Today's weekly release includes 2 very significant changes, which we really wanted to get into ZAP 2.10.0:
- Authentication Verification Strategies - these define how ZAP can tell if a user is logged in or not. In addition to the current option of checking just responses, ZAP now supports checking just requests, checking requests and responses, and polling. The polling option is ideal for modern web apps, which don't typically return any logged in/out indications in every request. A PR has been opened for the related help changes: #326
The Ajax Spider has been published to the ZAP Marketplace and is available for 2.9.0 as well, but the Authentication Verification Strategies require core changes and are therefore only available in the weekly.
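
The four strategies described above, modelled as an added Python example (not ZAP's code): the strategy names, regex indicators, status responses and the `None` result for "no indicator seen" are all assumptions made for illustration. It shows why response checking cannot decide anything for a JSON API call, while polling a status endpoint can, with the answer cached between polls.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Message:
    request: str
    response: str

class AuthVerifier:
    """Illustrative model only; strategy names are hypothetical, not ZAP identifiers."""
    def __init__(self, strategy: str, logged_in: str, logged_out: str,
                 poll: Optional[Callable[[], str]] = None, poll_every: int = 60):
        self.strategy, self.poll, self.poll_every = strategy, poll, poll_every
        self.logged_in, self.logged_out = re.compile(logged_in), re.compile(logged_out)
        self._last_poll: Optional[float] = None
        self._state: Optional[bool] = None

    def _match(self, text: str) -> Optional[bool]:
        if self.logged_in.search(text):
            return True
        if self.logged_out.search(text):
            return False
        return None  # no indicator present: state cannot be determined

    def is_authenticated(self, msg: Message, now: float) -> Optional[bool]:
        if self.strategy == "poll":
            # Re-query the status endpoint only when the cached answer is stale.
            if self._last_poll is None or now - self._last_poll >= self.poll_every:
                self._state, self._last_poll = self._match(self.poll()), now
            return self._state
        parts = {"response": [msg.response], "request": [msg.request],
                 "request_response": [msg.request, msg.response]}[self.strategy]
        return self._match("\n".join(parts))

def demo():
    # Constructed sample data: a JSON API call whose response carries no login indicator.
    api = Message("GET /api/items HTTP/1.1\nAuthorization: Bearer abc", '{"items": []}')
    status = iter(['{"user": "alice"}', '{"error": "not logged in"}'])  # session expires
    polls = []
    def poll():
        polls.append(1)
        return next(status)
    IN, OUT = r'"user":', r"not logged in"
    by_resp = AuthVerifier("response", IN, OUT).is_authenticated(api, 0)
    by_req = AuthVerifier("request", r"Authorization: Bearer", OUT).is_authenticated(api, 0)
    p = AuthVerifier("poll", IN, OUT, poll=poll, poll_every=60)
    by_poll = [p.is_authenticated(api, t) for t in (0, 30, 60)]
    return by_resp, by_req, by_poll, len(polls)

if __name__ == "__main__":
    print(demo())
```
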
If you do try them out then please let us know how you get on with them.