CWE associated to ZAP Scan Rules


Massimo Pichini

Aug 25, 2020, 3:11:42 AM
to OWASP ZAP User Group
Hi there,

the ZAP scan rules 10010 (Cookie No HttpOnly Flag) and 10011 (Cookie Without Secure Flag) seem to detect CWE 1004 and CWE 614 respectively. However, the detail pages of the two alerts do not link the corresponding CWE values. Are the detail pages not updated, or is there some other reason why they are not actually detecting these two CWEs?

Is there a document/page that lists, for each scan rule, the corresponding CWE verified, without having to navigate to the details page of each alert?

Thank you very much
Massimo

Simon Bennetts

Aug 25, 2020, 3:56:22 AM
to OWASP ZAP User Group
Scan rules should refer to the relevant CWE and WASC IDs. In this case it just looks like those IDs are missing from the code.

I've just raised this issue for them: https://github.com/zaproxy/zaproxy/issues/6140
They are very simple changes to make - anyone fancy implementing them?

Many thanks,

Simon
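Until the rule code carries the IDs, the quickest way to see which alerts in a scan lack a CWE/WASC mapping (and to get the per-rule list Massimo asked for without clicking through each alert page) is to read them out of a ZAP JSON report. The script below is an added example, not code from ZAP or from either poster; it assumes the traditional JSON report layout (a top-level `site` list whose entries carry an `alerts` list with `pluginid`, `alert`, `cweid` and `wascid` keys) and uses a constructed sample report in which 10010 is still unmapped and 10011 already carries CWE 614.

```python
import json

# Constructed sample in the shape of ZAP's traditional JSON report
# (assumed layout; the values are made up to show one unmapped and one mapped rule).
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "https://example.test",
        "alerts": [
            {"pluginid": "10010", "alert": "Cookie No HttpOnly Flag",
             "cweid": "-1", "wascid": "-1"},
            {"pluginid": "10011", "alert": "Cookie Without Secure Flag",
             "cweid": "614", "wascid": "13"},
        ],
    }],
})

# Values ZAP reports emit when a rule has not set an ID (assumption: "-1",
# "0" or empty; all three are treated as "not mapped").
UNSET = {"", "0", "-1"}


def rule_table(report_json):
    """Map each pluginid seen in the report to (alert name, cweid, wascid)."""
    table = {}
    for site in json.loads(report_json).get("site", []):
        for a in site.get("alerts", []):
            pid = str(a.get("pluginid", ""))
            table[pid] = (a.get("alert", ""),
                          str(a.get("cweid", "")).strip(),
                          str(a.get("wascid", "")).strip())
    return table


def missing_mappings(report_json):
    """Return {pluginid: (alert name, [unset fields])} for rules lacking a
    CWE or WASC id; an empty dict means every reported rule is mapped."""
    gaps = {}
    for pid, (name, cwe, wasc) in rule_table(report_json).items():
        unset = [f for f, v in (("cweid", cwe), ("wascid", wasc)) if v in UNSET]
        if unset:
            gaps[pid] = (name, unset)
    return gaps


if __name__ == "__main__":
    for pid, (name, cwe, wasc) in sorted(rule_table(SAMPLE_REPORT).items()):
        print(f"{pid}\t{name}\tCWE-{cwe or '?'}\tWASC-{wasc or '?'}")
    for pid, (name, unset) in missing_mappings(SAMPLE_REPORT).items():
        print(f"UNMAPPED {pid} ({name}): {', '.join(unset)} not set")
```

Point it at a real report by replacing `SAMPLE_REPORT` with the file contents; rules flagged as unmapped are the ones worth a ticket like the issue above.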