2.16.1 D-2025-06-30 https://github.com/zaproxy/zaproxy/releases/download/w2025-06-30/ZAP_WEEKLY_D-2025-06-30.zip ZAP_WEEKLY_D-2025-06-30.zip SHA-256:64d02c408cbd2ccc8223ceba107edf681269c0c059d572b9fe612985bb503431 289547435 https://github.com/zaproxy/zaproxy/releases/download/v2.16.1/ZAP_2_16_1_windows-x32.exe ZAP_2_16_1_windows-x32.exe SHA-256:8437978b03c88f83933e07319dccb3c958c9db97ef8abc571e56c30938797e1a 245210624 https://github.com/zaproxy/zaproxy/releases/download/v2.16.1/ZAP_2_16_1_windows.exe ZAP_2_16_1_windows.exe SHA-256:d9aca657be405d5ac3cc82af576ea71cd9b35894c81e4a8dd696d56a69ce861d 245386752 https://github.com/zaproxy/zaproxy/releases/download/v2.16.1/ZAP_2.16.1_Linux.tar.gz ZAP_2.16.1_Linux.tar.gz SHA-256:5b2eb8319b085121a6e8ad50d69d67dbef8c867166f71a937bfc888d247a2ac1 234364899 https://github.com/zaproxy/zaproxy/releases/download/v2.16.1/ZAP_2.16.1.dmg ZAP_2.16.1.dmg SHA-256:79d7bc6db7e9583d3d90549791843998f0cf170ed975cfa01fac657f2e0d9120 262910572 Bug fix and enhancement release. https://www.zaproxy.org/docs/desktop/releases/2.16.1/ accessControl Access Control Testing Adds a set of tools for testing access control in web applications. ZAP Dev Team 10 accessControl-alpha-10.zap alpha <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.14.0.</li> <li>Maintenance changes.</li> <li>Link website alert pages and help (Issues 8189).</li> <li>The results table now presents the same context menu as other similar tables (History, Search, etc) facilitating copying URLs, etc (Issue 8356).</li> <li>Now has a table export button (Issue 8356).</li> <li>Adjusted some labels/titles to use title caps (Issue 2000 &amp; 8356).</li> </ul> <h3>Fixed</h3> <ul> <li>Now uses the General Font (Issue 8356), as set in the Display options.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/accessControl-v10/accessControl-alpha-10.zap SHA-256:8e068a789650cd31a5a4592cf57af3dbcb04b98f6fcd20bf752889c3843cbce8 https://www.zaproxy.org/docs/desktop/addons/access-control-testing/ https://github.com/zaproxy/zap-extensions/ 2024-03-25 597028 2.14.0 commonlib >= 1.17.0 & < 2.0.0 alertFilters Alert Filters Allows you to automate the changing of alert risk levels. ZAP Dev Team 24 alertFilters-release-24.zap release <h3>Changed</h3> <ul> <li>Use the alert reference for statistics.</li> <li>Workaround core issue that prevents the filters to be correctly applied (Issue 8888).</li> </ul> <h3>Added</h3> <ul> <li>Added parameter descriptions for the ZAP API.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/alertFilters-v24/alertFilters-release-24.zap SHA-256:33ca1609f8b63501d0e55c1c3a12ed3c9fadb63e1877b7142fde28aaad6cc4ff https://www.zaproxy.org/docs/desktop/addons/alert-filters/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 569827 2.16.0 pscan >= 0.1.0 & < 1.0.0 allinonenotes All In One Notes A simple extension to view all notes in one pane. David Vassallo 2 allinonenotes-alpha-2.zap alpha <h3>Added</h3> <ul> <li>Add info and repo URLs.</li> </ul> <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.11.0.</li> <li>Update link to repository.</li> <li>Maintenance changes.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/allinonenotes-v2/allinonenotes-alpha-2.zap SHA-256:9e70d6e76b72692e9c0cb64002a692b710710e688ea2d8834818086300632d2a https://www.zaproxy.org/docs/desktop/addons/all-in-one-notes/ https://github.com/zaproxy/zap-extensions/ 2021-10-07 249532 2.11.0 ascanrules Active scanner rules The release status Active Scanner rules ZAP Dev Team 72 ascanrules-release-72.zap release <h3>Added</h3> <ul> <li>Some Postgres error messages in the SQL Injection scan rule.</li> <li>All rules have been tagged of interest to Penetration Testers.</li> </ul> <h3>Changed</h3> <ul> <li>SQL Injection scan rule to start using ComparableResponse - part of the work to reduce False Positives.</li> <li>Depends on an updated version of the Common Library add-on.</li> <li>Due to it being 2025 and the mass adoption of HTTPS: De-prioritized plain HTTP payloads in the External Redirect scan rule.</li> </ul> <h3>Fixed</h3> <ul> <li>SQL Injection scan rule to treat a 500 response to an SQLi attack as a likely vulnerability.</li> <li>Use location header in SQL injection response comparisons (Issue 8651).</li> <li>Addressed False Negative with simple allow list handling in the External Redirect scan rule.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/ascanrules-v72/ascanrules-release-72.zap SHA-256:421f1f2275c2f0d2904f83ea59e3991b5c0f94cf600e2a996a89933ec1e5fe8e https://www.zaproxy.org/docs/desktop/addons/active-scan-rules/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 3291496 2.16.0 commonlib >= 1.32.0 & < 2.0.0 network >= 0.3.0 oast >= 0.7.0 ascanrulesAlpha Active scanner rules (alpha) The alpha status Active Scanner rules ZAP Dev Team 49 ascanrulesAlpha-alpha-49.zap alpha <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> <li>Maintenance changes.</li> <li>Depends on an updated version of the Common Library add-on.</li> </ul> <h3>Added</h3> <ul> <li>All rules (except examples) have been tagged of interest to Penetration Testers.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/ascanrulesAlpha-v49/ascanrulesAlpha-alpha-49.zap SHA-256:2be5e3162a41edfe99b03d54cd1f92b913ca0a4f9b8b86954d86d2b0571c91f9 https://www.zaproxy.org/docs/desktop/addons/active-scan-rules-alpha/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 406428 2.16.0 commonlib >= 1.32.0 & < 2.0.0 ascanrulesBeta Active scanner rules (beta) The beta status Active Scanner rules ZAP Dev Team 59 ascanrulesBeta-beta-59.zap beta <h3>Changed</h3> <ul> <li>The extension now has a user friendly name for use in the GUI.</li> <li>Depends on an updated version of the Common Library add-on.</li> </ul> <h3>Added</h3> <ul> <li>All rules have been tagged of interest to Penetration Testers.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/ascanrulesBeta-v59/ascanrulesBeta-beta-59.zap SHA-256:9320a087f184f0eecdad4066d1ee0cf1bc11dffebe2e72d7ed53c6714635fab6 https://www.zaproxy.org/docs/desktop/addons/active-scan-rules-beta/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 1778891 2.16.0 commonlib >= 1.32.0 & < 2.0.0 database >= 0.1.0 network >= 0.3.0 oast >= 0.7.0 attacksurfacedetector Attack Surface Detector The Attack Surface Detector analyzes web application source code to generate endpoints that can be used for penetration testing. Secure Decisions (Matthew DeLetto) 1.1.4 attacksurfacedetector-alpha-1.1.4.zap alpha Various incremental changes (see https://github.com/secdec/attack-surface-detector-zap/releases)<br> Fix un-handled exception when target unavailable & address various "house keeping" tasks.<br> https://github.com/zaproxy/zap-extensions/releases/download/2.7/attacksurfacedetector-alpha-1.1.4.zap SHA1:e21758c2cdcbc7806f44cc986a88360457eff82e https://github.com/secdec/attack-surface-detector-zap/wiki https://github.com/secdec/attack-surface-detector-zap/ 2019-03-07 15604948 2.7.0 authhelper Authentication Helper Helps identify and set up authentication handling ZAP Dev Team 0.26.0 authhelper-beta-0.26.0.zap beta <h3>Added</h3> <ul> <li>Add configuration support for the wait time after Client Script Based Authentication.</li> <li>Include the Web Element being interacted with in the Client Script Based Authentication diagnostics.</li> <li>Allow to enable authentication diagnostics for Client Script and Browser Based Authentication through the GUI.</li> <li>Automation Framework errors to the Authentication Report.</li> <li>Replace TOTP token during Client Script Based Authentication.</li> <li>Include more diagnostics in Client Script and Browser Based Authentication methods.</li> <li>Improve Authentication Report: <ul> <li>Add the ID of the step to make it easier to match with extracted screenshots.</li> <li>Include the script used by the Client Script Based Authentication.</li> <li>Add the initiator to the HTTP Messages to know what those messages correspond to.</li> <li>Include the tag name of the Web Element, now collecting <code>button</code>s along with <code>input</code>s.</li> </ul> </li> <li>Detection of session tokens in non standard headers.</li> <li>Search for username/password fields under shadow DOMs with Browser Based Authentication.</li> </ul> <h3>Changed</h3> <ul> <li>Warn when the recorded script used with Client Script Based Authentication does not launch a browser.</li> <li>Updated to depend on Zest add-on 48.6.0.</li> <li>Maintenance changes.</li> <li>Depend on reports 0.39.0 to include AF errors.</li> <li>Use Header Based Session Management configuration to find a better candidate authentication message with Client Script and Browser Based Authentication methods.</li> <li>Client Script authentication to refresh the page of no suitable verification URL found.</li> <li>Wait for the detection of the session method in Client Script Based Authentication method.</li> <li>Include the name of the interaction in the Client Script Based Authentication diagnostics.</li> <li>Clear fields before sending keys for Browser Based Authentication, including when using steps.</li> <li>Do not add an empty line to the start of the Other Info of Session Management Response Identified scan rule's alerts.</li> <li>Update the Client Script Based Authentication help page with the new Automation Framework <code>scriptInline</code> field.</li> <li>The Authentication Request Detection and Session Management Detection scan rules now skip resources (images, css, js, etc) which are unlikely to be relevant.</li> <li>The Verification Detection scan rule now skips messages that seem related to login/logout/registration functionality.</li> <li>Now depends on minimum Common Library version 1.33.0.</li> </ul> <h3>Fixed</h3> <ul> <li>Correct descriptions of the Zest script steps in the Authentication Report.</li> <li>Fix loading/saving of Client Script Based Authentication through the GUI.