diff --git a/site/content/blog/2025-03-03-zap-updates-february-2025/images/zapbot-monthly-preview.png b/site/content/blog/2025-03-03-zap-updates-february-2025/images/zapbot-monthly-preview.png new file mode 100644 index 000000000..149d6ad2c Binary files /dev/null and b/site/content/blog/2025-03-03-zap-updates-february-2025/images/zapbot-monthly-preview.png differ diff --git a/site/content/blog/2025-03-03-zap-updates-february-2025/images/zapbot-monthly-updates.png b/site/content/blog/2025-03-03-zap-updates-february-2025/images/zapbot-monthly-updates.png new file mode 100644 index 000000000..48421a4ad Binary files /dev/null and b/site/content/blog/2025-03-03-zap-updates-february-2025/images/zapbot-monthly-updates.png differ diff --git a/site/content/blog/2025-03-01-zap-updates-february-2025/index.md b/site/content/blog/2025-03-03-zap-updates-february-2025/index.md similarity index 67% rename from site/content/blog/2025-03-01-zap-updates-february-2025/index.md rename to site/content/blog/2025-03-03-zap-updates-february-2025/index.md index abc41446f..e428c8a96 100644 --- a/site/content/blog/2025-03-01-zap-updates-february-2025/index.md +++ b/site/content/blog/2025-03-03-zap-updates-february-2025/index.md 
@@ -1,28 +1,52 @@ --- title: "ZAP Updates - February 2025" summary: > - TODO + Authentication, authentication, authentication... And there will be a 2.16.1 release "soon". images: -- https://www.zaproxy.org/blog/2025-03-01-zap-updates-february-2025/images/zapbot-monthly-updates.png +- https://www.zaproxy.org/blog/2025-03-03-zap-updates-february-2025/images/zapbot-monthly-updates.png type: post tags: - blog - update -date: "2025-03-01" +date: "2025-03-03" authors: -- TODO +- simon --- -## Highlights -TODO - ## Ongoing Work -TODO -## New Contributors -A very warm welcome to the people who started to contribute to ZAP this month! +This month we've continued our focus on authentication. You probably will not notice many changes yet, but theres a lot going on behind the scenes! + +To make the changes more visible we've added a new set of [ZAP Authentication Tests](/docs/scans/auth/). + +We know that configuring ZAP to handle authentication is hard, so the aim is to make this much easier. +One of our key focusses is [Browser Based Authentication](/docs/desktop/addons/authentication-helper/browser-auth/) along +with [Session Auto-Detection](/docs/desktop/addons/authentication-helper/autodetect-session/) and +[Verification Request Identification](/docs/desktop/addons/authentication-helper/verification-id/). +This combination of features allows you to completely configure ZAP authentication by only providing the login URL and +a valid set of credentials. All of the "stdbba" [Authentication Tests](/docs/scans/auth/) just provide this minimal set of data. +As you will see, this works against most of the sites we're testing against. + +If [Browser Based Authentication](/docs/desktop/addons/authentication-helper/browser-auth/) does not work "out-of-the-box" then +we have a new option for configuring it without having to go down the full "scripting" route. 
More details soon :grin: + +And if that doen't work then we have a new option to record client side scripts which you can use for authentication. +Again, look out for more details coming soon! + +We are also looking at how to make it much easier to debug authentication issues. +One part of the solution is a new [Authentication Report](/docs/desktop/addons/authentication-helper/auth-report-json/). +This is currently just in JSON format but we plan to add HTML and potentially PDF versions as well. + +If you know of any other sites that anyone can sign up to which have tricky login screens then let us know! + +## ZAP Slack + +The [ZAP Slack](/slack/) is open to everyone - just signup via https://www.zaproxy.org/slack/ + +## Next Release: 2.16.1 -TODO: Add from https://github.com/zaproxy/zap-core-help/pulls?q=is%3Apr+credits+is%3Aclosed +We've found out that theres a bug in the Core which means you cannot update alerts via the Desktop GUI. +As a result we'll be releasing a 2.16.1 bug fix release in the near future. ## GitHub Pulse Here are some statistics for the two main ZAP repositories: diff --git a/site/content/docs/scans/auth.md b/site/content/docs/scans/auth.md index b02ce117e..95c564cfa 100644 --- a/site/content/docs/scans/auth.md +++ b/site/content/docs/scans/auth.md 
@@ -4,7 +4,19 @@ type: page EditableContent: true --- -Authentication Test Results +Testing ZAP authentication handling against a range of test and real world applications. + +Columns: + +* __Type__: + * __stdbba__: Standard [Browser Based Authentication](/docs/desktop/addons/authentication-helper/browser-auth/), just the login URL and credentials, no additional configuration + * __bbaplus__: [Browser Based Authentication](/docs/desktop/addons/authentication-helper/browser-auth/) with some additional additional configuration + * __csa__: [Client Script Authentication](/docs/desktop/addons/authentication-helper/client-script/), using a client side Zest script to authenticate +* __Auth__: Did ZAP succeed in authentication to this site? This is the key column +* __Username__: Did ZAP find the username field? Only applicable to Browser Based Auth +* __Password__: Did ZAP find the password field? Only applicable to Browser Based Auth +* __Session Mgmt__: Did ZAP identify the session management method? +* __Verification__: Did ZAP identify a suitable verification URL? {{< auth-results >}}
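Review bot: The blog hunk (index.md) adds several typos in the new prose: "theres a lot going on behind the scenes" and "theres a bug in the Core" should read "there's", and "if that doen't work" should read "doesn't". The hunk also drops the whole "## New Contributors" section together with its TODO placeholder rather than filling it in; confirm that omitting the credits section from this month's post is intended, since the other monthly sections were kept. The mention of the 2.16.1 bug ("cannot update alerts via the Desktop GUI") would be more useful to readers with a link to the tracking issue, if one exists.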
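Review bot: In the auth.md hunk the __bbaplus__ bullet has a doubled word, "with some additional additional configuration", which should be "with some additional configuration", and the __Auth__ bullet reads "Did ZAP succeed in authentication to this site?" where "authenticating to this site" is the grammatical form. For consistency with the other bullets, "Only applicable to Browser Based Auth" in the __Username__ and __Password__ rows could use the full "Browser Based Authentication" wording (and the same link) that the __Type__ entries already use.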