Latest weekly release


psiinon

Nov 10, 2020, 12:11:15 PM
to OWASP ZAP Developer Group
Today's weekly release includes 2 very significant changes, which we really wanted to get into ZAP 2.10.0:
  • Ajax Spider "Allowed Resources" - these are off-domain resources that will now be returned to the spider but not crawled. They are configurable, but by default will include all JavaScript and CSS files - this should allow the Ajax Spider to work much more effectively with modern web apps that include JavaScript from CDNs. Previously ZAP would block these, which meant that sites that used CDNs could not be crawled so effectively.
  • Authentication Verification Strategies - these define how ZAP can tell if a user is logged in or not. In addition to the current option for checking just responses, ZAP now supports checking just requests, requests and responses, and polling. The polling option is ideal for modern web apps, which don't typically return logged in/out indications in every request. A PR has been opened for the related help changes: #326
The Ajax Spider has been published to the ZAP Marketplace and is available for 2.9.0 as well, but the Authentication Verification Strategies require core changes and are therefore only available in the weekly.

If you do try them out then please let us know how you get on with them.

Many thanks,

Simon
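Editor's note: the following is an added example, not ZAP's code and not part of the post above. It models the two behaviours Simon describes so they can be tried offline: an "allowed resources" filter that lets off-domain JavaScript/CSS URLs be fetched but not crawled, and a login verifier that supports the four strategies (response only, request only, both, polling). The regexes, the hostnames, the `fetch` callback and the precedence rule "logged-in indicator wins, then logged-out indicator, then absence of whichever indicator is configured" are assumptions made for illustration, not ZAP's actual defaults or logic.

```python
"""Toy model of Ajax Spider 'allowed resources' and login verification strategies.

Added example, not ZAP code. All patterns, URLs and page bodies are constructed.
"""
import re
from typing import Callable, List, Optional, Pattern
from urllib.parse import urlparse

# Assumption: default allowed resources are any JavaScript or CSS URL, query string or not.
DEFAULT_ALLOWED_RESOURCES: List[Pattern[str]] = [
    re.compile(r"^https?://.*\.js(?:\?.*)?$", re.IGNORECASE),
    re.compile(r"^https?://.*\.css(?:\?.*)?$", re.IGNORECASE),
]


def classify_url(url: str, in_scope_hosts: set,
                 allowed: List[Pattern[str]] = DEFAULT_ALLOWED_RESOURCES) -> str:
    """Return 'crawl' (in scope), 'allow' (off-domain but served to the crawler,
    never crawled) or 'block' (off-domain and not on the allow list)."""
    host = (urlparse(url).hostname or "").lower()
    if host in in_scope_hosts:
        return "crawl"
    if any(p.match(url) for p in allowed):
        return "allow"
    return "block"


class LoginVerifier:
    """Decide whether a user is logged in, using one of four strategies."""

    STRATEGIES = ("response", "request", "both", "poll")

    def __init__(self, strategy: str, logged_in_re: Optional[str] = None,
                 logged_out_re: Optional[str] = None, poll_url: Optional[str] = None,
                 poll_every: int = 3, fetch: Optional[Callable[[str], str]] = None):
        if strategy not in self.STRATEGIES:
            raise ValueError(f"unknown strategy {strategy!r}")
        if strategy == "poll" and not (poll_url and fetch):
            raise ValueError("poll strategy needs poll_url and a fetch callback")
        if not (logged_in_re or logged_out_re):
            raise ValueError("at least one indicator regex is required")
        self.strategy = strategy
        self.logged_in_re = re.compile(logged_in_re) if logged_in_re else None
        self.logged_out_re = re.compile(logged_out_re) if logged_out_re else None
        self.poll_url = poll_url
        self.poll_every = poll_every
        self.fetch = fetch          # hypothetical callback: url -> raw HTTP response text
        self.seen = 0               # messages observed so far (drives polling cadence)
        self.last: Optional[bool] = None  # last decision; None until something is known

    def _decide(self, text: str) -> bool:
        # Assumed precedence: a matching logged-in indicator wins, then a matching
        # logged-out indicator; otherwise absence of the configured indicator decides.
        if self.logged_in_re and self.logged_in_re.search(text):
            return True
        if self.logged_out_re and self.logged_out_re.search(text):
            return False
        return False if self.logged_in_re else True

    def observe(self, request: str, response: str) -> Optional[bool]:
        """Feed one proxied request/response pair; returns the current belief."""
        self.seen += 1
        if self.strategy == "request":
            text = request
        elif self.strategy == "response":
            text = response
        elif self.strategy == "both":
            text = request + "\n" + response
        else:  # poll: ignore proxied traffic, ask a dedicated URL every N messages
            if self.seen % self.poll_every != 0:
                return self.last
            text = self.fetch(self.poll_url)
        self.last = self._decide(text)
        return self.last


if __name__ == "__main__":
    scope = {"app.example.test"}
    for u in ("https://app.example.test/", "https://cdn.example.net/app.js?v=2",
              "https://tracker.example.net/pixel.gif"):
        print(u, "->", classify_url(u, scope))
```

The "poll" branch is the interesting one for single-page apps: proxied API traffic rarely carries a login indicator, so the verifier returns its previous belief until it is time to poll, then bases the decision solely on the polled page. Note that "request" strategies only ever see what the client sends (a bearer token, a session cookie), so they confirm the client *thinks* it is logged in, not that the server agrees.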