</li> <li>Inject user credentials into the script when running the Client Script Based Authentication browser integration.</li> <li>Delay when recording diagnostics.</li> <li>Allow to use zero login page wait for Client Script and Browser Based Authentication methods through the GUI.</li> <li>Ensure Client Script Based Authentication method has a clean state when reauthenticating.</li> <li>Handle missing username field in Browser Based Authentication.</li> <li>Correct the processing of cookies with the same name in Header Based Session Management method.</li> <li>Correct redirection handling when checking verification URLs.</li> <li>Verification URL comparison.</li> <li>Use the session token from JSON string response.</li> <li>Do not auto configure the Header Based Session Management method with duplicated session tokens.</li> <li>Ensure that auth messages with both known and unknown Session tokens are correctly processed.</li> <li>Respect Client Script Based Authentication's Login Page Wait when authenticating in browsers (e.g. AJAX Spider).</li> <li>Correct handling of JSON arrays in the Authentication Request Identified scan rule.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/authhelper-v0.26.0/authhelper-beta-0.26.0.zap SHA-256:b1f803d8faa1355e523cd1e59e13fd3d6519a7b673f36c2b9ad9ff5d166686eb https://www.zaproxy.org/docs/desktop/addons/authentication-helper/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 1317779 2.16.0 commonlib >= 1.33.0 & < 2.0.0 database >=0.8.0 & < 1.0.0 network >=0.6.0 pscan >= 0.1.0 & < 1.0.0 selenium 15.* zest >=48.6.0 authstats Authentication Statistics Records logged in/out statistics for all contexts in scope. ZAP Dev Team 2 authstats-alpha-2.zap alpha <h3>Added</h3> <ul> <li>Add repo URL.</li> </ul> <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.11.0.</li> <li>Dynamically unload the add-on.</li> <li>Change info URL to link to the site.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/authstats-v2/authstats-alpha-2.zap SHA-256:cfb604c27f3a7a58e7b5aa55fe9f19a9ce5561fab3ef7d3f6c72845671fb5dcf https://www.zaproxy.org/docs/desktop/addons/authentication-statistics/ https://github.com/zaproxy/zap-extensions/ 2021-10-07 247499 2.11.0 automation Automation Framework Automation Framework. ZAP Dev Team 0.50.0 automation-beta-0.50.0.zap beta <h3>Added</h3> <ul> <li>Add support for the wait time of the Client Script Based Authentication.</li> <li>Allow to inline scripts for Script and Client Script Based Authentication.</li> </ul> <h3>Changed</h3> <ul> <li>Maintenance changes.</li> <li>Adjusted further dialog, progress, and log messages with regard to preventing inclusion of commas in scan rule ID numbers. As well as ensuring consistency in use of ID (full caps) for table column headings, and the Add Add-ons dialog.</li> </ul> <h3>Fixed</h3> <ul> <li>Correctly handle missing script engines.</li> <li>Correct error messages of the statistics test.</li> <li>Allow to use zero login page wait for Client Script and Browser Based Authentication methods.</li> <li>Ensure log and progress messages related to scripts and script engines are not all referred to as session management related.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/automation-v0.50.0/automation-beta-0.50.0.zap SHA-256:8ceefb34a122d9dbe3fc56874013a757617388c7b2f32054973a323a0ba9ef54 https://www.zaproxy.org/docs/desktop/addons/automation-framework/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 1997816 2.16.0 commonlib >= 1.31.0 & < 2.0.0 network >= 0.15.0 & < 1.0.0 beanshell BeanShell Console Provides a BeanShell Console ZAP Dev Team 7 beanshell-beta-7.zap beta <h3>Added</h3> <ul> <li>Add info and repo URLs.</li> </ul> <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.11.0.</li> <li>Maintenance changes.</li> <li>Improve permissions and space handling when saving.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/beanshell-v7/beanshell-beta-7.zap SHA-256:0a83cb7d0369ccef50768ccbda1e6c6d82b9f4e3bd9372b38fd32cc21f6a30fb https://www.zaproxy.org/docs/desktop/addons/bean-shell/ https://github.com/zaproxy/zap-extensions/ 2021-10-07 577838 2.11.0 browserView Browser View Adds an option to render HTML responses like a browser ZAP Dev Team 6 browserView-alpha-6.zap alpha <h3>Added</h3> <ul> <li>Add info and repo URLs.</li> </ul> <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.12.0.</li> <li>Maintenance changes.</li> <li>Make missing JavaFX logging less verbose in regular use.</li> <li>Update help with the requirements to use the add-on.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/browserView-v6/browserView-alpha-6.zap SHA-256:e53cfde3a009a4be2e40c84ac02e05114505160bd2bab6cbb42416ab9a65b16c https://www.zaproxy.org/docs/desktop/addons/browser-view/ https://github.com/zaproxy/zap-extensions/ 2023-03-13 197667 2.12.0 bruteforce Forced Browse Forced browsing of files and directories using code from the OWASP DirBuster tool ZAP Dev Team 17 bruteforce-beta-17.zap beta <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/bruteforce-v17/bruteforce-beta-17.zap SHA-256:4c5828447d69da32e450e65a6b082284b56538383d5cf4036b743805115a9a90 https://www.zaproxy.org/docs/desktop/addons/forced-browse/ https://github.com/zaproxy/zap-extensions/ 2025-01-09 552468 2.16.0 commonlib >= 1.23.0 & < 2.0.0 bugtracker Bug Tracker Bug Tracker extension. ZAP Dev Team 4 bugtracker-alpha-4.zap alpha <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.11.1.</li> <li>Dependency updates.</li> <li>Maintenance changes.</li> <li>Updated to use PAT not password (https://github.blog/changelog/2021-08-12-git-password-authentication-is-shutting-down/).</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/bugtracker-v4/bugtracker-alpha-4.zap SHA-256:37c57f8e7f4a1608500527ac1831f8b078427f804ea04ad5790a2970e3e1b722 https://www.zaproxy.org/docs/desktop/addons/bug-tracker/ https://github.com/zaproxy/zap-extensions/ 2022-09-23 3707425 2.11.1 callgraph Call Graph Allows the user to view a call graph of the selected resources Colm O'Flaherty 5 callgraph-alpha-5.zap alpha <h3>Added</h3> <ul> <li>Add help.</li> <li>Add info and repo URLs.</li> </ul> <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.11.0.</li> <li>Maintenance changes.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/callgraph-v5/callgraph-alpha-5.zap SHA-256:0874ce5aad0c4bbf28f72627a4940759d328396e12b7d6a5596f2e41bf24dc4e https://www.zaproxy.org/docs/desktop/addons/call-graph/ https://github.com/zaproxy/zap-extensions/ 2021-10-07 925930 2.11.0 callhome Call Home Handles all of the calls to ZAP services. ZAP Dev Team 0.14.0 callhome-release-0.14.0.zap release <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> </ul> <h3>Added</h3> <ul> <li>Network stats to telemetry.</li> <li>Sequence stats to telemetry.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/callhome-v0.14.0/callhome-release-0.14.0.zap SHA-256:100870954c18d9f9c9ed2db5348eb069262a7c177bfbe158355c1b20e9fa5cef https://www.zaproxy.org/docs/desktop/addons/call-home/ https://github.com/zaproxy/zap-extensions/ 2025-01-09 322668 2.16.0 client Client Side Integration Exposes client (browser) side information in ZAP using Firefox and Chrome extensions. ZAP Dev Team 0.16.0 client-alpha-0.16.0.zap alpha <h3>Added</h3> <ul> <li>Client Spider scope check.</li> <li>Added optional parameters for Page Load Time and Max Crawl Depth to the Client Spider API.</li> <li>Recording advice and guidance.</li> </ul> <h3>Changed</h3> <ul> <li>Updated Chrome and Firefox extensions to v0.1.3.</li> </ul> <h3>Fixed</h3> <ul> <li>Client Spider to allow all requests while authenticating.</li> <li>Ensure that the <code>clientSpider</code> API endpoint <code>status</code> returns 100(%) only when finished.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/client-v0.16.0/client-alpha-0.16.0.zap SHA-256:a26420e71737faa67e3a7b70d6ebfbc5216f4680ab4ba3dbf09343072028c21c https://www.zaproxy.org/docs/desktop/addons/client-side-integration/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 2624539 2.16.0 commonlib >=1.23.0 network >=0.8.0 selenium >=15.14.0 commonlib Common Library A common library, for use by other add-ons. ZAP Dev Team 1.33.0 commonlib-release-1.33.0.zap release <h3>Added</h3> <ul> <li>Constants related to authentication.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/commonlib-v1.33.0/commonlib-release-1.33.0.zap SHA-256:07f9cf5358f4407a91e4fc7bde87c2a01acc49ec57d80d3b5a317cabf3e4cc67 https://www.zaproxy.org/docs/desktop/addons/common-library/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 15250049 2.16.0 communityScripts Community Scripts Useful ZAP scripts written by the ZAP community. ZAP Community 19 communityScripts-alpha-19.zap alpha <h3>Added</h3> <ul> <li>extender/arpSyndicateSubdomainDiscovery.js - uses the API of <a href="https://www.subdomain.center/">ARPSyndicate's Subdomain Center</a> to find and add subdomains to the Sites Tree.</li> <li>passive/JavaDisclosure.js - Passive scan for Java error messages leaks</li> <li>httpsender/RsaEncryptPayloadForZap.py - A script that encrypts requests using RSA</li> <li>selenium/FillOTPInMFA.js - A script that fills the OTP in MFA</li> <li>authentication/KratosApiAuthentication.js - A script to authenticate with Kratos using the API flow</li> <li>authentication/KratosBrowserAuthentication.js - A script to authenticate with Kratos using the browser flow</li> </ul> <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.15.0.</li> <li>Use Prettier to format all JavaScript scripts.