|
| 1 | +--- |
| 2 | +title: "ZAP Updates - April 2025" |
| 3 | +summary: > |
| 4 | + April 2025 updates and ongoing feature development statuses. |
| 5 | +images: |
| 6 | +- https://www.zaproxy.org/blog/2025-05-05-zap-updates-april-2025/images/zapbot-monthly-updates.png |
| 7 | +type: post |
| 8 | +tags: |
| 9 | +- blog |
| 10 | +- update |
| 11 | +date: "2025-05-05" |
| 12 | +authors: |
| 13 | +- akshath |
| 14 | +--- |
| 15 | + |
| 16 | +This month was all about small but meaningful improvements. |
| 17 | + |
| 18 | +## Highlights |
| 19 | +### ZAP Wins Inaugural DefectDojo Award |
| 20 | +We’re proud to announce that ZAP has won the inaugural DefectDojo Open Source Award for being one of the Best Dynamic Application Security Testing (DAST) Tools out there. |
| 21 | +This award recognizes ZAP’s contributions to the open-source cybersecurity ecosystem - [read more here](/blog/2025-04-22-zap-wins-inaugural-defectdojo-award-for-open-source/). |
| 22 | + |
| 23 | +### New ZAP Success Story |
| 24 | +A new success story featuring Possible Security, a Riga-based cybersecurity firm, was published to the website in April. |
| 25 | +They highlight ZAP’s role as a core tool in their web and mobile app penetration tests. |
| 26 | +[Read the full story here](/success/possiblesecurity/). |
| 27 | + |
| 28 | +### Authentication Improvements |
| 29 | +This month brought several improvements to ZAP’s authentication tooling. |
| 30 | +The browser-based recorder received multiple fixes and enhancements, while the team also began discussions around a potential authentication wizard, aimed at streamlining and improving the overall authentication setup experience. |
| 31 | + |
| 32 | +### Spidering Enhancements |
| 33 | +We continued to iterate on both the AJAX spider and Client spider, focusing on better handling of dynamic content and improved coverage of modern, JavaScript-driven web applications, especially when authentication is also involved. |
| 34 | + |
| 35 | +## Ongoing Work |
| 36 | +### Continued Enhancements to Authentication |
| 37 | +Work is steadily progressing to make authentication even more reliable and adaptable. |
| 38 | +We're focusing on improving support for complex login sequences, multi-step authentication, and modern SPA frameworks, ensuring ZAP can keep pace with today's evolving web technologies. |
| 39 | + |
| 40 | +### LLM Add-on Pull Request |
| 41 | +We're actively reviewing a pull request for a Large Language Model (LLM) add-on. |
| 42 | +This experimental feature aims to leverage LLMs within ZAP in a meaningful way. |
| 43 | + |
| 44 | +## Miscellaneous Updates |
| 45 | +### PENTEST Tags Added to Scan Rules |
| 46 | +We’ve added PENTEST policy tags to all Java active and passive scan rules, helping users identify rules most relevant to penetration testing. |
| 47 | +(Essentially this is all rules except the Example rules in the alpha add-ons.) |
| 48 | + |
| 49 | +### Windows Binary False Positives Resolved |
| 50 | +ZAP’s Windows binary was being falsely flagged as malicious by a few vendors, including FortiGuard and Ikarus. |
| 51 | +This issue was resolved after outreach, though Alibaba did not respond and the Chromium team’s reply was disappointing. |
| 52 | +We're continuing to monitor and engage where needed to minimize disruption for users. |
| 53 | + |
| 54 | +### New PortSwigger Lab Solution Blog Post |
| 55 | +A detailed walkthrough on using ZAP to solve PortSwigger's "Broken Brute-Force Protection, IP Block" lab was published on the blog. |
| 56 | +[Read the full guide here](/blog/2025-04-09-portswigger-labs-broken-brute-force-protection-ip-block/). |
| 57 | + |
| 58 | +## GitHub Pulse |
| 59 | +Here are some statistics for the two main ZAP repositories: |
| 60 | + |
| 61 | +[zaproxy](https://github.com/zaproxy/zaproxy/pulse/monthly) |
