Changed
Minimum ZAP version is now 2.9.0. (Various scan rules adjusted to address core deprecations.)
'Username Hash Found' scan rule now uses updated core functionality to retrieve configured users.
Tweak help for 'Cookie HttpOnly' scan rule.
'Information Disclosure: Suspicious Comments' scan rule now raises alerts with Low confidence when the match is within a script block or JS response.
Migrate an input file from Beta to Release that was missed during previous promotions.
This addresses errors such as [ZAP-PassiveScanner] ERROR org.zaproxy.zap.extension.pscanrules.InformationDisclosureInURL - No such file: .... /xml/URL-information-disclosure-messages.txt
'Application Error' scan rule now supports custom payloads when used in conjunction with the Custom Payloads addon.
Timestamp Disclosure scan rule now only considers potential timestamps within plus or minus one year when used at High threshold (Issue 5837).
'Application Error' scan rule's patterns file application_errors.xml is now copied to ZAP's home directory, which means it is editable by the user and is more consistent with other similar input files.
'Information Disclosure - Sensitive Information in URL' scan rule now sets the correct evidence field for some alerts, and has enhanced other info details (Issue 5832).
Removed
'Header XSS Protection' was deprecated and removed (Issue 5849).