</li> <li>Update the following scripts to implement the <code>getMetadata()</code> function with revised metadata: <ul> <li>active/Cross Site WebSocket Hijacking.js</li> <li>active/cve-2019-5418.js</li> <li>active/gof_lite.js</li> <li>active/JWT None Exploit.js</li> <li>active/SSTI.js</li> <li>passive/clacks.js</li> <li>passive/CookieHTTPOnly.js</li> <li>passive/detect_csp_notif_and_reportonly.js</li> <li>passive/detect_samesite_protection.js</li> <li>passive/f5_bigip_cookie_internal_ip.js</li> <li>passive/find base64 strings.js</li> <li>passive/Find Credit Cards.js</li> <li>passive/Find Emails.js</li> <li>passive/Find Hashes.js</li> <li>passive/Find HTML Comments.js</li> <li>passive/Find IBANs.js</li> <li>passive/Find Internal IPs.js</li> <li>passive/find_reflected_params.py</li> <li>passive/HUNT.py</li> <li>passive/Mutliple Security Header Check.js</li> <li>passive/google_api_keys_finder.js</li> <li>passive/JavaDisclosure.js</li> <li>passive/Report non static sites.js</li> <li>passive/RPO.js</li> <li>passive/s3.js</li> <li>passive/Server Header Disclosure.js</li> <li>passive/SQL injection detection.js</li> <li>passive/Telerik Using Poor Crypto.js</li> <li>passive/Upload form discovery.js</li> <li>passive/X-Powered-By_header_checker.js</li> </ul> </li> <li>httpsender/Alert on Unexpected Content Types.js now checks for common content-types (<code>json</code>, <code>xml</code>, and <code>yaml</code>) more consistently.</li> <li>targeted/request_to_xml.js no longer uses deprecated method to show the message in the editor dialogue.</li> </ul> https://github.com/zaproxy/community-scripts/releases/download/v19/communityScripts-alpha-19.zap SHA-256:f96502b471dd349ae2fceba4a68bde9465091580040ad8798e13bb176030bbba https://www.zaproxy.org/docs/desktop/addons/community-scripts/ https://github.com/zaproxy/community-scripts/ 2024-07-01 475346 2.15.0 coreLang Core Language Files Translations of the core language files ZAP Dev Team 15 coreLang-release-15.zap release <h3>Changed</h3> <ul> <li>Update the languages files from Crowdin.</li> <li>Update minimum ZAP version to 2.11.1.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/coreLang-v15/coreLang-release-15.zap SHA-256:d8258b914ffc95820dd045acf56677668a8cbbfc759290f72e30210056dfb88c https://crowdin.com/project/zaproxy https://github.com/zaproxy/zap-extensions/ 2022-02-14 4616009 2.11.1 custompayloads Custom Payloads Ability to add, edit or remove payloads that are used i.e. by active scanners ZAP Dev Team 0.14.0 custompayloads-release-0.14.0.zap release <h3>Changed</h3> <ul> <li>Promoted to Release status.</li> <li>Update minimum ZAP version to 2.16.0.</li> <li>Maintenance changes.</li> <li>The superfluous/unused ID element of the custom payloads has been removed from the GUI and config.</li> <li>Now depends on the Common Library add-on.</li> </ul> <h3>Added</h3> <ul> <li>Add help button to Options panel and add further detailed Help content.</li> </ul> <h3>Fixed</h3> <ul> <li>The add-on will no longer attempt to save or load Payloads for which there is no Category.</li> <li>Ensure file is selected, exists, and is readable when attempting to import multiple payloads.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/custompayloads-v0.14.0/custompayloads-release-0.14.0.zap SHA-256:fe99e67a3a456c70a25c35e5d25961c1dca417d2c94124316c2ea26965009ec2 https://www.zaproxy.org/docs/desktop/addons/custom-payloads/ https://github.com/zaproxy/zap-extensions/ 2025-01-15 292156 2.16.0 commonlib >= 1.17.0 & < 2.0.0 database Database Provides database engines and related infrastructure. ZAP Dev Team 0.8.0 database-alpha-0.8.0.zap alpha <h3>Changed</h3> <ul> <li>Allow other add-ons to use Flyway for database migration tasks.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/database-v0.8.0/database-alpha-0.8.0.zap SHA-256:c8e89451c763b1b399d9f801c8f230979d4569f849ff670d004dc2007399ba19 https://www.zaproxy.org/docs/desktop/addons/database/ https://github.com/zaproxy/zap-extensions/ 2025-03-04 23094734 2.16.0 dev Dev Add-on An add-on to help with development of ZAP. ZAP Dev Team 0.10.0 dev-alpha-0.10.0.zap alpha <h3>Added</h3> <ul> <li>Basic CSRF test app.</li> <li>Page with input elements that appear after a delay and off the displayed screen.</li> <li>Auth app which uses multiple (faked) domains.</li> <li>An auth example where there's a div that may obscure the login fields.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/dev-v0.10.0/dev-alpha-0.10.0.zap SHA-256:f749b0ec8d593fc16ec5798ce1e3668ceeb7d965dcaf029ae039acf5ebabe09a https://www.zaproxy.org/docs/desktop/addons/dev-add-on/ https://github.com/zaproxy/zap-extensions/ 2025-05-15 182901 2.16.0 commonlib >=1.17.0 network >=0.7.0 diff Diff Displays a dialog showing the differences between 2 requests or responses. It uses diffutils and diff_match_patch ZAP Dev Team 17 diff-beta-17.zap beta <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/diff-v17/diff-beta-17.zap SHA-256:6629fdcd55e509dfaf1e1004204b3dca5a75bfb1593c11bd8281bd7c7fd367b9 https://www.zaproxy.org/docs/desktop/addons/diff/ https://github.com/zaproxy/zap-extensions/ 2025-01-09 693148 2.16.0 commonlib >=1.23.0 directorylistv1 Directory List v1.0 List of directory names to be used with Forced Browse or Fuzzer add-on. ZAP Dev Team 9 directorylistv1-release-9.zap release <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/directorylistv1-v9/directorylistv1-release-9.zap SHA-256:71e5b57bcf89774267375426f2e67f789cf13a4b69c97c8946a325fa321d18ce https://www.zaproxy.org/docs/desktop/addons/directory-list-v1.0/ https://github.com/zaproxy/zap-extensions/ 2025-01-09 961164 2.16.0 directorylistv2_3 Directory List v2.3 Lists of directory names to be used with Forced Browse or Fuzzer add-on. ZAP Dev Team 4 directorylistv2_3-release-4.zap release <h3>Added</h3> <ul> <li>Add help.</li> <li>Add repo URL.</li> </ul> <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.11.0.</li> <li>Change info URL to link to the site.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/directorylistv2_3-v4/directorylistv2_3-release-4.zap SHA-256:3a8b04b9363b57acd9cf8cd67abce4c630f986e2b492a1ebd01eaa9587a0a199 https://www.zaproxy.org/docs/desktop/addons/directory-list-v2.3/ https://github.com/zaproxy/zap-extensions/ 2021-10-07 8722229 2.11.0 directorylistv2_3_lc Directory List v2.3 LC Lists of lower case directory names to be used with Forced Browse or Fuzzer add-on. ZAP Dev Team 4 directorylistv2_3_lc-release-4.zap release <h3>Added</h3> <ul> <li>Add help.</li> <li>Add repo URL.</li> </ul> <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.11.0.</li> <li>Change info URL to link to the site.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/directorylistv2_3_lc-v4/directorylistv2_3_lc-release-4.zap SHA-256:2603580ba53673c31800ef7373e7cc09de759369b6f8fb43cc9e5024ad5d9af4 https://www.zaproxy.org/docs/desktop/addons/directory-list-v2.3-lc/ https://github.com/zaproxy/zap-extensions/ 2021-10-07 7569974 2.11.0 domxss DOM XSS Active scanner rule DOM XSS Active scanner rule Aabha Biyani, ZAP Dev Team 21 domxss-release-21.zap release <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> </ul> <h3>Fixed</h3> <ul> <li>Handle exceptions while obtaining the XPath of an element.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/domxss-v21/domxss-release-21.zap SHA-256:4902e5d519c7b4a68441d9fb3ae2edc1df3d1c4086333a2e4844279e65ea96ec https://www.zaproxy.org/docs/desktop/addons/dom-xss-active-scan-rule/ https://github.com/zaproxy/zap-extensions/ 2025-01-09 284336 2.16.0 commonlib >= 1.29.0 & < 2.0.0 network >=0.1.0 selenium >= 15.13.0 encoder Encoder Adds encode/decode/hash dialog and support for scripted processors as well ZAP Dev Team 1.7.0 encoder-release-1.7.0.zap release <h3>Fixed</h3> <ul> <li>Address malformed HTML in the help.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/encoder-v1.7.0/encoder-release-1.7.0.zap SHA-256:8ef98c344fc5ebd3362d9a4fc4bda9ebaffb0d35136a40499a2fda21cadb5715 https://www.zaproxy.org/docs/desktop/addons/encode-decode-hash/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 504247 2.16.0 commonlib >=1.23.0 evalvillain Eval Villain Adds the Eval Villain extension to Firefox when launched from ZAP. Dennis Goodlett and the ZAP Dev Team 0.4.0 evalvillain-alpha-0.4.0.zap alpha <h3>Changed</h3> <ul> <li>Updated with new version of Eval Villain.</li> <li>Update minimum ZAP version to 2.15.0.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/evalvillain-v0.4.0/evalvillain-alpha-0.4.0.zap SHA-256:dedb6245cee2383b13eb4c0c58301ee2518c6e0af36359559f2e1638a8a076e3 https://www.zaproxy.org/docs/desktop/addons/eval-villain/ https://github.com/zaproxy/zap-extensions/ 2024-11-25 4957040 2.15.0 selenium >=15.5.0 exim Import/Export Import and Export functionality ZAP Dev Team & thatsn0tmysite 0.14.0 exim-beta-0.14.0.zap beta <h3>Changed</h3> <ul> <li>Caps fix in Import menu (Issue 2000).</li> </ul> <h3>Fixed</h3> <ul> <li>Sites Tree export now correctly handles node names with newlines and special characters (Issue 8858).</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/exim-v0.14.0/exim-beta-0.14.0.zap SHA-256:82502ddb13af4cf434f5f821a3df274cc505dc93f512574cf28cee77de3edb4d https://www.zaproxy.org/docs/desktop/addons/import-export/ https://github.com/zaproxy/zap-extensions/ 2025-03-25 1054064 2.16.0 commonlib >= 1.28.0 & < 2.0.0 fileupload FileUpload Detect File upload requests and scan them to find related vulnerabilities KSASAN preetkaran20@gmail.com 1.2.1 fileupload-alpha-1.2.1.zap alpha https://github.com/zaproxy/zap-extensions/releases/download/2.7/fileupload-alpha-1.2.1.zap SHA-256:84734320ed04f6e287cc0458897e99e80fe16d632d071e73187e446448b5fa7f https://www.zaproxy.org/blog/2021-08-20-zap-fileupload-addon/ https://github.com/SasanLabs/owasp-zap-fileupload-addon/ 2023-10-23 78272 2.11.0 formhandler Value Generator This Value Generator Add-on allows a user to define field names and values to be used when submitting values to an app. Fields can be added, modified, enabled/disabled, and deleted. ZAP Dev Team 6.7.0 formhandler-beta-6.7.0.zap beta <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> <li>Depend on Common Library add-on, to provide the default/custom values to the other add-ons (Issue 8016).</li> </ul> <h3>Fixed</h3> <ul> <li>Fixed an issue in the help which may cause images to be displayed inline impacting the flow of the text.