ZAPping the OWASP Top 10


psiinon

Aug 18, 2014, 9:29:24 AM8/18/14
to zaproxy...@googlegroups.com
I'm working on a cheat sheet: "ZAPping the OWASP Top 10": https://docs.google.com/document/d/1bwucd9A-hQ6t-1YPdn7VH7SWMsRXBCQJ9iS3zhizfaQ/edit?usp=sharing
The idea is for this doc to summarize the ZAP components most suitable for automated and manual testing of each of the OWASP Top 10 Risks.

What do you think?
Is it useful?
Is it understandable?
Does it need more details?
What have I got wrong or missed out??

You should all be able to comment on the doc, or you can comment on this thread.

Your feedback will be appreciated :)

Cheers,

Simon

gmaran23

Aug 20, 2014, 3:08:09 AM8/20/14
to zaproxy...@googlegroups.com
Simon,

1. Good effort. Should we add the Port Scanner addon under the Security Misconfiguration section? And the wappalyzer as well to detect old technologies - although wappalyzer is added to the A9 section as well.

2. This is very useful as most of the developers/architects just look for OWASP Top 10 mitigations to begin with.
3. It is understandable because I know ZAP.
4. Maybe, for new users to understand, we could hyperlink how-to sections for the add-ons' usage.

psiinon

Aug 20, 2014, 3:45:56 AM8/20/14
to zaproxy...@googlegroups.com
Good suggestions!

I've added the port scanner and tech detection / wappalyzer to A5.

I've been wondering how to publish this, and I'm now thinking this should be on the wiki (with hyperlinks to the add-ons) and as a downloadable/printable pdf, in a similar format to the getting started guide.
I'm working on the pdf right now - getting the layout right is tricky (and not one of my strengths;)

Many thanks,

Simon

psiinon

Aug 20, 2014, 5:58:21 AM8/20/14
to zaproxy...@googlegroups.com
I've attached my first attempt at a printable version (in LibreOffice format; it will be published as a pdf).
The online version will link to the help pages for all of the components.

It could be prettier (not my strong point;) can anyone improve it??

Any other comments?

Cheers,

Simon
ZAPpingTheOwaspTop10.odt

gmaran23

Aug 20, 2014, 6:40:07 AM8/20/14
to zaproxy...@googlegroups.com
Tried a table for Automated tools and Manual tools. Doesn't look too good or too bad either :)
Attached.

I didn't change the font/color of the headings though, to adhere to the theme of the other ZAP documents.
ZAPpingTheOwaspTop10.pdf
ZAPpingTheOwaspTop10.odt

psiinon

Aug 20, 2014, 6:51:05 AM8/20/14
to zaproxy...@googlegroups.com
I was wondering about using that layout, but thought it might look unbalanced with the Automated vs Manual components.
What does everyone else think?
Lists or tables?

Many thanks,

Simon


--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
OWASP ZAP Project leader

Colm O'Flaherty

Aug 20, 2014, 9:20:51 AM8/20/14
to zaproxy...@googlegroups.com
"A9 - Components with known vulnerabilities" is covered (with increasing coverage) using the new alpha status "Insecure Component" passive scanner. I've just added support for the meta "generator" tag, and I'll be adding vulnerability data for additional products as I find test cases / real world examples of vulnerable software in use. It currently detects vulnerable reported versions of the following:

- Apache + various modules
- PHP
- Squid
- Tomcat
- JBoss
- IIS
- Sun One
- Oracle application server
- Oracle web cache
- Nginx
- lighttpd
- Jetty
- Netscape Enterprise
- Tornado Server
- OpenCMS
- IBM HTTP Server
- OpenSSL
- Perl
- Python
- WordPress


Colm
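To illustrate the kind of check described above (a passive scanner that reads the product versions a response discloses and compares them with known-affected ranges), here is an added, stand-alone example. It is not the Insecure Component add-on's code and does not use ZAP's API; the vulnerable-version ranges in it are constructed placeholders, not real vulnerability data, and the sample response is made up for the demo.

```python
import re

# Constructed illustrative data: product -> list of (first, last) affected versions, inclusive.
# These ranges are placeholders for the demo and are NOT real vulnerability data;
# a real passive check would load a curated, dated database instead.
VULNERABLE_RANGES = {
    "apache":    [((2, 2, 0), (2, 2, 14))],
    "php":       [((5, 3, 0), (5, 3, 9))],
    "wordpress": [((3, 0, 0), (3, 8, 1))],
}

# "Name/1.2.3" tokens inside a Server header, e.g. "Apache/2.2.14 (Ubuntu) PHP/5.3.10".
PRODUCT_TOKEN_RE = re.compile(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)")
# "Name 1.2.3" or "Name/1.2.3" inside a <meta name="generator" content="..."> value.
GENERATOR_VALUE_RE = re.compile(r"^\s*([A-Za-z][\w-]*)[\s/]+v?(\d+(?:\.\d+)*)", re.I)
META_TAG_RE = re.compile(r"<meta\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def parse_version(text):
    """'2.2.14' -> (2, 2, 14). Non-numeric suffixes such as the 'e' in '1.0.1e' are left out by the regexes."""
    return tuple(int(part) for part in text.split("."))


def _meta_attrs(tag_body):
    """Parse the attributes of one <meta ...> tag into a lower-cased dict, whatever their order."""
    attrs = {}
    for m in ATTR_RE.finditer(tag_body):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs


def extract_components(headers, body):
    """Return (product, version_tuple, evidence_source) for every product/version the response reveals."""
    found = []
    for line in headers:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            for m in PRODUCT_TOKEN_RE.finditer(value):
                found.append((m.group(1).lower(), parse_version(m.group(2)), "Server header"))
    for tag in META_TAG_RE.finditer(body):
        attrs = _meta_attrs(tag.group(1))
        if attrs.get("name", "").lower() != "generator":
            continue
        m = GENERATOR_VALUE_RE.match(attrs.get("content", ""))
        if m:
            found.append((m.group(1).lower(), parse_version(m.group(2)), "meta generator tag"))
    return found


def in_range(version, first, last):
    """Inclusive comparison after padding all tuples to the same length, so '2.2' compares as 2.2.0."""
    width = max(len(version), len(first), len(last))

    def pad(v):
        return v + (0,) * (width - len(v))

    return pad(first) <= pad(version) <= pad(last)


def check_response(headers, body):
    """Passive check: one alert per disclosed component whose version falls inside an affected range."""
    alerts = []
    for product, version, source in extract_components(headers, body):
        for first, last in VULNERABLE_RANGES.get(product, []):
            if in_range(version, first, last):
                alerts.append({
                    "product": product,
                    "version": ".".join(map(str, version)),
                    "evidence": source,
                })
    return alerts


# Constructed sample response: an Apache/PHP server hosting WordPress that advertises its versions.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Server: Apache/2.2.14 (Ubuntu) PHP/5.3.10",
    "Content-Type: text/html; charset=UTF-8",
]
SAMPLE_BODY = (
    '<html><head><meta content="WordPress 3.8.1" name="generator">'
    '<meta name="viewport" content="width=device-width"></head><body></body></html>'
)

if __name__ == "__main__":
    for alert in check_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{alert['product']} {alert['version']} (from {alert['evidence']}) is in an affected range")
```

On the sample response this flags Apache 2.2.14 and WordPress 3.8.1 but not PHP 5.3.10, because 5.3.10 sorts after 5.3.9 when versions are compared as integer tuples rather than as strings; string comparison would get that case wrong, which is the main pitfall in checks of this kind. The remaining gap a real check has to close is the data itself: version banners are "reported" versions, so a back-ported fix can make a fixed build look affected, which is why such alerts are best raised at a confidence level that tells the tester to confirm before reporting.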



kingthorin+owaspzap

Aug 20, 2014, 9:36:21 AM8/20/14
to zaproxy...@googlegroups.com
My 2 cents:

  1. I like the tables. My only concern is the entries where there's an entire column blank, i.e.: Automated Tools for A2.
  2. "General purpose manual components" should probably be in title caps, since it's a title.
  3. I've only reviewed the latest PDF. Are colour images available?
  4. Under A1 Manual tools can the multi-line entry be made to align properly like the multi-line entry under A3?
  5. Can we adjust all cell alignment to left aligned but centered top to bottom? Currently it seems all over the place: Automated in A1 has one left/centre and one left/bottom (it seems, though one might be a different font size too), while everything within A2 seems to be left/top.
  6. For the header row I'd suggest centre/centre alignment.
  7. If it doesn't break OWASP style guidelines I'd suggest white header row text vs the current black.
  8. Last, if we could reduce margins and head/foot space I think it behooves us to keep this to two pages that way people might actually print it for their cube walls. If we could somehow fit it on a single page like a traditional "cheat sheet" even better.


Ok, so that's probably way more than 2 cents' worth of input, but I can't help myself :)

psiinon

Aug 20, 2014, 10:59:41 AM8/20/14
to zaproxy...@googlegroups.com, colm.p.o...@gmail.com
Great.
I've added that to the Google doc and my local odt.

psiinon

Aug 20, 2014, 11:04:01 AM8/20/14
to zaproxy...@googlegroups.com
You can hack either my odt or the one gmaran23 posted. Or create your own one from scratch if you want :)
I'm not aware of any 'OWASP style guidelines', so I think we have pretty much free rein over the format.
Be good if it was similar to the Getting Started format, although we can change that one as well if we like.

psiinon

Aug 20, 2014, 11:19:37 AM8/20/14
to zaproxy...@googlegroups.com
Might be tricky to get down to one page, but we could have one page for automated components and one for manual?
Maybe all in a table format?

kingthorin+owaspzap

Aug 25, 2014, 9:22:39 PM8/25/14
to zaproxy...@googlegroups.com
Looks like this page should be brought in-line with whatever is assembled:
https://code.google.com/p/zaproxy/wiki/OWASPTop10RisksCoverage

psiinon

Aug 26, 2014, 9:52:40 AM8/26/14
to zaproxy...@googlegroups.com
Ha!
I'd forgotten all about that page :)

I've updated it with the doc in table format, and also uploaded a pdf version linked off that page (http://sourceforge.net/projects/zaproxy/files/docs/ZAPpingTheOwaspTop10.pdf/download)

How does that look?

psiinon

Aug 28, 2014, 10:08:06 AM8/28/14
to zaproxy...@googlegroups.com
I've now created a page on the OWASP wiki (which also links to a downloadable pdf version):

https://www.owasp.org/index.php/ZAPpingTheTop10

Thanks to everyone who provided input, and please let me know if you spot anything that's wrong or becomes out of date.

Cheers,

Simon