Critical Severity in ZAP alerts


Antero Silva

May 17, 2023, 5:13:56 AM
to OWASP ZAP User Group
Hi,

Currently ZAP supports the severities addressed in the following URL: https://www.zaproxy.org/docs/desktop/start/features/alerts/

Is ZAP also considering supporting the new Critical severity addressed by OWASP when there is a High impact and likelihood?

Regards,
Antero

kingthorin+owaspzap

May 17, 2023, 8:26:28 AM
to OWASP ZAP User Group
ZAP doesn't have access to all of the contextual data to calculate Risk.

kingthorin+owaspzap

May 29, 2023, 10:58:59 AM
to OWASP ZAP User Group
To be clear, ZAP does call the field on the Alerts "Risk" but in reality it's more like "Severity".

No, there isn't a way to "add" another; you can, however:
- Add an alert tag.
- Set the confidence to "Confirmed".

Antero Silva

May 29, 2023, 11:09:40 AM
to OWASP ZAP User Group
Hi,

Sorry, but I'm not getting it. Alerts are being raised by ZAP components such as active scanning. Each scanner/rule is determining the severity of the alert. Therefore it should be possible to add a new severity called Critical, right?

kingthorin+owaspzap

May 29, 2023, 11:59:07 AM
to OWASP ZAP User Group
Logically it is "possible", but the number of things that it would impact makes it VERY impractical.

Simon Bennetts

May 30, 2023, 4:53:14 AM
to OWASP ZAP User Group
I guess we _could_ add a new level, but I can't see us changing any of the rules to support it directly.
Instead it would be like "False Positive" which is only set manually, via the API or alert filters.

Would that be useful to anyone?

Cheers,

Simon
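The point made above is that ZAP's "Risk" field is a severity, and the likelihood half of a risk rating needs context ZAP does not have. The following script is an added example, not ZAP project code and not from any poster in this thread: it post-processes a ZAP JSON report, combines ZAP's severity with a reviewer-supplied likelihood per URL prefix using the OWASP Risk Rating matrix, and only lets confirmed findings reach a "Critical" bucket. The report layout, the numeric riskcode/confidence codes, the sample findings and the URL prefixes are assumptions constructed for the example.

```python
"""Added example (not ZAP project code): derive an OWASP-style overall risk,
including a Critical tier, from a ZAP JSON report plus reviewer context."""
import json

# Assumed code meanings, modelled on ZAP's traditional JSON report.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CONFIDENCE_NAMES = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High", 4: "Confirmed"}

# OWASP Risk Rating Methodology overall-risk matrix: (likelihood, impact) -> risk.
OWASP_RISK = {
    ("Low", "Low"): "Note",      ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",     ("High", "High"): "Critical",
}

# Constructed sample report, trimmed to the fields used here; the findings are made up.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"pluginid": "40018", "name": "SQL Injection", "riskcode": "3", "confidence": "4",
             "instances": [{"uri": "https://app.example.test/login", "param": "user"}]},
            {"pluginid": "40012", "name": "Cross Site Scripting (Reflected)", "riskcode": "3",
             "confidence": "2",
             "instances": [{"uri": "https://app.example.test/search", "param": "q"}]},
            {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "confidence": "2",
             "instances": [{"uri": "https://app.example.test/", "param": ""}]},
            {"pluginid": "90022", "name": "Application Error Disclosure", "riskcode": "2",
             "confidence": "0",  # reviewer marked this one False Positive
             "instances": [{"uri": "https://app.example.test/err", "param": ""}]},
        ],
    }],
})

# Reviewer-supplied context ZAP lacks: how exposed each part of the app is.
# Longest matching prefix wins; unmatched URLs get the default likelihood.
SAMPLE_LIKELIHOOD = {
    "https://app.example.test/login": "High",   # unauthenticated, internet-facing
    "https://app.example.test/search": "High",
}


def likelihood_for(uri, likelihood_by_prefix, default="Medium"):
    """Return the likelihood for the longest prefix matching uri, or the default."""
    best, best_len = default, -1
    for prefix, level in likelihood_by_prefix.items():
        if uri.startswith(prefix) and len(prefix) > best_len:
            best, best_len = level, len(prefix)
    return best


def rate_alerts(report_text, likelihood_by_prefix, min_confidence=3):
    """Combine ZAP severity with supplied likelihood into an overall risk per instance.

    False Positive (confidence 0) and Informational alerts are skipped. A finding
    only reaches "Critical" when its confidence is at least min_confidence
    (High by default); weaker High x High findings are capped at "High".
    """
    report = json.loads(report_text)
    rated = []
    for site in report["site"]:
        for alert in site["alerts"]:
            impact = RISK_NAMES[int(alert["riskcode"])]
            conf = int(alert["confidence"])
            if conf == 0 or impact == "Informational":
                continue
            for inst in alert["instances"]:
                likelihood = likelihood_for(inst["uri"], likelihood_by_prefix)
                overall = OWASP_RISK[(likelihood, impact)]
                if overall == "Critical" and conf < min_confidence:
                    overall = "High"
                rated.append({
                    "pluginid": alert["pluginid"], "name": alert["name"], "uri": inst["uri"],
                    "severity": impact, "confidence": CONFIDENCE_NAMES[conf],
                    "likelihood": likelihood, "risk": overall,
                })
    return rated


def critical_findings(report_text, likelihood_by_prefix):
    """Only the findings that landed in the Critical bucket."""
    return [r for r in rate_alerts(report_text, likelihood_by_prefix) if r["risk"] == "Critical"]


if __name__ == "__main__":
    for r in rate_alerts(SAMPLE_REPORT, SAMPLE_LIKELIHOOD):
        print(f'{r["risk"]:8} {r["severity"]:6} x {r["likelihood"]:6} '
              f'[{r["confidence"]}] {r["name"]} @ {r["uri"]}')
```

Run against the constructed sample, the SQL injection at /login is the only finding that reaches Critical: the reflected XSS is High severity on a High-likelihood URL but its confidence is Medium, so it stays High until a reviewer confirms it (the confidence change kingthorin described). The likelihood table is deliberately outside ZAP, which is exactly the contextual data the thread says the scanner cannot know.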

Antero Silva

May 30, 2023, 5:36:17 AM
to OWASP ZAP User Group
Hi Simon,

Yes, it would be useful.

Regards,
Antero