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/formhandler-v6.7.0/formhandler-beta-6.7.0.zap SHA-256:2adb0a7f60f7c43861cdeac14d0d72cde139abcaf12fdd6cb82cf4739e52bd81 https://www.zaproxy.org/docs/desktop/addons/value-generator/ https://github.com/zaproxy/zap-extensions/ 2025-01-09 2128203 2.16.0 commonlib >= 1.29.0 & < 2.0.0 fuzz Fuzzer Advanced fuzzer for manual testing ZAP Dev Team 13.16.0 fuzz-beta-13.16.0.zap beta <h3>Changed</h3> <ul> <li>Maintenance changes.</li> <li>Use a scrollbar in the Default Category combo box instead of making the options panel larger (Issue 8923).</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/fuzz-v13.16.0/fuzz-beta-13.16.0.zap SHA-256:c39125db01a774b19b5f224d504a301a0f25a213e87a3ce58d90306a79a70701 https://www.zaproxy.org/docs/desktop/addons/fuzzer/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 2014901 2.16.0 commonlib >= 1.23.0 & < 2.0.0 fuzzai FuzzAI Files FuzzAI files which can be used with the ZAP fuzzer ZAP Dev Team 0.0.1 fuzzai-release-0.0.1.zap release <h3>Added</h3> <ul> <li>First version</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/fuzzai-v0.0.1/fuzzai-release-0.0.1.zap SHA-256:7d60565b5814b8523514c5d8001d0bdf1f30f6d96cae9b4ac0abb45ee7abcaea https://www.zaproxy.org/docs/desktop/addons/fuzzai-files/ https://github.com/zaproxy/zap-extensions/ 2024-09-24 50063 2.15.0 fuzzdb FuzzDB Files FuzzDB files which can be used with the ZAP fuzzer ZAP Dev Team 9 fuzzdb-release-9.zap release <h3>Changed</h3> <ul> <li>Updated RAFT lists based on more recent SecLists contributions</li> <li>Update minimum ZAP version to 2.11.1.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/fuzzdb-v9/fuzzdb-release-9.zap SHA-256:c79537362cd6b383f447359685e3bd51795600b97ca0c1fadc4ba74828a7d4f4 https://www.zaproxy.org/docs/desktop/addons/fuzzdb-files/ https://github.com/zaproxy/zap-extensions/ 2022-09-23 6167205 2.11.1 fuzzdboffensive FuzzDB Offensive FuzzDB web backdoors and attack files which can be used with the ZAP fuzzer or for manual penetration testing - contains files that may well be flagged by anti-virus tools ZAP Dev Team 5 fuzzdboffensive-release-5.zap release <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.14.0.</li> <li>Updated help and description to say this may cause problems with anti-virus tools (Issue 8297).</li> </ul> https://github.com/zaproxy/fuzzdb-offensive/releases/download/v5/fuzzdboffensive-release-5.zap SHA-256:9d7bf6f8df62e5ee56e72b47785e6027674127ae70604d9c4f6dc0cea1f536dc https://www.zaproxy.org/docs/desktop/addons/fuzzdb-offensive/ https://github.com/zaproxy/fuzzdb-offensive/ 2024-01-11 523693 2.14.0 gettingStarted Getting Started with ZAP Guide A short Getting Started with ZAP Guide ZAP Dev Team 19 gettingStarted-release-19.zap release <h3>Changed</h3> <ul> <li>Update Getting Started Guide for 2.16.0.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/gettingStarted-v19/gettingStarted-release-19.zap SHA-256:74ca76fbe518917005828d3b4f4392d8d91b5e11d1d6517a1ae9fc19f16bfd9b https://www.zaproxy.org/docs/desktop/addons/getting-started-guide/ https://github.com/zaproxy/zap-extensions/ 2025-01-09 968572 2.16.0 graaljs GraalVM JavaScript Provides the GraalVM JavaScript engine for ZAP scripting. ZAP Dev Team 0.9.0 graaljs-alpha-0.9.0.zap alpha <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/graaljs-v0.9.0/graaljs-alpha-0.9.0.zap SHA-256:8abec96df1ff90177953d5fffd4dfd57228c1a8d8e140a521e81ea80a256ca19 https://www.zaproxy.org/docs/desktop/addons/graalvm-javascript/ https://github.com/zaproxy/zap-extensions/ 2025-01-09 24540532 2.16.0 commonlib >=1.24.0 scripts >=45.2.0 graphql GraphQL Support Inspect and attack GraphQL endpoints. ZAP Dev Team 0.28.0 graphql-alpha-0.28.0.zap alpha <h3>Fixed</h3> <ul> <li>A Null Pointer Exception which occurred when installing the add-on when Tech Detection (Wappalyzer) add-on was already installed (Issue 8902).</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/graphql-v0.28.0/graphql-alpha-0.28.0.zap SHA-256:f71725838a911988ce76cc2f188fa27b6e899e1fae900f5e75996a9ccf605db9 https://www.zaproxy.org/docs/desktop/addons/graphql-support/ https://github.com/zaproxy/zap-extensions/ 2025-03-26 5524748 2.16.0 commonlib >= 1.29.0 & < 2.0.0 groovy Groovy Support Adds Groovy support to ZAP ZAP Dev Team 3.2.0 groovy-beta-3.2.0.zap beta <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.14.0.</li> <li>Maintenance changes.</li> <li>Replace usage of singletons with injected variables (e.g. <code>model</code>, <code>control</code>) in scripts.</li> <li>Dependency updates.</li> <li>Update Active and Passive Script Templates to include a <code>getMetadata</code> function. This will allow them to be used as regular scan rules.</li> <li>Depend on the <code>commonlib</code> and <code>scripts</code> add-ons for scan rule scripts.</li> </ul> <h3>Fixed</h3> <ul> <li>Updated encode-decode script template to conform to the latest method signatures.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/groovy-v3.2.0/groovy-beta-3.2.0.zap SHA-256:2603bcff3728308c6dab09135def96a1209ce8219b0d1f9d861c59b5a8fc522e https://www.zaproxy.org/docs/desktop/addons/groovy-support/ https://github.com/zaproxy/zap-extensions/ 2024-04-11 20168743 2.14.0 commonlib >=1.24.0 scripts >=45.2.0 grpc gRPC Support Inspect, attack gRPC endpoints, and decode protobuf messages. ZAP Dev Team 0.2.0 grpc-alpha-0.2.0.zap alpha <h3>Added</h3> <ul> <li>gRPC WebSocket Support Added</li> </ul> <h3>Fixed</h3> <ul> <li>Do not try to decode non-gRPC responses when active scanning, which would lead to unnecessary warnings.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/grpc-v0.2.0/grpc-alpha-0.2.0.zap SHA-256:028464ebc6c80f36fd32088c7aede870f68940dcbb2064a0ed6bfe2bb93f37e1 https://www.zaproxy.org/docs/desktop/addons/grpc-support/ https://github.com/zaproxy/zap-extensions/ 2024-07-02 8202269 2.15.0 help Help - English English version of the ZAP help file. ZAP Crowdin Team 20 help-release-20.zap release <h3>Fixed</h3> <ul> <li>Remove TOC entries that no longer exist.</li> </ul> <h3>Changed</h3> <ul> <li>Updated for 2.16.1.</li> </ul> https://github.com/zaproxy/zap-core-help/releases/download/help-v20/help-release-20.zap SHA-256:851d68575d96abcfc1bc24307b4d83c0f697383785b3107251d85b95e887b929 https://www.zaproxy.org/docs/desktop/ https://github.com/zaproxy/zap-core-help/ 2025-03-25 639618 2.16.0 help_ar_SA Help - Arabic Arabic version of the ZAP help file. ZAP Crowdin Team 1 help_ar_SA-alpha-1.zap alpha <ul> <li>First version.</li> </ul> https://github.com/zaproxy/zap-core-help/releases/download/help_ar_SA-v1/help_ar_SA-alpha-1.zap SHA-256:8208b0c788d5e29a2bb34f3c44c07db613faefb17d8d9cfb60adc02629c2b3f1 https://github.com/zaproxy/zap-core-help/ 2022-01-18 649333 2.11.0 help_bs_BA Help - Bosnian Bosnian version of the ZAP help file. ZAP Crowdin Team 9 help_bs_BA-alpha-9.zap alpha Updated with the latest files from crowdin https://github.com/zaproxy/zap-extensions/releases/download/2.7/help_bs_BA-alpha-9.zap SHA1:d33a3277e877da4734e6bf9c911c61c4e6ce2f3f 2018-02-08 747536 2.7.0 help_es_ES Help - Spanish Spanish version of the ZAP help file. ZAP Crowdin Team 10 help_es_ES-release-10.zap release <h3>Changed</h3> <ul> <li>Updated with the latest files from crowdin</li> </ul> https://github.com/zaproxy/zap-core-help/releases/download/help_es_ES-v10/help_es_ES-release-10.zap SHA-256:63cc24e180374cf038d6aefe31b3f62e170437958ad61d2d3e65d2722fbedc1a https://github.com/zaproxy/zap-core-help/ 2022-01-18 697066 2.11.0 help_fil_PH Help - Filipino Filipino version of the ZAP help file. ZAP Crowdin Team 3 help_fil_PH-alpha-3.zap alpha <h3>Changed</h3> <ul> <li>Updated with the latest files from crowdin</li> </ul> https://github.com/zaproxy/zap-core-help/releases/download/help_fil_PH-v3/help_fil_PH-alpha-3.zap SHA-256:64bbeb0f9404b70c0d49e9fd5da789b8d3902a20f518c7305eb412242831a180 https://github.com/zaproxy/zap-core-help/ 2022-01-18 710027 2.11.0 help_fr_FR Help - French French version of the ZAP help file. ZAP Crowdin Team 10 help_fr_FR-alpha-10.zap alpha <h3>Changed</h3> <ul> <li>Updated with the latest files from crowdin</li> </ul> https://github.com/zaproxy/zap-core-help/releases/download/help_fr_FR-v10/help_fr_FR-alpha-10.zap SHA-256:f1ede9441e5de48170fdef598eb543ef6ad0813eed2e838d2c4803ea114fcb1a https://github.com/zaproxy/zap-core-help/ 2022-01-18 646717 2.11.0 help_id_ID Help - Indonesian Indonesian version of the ZAP help file. ZAP Crowdin Team 3 help_id_ID-beta-3.zap beta <h3>Changed</h3> <ul> <li>Updated with the latest files from crowdin</li> </ul> https://github.com/zaproxy/zap-core-help/releases/download/help_id_ID-v3/help_id_ID-beta-3.zap SHA-256:ef50363872d783c3c49417bc821b28256cf35d8390004c48f6d4e030ceb8a7c5 https://github.com/zaproxy/zap-core-help/ 2022-01-18 671009 2.11.0 help_ja_JP Help - Japanese Japanese version of the ZAP help file. ZAP Crowdin Team 10 help_ja_JP-beta-10.zap beta <h3>Changed</h3> <ul> <li>Updated with the latest files from crowdin</li> </ul> https://github.com/zaproxy/zap-core-help/releases/download/help_ja_JP-v10/help_ja_JP-beta-10.zap SHA-256:11d310352e8719fe50587c5b97dd5eeb3a2e2ab23e450a7c1d0fad013d003536 https://github.com/zaproxy/zap-core-help/ 2022-01-18 661964 2.11.0 help_ms_MY Help - Malay Malay version of the ZAP help file. ZAP Crowdin Team 1 help_ms_MY-alpha-1.zap alpha <ul> <li>First version.