Hi,
Performance is increasingly an issue alright.. not so much for the passive scanners, but definitely for the active scanners. The "Attack Strength" option can be used to mediate this, as long as the scanner takes note of it, and scales the number of requests it makes accordingly. The other key thing for performance is that the more critical checks should be performed before the less critical checks. To this end, we recently made a change to Zap to run Active Scan scanners in decreasing order of severity (ie, run the scanners that raise High risk alerts before scanners that raise Medium alerts, etc). We probably need to do a little bit of rationalisation to make sure that all the scanners raise alerts of the appropriate severity, so that they can be correctly prioritised.
There is some overlap between a proposed "Unvalidated Redirects and Forwards" scanner, and the existing "Path Traversal" scanner (which I believe is still implemented in the Zap core, rather than as an extension). The Path Traversal scanner checks for Local and Remote path traversals. A remote path traversal exploit might look like "
http://www.example.com?goto=http://www.google.com". This is effectively an "Unvalidated Redirect". Maybe take a look, see what you think, and if you can suggest ways of improving it, or for making it detect other cases, it would be good to hear of them. I'm not certain of the terminology here, so maybe we need to standardise. Suggestions are welcome.
The OWASP Top 10 is an excellent place to start looking alright, but as far as I'm aware, there is no entry in the wiki to map the OWASP Top 10 to Zap development effort, or to scanners implemented as extensions. If you added the wiki page, I could help in updating it, for the scanners that I'm familiar with.
Some more scanner ideas (there may also have been other ideas floating about which I haven't mentioned here):
- Command Injection: inject Windows / Linux/ Unix commands, and verify if they have been executed, by examining the output. This would definitely be a severity high issue.
- Server Side Inclusion (including command injection): verify if Server Side Includes have been enabled, and if they can be exploited. Depending on which directives can be exploited, this would probably be medium, or if command injection is supported, then definitely High.
- More SQL Injection scanners for other RDBMSs. Each one would need to check for time-based SQL injection techniques, using RDBMS specific time delay functions. I can give some guidance on this.. I just don't have access to to the appropriate RDBMSs, or I would be implementing these.
- An improved LDAP injection scanner, using proper LDAP expressions to attempt to control the output, rather than merely relying on known LDAP middleware error messages in the output.
Someone feel free to correct me if parts of these have already been implemented.
Colm