Does OWASP ZAP use information from vulnerability databases like NVD, OSVDB?


Kenny Aondona

Mar 1, 2016, 7:20:46 PM
to OWASP ZAP Developer Group
Hi all,

I am pretty new here so kindly pardon my ignorance :)
Still trying to figure out how OWASP ZAP identifies vulnerabilities.
Some vulnerability scanners like OpenVAS gather vulnerability information
from vulnerability sources like NVD and OSVDB and integrate this into scanning
scripts... which are eventually presented in the scanning results
(including related CVEs, CWEs, etc.)

Does OWASP ZAP apply a similar approach or some other style?
Many thanks.

Ken

psiinon

Mar 2, 2016, 4:50:38 AM
to OWASP ZAP Developer Group
Hi Ken,

No need to apologize - we all had to start somewhere, and this group is for ZAP users of all levels of experience :)

I haven't used OpenVAS, so hopefully someone will correct me if I'm wrong :)
I _think_ tools like that are looking for known vulnerabilities in standard software packages.
ZAP is really targeted at custom applications where this approach falls down - there are no sets of known vulnerabilities.

ZAP will typically inject attacks into all of the input vectors it knows about and then try to determine if they were successful.
Each type of test will work in a different way - we try to document how they work in the help, e.g. Release Ascanrules
The effectiveness of ZAP will depend on how effectively it has explored and understood the application.
Proxying via ZAP and thoroughly exploring it manually is ideal, but it's manual and time-consuming. If you have a good set of regression tests (e.g. using Selenium) then proxying these through ZAP is also recommended (and what we do at Mozilla).
Otherwise you'll have to rely on the traditional and ajax spiders which can be very effective but also may not find everything.
ZAP also needs to understand how the application is structured. If it's a 'traditional' app then you should be fine, but if it's a 'single page app' and/or uses a lot of data driven content then you may well need to configure ZAP in order for it to be more effective.

Does that help?

Cheers,

Simon
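
The contrast drawn in the reply above, as an added example that is not part of the thread and not ZAP's own code: a known-vulnerability lookup finds nothing for a custom application, while probing each known input with a harmless marker finds an unencoded echo. The toy application, the advisory table and all names are constructed for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed stand-in for a custom application with two inputs.
def toy_app(query: str) -> str:
    params = parse_qs(query)
    name = params.get("name", [""])[0]
    note = params.get("note", [""])[0]
    # "name" is echoed raw (the flaw); "note" is HTML-encoded (handled safely).
    return f"<html><body><p>Hello {name}</p><p>{html.escape(note)}</p></body></html>"

# Constructed advisory table standing in for an NVD-style feed (placeholder id).
KNOWN_ISSUES = {("examplecms", "1.2"): ["ADVISORY-PLACEHOLDER-1"]}

def database_lookup(product: str, version: str) -> list:
    """Known-vulnerability model: reports only what is already catalogued."""
    return KNOWN_ISSUES.get((product.lower(), version), [])

def probe_inputs(app, known_params: list) -> list:
    """Dynamic model: send a marker into each known input and report the
    inputs whose response returns it without encoding, tagged with the
    weakness class (CWE-79) rather than a catalogued CVE."""
    findings = []
    for param in known_params:
        marker = f"<probe-{param}>"
        body = app(f"{param}={marker}")
        if marker in body:
            findings.append((param, "CWE-79"))
    return findings

if __name__ == "__main__":
    # A custom application has no entry in any vulnerability database.
    print("lookup, custom app:", database_lookup("in-house-app", "0.1"))
    # Catalogued software is where the lookup model works.
    print("lookup, packaged app:", database_lookup("ExampleCMS", "1.2"))
    # Probing every discovered input finds the raw echo in "name".
    print("probe, full coverage:", probe_inputs(toy_app, ["name", "note"]))
    # If exploration never discovered "name", the flaw is never tested.
    print("probe, partial coverage:", probe_inputs(toy_app, ["note"]))
```

The last call shows why exploration matters: an input the scanner never learned about is never probed, so the result depends on coverage as much as on the test itself.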

Kenny Aondona

Jul 4, 2016, 7:31:59 AM
to psi...@gmail.com, zaproxy...@googlegroups.com
Hi Simon,

Thanks a lot for your last mail, in which you provided some really useful pointers as to the differences between OWASP ZAP and OpenVAS.
I have been playing around with ZAP since then, but there is still a lot to learn. One thing that has been on my mind is how to
integrate ZAP into a cloud infrastructure like OpenStack... for security scanning. I would like to do this as a
research project. It seems that SalesForce has adopted such an integration (Chimera) but their
design is not open to the public. I also see that there was an unsuccessful attempt by OWASP here for a similar effort.

Could you give me some tips or insights into the possibilities for this, or just your thoughts?
Do you know of similar efforts?

Many thanks,
Ken