</li> </ul> https://github.com/zaproxy/zap-core-help/releases/download/help_ms_MY-v1/help_ms_MY-alpha-1.zap SHA-256:6407990b8ebaa2e401c3addc47081c742ab7fce25cec107ef49b4e627ad3ceae https://github.com/zaproxy/zap-core-help/ 2022-01-18 636908 2.11.0 help_pt_BR Help - Portuguese, Brazilian Portuguese, Brazilian version of the ZAP help file. ZAP Crowdin Team 11 help_pt_BR-release-11.zap release <h3>Changed</h3> <ul> <li>Updated with the latest files from crowdin</li> </ul> https://github.com/zaproxy/zap-core-help/releases/download/help_pt_BR-v11/help_pt_BR-release-11.zap SHA-256:3fdf92763c1c851848df6b3588c97bbeb22837002351fd00c8208d8ab01ff710 https://github.com/zaproxy/zap-core-help/ 2022-01-18 682092 2.11.0 help_ru_RU Help - Russian Russian version of the ZAP help file. ZAP Crowdin Team 2 help_ru_RU-release-2.zap release <h3>Changed</h3> <ul> <li>Promote to Release</li> </ul> https://github.com/zaproxy/zap-core-help/releases/download/help_ru_RU-v2/help_ru_RU-release-2.zap SHA-256:3fd5d8e6af7453a3a16e7c38a19ec941a330d0fd050f562ecebdc4638ae52c80 https://github.com/zaproxy/zap-core-help/ 2022-02-24 779171 2.11.0 help_tr_TR Help - Turkish Turkish version of the ZAP help file. ZAP Crowdin Team 2 help_tr_TR-release-2.zap release <h3>Changed</h3> <ul> <li>Updated with the latest files from crowdin</li> </ul> https://github.com/zaproxy/zap-core-help/releases/download/help_tr_TR-v2/help_tr_TR-release-2.zap SHA-256:a92b43beab5e196341d8ddf40d594f1596c225c74f0f5b9280e223acc9a8535c https://github.com/zaproxy/zap-core-help/ 2022-01-18 710766 2.11.0 help_zh_CN Help - Chinese Simplified Chinese Simplified version of the ZAP help file. ZAP Crowdin Team 3 help_zh_CN-beta-3.zap beta <h3>Changed</h3> <ul> <li>Updated with the latest files from crowdin</li> </ul> https://github.com/zaproxy/zap-core-help/releases/download/help_zh_CN-v3/help_zh_CN-beta-3.zap SHA-256:959b718a307ca32c7807c0d327533765eeb6a0a799b9bc98a2a1e22b3b47bc5a https://github.com/zaproxy/zap-core-help/ 2022-01-18 656718 2.11.0 highlighter Highlighter Allows you to highlight strings in the request and response tabs. ZAP Dev Team 8 highlighter-alpha-8.zap alpha <h3>Added</h3> <ul> <li>Add help.</li> <li>Add info and repo URLs.</li> </ul> <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.11.0.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/highlighter-v8/highlighter-alpha-8.zap SHA-256:4c4852bb2f42eb20dbe19a091e9025667947c73967a65770658333bedd01fccf https://www.zaproxy.org/docs/desktop/addons/highlighter/ https://github.com/zaproxy/zap-extensions/ 2021-10-07 115527 2.11.0 hud HUD - Heads Up Display Display information from ZAP in browser. ZAP Dev Team 0.19.0 hud-beta-0.19.0.zap beta <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.15.0.</li> <li>Disable the HUD by default - it still works but its flaky, and currently not a focus for us.</li> </ul> https://github.com/zaproxy/zap-hud/releases/download/v0.19.0/hud-beta-0.19.0.zap SHA-256:737239ce1b765ff32f9351a647594f22d725d319b94f7a2ef2cb153aadf832df https://www.zaproxy.org/docs/desktop/addons/hud/ https://github.com/zaproxy/zap-hud/ 2024-05-07 1382692 2.15.0 network >= 0.1.0 websocket imagelocationscanner Image Location and Privacy Scanner Image Location and Privacy Passive Scanner Jay Ball (@veggiespam) and the ZAP Dev Team 6 imagelocationscanner-beta-6.zap beta <h3>Added</h3> <ul> <li>Updated to Image Location and Privacy Scanner version 1.2; merged from <a href="https://github.com/veggiespam/ImageLocationScanner">source</a> <ul> <li>Updated dependency Metadata Extractor to 2.19.0</li> <li>Added support for scanning HEIF image format used by modern iPhone images</li> <li>Added support for Samsung, more Reconyxs, &amp; Sony camera proprietary privacy leakage</li> <li>Added detection for a few new information leakage tags in currently supported cameras.</li> <li>Added GPS elevation detection</li> </ul> </li> <li>The rule has been tagged of interest to Penetration Testers and QA.</li> </ul> <h3>Changed</h3> <ul> <li>Depends on an updated version of the Common Library add-on.</li> <li>Update minimum ZAP version to 2.16.0.</li> </ul> <h3>Removed</h3> <ul> <li>No longer support XMP as it was too unreliable.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/imagelocationscanner-v6/imagelocationscanner-beta-6.zap SHA-256:1f2ec1b0f05617ba5d6c4078751ddb2ddbd23ae4aa47b9c7520bacc61d2c85e8 https://www.zaproxy.org/docs/desktop/addons/image-location-and-privacy-scanner/ https://github.com/zaproxy/zap-extensions/ 2025-06-19 1392553 2.16.0 commonlib >= 1.32.0 & < 2.0.0 invoke Invoke Applications Invoke external applications passing context related information such as URLs and parameters ZAP Dev Team 16 invoke-beta-16.zap beta <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/invoke-v16/invoke-beta-16.zap SHA-256:439fd2ff1d090779bc9f874696286d1685dffa7b83624254c2b92a2daa943464 https://www.zaproxy.org/docs/desktop/addons/invoke-applications/ https://github.com/zaproxy/zap-extensions/ 2025-01-09 323503 2.16.0 commonlib >=1.23.0 jruby Ruby Scripting Allows Ruby to be used for ZAP scripting - templates included ZAP Dev Team 8 jruby-beta-8.zap beta <h3>Changed</h3> <ul> <li>Update links to zaproxy repo.</li> <li>Rename reliability to confidence in active/passive templates.</li> <li>Maintenance changes.</li> <li>Update minimum ZAP version to 2.11.0.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/jruby-v8/jruby-beta-8.zap SHA-256:f5bb450a165f6c407b8d24f7b2776bdc7a2edb0b4b42aea385f8a6ad1ae605ca https://www.zaproxy.org/docs/desktop/addons/ruby-scripting/ https://github.com/zaproxy/zap-extensions/ 2021-10-07 21968128 2.11.0 jsonview JSON View Adds a view that shows JSON messages nicely formatted Juha Kivekäs 3 jsonview-alpha-3.zap alpha <h3>Changed</h3> <ul> <li>Maintenance changes.</li> <li>Update minimum ZAP version to 2.13.0.</li> <li>Depend on Common Library add-on to reuse libraries (Issue 7961).</li> </ul> <h3>Fixed</h3> <ul> <li>Use other library to format the JSON bodies (Issue 7798).</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/jsonview-v3/jsonview-alpha-3.zap SHA-256:ddafbbced033cc937ef37182e3650119dee3c7e5f1ac4ded73ea42125467184d https://www.zaproxy.org/docs/desktop/addons/json-view/ https://github.com/zaproxy/zap-extensions/ 2023-09-07 120558 2.13.0 commonlib >= 1.16.0 & < 2.0.0 jwt JWT Support Detect JWT requests and scan them to find related vulnerabilities KSASAN preetkaran20@gmail.com 1.0.3 jwt-alpha-1.0.3.zap alpha <ul> <li>First version of JWT Support. <ul> <li>Contains scanning rules for basic JWT related vulnerabilities.</li> <li>Contains JWT Fuzzer for fuzzing the JWT's present in the request.</li> </ul> </li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/2.7/jwt-alpha-1.0.3.zap SHA-256:d3df8480010ad2df230cbdb99619aafdb869861349455c3da0129a99b132d204 https://github.com/SasanLabs/owasp-zap-jwt-addon/ 2023-01-02 751748 2.11.1 commonlib fuzz 13.* jython Python Scripting Allows Python to be used for ZAP scripting - templates included ZAP Dev Team 15 jython-beta-15.zap beta <h3>Changed</h3> <ul> <li>Maintenance changes.</li> <li>Update Active and Passive Script Templates to include a <code>getMetadata</code> function. This will allow them to be used as regular scan rules.</li> <li>Depend on the <code>commonlib</code> add-on for scan rule scripts.</li> <li>Update minimum <code>scripts</code> add-on version to 45.1.0.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/jython-v15/jython-beta-15.zap SHA-256:019a64ba85cc9021a841e7253ae14f619129b603ab2048bec9593f5d59c1da02 https://www.zaproxy.org/docs/desktop/addons/python-scripting/ https://github.com/zaproxy/zap-extensions/ 2024-04-11 43315501 2.14.0 commonlib >=1.24.0 scripts >=45.2.0 kotlin Kotlin Support Allows Kotlin to be used for ZAP scripting StackHawk Engineering 1.1.0 kotlin-alpha-1.1.0.zap alpha <h3>Changed</h3> <ul> <li>Use appropriate syntax style for highlighting of code.</li> <li>Update minimum ZAP version to 2.11.0.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/kotlin-v1.1.0/kotlin-alpha-1.1.0.zap SHA-256:85a47ea7199b77cfb09081302c277de2ba5e2102ef79907573ebcfa6425302e9 https://www.zaproxy.org/docs/desktop/addons/kotlin-support/ https://github.com/zaproxy/zap-extensions/ 2021-10-07 48865539 2.11.0 levoai Levo.ai Build OpenAPI Specs with ZAP traffic using Levo.ai. Levo.ai 0.3.0 levoai-zap-addon-alpha-0.3.0.zap alpha <h3>Added</h3> <ul> <li>Option to configure an organization ID that is added as a header in the requests made to the Satellite.</li> <li>Option to specify the environment under which the discovered apps will be shown in the Levo dashboard.</li> <li>Set the sensor type in the requests made to the Satellite.</li> </ul> https://github.com/levoai/levoai-zap-addon/releases/download/v0.3.0/levoai-zap-addon-alpha-0.3.0.zap SHA-256:1a86d7c288bf4284e83f54203f4ed8dd7d40b2bd47fbb8f8f853da67676269d2 https://levo.ai https://github.com/levoai/levoai-zap-addon 2024-07-10 2465951 2.12.0 maplocal Map Local Allows mapping of responses to content of a chosen local file. Keindel (Andrey Maksimov) 0.0.1 maplocal-alpha-0.0.1.zap alpha <ul> <li>First version of Map Local extension. Provides feature to map Response Body to a content of chosen local file. <ul> <li>Has status panel in UI with 3 columns: Enabled / URL / Local Path.</li> <li>Has add / edit dialog with browse button to choose file.</li> <li>Has file choice verification check.</li> <li>Popup menus in sites and history, edit / remove - popups in status panel.</li> <li>Persists to session DB.</li> </ul> </li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/2.7/maplocal-alpha-0.0.1.zap SHA-256:d3ecd2a6e23b06ffed8646ee2314d921a1c1925c3ab08070a624a090734ebdca https://github.com/Keindel/owasp-zap-maplocal-addon 2023-10-05 49040 2.12.0 neonmarker Neonmarker Colors history table items based on tags Juha Kivekäs, Kingthorin 1.8.0 neonmarker-alpha-1.8.0.zap alpha <h3>Changed</h3> <ul> <li>Adjust initialization of the Tags list</li> </ul> https://github.com/kingthorin/neonmarker/releases/download/v1.8.0/neonmarker-alpha-1.8.0.zap SHA-256:b4a52ab49d887fa1772b4b371d9ec9e48f2bb5dd0add25f21130b9e58e053e0b https://www.zaproxy.org/docs/desktop/addons/neonmarker/ https://github.com/kingthorin/neonmarker 2025-02-14 35958 2.16.0 pscan >=0.2.0 network Network Provides core networking capabilities. ZAP Dev Team 0.22.0 network-beta-0.22.0.zap beta <h3>Fixed</h3> <ul> <li>A typo in the help with regard to Transparent Proxying.