OWASP Top 10 2023


Shamsudin MH

Dec 29, 2023, 10:48:39 AM
to ZAP Developer Group
Hello ZAP Developer Team,

Good evening!

I have implemented active scanning from my microservice to the ZAP SDK,
and it's really working great.

I would like to know: does it cover all of the 2023 Top 10 vulnerabilities?

As per the document it covers 2021, and when I look at 2023 there are five newly
added items, as below. Do we have any add-ons for these as of today? Please update.

API3:2023 - Broken Object Property Level Authorization

API4:2023 - Unrestricted Resource Consumption

API5:2023 - Broken Function Level Authorization

API6:2023 - Unrestricted Access to Sensitive Business Flows

API10:2023 - Unsafe Consumption of APIs

Regards,
Shamsudin

kingthorin+zap

Dec 29, 2023, 11:14:50 AM
to ZAP Developer Group
API Top 10 is not the same as the Top 10.

We don't currently have a mapping for the API Top 10.

Kevin W. Wall

Dec 29, 2023, 11:26:03 AM
to zaproxy...@googlegroups.com
Rick,

You do have ZAP coverage mapped to CWEs though, right? I personally find that mapping more useful as it is much more granular. (Unfortunately, I failed to bookmark it on my personal laptop, and am too lazy to search for it at the moment, but perhaps someone on the ZAP team can provide it.) The OWASP API Top 10 has associated CWEs mapped to the respective API Top 10 issues, so one should be able to combine the two lists via CWEs with a little effort to figure out which ones ZAP covers.

Just a thought.

-kevin



--
Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.

kingthorin+zap

Dec 30, 2023, 6:37:27 AM
to ZAP Developer Group
Yes, most alerts have a mapped CWE: ZAP – ZAP Alert Details (zaproxy.org)

Open CRE may also map between API Top 10 and ZAP, not sure.
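As an added example of the CWE join that Kevin and kingthorin describe above (this is not code from the thread or from the ZAP project): it reads a ZAP-style JSON report, collects the `cweid` of every alert, and reports which API Top 10 items have at least one alert whose CWE matches. The report shape is modelled on ZAP's traditional JSON report; the sample alerts and the per-item CWE sets are constructed placeholders to be replaced with the CWE references OWASP publishes for each API Top 10 item.

```python
import json
from collections import defaultdict

# Constructed sample modelled on ZAP's traditional JSON report
# (site -> alerts -> "cweid" as a string, "-1" when no CWE is assigned).
ZAP_REPORT_JSON = """
{"site": [{"@name": "https://api.example.test", "alerts": [
  {"pluginid": "10000", "alert": "Constructed alert A", "riskcode": "2", "cweid": "285"},
  {"pluginid": "10001", "alert": "Constructed alert B", "riskcode": "1", "cweid": "770"},
  {"pluginid": "10002", "alert": "Constructed alert C", "riskcode": "3", "cweid": "89"},
  {"pluginid": "10003", "alert": "Constructed alert D", "riskcode": "0", "cweid": "-1"}
]}]}
"""

# Placeholder mapping: API Top 10 2023 item -> CWE ids. These values are
# illustrative only; fill them from the References section of each item.
API_TOP10_CWES = {
    "API3:2023 Broken Object Property Level Authorization": {"213", "915"},
    "API4:2023 Unrestricted Resource Consumption": {"400", "770", "799"},
    "API5:2023 Broken Function Level Authorization": {"285"},
    "API6:2023 Unrestricted Access to Sensitive Business Flows": {"840"},
    "API10:2023 Unsafe Consumption of APIs": {"1357"},
}


def alert_cwes(report_json: str) -> dict[str, set[str]]:
    """Map each CWE id in the report to the ZAP alert names carrying it.
    Alerts with no CWE ("-1" or missing) are skipped."""
    by_cwe = defaultdict(set)
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            cwe = str(alert.get("cweid", "-1")).strip()
            if cwe and cwe != "-1":
                by_cwe[cwe].add(alert["alert"])
    return dict(by_cwe)


def coverage(report_json: str, mapping=API_TOP10_CWES) -> dict[str, set[str]]:
    """For each API Top 10 item, the ZAP alerts whose CWE is in its CWE set.
    An empty set marks an item the report gives no evidence for."""
    by_cwe = alert_cwes(report_json)
    return {item: set().union(*(by_cwe.get(c, set()) for c in cwes))
            for item, cwes in mapping.items()}


if __name__ == "__main__":
    for item, alerts in coverage(ZAP_REPORT_JSON).items():
        status = "covered by " + ", ".join(sorted(alerts)) if alerts else "NO matching alert"
        print(f"{item}: {status}")
```

A single scan report only lists alerts that fired against one target; to judge rule coverage rather than findings, feed the same join the complete alert list from the ZAP Alert Details page.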

Shamsudin MH

Jan 9, 2024, 4:59:56 AM
to ZAP Developer Group
Thanks for your response.

How can I write my code to address the OWASP Top 10 2023 vulnerabilities using either a ZAP proxy script or Java code? If possible, please provide suggestions.

Regards
Shamsudin

kingthorin+zap

Jan 10, 2024, 1:17:31 PM
to ZAP Developer Group