| 62 | +Excluding merges, 4 authors have pushed 12 commits to main and 12 commits to all branches. On main, 33 files have changed and there have been 1,202 additions and 426 deletions. |
| 63 | + |
| 64 | +[zap-extensions](https://github.com/zaproxy/zap-extensions/pulse/monthly) |
| 65 | +Excluding merges, 7 authors have pushed 90 commits to main and 91 commits to all branches. On main, 549 files have changed and there have been 7,419 additions and 2,127 deletions. |
| 66 | + |
| 67 | +A total of [77 human PRs were merged](https://github.com/search?q=org%3Azaproxy+type%3Apr+-author%3Azapbot+-author%3Aapp%2Fdependabot+sort%3Aupdated-asc+closed%3A2025-04+is%3Amerged&type=pullrequests) on the ZAP repos. |
| 68 | + |
| 69 | +## Released Add-ons - Full Changelog |
| 70 | +In April 2025, we released updated versions of 6 add-ons: |
| 71 | + |
| 72 | +##### Advanced SQLInjection Scanner |
| 73 | +**v16** |
| 74 | +Changed |
| 75 | +- Update minimum ZAP version to 2.16.0. |
| 76 | +- Maintenance changes. |
| 77 | +- The included active scan rule has been tagged of interest to Penetration Testers. |
| 78 | + |
| 79 | +##### Common Library |
| 80 | +**v1.32.0** |
| 81 | +Added |
| 82 | +- Add an alert tag for scan rules that are believed to be of interest to Penetration Testers (essentially everything except the Example rules). |
| 83 | + |
| 84 | +##### Linux WebDrivers |
| 85 | +**v137** |
| 86 | +Changed |
| 87 | +- Update ChromeDriver to 136.0.7103.49. |
| 88 | + |
| 89 | +**v136** |
| 90 | +Changed |
| 91 | +- Update ChromeDriver to 135.0.7049.114. |
| 92 | + |
| 93 | +**v135** |
| 94 | +Changed |
| 95 | +- Update ChromeDriver to 135.0.7049.97. |
| 96 | + |
| 97 | +**v134** |
| 98 | +Changed |
| 99 | +- Update ChromeDriver to 135.0.7049.95. |
| 100 | + |
| 101 | +**v133** |
| 102 | +Changed |
| 103 | +- Update ChromeDriver to 135.0.7049.84. |
| 104 | + |
| 105 | +**v132** |
| 106 | +Changed |
| 107 | +- Update ChromeDriver to 135.0.7049.42. |
| 108 | + |
| 109 | +##### MacOS WebDrivers |
| 110 | +**v137** |
| 111 | +Changed |
| 112 | +- Update ChromeDriver to 136.0.7103.49. |
| 113 | + |
| 114 | +**v136** |
| 115 | +Changed |
| 116 | +- Update ChromeDriver to 135.0.7049.114. |
| 117 | + |
| 118 | +**v135** |
| 119 | +Changed |
| 120 | +- Update ChromeDriver to 135.0.7049.97. |
| 121 | + |
| 122 | +**v134** |
| 123 | +Changed |
| 124 | +- Update ChromeDriver to 135.0.7049.95. |
| 125 | + |
| 126 | +**v133** |
| 127 | +Changed |
| 128 | +- Update ChromeDriver to 135.0.7049.84. |
| 129 | + |
| 130 | +**v132** |
| 131 | +Changed |
| 132 | +- Update ChromeDriver to 135.0.7049.42. |
| 133 | + |
| 134 | +##### Script Console |
| 135 | +**v45.11.0** |
| 136 | +Fixed |
| 137 | +- NPE when using scripts with no UI. |
| 138 | + |
| 139 | +**v45.10.0** |
| 140 | +Fixed |
| 141 | +- NPE when using some scripts after re-installing the scripts add-on. |
| 142 | +- Correct error message of the Automation Framework job. |
| 143 | +- Templates and Zest scripts were not being shown in the editor (Issue 8922). |
| 144 | + |
| 145 | +Added |
| 146 | +- Standardized Policy Tags to the base Scripts Passive Scanner. |
| 147 | + |
| 148 | +Changed |
| 149 | +- Depends on an updated version of the Common Library add-on. |
| 150 | + |
| 151 | +##### Windows WebDrivers |
| 152 | +**v137** |
| 153 | +Changed |
| 154 | +- Update ChromeDriver to 136.0.7103.49. |
| 155 | + |
| 156 | +**v136** |
| 157 | +Changed |
| 158 | +- Update ChromeDriver to 135.0.7049.114. |
| 159 | + |
| 160 | +**v135** |
| 161 | +Changed |
| 162 | +- Update ChromeDriver to 135.0.7049.97. |
| 163 | + |
| 164 | +**v134** |
| 165 | +Changed |
| 166 | +- Update ChromeDriver to 135.0.7049.95. |
| 167 | + |
| 168 | +**v133** |
| 169 | +Changed |
| 170 | +- Update ChromeDriver to 135.0.7049.84. |
| 171 | + |
| 172 | +**v132** |
| 173 | +Changed |
| 174 | +- Update ChromeDriver to 135.0.7049.42. |
| 175 | + |