</li> </ul> <h3>Changed</h3> <ul> <li>Default Global Exclusions patterns: <ul> <li>All case insensitive (Issue 8930).</li> <li>Fix a naming mistake in &quot;ExtParam - .NET adx resources (SR/WR.adx?d=)&quot; adx should have been axd.</li> <li>Extend Image related patterns to include svg and webp.</li> <li>Extend Audio/Video patterns to include webm.</li> </ul> </li> <li>Change default log level of cookies processing to error to avoid flooding the logs with warnings when the cookies are rejected/invalid.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/network-v0.22.0/network-beta-0.22.0.zap SHA-256:cfcd202ca42e8b99c1c87a23c1661293181fc20fd95073decac757b0e47bc687 https://www.zaproxy.org/docs/desktop/addons/network/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 28129285 2.16.0 oast OAST Support Allows you to exploit out-of-band vulnerabilities ZAP Dev Team 0.22.0 oast-beta-0.22.0.zap beta <h3>Changed</h3> <ul> <li>Link to repositories/documentation instead of service URLs in the help content.</li> <li>No longer provide a default server URL for Interactsh due to (random) unavailability.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/oast-v0.22.0/oast-beta-0.22.0.zap SHA-256:7ddbcda77b9f58a0b7b3f4db4bf3aaa7b7bf87c4ee578d343e748a5b8c077a0e https://www.zaproxy.org/docs/desktop/addons/oast-support/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 904262 2.16.0 database >= 0.6.0 network >= 0.1.0 onlineMenu Online menus ZAP Online menu items ZAP Dev Team 14 onlineMenu-release-14.zap release <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/onlineMenu-v14/onlineMenu-release-14.zap SHA-256:da47b95478c008545f403ffc20640c12c6215211e93727118f0854a2e40c5794 https://www.zaproxy.org/docs/desktop/addons/online-menu/ https://github.com/zaproxy/zap-extensions/ 2025-01-09 208647 2.16.0 openapi OpenAPI Support Imports and spiders OpenAPI definitions. ZAP Dev Team plus Joanna Bona, Nathalie Bouchahine, Artur Grzesica, Mohammad Kamar, Markus Kiss, Michal Materniak, Marcin Spiewak, and SDA SE Open Industry Solutions 45 openapi-beta-45.zap beta <h3>Fixed</h3> <ul> <li>Correct definition detection while spidering.</li> </ul> <h3>Changed</h3> <ul> <li>Clarified an error message which occurs in automation if there's a problem importing.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/openapi-v45/openapi-beta-45.zap SHA-256:a6eb04864d5c8887dd7a625b1bc01d0e0c2a8cb3ed412762faa9143bb4d65d93 https://www.zaproxy.org/docs/desktop/addons/openapi-support/ https://github.com/zaproxy/zap-extensions/ 2025-03-24 11575308 2.16.0 commonlib >= 1.29.0 & < 2.0.0 packpentester Collection: Pentester Pack A collection of add-ons ideal for pentesters ZAP Dev Team 0.1.0 packpentester-alpha-0.1.0.zap alpha <h3>Fixed</h3> <ul> <li>Corrected fuzz add-on name</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/packpentester-v0.1.0/packpentester-alpha-0.1.0.zap SHA-256:0b8e7e4ddffdcacf46fdf9793bf84217738e281cbd5ccac732788c4b768d069c https://www.zaproxy.org/docs/desktop/addons/collection-pentester-pack/ https://github.com/zaproxy/zap-extensions/ 2022-05-12 6792 2.11.1 accessControl attacksurfacedetector custompayloads evalvillain fileupload fuzz fuzzdb jsonview jwt requester viewstate wappalyzer packscanrules Collection: Scan Rules Pack All of the add-ons just containing release, beta and alpha status scan rules ZAP Dev Team 0.0.1 packscanrules-alpha-0.0.1.zap alpha <p>First version.</p> https://github.com/zaproxy/zap-extensions/releases/download/packscanrules-v0.0.1/packscanrules-alpha-0.0.1.zap SHA-256:5ad68f153379bd96f36a7bead61e884cc42e1409cdd262dffc682b5f7bf92da4 https://www.zaproxy.org/docs/desktop/addons/collection-scan-rules-pack/ https://github.com/zaproxy/zap-extensions/ 2022-05-13 9244 2.11.1 ascanrules ascanrulesAlpha ascanrulesBeta domxss pscanrules pscanrulesAlpha pscanrulesBeta retire paramdigger Parameter Digger Identify hidden, unlinked parameters. Useful for finding web cache poisoning vulnerabilities. ZAP Dev Team and Arkaprabha Chakraborty 0.3.0 paramdigger-alpha-0.3.0.zap alpha <h3>Added</h3> <ul> <li>Support for menu weights (Issue 8369)</li> </ul> <h3>Changed</h3> <ul> <li>Maintenance changes.</li> <li>Update minimum ZAP version to 2.15.0.</li> <li>The output panel is now properly reset on ZAP session change (part of Issue 7694).</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/paramdigger-v0.3.0/paramdigger-alpha-0.3.0.zap SHA-256:585e4853c7cbc3c925ea4d5e1cfbcd6d8a3d4a20b00bdd49f582743cc6a9e281 https://www.zaproxy.org/docs/desktop/addons/parameter-digger/ https://github.com/zaproxy/zap-extensions/ 2024-07-15 561541 2.15.0 commonlib >= 1.23.0 & < 2.0.0 plugnhack Plug-n-Hack Configuration Supports the Mozilla Plug-n-Hack standard: https://developer.mozilla.org/en-US/docs/Plug-n-Hack. ZAP Dev Team 13 plugnhack-beta-13.zap beta <h3>Changed</h3> <ul> <li>Maintenance changes.</li> <li>Update minimum ZAP version to 2.12.0.</li> <li>Use Network add-on to obtain main proxy address/port.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/plugnhack-v13/plugnhack-beta-13.zap SHA-256:8d74b572bb7e08d09ebcfd10da9f2f65f7970f9452feadb8bbe69c8037b80ee2 https://www.zaproxy.org/docs/desktop/addons/plug-n-hack/ https://github.com/zaproxy/zap-extensions/ 2022-10-27 736005 2.12.0 network >= 0.2.0 postman Postman Support Imports and spiders Postman collections. ZAP Dev Team 0.6.0 postman-alpha-0.6.0.zap alpha <h3>Fixed</h3> <ul> <li>Correct deserialization of headers.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/postman-v0.6.0/postman-alpha-0.6.0.zap SHA-256:ee4b5db5adaea09367730c05b544920c939dffbb44e0d9c343f7bb7b58d3ef10 https://www.zaproxy.org/docs/desktop/addons/postman-support/ https://github.com/zaproxy/zap-extensions/ 2025-02-03 283411 2.16.0 commonlib >= 1.16.0 & < 2.0.0 pscan Passive Scanner Provides core passive scanning capabilities. ZAP Dev Team 0.3.0 pscan-alpha-0.3.0.zap alpha <h3>Changed</h3> <ul> <li>Adjusted further dialog, progress, and log messages with regard to preventing inclusion of commas in scan rule ID numbers. As well as ensuring consistency in use of ID (full caps) for table column headings.</li> <li>Depend on the Common Library add-on.</li> <li>Log all errors that might happen during the passive scan.</li> </ul> <h3>Added</h3> <ul> <li>The Stats Passive Scan Rule been tagged of interest to Penetration Testers, as well as adding tags associated with DEV or QA applicability.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/pscan-v0.3.0/pscan-alpha-0.3.0.zap SHA-256:0a917d1dac147a7669e72ff93687b08931e88e78652485561521106cc93e0507 https://www.zaproxy.org/docs/desktop/addons/passive-scanner/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 676378 2.16.0 commonlib >= 1.32.0 & < 2.0.0 pscanrules Passive scanner rules The release status Passive Scanner rules ZAP Dev Team 65 pscanrules-release-65.zap release <h3>Added</h3> <ul> <li>All rules have been tagged of interest to Penetration Testers, as well as adding tags associated with DEV or QA applicability.</li> </ul> <h3>Changed</h3> <ul> <li>Depends on an updated version of the Common Library add-on.</li> <li>Clarified details of the Viewstate scan rule alerts, in some instances they were misleading (containing colons suggesting further data).</li> <li>The Open Redirect scan rule (ID: 10028) and its alerts have been renamed &quot;Off-site Redirect&quot; as this is a passive rule which compares the authority of the origin and destination and there is no assurance of a truly &quot;open&quot; redirect.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/pscanrules-v65/pscanrules-release-65.zap SHA-256:c604a5924a1f1934751e8018ef69bd8015e4ba4d6088a120cbff63d52ebccf2f https://www.zaproxy.org/docs/desktop/addons/passive-scan-rules/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 1943150 2.16.0 commonlib >= 1.32.0 & < 2.0.0 pscan pscanrulesAlpha Passive scanner rules (alpha) The alpha status Passive Scanner rules ZAP Dev Team 45 pscanrulesAlpha-alpha-45.zap alpha <h3>Added</h3> <ul> <li>All rules have been tagged of interest to Penetration Testers, as well as adding tags associated with DEV or QA applicability.</li> </ul> <h3>Changed</h3> <ul> <li>Depends on an updated version of the Common Library add-on.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/pscanrulesAlpha-v45/pscanrulesAlpha-alpha-45.zap SHA-256:1cfec4ffeb0a054c4b0572f7400b8931b88b3436f3edc999fbf8a1f4579a797a https://www.zaproxy.org/docs/desktop/addons/passive-scan-rules-alpha/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 561559 2.16.0 commonlib >= 1.32.0 & < 2.0.0 pscanrulesBeta Passive scanner rules (beta) The beta status Passive Scanner rules ZAP Dev Team 44 pscanrulesBeta-beta-44.zap beta <h3>Changed</h3> <ul> <li>Dropped period from extension name used in the GUI.</li> <li>Depends on an updated version of the Common Library add-on.</li> </ul> <h3>Fixed</h3> <ul> <li>A false positive with the Sub Resource Integrity Attribute Missing scan rule with regard to which link tags it raises alerts on (Issue 8938).</li> </ul> <h3>Added</h3> <ul> <li>All rules have been tagged of interest to Penetration Testers, as well as adding tags associated with DEV or QA applicability.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/pscanrulesBeta-v44/pscanrulesBeta-beta-44.zap SHA-256:3a24c0b21897b3bd2a9472196b7a0a1f11f566172aef075487d358bfa80eb087 https://www.zaproxy.org/docs/desktop/addons/passive-scan-rules-beta/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 682438 2.16.0 commonlib >= 1.32.0 & < 2.0.0 quickstart Quick Start Provides a tab which allows you to quickly test a target application ZAP Dev Team 51 quickstart-release-51.zap release <h3>Added</h3> <ul> <li>Stats counter to the main toolbar button (Issue 8375).</li> </ul> <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> <li>Depend on Passive Scanner add-on (Issue 7959).</li> </ul> <h3>Fixed</h3> <ul> <li>An exception that prevented the look and feel from changing completely.