From f51457c207d881174d1a147b04d6f8d66f0355a3 Mon Sep 17 00:00:00 2001
From: zapbot <12745184+zapbot@users.noreply.github.com>
Date: Fri, 26 Jan 2024 10:01:31 +0000
Subject: [PATCH] Release add-on(s)
Release the following add-ons:
- Active scanner rules (alpha) version 46
- Active scanner rules (beta) version 50
- Active scanner rules version 62
- Common Library version 1.22.0
- OpenAPI Support version 39
- Passive scanner rules version 55
- Selenium version 15.18.0
- Spider version 0.9.0
Signed-off-by: zapbot <12745184+zapbot@users.noreply.github.com>
---
ZapVersions-2.14.xml | 217 +++++++++++++++++++------------------------
ZapVersions-dev.xml | 217 +++++++++++++++++++------------------------
2 files changed, 196 insertions(+), 238 deletions(-)
diff --git a/ZapVersions-2.14.xml b/ZapVersions-2.14.xml
index bbd6cdfd..ab1c2a85 100644
--- a/ZapVersions-2.14.xml
+++ b/ZapVersions-2.14.xml
@@ -131,28 +131,19 @@
Active scanner rules
The release status Active Scanner rules
ZAP Dev Team
- 61
- ascanrules-release-61.zap
+ 62
+ ascanrules-release-62.zap
release
<h3>Changed</h3>
<ul>
-<li>Update reference for Server Side Include (Issue 8262)</li>
-</ul>
-<h3>Fixed</h3>
-<ul>
-<li>False positives on redirects for:
-<ul>
-<li>Cloud Metadata (Issue 7710)</li>
-<li>Hidden Files</li>
-</ul>
-</li>
+<li>The Source Code Disclosure - /WEB-INF Folder rule now includes example alert functionality for documentation generation purposes (Issue 6119).</li>
</ul>
- https://github.com/zaproxy/zap-extensions/releases/download/ascanrules-v61/ascanrules-release-61.zap
- SHA-256:d4da0e3df9985b439833987ad5515f27d7ce8a2110b1bcc6cb6b6431921b6525
+ https://github.com/zaproxy/zap-extensions/releases/download/ascanrules-v62/ascanrules-release-62.zap
+ SHA-256:d6d8ff8c6036aba752786d2013b04a960a62bc0162d6c95dd1ea73de81fdb91e
https://www.zaproxy.org/docs/desktop/addons/active-scan-rules/
https://github.com/zaproxy/zap-extensions/
- 2024-01-24
- 3279826
+ 2024-01-26
+ 3280154
2.14.0
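Review bot: the `SHA-256:d6d8ff8c…` and `3280154` lines are the only integrity check a ZAP client has for the artifact at the `ascanrules-v62/ascanrules-release-62.zap` URL on the preceding line, and nothing in the patch shows how they were produced. Before merging, fetch the published release asset and confirm both values, e.g. `curl -sLo ascanrules-release-62.zap <url> && sha256sum ascanrules-release-62.zap && stat -c %s ascanrules-release-62.zap`, and repeat for the other seven entries in this patch. The download itself goes over HTTPS to github.com, but this XML is what pins the bytes, so a mistyped digit here fails installation for every 2.14 user rather than being caught by anything else.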
@@ -176,31 +167,26 @@
Active scanner rules (alpha)
The alpha status Active Scanner rules
ZAP Dev Team
- 45
- ascanrulesAlpha-alpha-45.zap
+ 46
+ ascanrulesAlpha-alpha-46.zap
alpha
<h3>Changed</h3>
<ul>
-<li>Update minimum ZAP version to 2.14.0.</li>
+<li>Move MongoDB time based tests to its own scan rule, NoSQL Injection - MongoDB (Time Based) with ID 90039 (Issue 7341).</li>
<li>Depend on newer version of Common Library add-on.</li>
-<li>Add website alert links to the help page (Issue 8189).</li>
-</ul>
-<h3>Fixed</h3>
-<ul>
-<li>Fix time-based false positives in NoSQL Injection - MongoDB scan rule.</li>
</ul>
- https://github.com/zaproxy/zap-extensions/releases/download/ascanrulesAlpha-v45/ascanrulesAlpha-alpha-45.zap
- SHA-256:8186168bfb816c7efdbb07989461cb5730621a92a497561e36908049dc01ef0e
+ https://github.com/zaproxy/zap-extensions/releases/download/ascanrulesAlpha-v46/ascanrulesAlpha-alpha-46.zap
+ SHA-256:17202f0e556bf9fa75f9161fd3dde897fdad8c0419641a9e8b0d11a54ed9609b
https://www.zaproxy.org/docs/desktop/addons/active-scan-rules-alpha/
https://github.com/zaproxy/zap-extensions/
- 2024-01-16
- 390845
+ 2024-01-26
+ 394880
2.14.0
commonlib
- >= 1.20.0 & < 2.0.0
+ >= 1.22.0 & < 2.0.0
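Review bot: the "Move MongoDB time based tests to its own scan rule ... with ID 90039" bullet describes a behavioural change for anyone who enables rules by ID in a scan policy or Automation Framework plan, but it does not name the rule the tests came from, and policies that enable only that original rule will silently stop running the time-based checks until 90039 is added. Suggest the bullet give the source rule's ID and say outright that existing policies need 90039 enabled. Separately, the `>= 1.22.0 & < 2.0.0` dependency on `commonlib` in this hunk is satisfied only by the Common Library 1.22.0 entry released in this same patch, so confirm the two entries are published together; the alpha add-on cannot install against a marketplace that still advertises 1.21.0.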
@@ -210,25 +196,32 @@
Active scanner rules (beta)
The beta status Active Scanner rules
ZAP Dev Team
- 49
- ascanrulesBeta-beta-49.zap
+ 50
+ ascanrulesBeta-beta-50.zap
beta
<h3>Changed</h3>
<ul>
-<li>Update minimum ZAP version to 2.14.0.</li>
-<li>Update references for Expression Language Injection and HTTP Parameter Pollution (Issue 8262).</li>
-<li>The Source Code Disclosure - SVN scan rule includes example alert functionality for documentation generation purposes (Issue 6119).</li>
+<li>References for the following scan rules were updated (Issue 8262):
+<ul>
+<li>Exponential Entity Expansion (Billion Laughs Attack)</li>
+<li>Relative Path Confusion</li>
+<li>HTTPS Content Available via HTTP</li>
+<li>Remote Code Execution - Shell Shock</li>
</ul>
-<h3>Removed</h3>
+</li>
+<li>The following scan rules now include example alert functionality for documentation generation purposes (Issue 6119):
<ul>
-<li>Help entry for the Spring Actuators scan rule (missed during previous removal/promotion).</li>
+<li>HTTPS Content Available via HTTP</li>
+<li>Remote Code Execution - Shell Shock (it now also uses Alert Refs (Issue 7100))</li>
+</ul>
+</li>
</ul>
- https://github.com/zaproxy/zap-extensions/releases/download/ascanrulesBeta-v49/ascanrulesBeta-beta-49.zap
- SHA-256:6ddae5f9e9c90fab7c81e4f15e76aa050913d84b729ae2203c1e87e7c5822a27
+ https://github.com/zaproxy/zap-extensions/releases/download/ascanrulesBeta-v50/ascanrulesBeta-beta-50.zap
+ SHA-256:a7cf0a9f16493b21387eb7ec5ad630ae51c8de1bfc7d12a85caaa3b309be06dc
https://www.zaproxy.org/docs/desktop/addons/active-scan-rules-beta/
https://github.com/zaproxy/zap-extensions/
- 2024-01-16
- 1739035
+ 2024-01-26
+ 1739680
2.14.0
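Review bot: the "Remote Code Execution - Shell Shock (it now also uses Alert Refs (Issue 7100))" line buries a functional change inside a documentation bullet. Alert references change how the rule's alerts are identified, which matters to anyone whose alert filters or baseline ignore lists are keyed on the plugin ID alone, so it deserves its own bullet that states the new reference values. The same Issue 7100 change is listed as a separate top-level bullet in the Passive scanner rules entry of this patch; matching that layout here would keep the two changelogs consistent.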
@@ -591,24 +584,19 @@
Common Library
A common library, for use by other add-ons.
ZAP Dev Team
- 1.21.0
- commonlib-release-1.21.0.zap
+ 1.22.0
+ commonlib-release-1.22.0.zap
release
<h3>Added</h3>
<ul>
-<li>Add solution to 'Server Misconfiguration' and 'Application Misconfiguration' vulnerabilities (Issue 8056).</li>
-</ul>
-<h3>Changed</h3>
-<ul>
-<li>Update Vulnerabilities' references to use https links and retire some which were out-dated (Issue 8262).</li>
-<li>Maintenance changes.</li>
+<li>Add alert tag for scan rules that use time based tests.</li>
</ul>
- https://github.com/zaproxy/zap-extensions/releases/download/commonlib-v1.21.0/commonlib-release-1.21.0.zap
- SHA-256:ef032287106e12c20b151115b43d73cf268294a859e8dd4ff5d6b99f12acf524
+ https://github.com/zaproxy/zap-extensions/releases/download/commonlib-v1.22.0/commonlib-release-1.22.0.zap
+ SHA-256:5f88c3a00cb118790e96ee801f7f305ead8c199a827b3293c1effc1a7db13e18
https://www.zaproxy.org/docs/desktop/addons/common-library/
https://github.com/zaproxy/zap-extensions/
- 2024-01-16
- 10793045
+ 2024-01-26
+ 10793000
2.14.0
communityScripts
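Review bot: "Add alert tag for scan rules that use time based tests." does not give the tag's literal value, and a tag is only useful to report templates and alert filters if consumers know the exact string to match on; the bullet should name it. Two small checks on the same hunk: the size dropped by 45 bytes (`10793045` to `10793000`) for a release whose only listed change is an addition, which is plausible for a repack but worth confirming against the published asset, and this Added entry is what justifies the `>= 1.22.0` commonlib requirement that the Active scanner rules (alpha) hunk introduces, so it should not be reworded to something that reads as a no-op.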
@@ -1838,23 +1826,23 @@
OpenAPI Support
Imports and spiders OpenAPI definitions.
ZAP Dev Team plus Joanna Bona, Nathalie Bouchahine, Artur Grzesica, Mohammad Kamar, Markus Kiss, Michal Materniak, Marcin Spiewak, and SDA SE Open Industry Solutions
- 38
- openapi-beta-38.zap
+ 39
+ openapi-beta-39.zap
beta
- <h3>Changed</h3>
+ <h3>Added</h3>
<ul>
-<li>Dependency updates.</li>
+<li>Video link in help for Automation Framework job.</li>
</ul>
-<h3>Fixed</h3>
+<h3>Changed</h3>
<ul>
-<li>An issue in the headers generator which might lead to content-type header being incorrectly set.</li>
+<li>Dependency updates.</li>
</ul>
- https://github.com/zaproxy/zap-extensions/releases/download/openapi-v38/openapi-beta-38.zap
- SHA-256:58988bd550a98130f306a6efbcd349581b7a2cd4b27aa85af5217c3132221c50
+ https://github.com/zaproxy/zap-extensions/releases/download/openapi-v39/openapi-beta-39.zap
+ SHA-256:9f4eec172dc3dd32052eee670854afbbd12a3b61269beebaa0329b358621a1c9
https://www.zaproxy.org/docs/desktop/addons/openapi-support/
https://github.com/zaproxy/zap-extensions/
- 2023-10-23
- 13848523
+ 2024-01-26
+ 13941067
2.14.0
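Review bot: "Dependency updates." is too vague for a beta add-on whose purpose is parsing OpenAPI definitions fetched from the target under test; the previous entry is dated 2023-10-23, so roughly three months of library bumps are collapsed into two words, and the 92 KB growth in the size line (`13848523` to `13941067`) cannot be attributed to anything from the text. Suggest listing the updated libraries and versions, in the style the Selenium entry in this same patch uses ("Update Selenium to version 4.17.0."), so a user can tell whether a parser or HTTP library they track for CVEs moved.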
@@ -2098,58 +2086,46 @@
Passive scanner rules
The release status Passive Scanner rules
ZAP Dev Team
- 54
- pscanrules-release-54.zap
+ 55
+ pscanrules-release-55.zap
release
<h3>Changed</h3>
<ul>
-<li>The Big Redirect scan rule will now also alert on responses that have multiple HREFs (idea from xnl-h4ck3r).</li>
-<li>The references for the following scan rules are now all HTTPS (Issue 8262) and in some cases updated:
-<ul>
-<li>Loosely Scoped Cookie</li>
-<li>Charset Mismatch</li>
-<li>Strict-Transport-Security Header</li>
-<li>Content Security Policy (CSP) Header Not Set</li>
-<li>CSP</li>
-<li>Session ID in URL Rewrite</li>
-<li>HTTP Server Response Header</li>
-<li>Cookie Poisoning</li>
-<li>User Controllable HTML Element Attribute (Potential XSS)</li>
-<li>X-Content-Type-Options Header Missing</li>
-<li>Content-Type Header Missing</li>
-<li>Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)</li>
+<li>The Salvation2 library used by the CSP scan rule has been replaced by htmlunit-csp.</li>
+<li>The following rules now include example alert functionality for documentation generation purposes (Issue 6119):
+<ul>
+<li>HTTPS to HTTP Insecure Transition in Form Post</li>
+<li>HTTP to HTTPS Insecure Transition in Form Post</li>
+<li>Secure Pages Include Mixed Content</li>
+<li>User Controllable JavaScript Event (XSS)</li>
+<li>Cookie without SameSite Attribute</li>
+<li>X-Debug-Token Information Leak</li>
<li>Retrieved from Cache</li>
</ul>
</li>
-<li>The Absence of Anti-CSRF Tokens scan rule now takes into account the Partial Match settings from the Anti-CSRF Options (Issue 8280).</li>
-<li>On Non-LOW threshold, PII Scan rule only evaluates HTML, JSON and XML responses (Issue 8264).</li>
-<li>Maintenance changes.</li>
-<li>The following rules now include example alert functionality for documentation generation and cross linking purposes (Issues 6119, and 8189).
-<ul>
-<li>Big Redirect</li>
-<li>Information Disclosure: Debug Errors</li>
-<li>Information Disclosure: In URL</li>
-<li>Information Disclosure: Referrer</li>
-<li>Cookie Poisoning</li>
-<li>User Controllable Charset</li>
-<li>Open Redirect</li>
-<li>User Controllable HTML Element Attribute (Potential XSS)</li>
-<li>Heartbleed OpenSSL Vulnerability (Indicative)</li>
-<li>Strict-Transport-Security Header</li>
-<li>Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)</li>
-<li>X-Content-Type-Options Header Missing</li>
-<li>Content-Type Header Missing</li>
+<li>The following scan rules now have alert references (Issue 7100):
+<ul>
+<li>Cookie without SameSite Attribute</li>
+<li>Retrieved from Cache (raw text was also trimmed from one Alert reference (Issue 8262))</li>
+</ul>
+</li>
+</ul>
+<h3>Fixed</h3>
+<ul>
+<li>An issue where Other Info on alerts for the following rules may have been hard to read (missing spaces or new lines):
+<ul>
+<li>HTTPS to HTTP Insecure Transition in Form Post</li>
+<li>HTTP to HTTPS Insecure Transition in Form Post</li>
+<li>User Controllable JavaScript Event (XSS)</li>
</ul>
</li>
-<li>The CWE for the Cookie Poisoning scan rule was updated to a more specific one.</li>
-<li>The Strict-Transport-Security Header and Big Redirect scan rules now use alert references for their different types of alerts (Issue 7100).</li>
</ul>
- https://github.com/zaproxy/zap-extensions/releases/download/pscanrules-v54/pscanrules-release-54.zap
- SHA-256:32d97b36a344b2f57572523f25d78494a508aae32fc727bdb38ff5e81c3a32a4
+ https://github.com/zaproxy/zap-extensions/releases/download/pscanrules-v55/pscanrules-release-55.zap
+ SHA-256:9f33849866f0d1893d1c3459a25f292e675497b0d92250d068d631cbedcd5434
https://www.zaproxy.org/docs/desktop/addons/passive-scan-rules/
https://github.com/zaproxy/zap-extensions/
- 2024-01-16
- 1868648
+ 2024-01-26
+ 1859979
2.14.0
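Review bot: "The Salvation2 library used by the CSP scan rule has been replaced by htmlunit-csp." swaps the parser that decides what the CSP rule reports, with no version and no note on behavioural differences, so a user comparing results between pscanrules 54 and 55 cannot tell whether a new or vanished CSP alert is a finding or a parser change; the bullet should name the htmlunit-csp version and call out any known differences in what is accepted or flagged. Two smaller points in the same hunk: the alert-reference additions for "Cookie without SameSite Attribute" and "Retrieved from Cache" (Issue 7100) carry the usual caveat that filters keyed on plugin ID only may need updating, and "Retrieved from Cache (raw text was also trimmed from one Alert reference (Issue 8262))" is hard to read with its nested parentheses; something like "Retrieved from Cache; one of its references was also trimmed of raw text (Issue 8262)" says the same thing.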
@@ -2534,19 +2510,19 @@
Selenium
WebDriver provider and includes HtmlUnit browser
ZAP Dev Team
- 15.17.0
- selenium-release-15.17.0.zap
+ 15.18.0
+ selenium-release-15.18.0.zap
release
<h3>Changed</h3>
<ul>
-<li>Update Selenium to version 4.16.1.</li>
+<li>Update Selenium to version 4.17.0.</li>
</ul>
- https://github.com/zaproxy/zap-extensions/releases/download/selenium-v15.17.0/selenium-release-15.17.0.zap
- SHA-256:2002eb417f750123feb249d91e7d48ded7463228eb0ced603513974ab9b2f818
+ https://github.com/zaproxy/zap-extensions/releases/download/selenium-v15.18.0/selenium-release-15.18.0.zap
+ SHA-256:32eea6ed408c37b0c4edf9d39de06d47408486e638cab5e79acc142049add735
https://www.zaproxy.org/docs/desktop/addons/selenium/
https://github.com/zaproxy/zap-extensions/
- 2024-01-18
- 31487082
+ 2024-01-26
+ 31558250
2.14.0
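Review bot: the entry states only that Selenium moved from 4.16.1 to 4.17.0, yet the description line above it says the add-on "includes HtmlUnit browser" and the size line grew by about 71 KB (`31487082` to `31558250`); if the bundled HtmlUnit also changed, the changelog should say so, since that is the engine the headless browser-based checks run in. At 31.5 MB this is also the largest artifact in the patch, so the `SHA-256:32eea6ed…` line is the one most worth re-deriving from the published asset before merge.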
@@ -2623,20 +2599,23 @@
Spider
Spider used for automatically finding URIs on a site.
ZAP Dev Team
- 0.8.0
- spider-release-0.8.0.zap
+ 0.9.0
+ spider-release-0.9.0.zap
release
- <h3>Changed</h3>
+ <h3>Added</h3>
<ul>
-<li>Handle multiple "Link" HTTP Response headers.</li>
-<li>Maintenance changes.</li>
+<li>Video link in help for Automation Framework job.</li>
+</ul>
+<h3>Changed</h3>
+<ul>
+<li>The sitemap.xml parser will now accept and process a greater range of possible file content (Issue 8299).</li>
</ul>
- https://github.com/zaproxy/zap-extensions/releases/download/spider-v0.8.0/spider-release-0.8.0.zap
- SHA-256:d34817e760a4faf6fbeb3a8a264c6662df537e82dceeab10e088ed69fc6fe7c5
+ https://github.com/zaproxy/zap-extensions/releases/download/spider-v0.9.0/spider-release-0.9.0.zap
+ SHA-256:8f5863ee4b5c36199cd5cda6b4871b40e566f413b4d0ac13d7e99f70dce83747
https://www.zaproxy.org/docs/desktop/addons/spider/
https://github.com/zaproxy/zap-extensions/
- 2023-12-19
- 1150808
+ 2024-01-26
+ 1150320
2.14.0
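Review bot: "The sitemap.xml parser will now accept and process a greater range of possible file content (Issue 8299)." loosens the handling of a document that is served by the site being spidered, i.e. attacker-controlled XML, and the bullet does not say what is now accepted. Suggest stating the broadened cases (for example, which previously rejected structures or encodings are now tolerated) and confirming in the entry that the parser is configured without external entity resolution, since a more permissive XML path on untrusted input is exactly where entity-based attacks on the scanner itself would land. Also, the version moved from 0.8.0 to 0.9.0 with only a help-video link and this parser change listed; if the minor bump reflects anything else, it should appear here.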
diff --git a/ZapVersions-dev.xml b/ZapVersions-dev.xml
index f4faee8a..1fd3d92a 100644
--- a/ZapVersions-dev.xml
+++ b/ZapVersions-dev.xml
@@ -131,28 +131,19 @@
Active scanner rules
The release status Active Scanner rules
ZAP Dev Team
- 61
- ascanrules-release-61.zap
+ 62
+ ascanrules-release-62.zap
release
<h3>Changed</h3>
<ul>
-<li>Update reference for Server Side Include (Issue 8262)</li>
-</ul>
-<h3>Fixed</h3>
-<ul>
-<li>False positives on redirects for:
-<ul>
-<li>Cloud Metadata (Issue 7710)</li>
-<li>Hidden Files</li>
-</ul>
-</li>
+<li>The Source Code Disclosure - /WEB-INF Folder rule now includes example alert functionality for documentation generation purposes (Issue 6119).</li>
</ul>
- https://github.com/zaproxy/zap-extensions/releases/download/ascanrules-v61/ascanrules-release-61.zap
- SHA-256:d4da0e3df9985b439833987ad5515f27d7ce8a2110b1bcc6cb6b6431921b6525
+ https://github.com/zaproxy/zap-extensions/releases/download/ascanrules-v62/ascanrules-release-62.zap
+ SHA-256:d6d8ff8c6036aba752786d2013b04a960a62bc0162d6c95dd1ea73de81fdb91e
https://www.zaproxy.org/docs/desktop/addons/active-scan-rules/
https://github.com/zaproxy/zap-extensions/
- 2024-01-24
- 3279826
+ 2024-01-26
+ 3280154
2.14.0
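Review bot: this hunk and the seven that follow in `ZapVersions-dev.xml` duplicate the corresponding hunks in `ZapVersions-2.14.xml` line for line (same version, file name, SHA-256, date, size and changelog text), so whatever applies to the 2.14 entries applies here unchanged. For review, diff the changed regions of the two files against each other rather than reading both, and keep them in lock-step going forward: a divergence in a `SHA-256:` or size line would mean dev and 2.14 users install different bytes under the same add-on version, with nothing else in the pipeline to flag it.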
@@ -176,31 +167,26 @@
Active scanner rules (alpha)
The alpha status Active Scanner rules
ZAP Dev Team
- 45
- ascanrulesAlpha-alpha-45.zap
+ 46
+ ascanrulesAlpha-alpha-46.zap
alpha
<h3>Changed</h3>
<ul>
-<li>Update minimum ZAP version to 2.14.0.</li>
+<li>Move MongoDB time based tests to its own scan rule, NoSQL Injection - MongoDB (Time Based) with ID 90039 (Issue 7341).</li>
<li>Depend on newer version of Common Library add-on.</li>
-<li>Add website alert links to the help page (Issue 8189).</li>
-</ul>
-<h3>Fixed</h3>
-<ul>
-<li>Fix time-based false positives in NoSQL Injection - MongoDB scan rule.</li>
</ul>
- https://github.com/zaproxy/zap-extensions/releases/download/ascanrulesAlpha-v45/ascanrulesAlpha-alpha-45.zap
- SHA-256:8186168bfb816c7efdbb07989461cb5730621a92a497561e36908049dc01ef0e
+ https://github.com/zaproxy/zap-extensions/releases/download/ascanrulesAlpha-v46/ascanrulesAlpha-alpha-46.zap
+ SHA-256:17202f0e556bf9fa75f9161fd3dde897fdad8c0419641a9e8b0d11a54ed9609b
https://www.zaproxy.org/docs/desktop/addons/active-scan-rules-alpha/
https://github.com/zaproxy/zap-extensions/
- 2024-01-16
- 390845
+ 2024-01-26
+ 394880
2.14.0
commonlib
- >= 1.20.0 & < 2.0.0
+ >= 1.22.0 & < 2.0.0
@@ -210,25 +196,32 @@
Active scanner rules (beta)
The beta status Active Scanner rules
ZAP Dev Team
- 49
- ascanrulesBeta-beta-49.zap
+ 50
+ ascanrulesBeta-beta-50.zap
beta
<h3>Changed</h3>
<ul>
-<li>Update minimum ZAP version to 2.14.0.</li>
-<li>Update references for Expression Language Injection and HTTP Parameter Pollution (Issue 8262).</li>
-<li>The Source Code Disclosure - SVN scan rule includes example alert functionality for documentation generation purposes (Issue 6119).</li>
+<li>References for the following scan rules were updated (Issue 8262):
+<ul>
+<li>Exponential Entity Expansion (Billion Laughs Attack)</li>
+<li>Relative Path Confusion</li>
+<li>HTTPS Content Available via HTTP</li>
+<li>Remote Code Execution - Shell Shock</li>
</ul>
-<h3>Removed</h3>
+</li>
+<li>The following scan rules now include example alert functionality for documentation generation purposes (Issue 6119):
<ul>
-<li>Help entry for the Spring Actuators scan rule (missed during previous removal/promotion).</li>
+<li>HTTPS Content Available via HTTP</li>
+<li>Remote Code Execution - Shell Shock (it now also uses Alert Refs (Issue 7100))</li>
+</ul>
+</li>
</ul>
- https://github.com/zaproxy/zap-extensions/releases/download/ascanrulesBeta-v49/ascanrulesBeta-beta-49.zap
- SHA-256:6ddae5f9e9c90fab7c81e4f15e76aa050913d84b729ae2203c1e87e7c5822a27
+ https://github.com/zaproxy/zap-extensions/releases/download/ascanrulesBeta-v50/ascanrulesBeta-beta-50.zap
+ SHA-256:a7cf0a9f16493b21387eb7ec5ad630ae51c8de1bfc7d12a85caaa3b309be06dc
https://www.zaproxy.org/docs/desktop/addons/active-scan-rules-beta/
https://github.com/zaproxy/zap-extensions/
- 2024-01-16
- 1739035
+ 2024-01-26
+ 1739680
2.14.0
@@ -591,24 +584,19 @@
Common Library
A common library, for use by other add-ons.
ZAP Dev Team
- 1.21.0
- commonlib-release-1.21.0.zap
+ 1.22.0
+ commonlib-release-1.22.0.zap
release
<h3>Added</h3>
<ul>
-<li>Add solution to 'Server Misconfiguration' and 'Application Misconfiguration' vulnerabilities (Issue 8056).</li>
-</ul>
-<h3>Changed</h3>
-<ul>
-<li>Update Vulnerabilities' references to use https links and retire some which were out-dated (Issue 8262).</li>
-<li>Maintenance changes.</li>
+<li>Add alert tag for scan rules that use time based tests.</li>
</ul>
- https://github.com/zaproxy/zap-extensions/releases/download/commonlib-v1.21.0/commonlib-release-1.21.0.zap
- SHA-256:ef032287106e12c20b151115b43d73cf268294a859e8dd4ff5d6b99f12acf524
+ https://github.com/zaproxy/zap-extensions/releases/download/commonlib-v1.22.0/commonlib-release-1.22.0.zap
+ SHA-256:5f88c3a00cb118790e96ee801f7f305ead8c199a827b3293c1effc1a7db13e18
https://www.zaproxy.org/docs/desktop/addons/common-library/
https://github.com/zaproxy/zap-extensions/
- 2024-01-16
- 10793045
+ 2024-01-26
+ 10793000
2.14.0
communityScripts
@@ -1838,23 +1826,23 @@
OpenAPI Support
Imports and spiders OpenAPI definitions.
ZAP Dev Team plus Joanna Bona, Nathalie Bouchahine, Artur Grzesica, Mohammad Kamar, Markus Kiss, Michal Materniak, Marcin Spiewak, and SDA SE Open Industry Solutions
- 38
- openapi-beta-38.zap
+ 39
+ openapi-beta-39.zap
beta
- <h3>Changed</h3>
+ <h3>Added</h3>
<ul>
-<li>Dependency updates.</li>
+<li>Video link in help for Automation Framework job.</li>
</ul>
-<h3>Fixed</h3>
+<h3>Changed</h3>
<ul>
-<li>An issue in the headers generator which might lead to content-type header being incorrectly set.</li>
+<li>Dependency updates.</li>
</ul>
- https://github.com/zaproxy/zap-extensions/releases/download/openapi-v38/openapi-beta-38.zap
- SHA-256:58988bd550a98130f306a6efbcd349581b7a2cd4b27aa85af5217c3132221c50
+ https://github.com/zaproxy/zap-extensions/releases/download/openapi-v39/openapi-beta-39.zap
+ SHA-256:9f4eec172dc3dd32052eee670854afbbd12a3b61269beebaa0329b358621a1c9
https://www.zaproxy.org/docs/desktop/addons/openapi-support/
https://github.com/zaproxy/zap-extensions/
- 2023-10-23
- 13848523
+ 2024-01-26
+ 13941067
2.14.0
@@ -2098,58 +2086,46 @@
Passive scanner rules
The release status Passive Scanner rules
ZAP Dev Team
- 54
- pscanrules-release-54.zap
+ 55
+ pscanrules-release-55.zap
release
<h3>Changed</h3>
<ul>
-<li>The Big Redirect scan rule will now also alert on responses that have multiple HREFs (idea from xnl-h4ck3r).</li>
-<li>The references for the following scan rules are now all HTTPS (Issue 8262) and in some cases updated:
-<ul>
-<li>Loosely Scoped Cookie</li>
-<li>Charset Mismatch</li>
-<li>Strict-Transport-Security Header</li>
-<li>Content Security Policy (CSP) Header Not Set</li>
-<li>CSP</li>
-<li>Session ID in URL Rewrite</li>
-<li>HTTP Server Response Header</li>
-<li>Cookie Poisoning</li>
-<li>User Controllable HTML Element Attribute (Potential XSS)</li>
-<li>X-Content-Type-Options Header Missing</li>
-<li>Content-Type Header Missing</li>
-<li>Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)</li>
+<li>The Salvation2 library used by the CSP scan rule has been replaced by htmlunit-csp.</li>
+<li>The following rules now include example alert functionality for documentation generation purposes (Issue 6119):
+<ul>
+<li>HTTPS to HTTP Insecure Transition in Form Post</li>
+<li>HTTP to HTTPS Insecure Transition in Form Post</li>
+<li>Secure Pages Include Mixed Content</li>
+<li>User Controllable JavaScript Event (XSS)</li>
+<li>Cookie without SameSite Attribute</li>
+<li>X-Debug-Token Information Leak</li>
<li>Retrieved from Cache</li>
</ul>
</li>
-<li>The Absence of Anti-CSRF Tokens scan rule now takes into account the Partial Match settings from the Anti-CSRF Options (Issue 8280).</li>
-<li>On Non-LOW threshold, PII Scan rule only evaluates HTML, JSON and XML responses (Issue 8264).</li>
-<li>Maintenance changes.</li>
-<li>The following rules now include example alert functionality for documentation generation and cross linking purposes (Issues 6119, and 8189).
-<ul>
-<li>Big Redirect</li>
-<li>Information Disclosure: Debug Errors</li>
-<li>Information Disclosure: In URL</li>
-<li>Information Disclosure: Referrer</li>
-<li>Cookie Poisoning</li>
-<li>User Controllable Charset</li>
-<li>Open Redirect</li>
-<li>User Controllable HTML Element Attribute (Potential XSS)</li>
-<li>Heartbleed OpenSSL Vulnerability (Indicative)</li>
-<li>Strict-Transport-Security Header</li>
-<li>Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)</li>
-<li>X-Content-Type-Options Header Missing</li>
-<li>Content-Type Header Missing</li>
+<li>The following scan rules now have alert references (Issue 7100):
+<ul>
+<li>Cookie without SameSite Attribute</li>
+<li>Retrieved from Cache (raw text was also trimmed from one Alert reference (Issue 8262))</li>
+</ul>
+</li>
+</ul>
+<h3>Fixed</h3>
+<ul>
+<li>An issue where Other Info on alerts for the following rules may have been hard to read (missing spaces or new lines):
+<ul>
+<li>HTTPS to HTTP Insecure Transition in Form Post</li>
+<li>HTTP to HTTPS Insecure Transition in Form Post</li>
+<li>User Controllable JavaScript Event (XSS)</li>
</ul>
</li>
-<li>The CWE for the Cookie Poisoning scan rule was updated to a more specific one.</li>
-<li>The Strict-Transport-Security Header and Big Redirect scan rules now use alert references for their different types of alerts (Issue 7100).</li>
</ul>
- https://github.com/zaproxy/zap-extensions/releases/download/pscanrules-v54/pscanrules-release-54.zap
- SHA-256:32d97b36a344b2f57572523f25d78494a508aae32fc727bdb38ff5e81c3a32a4
+ https://github.com/zaproxy/zap-extensions/releases/download/pscanrules-v55/pscanrules-release-55.zap
+ SHA-256:9f33849866f0d1893d1c3459a25f292e675497b0d92250d068d631cbedcd5434
https://www.zaproxy.org/docs/desktop/addons/passive-scan-rules/
https://github.com/zaproxy/zap-extensions/
- 2024-01-16
- 1868648
+ 2024-01-26
+ 1859979
2.14.0
@@ -2534,19 +2510,19 @@
Selenium
WebDriver provider and includes HtmlUnit browser
ZAP Dev Team
- 15.17.0
- selenium-release-15.17.0.zap
+ 15.18.0
+ selenium-release-15.18.0.zap
release
<h3>Changed</h3>
<ul>
-<li>Update Selenium to version 4.16.1.</li>
+<li>Update Selenium to version 4.17.0.</li>
</ul>
- https://github.com/zaproxy/zap-extensions/releases/download/selenium-v15.17.0/selenium-release-15.17.0.zap
- SHA-256:2002eb417f750123feb249d91e7d48ded7463228eb0ced603513974ab9b2f818
+ https://github.com/zaproxy/zap-extensions/releases/download/selenium-v15.18.0/selenium-release-15.18.0.zap
+ SHA-256:32eea6ed408c37b0c4edf9d39de06d47408486e638cab5e79acc142049add735
https://www.zaproxy.org/docs/desktop/addons/selenium/
https://github.com/zaproxy/zap-extensions/
- 2024-01-18
- 31487082
+ 2024-01-26
+ 31558250
2.14.0
@@ -2623,20 +2599,23 @@
Spider
Spider used for automatically finding URIs on a site.
ZAP Dev Team
- 0.8.0
- spider-release-0.8.0.zap
+ 0.9.0
+ spider-release-0.9.0.zap
release
- <h3>Changed</h3>
+ <h3>Added</h3>
<ul>
-<li>Handle multiple "Link" HTTP Response headers.</li>
-<li>Maintenance changes.</li>
+<li>Video link in help for Automation Framework job.</li>
+</ul>
+<h3>Changed</h3>
+<ul>
+<li>The sitemap.xml parser will now accept and process a greater range of possible file content (Issue 8299).</li>
</ul>
- https://github.com/zaproxy/zap-extensions/releases/download/spider-v0.8.0/spider-release-0.8.0.zap
- SHA-256:d34817e760a4faf6fbeb3a8a264c6662df537e82dceeab10e088ed69fc6fe7c5
+ https://github.com/zaproxy/zap-extensions/releases/download/spider-v0.9.0/spider-release-0.9.0.zap
+ SHA-256:8f5863ee4b5c36199cd5cda6b4871b40e566f413b4d0ac13d7e99f70dce83747
https://www.zaproxy.org/docs/desktop/addons/spider/
https://github.com/zaproxy/zap-extensions/
- 2023-12-19
- 1150808
+ 2024-01-26
+ 1150320
2.14.0