OWASP Penetration Testing Kit - Release Notes

Please support the OWASP PTK project

June 2026 ( 9.9.7 )
  • Reworked ZAP automation startup around an explicit controller-driven lifecycle for active scan rule and legacy spiderClient workflows
  • Removed the browser history permission from Chromium and Firefox builds
  • Redacted ZAP callback URLs, callback secrets, zapid, and session keys from runtime/logging paths
  • Improved ZAP browser close/readiness handling so PTK findings are drained before managed browsers close
  • Improved multi-browser DAST, IAST, and SAST participation evidence for ZAP automation
  • Fixed SPA route tracking reliability, restoring Juice Shop hash-route and DOM XSS coverage after longer journeys
  • Hardened PTK Agent/npm activation, drain/export finalization, and installed-package validation
  • Reduced noisy ZAP add-on INFO logging while preserving release-gate lifecycle evidence
  • Added a structured pentester guide covering installation, workflows, scanning engines, manual tools, reporting, automation, ZAP integration, and troubleshooting
  • Updated security-related npm dependencies

PTK 9.9.7 focuses on making ZAP-managed automation reliable enough for release, while reducing browser permissions and tightening callback-data handling. Release validation passed the Juice Shop smoke gate, the ZAP active-scan-rule Firing Range matrix, the ZAP legacy spiderClient Firing Range matrix, and the npm release matrix across packaged and installed flows.

May 2026 ( 9.9.5 )
  • Hardened PTK/ZAP browser automation close handling so PTK-created child tabs no longer stop the whole scan session
  • Improved automation target scoping so PTK attaches only to the intended scan target and PTK-created child tabs, not unrelated tabs opened manually during a scan
  • Improved AngularJS client-side template injection coverage, including $parse, form, postMessage, storage, cookie, and raw-body sources
  • Added safer AngularJS template-marker checks for contexts where execution-style probes caused noisy framework errors
  • Fixed JWT alg=none false positives where header-based behavior could be reported as a cookie finding
  • Expanded SAST and IAST DOM source, propagation, and sink coverage for browser APIs such as location, hash, storage, postMessage, DOM writes, navigation, and form actions
  • Added and hardened ptk-scan / PTK Agent SDK workflows for local browser-extension scans, scenario runs, provider matrices, and larger report exports

PTK 9.9.5 focuses on stabilizing real browser automation and improving scanner accuracy. This release makes ZAP-managed Edge and Firefox scans more predictable, keeps unrelated manual tabs out of active scan scope, improves AngularJS and DOM taint coverage, fixes JWT carrier false positives, and adds stronger local Agent SDK/npm workflows for repeatable release validation.

April 2026 ( 9.9.0 )
  • Improved PTK/ZAP browser automation startup and runtime selection for more reliable Chrome, Edge, and Firefox automation runs
  • Added safer Codex/Playwright Agent SDK automation for direct scan, crawl, and export workflows, including scenario-guided and planner-only crawling
  • Expanded reflected XSS DAST coverage from 5 to 18 attack variants across script, SVG/onload, JavaScript, and attribute contexts
  • Added OS command injection coverage for Unix command output detection
  • Reduced duplicate SPA/DOM XSS and IAST runtime finding noise with rulepack-driven presentation aggregation
  • Improved export payload normalization, redaction handling, automation telemetry, and automated scan performance

PTK 9.9.0 focuses on more reliable automation and higher-signal DAST coverage. This release improves ZAP-managed browser automation startup, runtime selection, progress handling, and session coordination for Chrome, Edge, and Firefox validation workflows. It also adds safer direct Playwright/Codex scan automation, expands reflected XSS payload coverage across more browser contexts, adds OS command injection coverage, and reduces repeated SPA/DOM XSS and IAST noise through rulepack-driven aggregation. Export handling, redaction, automation telemetry, and automated scan performance have also been tightened.

March 2026 ( 9.8.0 )
  • Added opt-in DAST autodiscovery with Strict, Safe, and Wide budgets
  • Added clear Auto-discovered badges and kept user-driven URLs above discovered URLs in the request list
  • Added a new Explorer tab and improved the Analysis view for easier DAST review
  • DAST details now lazy-load the full request/response snapshot for more accurate completed-scan evidence
  • Cleaned duplicate passive/header checks and improved secure-header coverage
  • Improved popup and dashboard performance, menu behavior, and multiple DAST/explorer UI flows

PTK 9.8.0 focuses on making DAST easier to control and easier to review. This release adds opt-in autodiscovery with explicit budgets, clearer separation between user-driven and discovered requests, and a new Explorer workflow alongside improvements to the Analysis view. It also restores full HTTP evidence in DAST details, cleans up duplicate passive header checks, improves secure-header coverage, and makes the popup and dashboard faster and smoother to use day to day.

March 2026 ( 9.7.0 )
  • Added new DAST Analysis and Coverage tabs for manual follow-up and cross-engine visibility
  • Added IAST buckets to group runtime results into client-side attack surfaces such as Execution, Authz/State and Data/Storage
  • Added SAST buckets to group code artifacts into practical review areas such as Routes, Endpoints, Params and Gadgets
  • Improved export/import, evidence presentation, R-Builder handoff, and scan management progress feedback
  • Improved cross-engine coverage, plus overall UI consistency, stability and responsiveness

PTK 9.7.0 focuses on making scan results easier to act on. DAST now includes dedicated Analysis and Coverage views to highlight the most useful manual-testing candidates and show which engines contributed evidence for the same host/session. IAST and SAST now use bucketed summaries to group runtime and code-level results into practical attack surfaces and review areas, reducing noise and surfacing the most relevant information first. This release also improves export/import flow, R-Builder handoff, evidence presentation, cross-engine coverage, and overall stability and performance across the extension.

February 2026 ( 9.6.0 )
  • Added report export in PDF and Markdown formats
  • Introduced Executive and Technical report presets for different audiences
  • Added a report Summary section for quick high-level visibility
  • Added severity filters to manage and triage findings faster
  • Added confidence scoring and correlated findings across DAST, IAST, SAST and SCA
  • Implemented safe-by-default redaction for exports (tokens, Authorization headers, cookies, storage values)
  • Improved evidence readability with truncation and consistent formatting (including monospace blocks where applicable)
  • Executive reports now deduplicate/group repeated findings to reduce noise (especially for repeated SCA/SAST-style entries)

PTK 9.6.0 is a major reporting-focused release. It introduces PDF and Markdown exports with two presets: Executive reports for shareable, prioritised summaries, and Technical reports for deeper per-engine detail. This release adds a dedicated Summary section, severity-based triage filters, and confidence scoring with correlation across DAST, IAST, SAST and SCA to highlight high-signal issues. Exports are safe-by-default with redaction enabled, evidence is easier to consume thanks to truncation and consistent formatting, and Executive reports reduce noise by grouping repeated findings.
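As an added illustration of the safe-by-default export redaction described above (example code, not PTK's own implementation): a redaction pass over a finding record that masks Authorization and cookie headers, credential-like query parameters and JSON keys, JWT-shaped strings, and all storage values, and that only skips redaction when the caller explicitly opts out. The record shape, field names, the `REDACTED` marker and the sample finding are assumptions constructed for the example.

```javascript
// Added example, not PTK's own code. Record shape and marker are assumptions.
const MARK = 'REDACTED';
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie', 'set-cookie']);
const SENSITIVE_KEY = /(token|session|passw|secret|api[-_]?key|auth)/i;
// Compact JWS/JWT: three base64url segments separated by dots
const JWT_SHAPE = /[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g;

// Free text: mask anything shaped like a JWT, wherever it appears
const redactText = (s) => String(s).replace(JWT_SHAPE, MARK);

// Headers: mask whole credential carriers, scrub JWTs from everything else
function redactHeaders(headers = {}) {
  return Object.fromEntries(Object.entries(headers).map(([name, value]) =>
    [name, SENSITIVE_HEADERS.has(name.toLowerCase()) ? MARK : redactText(value)]));
}

// URL: mask query parameters whose names look credential-like, keep the rest
function redactUrl(url) {
  const u = new URL(url);
  for (const name of [...u.searchParams.keys()]) {
    if (SENSITIVE_KEY.test(name)) u.searchParams.set(name, MARK);
  }
  return u.toString();
}

// Structured data: mask values under sensitive keys, recurse into the rest
function redactValue(value, key = '') {
  if (SENSITIVE_KEY.test(key)) return MARK;
  if (Array.isArray(value)) return value.map((v) => redactValue(v));
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, redactValue(v, k)]));
  }
  return typeof value === 'string' ? redactText(value) : value;
}

// Bodies: JSON is redacted structurally, anything else as plain text
function redactBody(body) {
  if (body == null) return body;
  try { return JSON.stringify(redactValue(JSON.parse(body))); } catch { return redactText(body); }
}

// Storage snapshots keep the keys (useful evidence) but never the values
const redactStorage = (storage = {}) => Object.fromEntries(Object.keys(storage).map((k) => [k, MARK]));

// Redaction is on unless the caller explicitly opts out
function redactFinding(finding, { redact = true } = {}) {
  if (!redact) return finding;
  const { request = {}, response = {}, storage } = finding;
  return {
    ...finding,
    request: { ...request, url: redactUrl(request.url), headers: redactHeaders(request.headers), body: redactBody(request.body) },
    response: { ...response, headers: redactHeaders(response.headers), body: redactBody(response.body) },
    storage: redactStorage(storage),
  };
}

// Constructed sample finding (not real traffic) for trying the pass
const SAMPLE_FINDING = {
  module: 'jwt',
  request: { url: 'https://app.example/api/me?user=alice&access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSJ9.abcdefghijkl',
    headers: { Authorization: 'Bearer abc.def.ghi', 'X-Request-Id': '7' }, body: '{"password":"hunter2","note":"hi"}' },
  response: { headers: { 'Set-Cookie': 'sid=9f2a; HttpOnly' }, body: '{"ok":true}' },
  storage: { id_token: 'eyJhbGciOiJub25lIn0.eyJzdWIiOiIxIn0.' },
};
```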

January 2026 ( 9.5.0 )
  • Improved JWT attacks with better validation logic and fixed false positives for alg=none checks, including public/unauthenticated endpoints
  • Added improved SPA attacks support for more reliable DAST execution across client-routed Single-Page Applications
  • UI performance improvements for a faster, more responsive dashboard experience, especially while scans are running

PTK 9.5.0 focuses on improving reliability and usability during real-world testing. JWT attacks now perform stricter validation and reduce noise by fixing false positives around alg=none and endpoints that are intentionally public. This release also improves DAST support for Single-Page Applications by handling SPA navigation and in-app flows more reliably. Finally, UI performance has been optimized so the dashboard feels faster and remains responsive under scanning load.

December 2025 ( 9.4.0 )
  • Added a new CVE Lookup module for passive CVE checks, with 10 new CVEs supported across both passive lookup and DAST attack coverage
  • Improved IAST functionality with chrome.debugger support for better visibility and correlation in complex browser-driven flows
  • UI improvements and bug fixes across the extension for improved usability, stability and performance

PTK 9.4.0 introduces CVE-focused passive checks through the new CVE Lookup module and expands coverage with 10 new CVEs available in both passive lookup and active DAST attacks. IAST was also enhanced using chrome.debugger to improve request/response visibility and correlation for modern applications. Finally, this release includes UI improvements and stability fixes to make day-to-day scanning smoother and more reliable.

December 2025 ( 9.3.0 / 9.3.1 )
  • Unified DAST, SAST and IAST scan envelopes and finding structure with effectiveSeverity and a shared normalizeScanResult view model
  • Refreshed modules.json, catalog.json and IAST modules with consistent metadata and HTML-sanitised recommendations
  • New DAST scan profiles (Fast / Smart / Comprehensive) to control atomic vs per-parameter attacks and avoid re-attacking URLs/params after confirmed findings
  • Added CVE-focused DAST modules using the React2Shell attack flow, including coverage for CVE-2025-55182 labs
  • Improved IAST stability with reliable module loading, JSON-based sink rules and reduced noise from generic hash-based sources
  • Laid SCA integration groundwork by aligning SCA results with the unified model and updating the portal schema for SCA alongside DAST/SAST/IAST

This release unifies how DAST, SAST and IAST report findings, with a shared scan envelope, standardised metadata and a common normalizeScanResult view model across the UI. Modules and rules have been cleaned up with consistent descriptions, recommendations and OWASP/CWE mapping, while new DAST profiles give users better control over attack strategy and noise. React2Shell-powered CVE modules add coverage for modern React injection chains (including CVE-2025-55182 labs), and IAST gains more stable module loading plus JSON-driven sinks to reduce false positives. Finally, SCA results are now aligned with the same model and the portal schema is ready to surface SCA findings alongside DAST/SAST/IAST.

November 2025 ( 9.2.7 )
  • SAST runs off the main thread (Chrome MV3 offscreen + worker, Firefox background worker)
  • Richer SAST telemetry with per-file and per-module progress events
  • Improved taint traces and trace visualization in the findings UI
  • Taint model cleanup, new rule filters and refined document.cookie handling

SAST now executes in a dedicated worker context (offscreen document on Chrome MV3, background worker on Firefox), so heavy JavaScript scans no longer freeze the UI and stay responsive even on large SPAs. New structured telemetry emits per-file and per-module progress, while upgraded taint traces and visualization make it easier to follow data flows end-to-end. The taint model has been refined with cleaner document.cookie handling and new rule filters to cut noise and keep reports focused on the most relevant issues.

November 2025 ( 9.2.6 )
  • DAST worker pool with rate limiting and safe retries
  • Request fingerprinting and new DAST filters (all/vulns/4xx/5xx)
  • SAST: new rules, taint trace UI, richer report cards
  • SAST: exclude well-known libraries like jQuery to reduce noise

DAST now runs attacks through a queued, rate-limited worker pool with request fingerprinting, deduplication and scoped DAST filters, so large scans stay reliable and focused even under throttling. SAST adds new rules, visual taint traces, self-contained report cards, and excludes well-known libraries like jQuery from analysis to cut false positives and highlight real issues in your own code.

September 2025 ( 9.2.4 / 9.2.5 )
  • Attacks on each parameter separately
  • Vulnerable parameter is reported
  • Attacks on JSON
  • Bug fixes

DAST now targets each input parameter individually and reports exactly which parameter (name + original value) is vulnerable for easy triage. It also parses application/json bodies and tests keys/array elements/path locations structurally to find injections and logic flaws.
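The per-parameter JSON handling described above, as an added example that is not PTK's own code: a structural walk of an `application/json` body that yields one mutated copy per location (object keys, scalar values, array elements, at any depth), each tagged with the parameter path and original value so a resulting finding can be attributed to exactly one parameter. A harmless marker string stands in for the attack payload; the function names and the sample body are constructed for the example.

```javascript
// Added example, not PTK's own code. A marker stands in for any payload.

// Enumerate every injectable location: object keys and scalar leaves
function* jsonInjectionPoints(value, path = []) {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) yield* jsonInjectionPoints(value[i], [...path, i]);
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      yield { kind: 'key', path: [...path, k], original: k };
      yield* jsonInjectionPoints(v, [...path, k]);
    }
  } else {
    yield { kind: 'value', path, original: value }; // string, number, boolean or null leaf
  }
}

// Deep-copy root and replace the node at path with fn(oldNode); the original is untouched
function replaceAt(root, path, fn) {
  if (path.length === 0) return fn(root);
  const copy = JSON.parse(JSON.stringify(root));
  let parent = copy;
  for (const step of path.slice(0, -1)) parent = parent[step];
  const last = path[path.length - 1];
  parent[last] = fn(parent[last]);
  return copy;
}

// Rename one key while preserving key order
const renameKey = (obj, from, to) =>
  Object.fromEntries(Object.entries(obj).map(([k, v]) => [k === from ? to : k, v]));

// One request body per location, each carrying the attribution data for triage
function buildJsonMutations(body, probe) {
  const parsed = JSON.parse(body);
  return [...jsonInjectionPoints(parsed)].map((pt) => {
    const mutated = pt.kind === 'key'
      ? replaceAt(parsed, pt.path.slice(0, -1), (obj) => renameKey(obj, pt.original, pt.original + probe))
      : replaceAt(parsed, pt.path, (v) => (typeof v === 'string' ? v + probe : probe));
    return {
      kind: pt.kind,
      parameter: pt.path.map(String).join('.'), // e.g. "user.roles.1"
      original: pt.original,
      body: JSON.stringify(mutated),
    };
  });
}

// Constructed sample body: 5 keys and 5 scalar leaves give 10 injection points
const SAMPLE_BODY = '{"user":{"name":"alice","roles":["viewer","editor"]},"page":2,"active":true}';
```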

June 2025 ( 9.2.2 / 9.2.3 )
  • All scans can be managed from the dashboard panel
  • Added SAST taint flow rules
  • Added DAST settings to manage requests per second and concurrency
  • Bug fixes

Since this version, OWASP PTK supports taint-flow rules for SAST, and DAST scans can be tuned with requests-per-second and concurrency settings.

May 2025 ( Chromium 9.1.1 / Firefox 9.1.1)
  • Added SAST feature
  • Improved DAST capabilities
  • Bug fixes

Since this version, OWASP PTK supports Static Application Security Testing by analyzing every JavaScript, WebAssembly, and embedded script loaded by the page.

May 2025 ( Chromium 9.0.0 / Firefox 9.0.0)
  • Added IAST feature
  • Bug fixes

Since this version, OWASP PTK supports Interactive Application Security Testing by implementing hooks for client-side JavaScript.

May 2024 ( Chromium 8.9.3 / Firefox 8.9.2)
  • R-Attacker is now DAST
  • Cheat sheets added for XSS and SQL
  • Bug fixes

February 2024 ( Chromium 8.8.3 / Firefox 8.8.2)
  • R-Builder with cURL support
  • R-Builder export/import functionality
  • Bug fixes

January 2024 ( Chromium 8.7.3 / Firefox 8.7.2)
  • JWT attacks added
  • Bug fixes

December 2023 ( Chromium 8.6.3 / Firefox 8.6.2)
  • Json Web Token Inspector
  • Bug fixes

February 2023 ( Chromium 8.3.3 / Firefox 8.3.2)
  • Request builder with DAST scan feature
  • More passive attacks according to the OWASP Secure Headers project
  • Attack improvements
  • UI improvements
  • Bug fixes

September 2022 ( Chromium 8.2.3 / Firefox 8.2.2)
  • Request builder with declarativeNetRequest support for Chrome/Edge browsers
  • Macro and traffic recording feature is back again.
  • Reload extension functionality added. Manifest V3 brought a lot of changes, and because the service worker may become inactive after 5 minutes, you may sometimes need to reload the PTK
  • UI improvements
  • Bug fixes

August 2022 ( Chromium 8.1.3 / Firefox 8.1.2)
  • Cookie editor allows you to manage cookies (add, edit or remove), define rules to block or protect cookies, and import/export them
  • Bug fixes

June 2022 ( 8.0.3 )
  • Manifest 3 support for chromium based browsers
  • R-Attacker, R-Builder and Encoder/Decoder data is saved in local storage, so you won't lose your data even after restarting
  • Macro and Traffic recording no longer supported
  • Bug fixes

February 2022 ( 7.5.3 )
  • Improved R-Attacker module to support attacks for every parameter separately
  • Added R-Attacker external integration to support Selenium tests
  • Bug fixes

December 2021 ( 7.5.2 )
  • New stored XSS attack with window.postMessage payload!
  • Wappalyzer module updated to the latest version
  • Bug fixes

November 2021 ( 7.5.1 )
  • New! Reporting feature has been added, so you can generate a report in one click.
  • Wappalyzer and Retire NPM module updated to the latest version
  • Privacy policy is now in place, please check it out
  • Bug fixes

September 2021 ( 7.4.0 )
  • Retire.js NPM module added to identify known vulnerabilities (CVE)
  • Wappalyzer NPM module updated to the latest version
  • Bug fixes

August 2021 ( 7.3.0 )
  • Tabs monitoring functionality improvements
  • Bug fixes

June 2021 ( 7.1.0 / 7.2.0 )
  • Authentication recording now starts in incognito mode when allowed (not supported in Firefox)
  • Fixed an issue with recording events on iframes in a new popup window
  • R-Builder can now store requests
  • Added a blacklist for R-Attacker to exclude .css and .js files from attacking
  • Added a new attack - JWT None algorithm
  • Added a disclaimer

April 2021 ( 7.0.0 )
  • Added encode and decode features
  • Fixed an issue with \ and ` characters in macro recording

April 2021 ( 6.2.5 )
  • Added double click support for macro recording
  • Added an option to generate additional delays when exporting a macro, for better SPA support
  • Removed HAR viewer due to a problem with the PerfCascade NPM module
  • Bug fixes

March 2021 ( 6.2.1 )
  • Improved dashboard performance and detection
  • Added ability to execute requests and export a HAR file with recorded output
  • Bug fixes

March 2021 ( 6.2.0 )
  • New R-Attacker functionality - scan in runtime and get a report once completed
  • New Proxy tab to monitor requests for selected tab
  • Dashboard - Web Application Firewall detection card
  • Dashboard - Storage/Authentication card (with automatic decoding of JWT tokens)
  • Incognito mode is now separated, no shared resources between normal and private windows (not supported in Firefox)
  • NPM package release - 1.0.2
  • Bug fixes

December 2020 ( 6.0.0 )
  • ES6 standard support
  • NPM modules support
  • Cross-browser support including incognito mode on Firefox browsers
  • Added R-Attacker to allow attacks execution on any request

October 2020 ( 5.0.0 )
  • Cross-browser support

September 2020 ( 4.1.0 )
  • Export a list of URLs discovered while browsing an application
  • Export a list of FQDNs discovered while browsing an application
  • Added SQL Injection attacks against POST requests

May 2020 ( 4.0.0 )
  • New Dashboard view
  • Request builder executes a request based on a simple URL
  • New macro event type added to support JavaScript. When selected, the exported macro contains JavaScript code to simplify playback on most modern SPA apps such as ReactJS/Angular
  • Added recording import to support conversion from Selenium .side and .html recordings to a JavaScript macro
  • Real-time event tracking during recording/playback in the floating window. The tracker window is draggable and resizable
  • iFrames support added for recording/playback
  • Added HAR viewer for traffic recording
  • Improved performance by limiting the number of tracked tabs

March 2020 ( 3.1.9 )
  • Export macro recording using Driver events by default
  • Issue with validate functionality fixed
  • Bug fixes

February 2020 ( 3.1.5 )
  • UI changes to improve user experience
  • Macro auto export and auto save features have been added
  • Bug fixes

December 2019 ( 3.1.1 )
  • Swagger YAML to JSON converter has been added
  • Fixed an issue where the 'Host' header was missing from recorded traffic

October 2019 ( 3.1.0 )
  • Incognito mode support for traffic/macro recording
  • Macro replay notifications added
  • Improved HTML response display in request builder
  • Added traffic analysis for authentication

May 2019 ( 2.2.11 )
  • Added onChange event support for macro recording and replay
  • Fixed an issue with traffic recording
  • Fixed an issue with delete event during macro recording
  • Fixed an issue with backspace event during macro recording
  • Added functionality to validate HTML using a regex after macro replay
  • Fixed an issue when request builder used wrong header
  • Added functionality to display a response as HTML

April 2019 ( 2.2.7 )
  • Fixed an issue with Access-Control-Allow-Origin response header
  • Added local file support for swagger utility
  • AS Pro / AS Enterprise support disabled by default
  • Minor fix for messages passing
  • Added support for AS Pro / AS Enterprise validate functionality
  • Fixed issues with export/download macro
  • Fixed issue with validate functionality
  • Request builder now supports 2xx, 3xx, 4xx, 5xx response statuses. Added support for Referer and User-Agent request headers
  • Replay macro functionality has been added
  • Validate functionality for AppSpider Pro reports