The OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.

Release 2.4.0

ZAP 2.4.0 has been released, which includes:

- Attack Mode
- Advanced Fuzzing
- Scan Policies
- Scan Dialogs with Advanced Options
- Hiding Unused Tabs
- New Add-ons
- New Scan Rules
- Changed Scan Rules
- More User Interface Changes
- Extended API Support
- Internationalized Help Add-ons

'Attack' Mode

A new 'attack' mode has been added: applications that you have specified as in scope are actively scanned as they are discovered.

Advanced Fuzzing

A completely new fuzzing dialog has been introduced that allows multiple injection points to be attacked at the same time. It also introduces new attack payloads, including the option to use scripts for generating the payloads and for pre- and post-attack manipulation and analysis.

Scan Policies

Scan policies define exactly which rules are run as part of an active scan. They also define how these rules run, influencing how many requests are made and how likely potential issues are to be flagged. The new Scan Policy Manager dialog allows you to create, import and export as many scan policies as you need. You can select any scan policy when you start an active scan, and also specify the one used by the new attack mode. Scan policy dialog boxes allow sorting by any column, and include a quality column (indicating whether individual scanners are Release, Beta or Alpha quality).

Scan Dialogs with Advanced Options

New Active Scan and Spider dialogs have replaced the increasing number of right-click 'Attack' options. These provide easy access to all of the most common options and, optionally, a wide range of advanced options.

Hiding Unused Tabs

By default only the essential tabs are now shown when ZAP starts up. The remaining tabs are revealed when they are used (e.g. for the spider and active scanner) or when you display them via the special tab on the far right of each window with the green '+' icon. This special tab disappears if there are no hidden tabs. Tabs can be closed via a small 'x' icon which is shown when the tab is selected. Tabs can also be 'pinned' using a small 'pin' icon that is also shown when the tab is selected; pinned tabs will be shown when ZAP next starts up.

New Add-ons

Two significant new 'alpha' quality add-ons are available:

- Access Control Testing: adds the ability to automate many aspects of access control testing.
- Sequence Scanning: adds the ability to scan 'sequences' of web pages, in other words pages that must be visited in a strict order in order to work correctly.

These can both be downloaded from the ZAP Marketplace.

New Scan Rules

A number of significant new 'alpha' quality scanners are available:

- Relative Path Confusion: allows ZAP to scan for issues that may result in XSS, by detecting whether the browser can be fooled into interpreting HTML as CSS.
- Proxy Disclosure: allows ZAP to detect forward and reverse proxies between the ZAP instance and the origin web server / application server.
- Storability / Cacheability: allows ZAP to passively determine whether a page is storable by a shared cache, and whether it can be served from that cache in response to a similar request. This is useful from both a privacy and an application performance perspective. The scanner follows RFC 7234.

Support has also been added for Direct Web Remoting as an input vector for all scan rules.

Changed Scan Rules

- External Redirect: this plugin's ID has been changed from 30000 to 20019, in order to more closely align with the established groupings. (This change may be of importance to **API Users**.) Additionally, some minor changes have been implemented to prevent collisions between injected values and in-page content, and to improve performance. (Issues 1529 and 1569)
- Session ID in URL Rewrite: this plugin has been updated with a minimum length check for the value of the parameters it looks for. A false positive condition was raised related to this plugin (Issue 1396) whereby sID=5 would trigger a finding. The minimum length for session IDs, as this plugin interprets them, is now eight (8) characters.
- Client Browser Cache: the active scan rule TestClientBrowserCache has been removed. Checks performed by the passive scan rule CacheControlScanner have been slightly modified. (Issue 1499)

More User Interface Changes

- The ZAP splash screen is back: it now includes new graphics, a tips & tricks module, and loading/progress info.
- The active scan dialog shows each plugin's real progress status, based on the number of nodes that need to be scanned.
- There is a new session persistence options dialog that prompts the user for their preferred settings at startup (you can choose to "Remember" the option and not be asked again).
- For all Alerts the Risk field (False Positive, Suspicious, Warning) has been replaced with a more appropriately defined Confidence field (False Positive, Low, Medium, High or Confirmed).
- Timestamps are now optionally available for the Output tab.
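As an added illustration of the storability decision the Storability / Cacheability rule makes (this is not ZAP's own rule code), the following Python applies the RFC 7234 section 3 conditions for a shared cache to a few constructed request/response pairs. The cacheable-by-default status list, the sample headers and the paths are assumptions; the "can it be served for a similar request" half of the rule is not covered.

```python
from typing import Dict, List, Tuple

# Status codes RFC 7231 section 6.1 lists as cacheable by default (assumed list, not ZAP's).
CACHEABLE_BY_DEFAULT = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}

def parse_directives(cache_control: str) -> Dict[str, str]:
    """Split a Cache-Control value into {directive-name: argument}, names lower-cased."""
    directives = {}
    for token in cache_control.split(","):
        name, _, arg = token.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def is_storable_by_shared_cache(method: str, req_headers: Dict[str, str],
                                status: int, resp_headers: Dict[str, str]) -> bool:
    """RFC 7234 section 3: may a shared cache store this response at all? Header names are lower-case."""
    req_cc = parse_directives(req_headers.get("cache-control", ""))
    resp_cc = parse_directives(resp_headers.get("cache-control", ""))
    if method.upper() not in ("GET", "HEAD"):          # only methods a cache understands as cacheable
        return False
    if "no-store" in req_cc or "no-store" in resp_cc:  # no-store on either side forbids storage
        return False
    if "private" in resp_cc:                            # a shared cache must not store 'private'
        return False
    if "authorization" in req_headers and not any(
            d in resp_cc for d in ("public", "must-revalidate", "s-maxage")):
        return False                                    # section 3.2: Authorization blocks shared caching
    # Otherwise the response needs explicit freshness, 'public', or a status cacheable by default
    return ("expires" in resp_headers or "max-age" in resp_cc or "s-maxage" in resp_cc
            or "public" in resp_cc or status in CACHEABLE_BY_DEFAULT)

# Constructed sample exchanges: (method, request headers, status, response headers, path)
SAMPLE_EXCHANGES: List[Tuple[str, Dict[str, str], int, Dict[str, str], str]] = [
    ("GET", {}, 200, {"cache-control": "public, max-age=86400"}, "/static/app.js"),
    ("GET", {}, 200, {}, "/dashboard"),                 # no cache headers: storable by default
    ("GET", {"authorization": "Bearer t"}, 200, {"cache-control": "max-age=300"}, "/account"),
    ("GET", {}, 200, {"cache-control": "private, max-age=600"}, "/profile"),
    ("POST", {}, 200, {"cache-control": "public"}, "/login"),
]

def storable_paths(exchanges=SAMPLE_EXCHANGES) -> List[str]:
    """Paths a shared cache could store; /dashboard is the privacy-relevant one, it never opted out."""
    return [path for method, rq, status, rs, path in exchanges
            if is_storable_by_shared_cache(method, rq, status, rs)]

if __name__ == "__main__":
    print(storable_paths())  # ['/static/app.js', '/dashboard']
```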
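The Session ID in URL Rewrite change above, as an added example that is not ZAP's own rule code: a small check that reports session-identifier parameters carried in a URL, in both the query string and ';name=value' path parameters, and applies the eight-character minimum so that sID=5 no longer produces a finding. The parameter-name list is an assumption for illustration.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Parameter names treated as session identifiers (assumed illustrative list, not ZAP's own).
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "aspsessionid", "sessionid",
                       "session_id", "sid", "cfid", "cftoken"}
MIN_SESSION_ID_LENGTH = 8  # the 2.4.0 threshold described above

def session_ids_in_url(url: str, min_length: int = MIN_SESSION_ID_LENGTH) -> List[Tuple[str, str]]:
    """Return (name, value) pairs that look like session IDs carried in the URL.

    Query parameters (?sid=...) and path parameters (/app;jsessionid=...) are both checked;
    values shorter than min_length are ignored, which removes the sID=5 style false positive.
    """
    parts = urlsplit(url)  # urlsplit keeps ';params' inside .path, so we scan the path ourselves
    candidates = list(parse_qsl(parts.query, keep_blank_values=True))
    candidates += re.findall(r";([^;/=?]+)=([^;/?#]*)", parts.path)
    return [(name, value) for name, value in candidates
            if name.lower() in SESSION_PARAM_NAMES and len(value) >= min_length]

if __name__ == "__main__":
    # Constructed URLs: the first is the old false positive, the second a real path-parameter session ID
    print(session_ids_in_url("https://example.test/page?sID=5"))                          # []
    print(session_ids_in_url("https://example.test/app;jsessionid=0A1B2C3D4E5F?x=1"))
```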