</li> <li>Issues setting the AJAX Spider options.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/quickstart-v51/quickstart-release-51.zap SHA-256:907d8ef64109a853974222b3a64d2021335d19db426f8670134e8d7312bdc0ce https://www.zaproxy.org/docs/desktop/addons/quick-start/ https://github.com/zaproxy/zap-extensions/ 2025-01-10 774568 2.16.0 callhome >= 0.0.1 network >= 0.3.0 pscan >= 0.1.0 & < 1.0.0 reports >= 0.4.0 reflect Reflect Finds reflected parameters Caleb Kinney 0.0.11 reflect-alpha-0.0.11.zap alpha https://github.com/zaproxy/zap-extensions/releases/download/2.7/reflect-alpha-0.0.11.zap SHA-256:c45307037042e4079546a5fcb17d1165475e5cdd5ba7e8abc0d2cf0a14866466 https://github.com/TypeError/reflect/ 2021-02-19 1780219 2.9.0 regextester Regular Expression Tester Allows to test Regular Expressions ZAP Dev Team 2 regextester-alpha-2.zap alpha <h3>Added</h3> <ul> <li>Add help.</li> <li>Add info and repo URLs.</li> </ul> <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.11.0.</li> </ul> <h3>Fixed</h3> <ul> <li>Close dialogues when the add-on is uninstalled.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/regextester-v2/regextester-alpha-2.zap SHA-256:b4706709c16a45e8bedc0bd6f28dd09532d5dbf3f1fe2c2853e20dbf6160a584 https://www.zaproxy.org/docs/desktop/addons/regular-expression-tester/ https://github.com/zaproxy/zap-extensions/ 2021-10-07 159441 2.11.0 replacer Replacer Easy way to replace strings in requests and responses. ZAP Dev Team 20 replacer-release-20.zap release <h3>Fixed</h3> <ul> <li>Typo in automation job help.</li> <li>Address misleading warning <code>Unrecognised parameter</code> for <code>deleteAllRules</code> (Issue 8764).</li> </ul> <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> <li>Fields with default or missing values are omitted for the <code>replacer</code> job in saved Automation Framework plans.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/replacer-v20/replacer-release-20.zap SHA-256:632ffa3e1a323b86c873a92285a308d052c7090b52721fdbc5a507e8baa001e0 https://www.zaproxy.org/docs/desktop/addons/replacer/ https://github.com/zaproxy/zap-extensions/ 2025-01-10 445124 2.16.0 reports Report Generation Official ZAP Reports. ZAP Dev Team 0.39.0 reports-release-0.39.0.zap release <h3>Changed</h3> <ul> <li>Caps fixed for Section Selections of the Risk and Confidence HTML report (Issue 2000).</li> </ul> <h3>Added</h3> <ul> <li>The Automation Framework progress to the report data when run via an AF job.</li> <li>Statistics to the traditional extended JSON and XML reports.</li> </ul> <h3>Fixed</h3> <ul> <li>Correct error messages of the Automation Framework job.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/reports-v0.39.0/reports-release-0.39.0.zap SHA-256:9032b01f5858e0156e384138273065f7311ca662a6a1559fb96937cd76392c13 https://www.zaproxy.org/docs/desktop/addons/report-generation/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 14921503 2.16.0 commonlib >= 1.17.0 & < 2.0.0 requester Requester Allows to manually edit and send messages. Surikato and the ZAP Dev Team 7.8.0 requester-beta-7.8.0.zap beta <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/requester-v7.8.0/requester-beta-7.8.0.zap SHA-256:b18fdf0717b90407b770d9bcdae9898fe2365935c03e6a133520750b1dd3e9a7 https://www.zaproxy.org/docs/desktop/addons/requester/ https://github.com/zaproxy/zap-extensions/ 2025-01-10 763103 2.16.0 commonlib >=1.23.0 retest Retest An add-on to retest for presence/absence of previously generated alerts. ZAP Dev Team 0.11.0 retest-alpha-0.11.0.zap alpha <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> <li>To handle automation class changes.</li> <li>Depend on newer version of Passive Scanner add-on (Issue 7959).</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/retest-v0.11.0/retest-alpha-0.11.0.zap SHA-256:26ad328ba5bcb144c20076949aacacf6c352121ee74f5bf4a813ccdd8945e35f https://www.zaproxy.org/docs/desktop/addons/retest/ https://github.com/zaproxy/zap-extensions/ 2025-01-10 259775 2.16.0 automation >=0.44.0 commonlib >= 1.17.0 & < 2.0.0 pscan >= 0.1.0 & < 1.0.0 retire Retire.js Use Retire.js to identify vulnerable or out-dated JavaScript packages. Nikita Mundhada and the ZAP Dev Team 0.47.0 retire-release-0.47.0.zap release <h3>Changed</h3> <ul> <li>Updated with upstream retire.js pattern changes.</li> <li>Depends on an updated version of the Common Library add-on.</li> <li>Maintenance changes.</li> </ul> <h3>Added</h3> <ul> <li>The scan rule as been tagged of interest to Penetration Testers, as well as adding tags associated with DEV or QA applicability.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/retire-v0.47.0/retire-release-0.47.0.zap SHA-256:a5a0320de40aa1426724b12e24e6308af4035cd54806a664c6180743e7e59e69 https://www.zaproxy.org/docs/desktop/addons/retire.js/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 1006728 2.16.0 commonlib >= 1.32.0 & < 2.0.0 reveal Reveal Show hidden fields and enable disabled fields ZAP Dev Team 10 reveal-release-10.zap release <h3>Fixed</h3> <ul> <li>The content length is now properly set on responses which have been modified (Issue 8947).</li> </ul> <h3>Changed</h3> <ul> <li>Maintenance changes.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/reveal-v10/reveal-release-10.zap SHA-256:18368c13aa8a31a6470a465e9aef7c93d9a45b2c34cfe90f4200cbd04637fd0e https://www.zaproxy.org/docs/desktop/addons/reveal/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 239142 2.16.0 revisit Revisit Revisit a site at any time in the past using the session history ZAP Dev Team 6 revisit-alpha-6.zap alpha <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> <li>Maintenance changes.</li> <li>Minor fix in help content.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/revisit-v6/revisit-alpha-6.zap SHA-256:3f265ea36923b0a7870fb1d24db7c82261ad2616e3b1ad0e5bac5a6b7b8e8230 https://www.zaproxy.org/docs/desktop/addons/revisit/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 302331 2.16.0 saml SAML Support Detect, Show, Edit, Fuzz SAML requests ZAP Dev Team 10 saml-alpha-10.zap alpha <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.12.0.</li> <li>Maintenance changes.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/saml-v10/saml-alpha-10.zap SHA-256:097492271c7ec1d85def81091ffe897f4809927043844d1f5f0c7c598a0ad164 https://www.zaproxy.org/docs/desktop/addons/saml-support/ https://github.com/zaproxy/zap-extensions/ 2022-10-28 1811985 2.12.0 scanpolicies Scan Policies A set of standard scan policies. ZAP Dev Team 0.3.0 scanpolicies-alpha-0.3.0.zap alpha <h3>Changed</h3> <ul> <li>Updated based on Rules' Policy Tag assignments.</li> <li>Updated help to cover the PENTEST Policy Tag.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/scanpolicies-v0.3.0/scanpolicies-alpha-0.3.0.zap SHA-256:b06299925bb14d5a22661ddc89d9ac13d25af17c7c06cc730dafb682861b4a88 https://www.zaproxy.org/docs/desktop/addons/scan-policies/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 280872 2.16.0 scripts Script Console Supports all JSR 223 scripting languages ZAP Dev Team 45.12.0 scripts-release-45.12.0.zap release <h3>Changed</h3> <ul> <li>Maintenance changes.</li> </ul> <h3>Fixed</h3> <ul> <li>Loop when trying to extract an underlying script exception.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/scripts-v45.12.0/scripts-release-45.12.0.zap SHA-256:dacdb33bb2a6353067439fbe8f3a816d6caa0c8634ae1bdfe6c41ef27ba32241 https://www.zaproxy.org/docs/desktop/addons/script-console/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 5192132 2.16.0 commonlib >=1.32.0 pscan >= 0.1.0 & < 1.0.0 selenium Selenium WebDriver provider and includes HtmlUnit browser ZAP Dev Team 15.37.0 selenium-release-15.37.0.zap release <h3>Changed</h3> <ul> <li>Update Selenium to version 4.33.0.</li> </ul> <h3>Fixed</h3> <ul> <li>Prevent concurrent modification exceptions.</li> <li>Restore loading of extensions with newer Chrome versions.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/selenium-v15.37.0/selenium-release-15.37.0.zap SHA-256:57e40600b57b5a7066243699cf968aec2d3af266922b4bbe953295d5f7805b57 https://www.zaproxy.org/docs/desktop/addons/selenium/ https://github.com/zaproxy/zap-extensions/ 2025-06-06 33939100 2.16.0 commonlib >=1.23.0 network >=0.2.0 sequence Sequence Gives the possibility of defining a sequence of requests to be scanned. ZAP Dev Team 8 sequence-beta-8.zap beta <h3>Added</h3> <ul> <li>Add Automation Framework jobs: <ul> <li><code>sequence-import</code> to import HARs as sequences.</li> <li><code>sequence-activeScan</code> to active scan sequences.</li> </ul> </li> <li>Data for reporting.</li> <li>Stats for import automation and active scan.</li> <li>Sequence active scan policy which will be used if neither a policy nor policyDefinition are set.</li> <li>Add Import top level menu item to import HAR as sequence.</li> <li>Active Scan Sequence dialog.</li> </ul> <h3>Changed</h3> <ul> <li>Depend on Import/Export add-on to allow to import HARs as sequences.</li> <li>Update minimum ZAP version to 2.16.0.</li> <li>Maintenance changes.</li> <li>Sequence scan implementation.</li> <li>Promoted to beta.</li> </ul> <h3>Removed</h3> <ul> <li>Sequence panel from the Active Scan dialog.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/sequence-v8/sequence-beta-8.zap SHA-256:8419a137caf10cf117523db84f886142116f1e694ca1da44b4481567915e1d6d https://www.zaproxy.org/docs/desktop/addons/sequence-scanner/ https://github.com/zaproxy/zap-extensions/ 2025-01-10 1609867 2.16.0 exim >= 0.13 network zest 48.* soap SOAP Support Imports and scans WSDL files containing SOAP endpoints. Alberto (albertov91) + ZAP Dev Team 25 soap-beta-25.zap beta <h3>Added</h3> <ul> <li>The WSDL passive scan rule has been tagged of interest to Penetration Testers and QA.</li> <li>The included active scan rules have been tagged of interest to Penetration Testers.</li> </ul> <h3>Changed</h3> <ul> <li>Depends on an updated version of the Common Library add-on.