Critical Severity in ZAP alerts
202 views
Skip to first unread message
Antero Silva
May 17, 2023, 5:13:56 AM5/17/23
to OWASP ZAP User Group
Hi,
Currently ZAP supports the severities addressed in the following url https://www.zaproxy.org/docs/desktop/start/features/alerts/
Is ZAP considering also supporting the new Critical Severity addresses by OWASP when there is a High impact and Likelihood
Regards,
Antero
kingthorin+owaspzap
May 17, 2023, 8:26:28 AM5/17/23
to OWASP ZAP User Group
ZAP doesn't have access to all of the contextual data to calculate Risk.
kingthorin+owaspzap
May 29, 2023, 10:58:59 AM5/29/23
to OWASP ZAP User Group
To be clear, ZAP does call the field on the Alerts "Risk" but in reality it's more like "Severity".
No there isn't a way to "add" another, you can however:
- Add an alert tag.
- Set the confidence to "Confirmed".
Antero Silva
May 29, 2023, 11:09:40 AM5/29/23
to OWASP ZAP User Group
Hi,
Sorry but i'm not getting it. Alerts are being raised by ZAP components such as active scanning. Each scanner/rule is determining the severity of the alert. therefore it should be possible to add a new severity call Critical right ?
kingthorin+owaspzap
May 29, 2023, 11:59:07 AM5/29/23
to OWASP ZAP User Group
Logically it's is "Possible" but the number of things that it would impact makes it VERY impractical.
Simon Bennetts
May 30, 2023, 4:53:14 AM5/30/23
to OWASP ZAP User Group
I guess we _could_ add a new level, but I cant see us changing any of the rules to support it directly.
Instead it would be like "False Positive" which is only set manually, via the API or alert filters.
Would that be useful to anyone?
Cheers,
Simon
Antero Silva
May 30, 2023, 5:36:17 AM5/30/23
to OWASP ZAP User Group
Hi Simon,
Yes it would be useful.
Regards,
Antero
Reply all
Reply to author
Forward
0 new messages