits.html
index 5969d9e2..7b4e5f3d 100644
--- a/addOns/help_zh_CN/src/main/javahelp/contents/credits.html
+++ b/addOns/help_zh_CN/src/main/javahelp/contents/credits.html
@@ -57,6 +57,8 @@ ZAP扩展团队
| ciceroff |
| Jonathan Claudius (@claudijd) |
| Adrian Clay |
+ | Kyle Cooper (@FiveOFive) |
+ | Gustavo Covas (@gustavocovas) |
| Baptiste Crépin - AXA Group Security |
| Johanna Curiel |
@@ -95,6 +97,7 @@ ZAP扩展团队
| Daiki Ichinose (@mahoyaya) |
| Taras Ivashchenko, OWASP Russia |
+ | Shershon A J (Shershon25) |
| Eswarprasath Jayaraman (ejayaraman) |
| Jon (@flibustier) |
| Tan Jin (@tjtanjin) |
@@ -121,6 +124,7 @@ ZAP扩展团队
| Lars Kristensen |
| Erik de Kuijper (@edkpr) |
+ | Laurent Laubin - Quarkslab |
| Gwilym Lewis – Appsecco |
| Sajeeb Lohani (sml555) - Bulletproof ZDS |
| Dejan Lukan (eleanor) |
@@ -169,7 +173,7 @@ ZAP扩展团队
| Dobin Rutishauser - Compass Security AG |
| Bunyanuch Saengnet |
- | Najam Ul Saqib (@njmulsqb) |
+ | Najam Ul Saqib (@cybersoldier) |
| Goran Sarenkapa (JordanGS) |
| Karan Preet Singh Sasan (@preetkaran20) |
| Pranav Saxena (@pranavsaxena17) |
@@ -219,7 +223,7 @@ ZAP扩展团队
ZAP本地化
-ZAP本地化是通过 https://crowdin.com/project/owasp-zap
+ZAP本地化是通过 https://crowdin.com/project/zaproxy
| Azerbaijanian | Rashad Aliyev www.microphp.com |
diff --git a/addOns/help_zh_CN/src/main/javahelp/contents/intro.html b/addOns/help_zh_CN/src/main/javahelp/contents/intro.html
index 3d01de50..381af7e8 100644
--- a/addOns/help_zh_CN/src/main/javahelp/contents/intro.html
+++ b/addOns/help_zh_CN/src/main/javahelp/contents/intro.html
@@ -3,14 +3,14 @@
-The OWASP ZAP Desktop User Guide
+The ZAP Desktop User Guide
-OWASP ZAP Desktop User Guide
+ZAP Desktop User Guide
-Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
+Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.
This is available both as context sensitive help within ZAP and online at
https://www.zaproxy.org/docs/desktop/
@@ -47,7 +47,6 @@
请参阅
外部链接
diff --git a/addOns/help_zh_CN/src/main/javahelp/contents/releases/2.14.0.html b/addOns/help_zh_CN/src/main/javahelp/contents/releases/2.14.0.html
new file mode 100644
index 00000000..4b9fc481
--- /dev/null
+++ b/addOns/help_zh_CN/src/main/javahelp/contents/releases/2.14.0.html
@@ -0,0 +1,156 @@
+
+
+
+
+
+ Release 2.14.0
+
+
+
+Release 2.14.0
+
+This is a bug fix and enhancement release.
+
+These release notes do not include all of the changes included in add-ons updated since 2.13.0.
+
+This release was made possible thanks to our Platinum Sponsor, the Software Security Project.
+
+Some of the more significant enhancements include:
+
+
Rebranding and Docker Hub Move
+
+ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.
+
+As part of that move the official ZAP Docker images are being published to the
+Software Security Project Docker Hub Organisation.
+The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.
+
+Note that you can also pull the ZAP Docker images from GitHub Container Registry.
+
+
Host Header Manipulation
+
+Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time!
+
+The Break, Manual Request and Requester dialogs all have a new "Update Host Header" button.
+This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.
+
+ZAPit
+
+This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified.
+
+For more details see the ZAPit help page
+
+API File Transfers
+
+You can now upload and download files to and from ZAP via the API.
+Note that this feature is disabled by default as a security measure.
+
+For more details, including how to enable it, see the API help page.
+
+Graal JS Add-on Access
+
+Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support.
+Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.
+
+These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP.
+Note that existing Nashorn scripts may need changes to work with Graal JS.
+
+
Postman Support
+
+ZAP can now import Postman collections thanks to the new Postman add-on.
+
+SBOMs
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+
+For more details see the Software Bill of Materials help page.
+
+ZAP API OpenAPI Definition
+
+An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients.
+This definition is planned to be kept up to date for the latest core and add-on releases.
+
+Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.
+
+
ZAP Browser Extensions
+
+The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: https://github.com/zaproxy/browser-extension
+
+These are included in the new Client Side Integration add-on which supports:
+
+* Browser Recording
+* Streaming client side events to ZAP
+
+This is not (yet) included in the main ZAP releases so you will need to download it from the
+Marketplace.
+
+Dependency Updates
+
+As usual the release includes dependency updates.
+
+The following libraries were updated:
+
+
+ - Commons Lang, 3.12.0 → 3.13.0
+ - Flatlaf 3.1.1 → 3.2.1
+ - RSyntaxTextArea, 3.3.3 → 3.3.4
+
+
+The following library was added:
+
+ - Log4j JUL Adapter 2.20.0
+
+
+Add-Ons
+New Add-Ons
+The following add-ons are included by default in this release for the first time:
+
+
+Updated Add-Ons
+All of the add-ons included by default have been updated since the last full release.
+
+Enhancements
+
+- Issue 1926 : Remove Alerts for defined Context through ZAP API
+- Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
+- Issue 7607 : Allow to download/upload files through the ZAP API
+- Issue 7951 : Validate API parameter names
+- Issue 7984 : Allow to display script without focusing
+- Issue 7988 : Use short name for home dir in Windows
+- Issue 8012 : Move vulnerability data to Common Library add-on
+- Issue 8033 : Add/use Log4j JUL adapter
+- Issue 8040 : Add prompt text to search input fields
+- Issue 8042 : Find: use focus owner
+- Issue 8043 : Update Download Icon
+- Issue 8050 : Allow to select a script node without focusing
+- Issue 8067 : Allow to disable modification of multiple options
+- Issue 8070 : Prevent concurrent usage of ZAP home
+- Issue 8089 : Break: Allow host header manipulation
+- Issue 8101 : Extend ScanEventPublisher to support params
+- Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
+- Issue 8118 : Record config stats
+
+
+Bug fixes
+
+- Issue 7353 : Header `If-None-Match: *` removed for PUT requests
+- Issue 7960 : Graal.js engine might fail to load/access add-on classes
+- Issue 8013 : Use add-on class loader for interface from script
+- Issue 8028 : Set the view to `ExtensionAdaptor` sooner
+- Issue 8055 : Include country name for duplicated languages
+- Issue 8068 : Use the current database body size values
+- Issue 8111 : Raw HTML displayed in options panels for search matches
+
+
+
+See Also
+
+ | Introduction | the introduction to ZAP |
+ | Releases | the full set of releases |
+ | Credits | the people and groups who have made this release possible |
+
+
+
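Review bot: This copy of the release notes carries the same text defects as the source: "Oracle removed removed the Nashorn JavaScript engine" duplicates a word, "For more details see the ZAPit help page" lacks a period, and the "New Add-Ons" heading is followed by an empty list. Fix them in the English source so every language pack picks up the correction.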
diff --git a/addOns/help_zh_CN/src/main/javahelp/contents/releases/2.3.0.html b/addOns/help_zh_CN/src/main/javahelp/contents/releases/2.3.0.html
index f67acd74..f1fb16fc 100644
--- a/addOns/help_zh_CN/src/main/javahelp/contents/releases/2.3.0.html
+++ b/addOns/help_zh_CN/src/main/javahelp/contents/releases/2.3.0.html
@@ -46,7 +46,7 @@ 更多API的支持
API已经扩展到支持更多的ZAP功能。
国际化的帮助文档
-该帮助文档已被国际化,而且它正在被翻译成许多其他语言的过程中: https://crowdin.com/project/owasp-zap-help。 如果您使用我们支持的多种语言之一的ZAP,那么帮助文档将包含该语言的所有可用翻译,而对于尚未翻译的短语则默认为英语显示。
+该帮助文档已被国际化,而且它正在被翻译成许多其他语言的过程中: https://crowdin.com/project/zap-help。 如果您使用我们支持的多种语言之一的ZAP,那么帮助文档将包含该语言的所有可用翻译,而对于尚未翻译的短语则默认为英语显示。
具有大量已经翻译的帮助页面的语言包括:
- 波斯尼亚语
@@ -65,7 +65,7 @@ 新的UI选项
更多的功能移动到附加组件
更多的核心功能已经被转移到附加组件中,允许我们通过ZAP 市场动态地提供更新,而不需要新的完整版本。
-This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/owasp-zap can be downloaded within ZAP or even automatically installed.
+This includes the language packs, so translations made to the ZAP UI via https://crowdin.com/project/zaproxy can be downloaded within ZAP or even automatically installed.
新的和改进的主动和被动扫描规则
Many of the release status active and passive scanning rules have been improved. There are new alpha and beta status rules and many rules have been promoted from alpha to beta and from beta to release status.
diff --git a/addOns/help_zh_CN/src/main/javahelp/contents/releases/releases.html b/addOns/help_zh_CN/src/main/javahelp/contents/releases/releases.html
index 2104d194..65042a29 100644
--- a/addOns/help_zh_CN/src/main/javahelp/contents/releases/releases.html
+++ b/addOns/help_zh_CN/src/main/javahelp/contents/releases/releases.html
@@ -11,6 +11,7 @@ 版本发布
已经发布了以下版本:
+ | 2.14.0 | bug fix and enhancement release |
| 2.13.0 | bug fix and enhancement release |
| 2.12.0 | ten thousand star bug fix and enhancement release |
| 2.11.1 | includes an important security fix - users are urged to upgrade asap |
diff --git a/addOns/help_zh_CN/src/main/javahelp/contents/start/features/api.html b/addOns/help_zh_CN/src/main/javahelp/contents/start/features/api.html
index 489ad957..93775bcc 100644
--- a/addOns/help_zh_CN/src/main/javahelp/contents/start/features/api.html
+++ b/addOns/help_zh_CN/src/main/javahelp/contents/start/features/api.html
@@ -27,11 +27,46 @@ 接口
Future versions of ZAP will increase the functionality available via the APi.
+
-请参阅
+Many API endpoints allow you to load or save files to and from the file system.
+
+The core API also supports uploading and downloading files, but this is disabled by default as a security measure.
+If an attacker is able to access the ZAP API then with this feature enabled they would be able to upload their own script to
+ZAP and then run it. ZAP scripts run with the same permissions as ZAP and so this is full remote code execution access.
+
+To enable file transfer you will need to have an API key set and to enable it via the
+Options API screen.
+You can also enable file transfers via the command line as explained in the help for that screen.
+
+With file transfer enabled you will be able to upload text files to the
+Transfer Directory using the 'fileUpload' 'other' endpoint
+and download them from there using the 'fileDownload' 'other' endpoint.
+You can specify subdirectories (e.g. "subdir/myfile") but any attempt to upload or download a file to or from another directory
+(e.g. using "../../") will be rejected.
+The 'fileUpload' endpoint only accepts POST requests and you should use an encoding of either "multipart/form-data" or "application/x-www-form-urlencoded".
+The web UI allows you to select and upload local files.
+
+Curl example for uploading a file:
+
+curl \
+ -F fileContents=@/full/path/to/file/to/be/uploaded \
+ -F apikey=your-api-key \
+ -F fileName=destination-filename \
+ http://localhost:8080/OTHER/core/other/fileUpload/
+
+
+To download a file generated by another API endpoint you will need to specify a file name/path starting with "${XFER}".
+For example you could export a context to "${XFER}/contexts/my.context" and then download it by specifying "contexts/my.context".
+
+To upload a file to another API endpoint you need to do the reverse - first upload it, e.g. to "plans/myplan.yaml", and
+then import it via the path "${XFER}/plans/myplan.yaml".
+
+
+
See also
|
-UI综览 | 关于用户界面的概述 |
+UI Overviewfor an overview of the user interface |
|
API Overview | for an overview of the API |
|
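Review bot: the "See also" entry on the `+UI Overviewfor an overview of the user interface |` line runs the link text into its description and is missing the ` | ` separator that the neighbouring `API Overview | for an overview of the API |` entry uses; change it to `UI Overview | for an overview of the user interface |`. While here, the unchanged context line `Future versions of ZAP will increase the functionality available via the APi.` has "APi" for "API". On the security wording, the paragraph stating that uploads or downloads outside the Transfer Directory (e.g. using `../../`) are rejected is the key defensive statement of this section; the curl example below it sends the key as `-F apikey=your-api-key`, so it would help to say explicitly, next to the example, that the 'fileUpload' 'other' endpoint requires the API key, consistent with the "you will need to have an API key set" sentence above.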
diff --git a/addOns/help_zh_CN/src/main/javahelp/contents/start/features/features.html b/addOns/help_zh_CN/src/main/javahelp/contents/start/features/features.html
index 4d9e6c4d..aded1668 100644
--- a/addOns/help_zh_CN/src/main/javahelp/contents/start/features/features.html
+++ b/addOns/help_zh_CN/src/main/javahelp/contents/start/features/features.html
@@ -27,6 +27,7 @@ 功能
|
| Modes | |
| Notes | |
| Passive Scan | |
+ | Software Bill of Materials | |
| Scan Policy | |
| Scope | |
| Scripts | |
diff --git a/addOns/help_zh_CN/src/main/javahelp/contents/start/features/sbom.html b/addOns/help_zh_CN/src/main/javahelp/contents/start/features/sbom.html
new file mode 100644
index 00000000..38f2b1ec
--- /dev/null
+++ b/addOns/help_zh_CN/src/main/javahelp/contents/start/features/sbom.html
@@ -0,0 +1,42 @@
+
+
+
+
+
+Software Bill of Materials
+
+
+
+Software Bill of Materials
+
+ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX
+for both the ZAP core and all of the add-ons maintained by the ZAP team.
+Each SBOM will appear as a file called "bom.json" included at the root of the ZAP JARs.
+
+Note that SBOMs may not be available if you run ZAP from the source code, and some 3rd party add-ons may also not define them.
+
+
SBOM zip
+A zip file containing all of the available SBOM files can be generated via the following options.
+The ZAP core SBOM file will be called "zap-core-bom.json" and the add-on SBOM files will be called "<addon-id>-bom.json".
+
+Desktop
+The Help menu "Support Info..." dialog "Save SBOM zip..." button.
+
+Command Line
+
+The "-sbomzip" Command Line option.
+
+API
+
+The core "createSbomZip" API action.
+
+See also
+
+
+
+
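Review bot: the `+See also` heading at the end of the new sbom.html has no entries under it, only blank lines; either add the cross-references (the Help menu "Support Info..." dialog and the API options page that the Desktop, Command Line and API subsections point to) or drop the heading. Also, `SBOM zip` appears without a leading `+` in a file where every other line is added, which suggests the line was mangled when the patch was pasted; check the actual file for the intended subheading.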
diff --git a/addOns/help_zh_CN/src/main/javahelp/contents/ui/dialogs/options/api.html b/addOns/help_zh_CN/src/main/javahelp/contents/ui/dialogs/options/api.html
index a72b501a..c7cf0ef5 100644
--- a/addOns/help_zh_CN/src/main/javahelp/contents/ui/dialogs/options/api.html
+++ b/addOns/help_zh_CN/src/main/javahelp/contents/ui/dialogs/options/api.html
@@ -9,9 +9,9 @@
API选项屏幕
-此屏幕允许您配置 API 选项:
+This screen allows you to configure the API options:
-
启用
+Enabled
If enabled then the API is available to all machines that are able to access ZAP's proxies that expose the API.
@@ -20,62 +20,78 @@ Web UI Enabled
If enabled then the API Web UI is available to all machines that are able to access ZAP's proxies that expose the API.
To access the API Web UI point your browser to the host and port that ZAP is listening on.
-只允许安全模式
+Secure Only
-如果启用,那么API将只能通过HTTPS使用。 否则,它将通过HTTP和HTTPS提供。
+If enabled then the API will only be available via HTTPS. Otherwise it will be available via both HTTP and HTTPS.
-API密钥
+
-必须在所有API操作和一些其它操作中指定密钥。
-API密钥用于防止恶意网站访问ZAP API。
-强烈建议您设置密钥,除非您在完全隔离的环境中使用ZAP。
+If enabled then files can be transfered to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also enable this option via the command line using the parameter: -config api.filexfer=true
+
+
+
+The directory used to transfer files to and from ZAP via the API.
+This option is only available if the API key is not disabled.
+For more details see File Transfer.
+
+You can also set the Transfer Directory via the command line using: -config api.xferdir=/full/path/to/dir
+
+
API Key
+
+A key that must be specified on all API 'actions' and some 'other' operations.
+The API key is used to prevent malicious sites from accessing the ZAP API.
+It is strongly recommended that you set a key unless you are using ZAP in a completely isolated environment.
-允许使用API的地址
+Addresses permitted to use the API
-默认情况下,只有运行ZAP的计算机才能访问ZAP API。
-您可以通过添加合适的正则表达式模式来允许其它计算机访问API。
-您应该只添加您信任的IP地址。
-请注意,ZAP API现在也检查主机头,因此它也必须是允许的地址之一。
+By default only the machine ZAP is running on is able to access the ZAP API.
+You can allow other machines access to the API by adding suitable regex patterns.
+You should only add IP addresses that you trust.
+Note that the ZAP API also now checks the host header, so that must also be one of the permitted addresses.
-禁用API密钥
+Disable the API Key
-选择此选项将禁用API密钥。
-除非您在完全隔离的环境中使用ZAP,否则不建议使用ZAP,因为它允许恶意站点访问ZAP API。
+Selecting this option disables the API key.
+This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API.
-不需要用于安全操作的API密钥
+Do not require an API key for safe operations
-如果启用,那么视图或其它被视为“安全”的操作不需要API密钥,换言之,不对ZAP进行任何更改的操作。
-但是这样的操作可以访问ZAP数据,如警报,消息和文件系统路径。
-Web应用程序也可以使用它们来检测ZAP的存在。
+If enabled then the API key is not required for Views or Other operations that are considered 'safe', in other words operations that do not make any changes to ZAP.
+Such operations do however give access to ZAP data such as alert, messages, and file system paths.
+They can also be used by web applications to detect the presence of ZAP.
-通过API报告权限错误
+Report permission errors via API
-如果启用,则ZAP将通过API报告权限错误,Web应用程序可以使用该API来检测ZAP的存在。
-这在安全的环境中并不是一个严重的问题,但是如果您使用ZAP来对付潜在的恶意网站,那么您不应该启用它。
+If enabled then ZAP will report permission errors via the API, which can be used by web applications to detect the presence of ZAP.
+This is not a serious problem in a safe environment but if you are using ZAP against potentially malicious sites then you should not enable it.
-通过API报告错误详情
+Report error details via API
-如果选择此选项,则可以通过API返回更多错误详细信息。
-除了调试目的外,建议不要这样做,因为这些错误详细信息可能会将信息泄露给恶意网站。
-请注意,完整的错误详细信息总是被写入ZAP日志文件中。
+If this option is selected then more error details are returned via the API.
+This is not recommended except for debugging purposes as these error messages can leak information to malicious sites.
+Note that the full error details are always written to the ZAP log file.
-在API UI中的自动填充API密钥
+Autofill API key in the API UI
-如果选择此选项,则API密钥将自动包含在API UI中。
-除非您在完全隔离的环境中使用ZAP,否则不建议这样做,因为它允许恶意网站访问ZAP API的密钥。
+If this option is selected then the API key is automatically included in the API UI.
+This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API Key.
-启用 JSONP
+Enable JSONP
-选择此选项将启用JSONP格式。
-这对于某些应用程序非常有用,但通常不推荐使用它,因为它会增加ZAP攻击面的区域,这是恶意网站可能会滥用的功能。
-如果启用了JSONP,那么使用JSONP(包括视图)的所有API操作都需要API密钥来防止恶意网站访问通过ZAP维护的敏感信息,例如会话密钥。
+Selecting this option enables the JSONP format.
+This can be useful for some applications, but it is generally not recommended as it increases the ZAP attack surface area, ie the features that a malicious site can abuse.
+If JSONP is enabled then all API operations using JSONP (including views) will require the API key to prevent malicious sites from accessing sensitive information maintained by ZAP, such as session keys.
-另请参阅
+See also
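Review bot: `transfered` on the `+If enabled then files can be transfered to and from ZAP via the API.` line should be `transferred`. That paragraph and the `+The directory used to transfer files to and from ZAP via the API.` paragraph also lack the option headings ("File Transfer" and "Transfer Directory") that every other option on this screen has, so the two new options are unlabelled in the rendered help. Since this is where the feature is toggled, consider repeating the one-line risk statement from the File Transfer page here (an attacker with API access and file transfer enabled can upload a script and run it with ZAP's permissions, i.e. remote code execution), so the reader sees the consequence next to the checkbox. Minor: `alert, messages, and file system paths` should be `alerts, messages, and file system paths`, and `ie` should be `i.e.`.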
diff --git a/addOns/help_zh_CN/src/main/javahelp/contents/ui/dialogs/options/jvm.html b/addOns/help_zh_CN/src/main/javahelp/contents/ui/dialogs/options/jvm.html
index 7c98b04a..68d0bc88 100644
--- a/addOns/help_zh_CN/src/main/javahelp/contents/ui/dialogs/options/jvm.html
+++ b/addOns/help_zh_CN/src/main/javahelp/contents/ui/dialogs/options/jvm.html
@@ -29,8 +29,8 @@ JVM Options
Unlike the other ZAP options these are held in the file .ZAP_JVM.properties
in the user's default ZAP directory,
which depends on the OS being used, for example:
-- Windows 7/8: C:\Users\<username>\OWASP ZAP
-- Windows XP: C:\Documents and Settings\<username>\OWASP ZAP
+- Windows 7/8: C:\Users\<username>\ZAP
+- Windows XP: C:\Documents and Settings\<username>\ZAP
- Linux: ~/.ZAP
- Mac OS: ~/Library/Application Support/ZAP
diff --git a/addOns/help_zh_CN/src/main/javahelp/contents/ui/tlmenu/help.html b/addOns/help_zh_CN/src/main/javahelp/contents/ui/tlmenu/help.html
index 05dca827..13178573 100644
--- a/addOns/help_zh_CN/src/main/javahelp/contents/ui/tlmenu/help.html
+++ b/addOns/help_zh_CN/src/main/javahelp/contents/ui/tlmenu/help.html
@@ -10,20 +10,23 @@
The Help menu
This menu gives access to the 'about' dialog and this help file.
-About OWASP ZAP
+About ZAP
This displayed the 'about' dialog.
Support Info...
Displays a dialog that contains information which is useful when troubleshooting or seeking support. Such as:
Version, installed add-ons and versions, operating system, java version, locale info, and ZAP Home Directory path.
This information can be copied and pasted.
-The dialog includes an "Open" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
-(for logs or configuration files) when clicked.
+The dialog includes an "Open ZAP Home" button, which assuming the OS supports the necessary functionality, will open the ZAP Home Directory
+(for logs or configuration files) when clicked.
+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file
+which it will generate containing all of the available
+SBOM files.
Check for Updates...
This checks to see if you are running the latest version of ZAP.
-OWASP Desktop ZAP User Guide
+Desktop ZAP User Guide
Displays this help file.
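Review bot: the unchanged context line `This displayed the 'about' dialog.` should read `This displays the 'about' dialog.`; the renamed `+About ZAP` entry sits directly above it, so it is worth fixing in the same change. The new sentence `+The dialog includes a "Save SBOM zip..." button, which will prompt you for the name of a zip file` / `+which it will generate containing all of the available` / `+SBOM files.` reads awkwardly; suggest `which will prompt you for the name of a zip file to generate, containing all of the available SBOM files.`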
diff --git a/addOns/help_zh_CN/src/main/javahelp/index.xml b/addOns/help_zh_CN/src/main/javahelp/index.xml
index db385825..01179c98 100644
--- a/addOns/help_zh_CN/src/main/javahelp/index.xml
+++ b/addOns/help_zh_CN/src/main/javahelp/index.xml
@@ -86,6 +86,7 @@
+
diff --git a/addOns/help_zh_CN/src/main/javahelp/toc.xml b/addOns/help_zh_CN/src/main/javahelp/toc.xml
index 3691d8d9..38df0f5b 100644
--- a/addOns/help_zh_CN/src/main/javahelp/toc.xml
+++ b/addOns/help_zh_CN/src/main/javahelp/toc.xml
@@ -34,6 +34,7 @@
+
@@ -119,6 +120,8 @@
+
+