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/soap-v25/soap-beta-25.zap SHA-256:dac5f464ba1ee20602a42041567b20068d7a6f0823a2867e2694e5b47af814a1 https://www.zaproxy.org/docs/desktop/addons/soap-support/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 12910257 2.16.0 commonlib >= 1.32.0 & < 2.0.0 spider Spider Spider used for automatically finding URIs on a site. ZAP Dev Team 0.15.0 spider-release-0.15.0.zap release <h3>Changed</h3> <ul> <li>Include anti-csrf tokens as part of irrelevant parameters.</li> <li>Ignore irrelevant parameters in request bodies (<code>x-www-form-urlencoded</code>) (Related to Issue 7771).</li> <li>Skip all URIs with <code>javascript</code> schemes.</li> <li>Changed to title caps on the Irrelevant Parameters table &quot;title&quot; in the Options dialog (Issue 2000).</li> </ul> <h3>Added</h3> <ul> <li>Add an option to allow users to indicate the Spider should attempt to avoid logout related paths/functionality.</li> </ul> <h3>Fixed</h3> <ul> <li>An incorrect column name in the Irrelevant Parameters table used by the Options dialog (Domain should have been Name).</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/spider-v0.15.0/spider-release-0.15.0.zap SHA-256:d2bd362945acd4965def0e90804b5793c4008bd9a5d6fc0201ba2d72997f1384 https://www.zaproxy.org/docs/desktop/addons/spider/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 1168525 2.16.0 commonlib >= 1.29.0 & < 2.0.0 database network >=0.3.0 spiderAjax Ajax Spider Allows you to spider sites that make heavy use of JavaScript using Crawljax ZAP Dev Team 23.24.0 spiderAjax-release-23.24.0.zap release <h3>Added</h3> <ul> <li>Allow to configure how the scope is checked, either Flexible or Strict, to allow or not access to out of scope domains.</li> <li>Allow to avoid logout elements.</li> </ul> <h3>Changed</h3> <ul> <li>Maintenance changes.</li> </ul> <h3>Fixed</h3> <ul> <li>Allow access to domains out of context (e.g. SSO) when using Client Script and Browser Based Authentication.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/spiderAjax-v23.24.0/spiderAjax-release-23.24.0.zap SHA-256:3f0c69698bbfea65065f891970f0d0dccc4ed9059f8e2060ba522c1c1a1c089f https://www.zaproxy.org/docs/desktop/addons/ajax-spider/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 7584850 2.16.0 commonlib >= 1.23.0 & < 2.0.0 network >=0.11.0 selenium 15.* sqliplugin Advanced SQLInjection Scanner An advanced active injection bundle for SQLi (derived by SQLMap) Andrea Pompili (Yhawke) 16 sqliplugin-beta-16.zap beta <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> <li>Maintenance changes.</li> <li>The included active scan rule has been tagged of interest to Penetration Testers.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/sqliplugin-v16/sqliplugin-beta-16.zap SHA-256:7c04881f9a3c9c6b4e1ca37099e247886073f15945e479fbdcd58144b2e5a8be https://www.zaproxy.org/docs/desktop/addons/advanced-sqlinjection-scanner/ https://github.com/zaproxy/zap-extensions/ 2025-04-30 541003 2.16.0 commonlib >= 1.32.0 & < 2.0.0 sse Server-Sent Events Allows you to view Server-Sent Events (SSE) communication. ZAP Dev Team 13 sse-alpha-13.zap alpha <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.15.0.</li> <li>Maintenance changes.</li> </ul> <h3>Fixed</h3> <ul> <li>More gracefully handle missing value for &quot;id&quot; field (Issue 8320)</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/sse-v13/sse-alpha-13.zap SHA-256:38cf84e00664287e691606f473343ba0c0db0711c4f895312d0d482c3354731b https://www.zaproxy.org/docs/desktop/addons/server-sent-events/ https://github.com/zaproxy/zap-extensions/ 2024-05-21 330079 2.15.0 svndigger SVN Digger Files SVN Digger files which can be used with ZAP forced browsing ZAP Dev Team 4 svndigger-release-4.zap release <h3>Added</h3> <ul> <li>Add help.</li> <li>Add repo URL.</li> </ul> <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.11.0.</li> <li>Promote to release status.</li> <li>Change info URL to link to the site.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/svndigger-v4/svndigger-release-4.zap SHA-256:5556efdf3fdb84ebd6cf3e76ca31e3fb6fb57c002cf14b2cf2f05f67bf2b622a https://www.zaproxy.org/docs/desktop/addons/svn-digger-files/ https://github.com/zaproxy/zap-extensions/ 2021-10-07 713963 2.11.0 tips Tips and Tricks Display ZAP Tips and Tricks ZAP Dev Team 14 tips-beta-14.zap beta <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.16.0.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/tips-v14/tips-beta-14.zap SHA-256:732458ced13378724804c26a84a31383fca18db397841b03a2e7e7743504e192 https://www.zaproxy.org/docs/desktop/addons/tips-and-tricks/ https://github.com/zaproxy/zap-extensions/ 2025-01-10 572632 2.16.0 tokengen Token Generation and Analysis Allows you to generate and analyze pseudo random tokens, such as those used for session handling or CSRF protection ZAP Dev Team 15 tokengen-beta-15.zap beta <h3>Changed</h3> <ul> <li>Now using 2.10 logging infrastructure (Log4j 2.x).</li> <li>Maintenance changes.</li> <li>Update minimum ZAP version to 2.11.0.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/tokengen-v15/tokengen-beta-15.zap SHA-256:daef1d13d44a76b8735a30ed9e1e50fa87a85d02728bd7ae575197d173f942f9 https://www.zaproxy.org/docs/desktop/addons/token-generator/ https://github.com/zaproxy/zap-extensions/ 2021-10-07 525206 2.11.0 treetools TreeTools Tools to add functionality to the tree view. Carl Sampson 8 treetools-beta-8.zap beta <h3>Added</h3> <ul> <li>Add help.</li> <li>Add info and repo URLs.</li> </ul> <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.11.0.</li> <li>Maintenance changes.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/treetools-v8/treetools-beta-8.zap SHA-256:b7f61f8939937ebc120bce8deb72713d7676087056e88801df2573112e7642e4 https://www.zaproxy.org/docs/desktop/addons/treetools/ https://github.com/zaproxy/zap-extensions/ 2021-10-07 128931 2.11.0 viewstate ViewState ASP/JSF ViewState Decoder and Editor Calum Hutton 3 viewstate-alpha-3.zap alpha <h3>Changed</h3> <ul> <li>Update minimum ZAP version to 2.11.0.</li> <li>Maintenance changes.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/viewstate-v3/viewstate-alpha-3.zap SHA-256:715caefd591415e79b32195361fea82aa8c6357b24e69530c22fde0a1b6dad17 https://www.zaproxy.org/docs/desktop/addons/viewstate/ https://github.com/zaproxy/zap-extensions/ 2021-10-07 148716 2.11.0 wappalyzer Technology Detection Technology detection using various fingerprints and identifiers. ZAP Dev Team 21.46.0 wappalyzer-release-21.46.0.zap release <h3>Changed</h3> <ul> <li>Updated with enthec upstream icon and pattern changes.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/wappalyzer-v21.46.0/wappalyzer-release-21.46.0.zap SHA-256:637356cf77f36afe419991d57ee3ed7429b321465e412865cf6db09fb734e962 https://www.zaproxy.org/docs/desktop/addons/technology-detection/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 21024941 2.16.0 commonlib >= 1.17.0 & < 2.0.0 pscan >= 0.1.0 & < 1.0.0 webdriverlinux Linux WebDrivers Linux WebDrivers for Firefox and Chrome. ZAP Dev Team 146 webdriverlinux-release-146.zap release <h3>Changed</h3> <ul> <li>Update ChromeDriver to 138.0.7204.92.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/webdriverlinux-v146/webdriverlinux-release-146.zap SHA-256:2c3b75a5ac2232165a39dd7bc402685e6fe6c33604be4897ac5f45e3467380c2 https://www.zaproxy.org/docs/desktop/addons/linux-webdrivers/ https://github.com/zaproxy/zap-extensions/ 2025-07-01 15875526 2.16.0 webdrivermacos MacOS WebDrivers MacOS WebDrivers for Firefox and Chrome. ZAP Dev Team 146 webdrivermacos-release-146.zap release <h3>Changed</h3> <ul> <li>Update ChromeDriver to 138.0.7204.92.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/webdrivermacos-v146/webdrivermacos-release-146.zap SHA-256:4b6c69c276cc737c1339b901cb60ec1ca17fab2fd4b4f5c37465a801265ae17d https://www.zaproxy.org/docs/desktop/addons/macos-webdrivers/ https://github.com/zaproxy/zap-extensions/ 2025-07-01 21344940 2.16.0 webdriverwindows Windows WebDrivers Windows WebDrivers for Firefox and Chrome. ZAP Dev Team 146 webdriverwindows-release-146.zap release <h3>Changed</h3> <ul> <li>Update ChromeDriver to 138.0.7204.92.</li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/webdriverwindows-v146/webdriverwindows-release-146.zap SHA-256:4e56f13f61bc2e8e372e6f06c68ea4f533ad6bd901a4192cff12e2c54eebe777 https://www.zaproxy.org/docs/desktop/addons/windows-webdrivers/ https://github.com/zaproxy/zap-extensions/ 2025-07-01 21644259 2.16.0 websocket WebSockets Allows you to inspect WebSocket communication. ZAP Dev Team 33 websocket-release-33.zap release <h3>Changed</h3> <ul> <li>Add website alert links to the help page (Issue 8189).</li> <li>Replace usage of CWE-200 for the following rules (Issue 8712): <ul> <li>Email Disclosure.</li> <li>Debug Error Disclosure.</li> </ul> </li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/websocket-v33/websocket-release-33.zap SHA-256:b34ee5374065661de46f329cea8a098713feac4b0f15cb97c96a59f837aad476 https://www.zaproxy.org/docs/desktop/addons/websockets/ https://github.com/zaproxy/zap-extensions/ 2025-06-20 1403130 2.16.0 commonlib >=1.23.0 zest Zest - Graphical Security Scripting Language A graphical security scripting language, ZAPs macro language on steroids ZAP Dev Team 48.7.0 zest-beta-48.7.0.zap beta <h3>Changed</h3> <ul> <li>Update Zest library to 0.30.0: <ul> <li>Update Selenium to version 4.33.0.</li> <li>Send RETURN key if submit fails for input elements not in a form.</li> </ul> </li> </ul> https://github.com/zaproxy/zap-extensions/releases/download/zest-v48.7.0/zest-beta-48.7.0.zap SHA-256:5823a0371f456b3428e66d95924cc566a07ee546786f3bf025be9a27f10e5a9c https://www.zaproxy.org/docs/desktop/addons/zest/ https://github.com/zaproxy/zap-extensions/ 2025-06-10 3045587 2.16.0 commonlib >=1.31.0 network >=0.2.0 pscan >= 0.1.0 & < 1.0.0 scripts >=45.2.0 selenium >= 15.13.0