Hello,
I would like to understand how to have ZAP execute all passive and active scanners via the user interface and then via a Python script. My results comparing WebInspect results with those from ZAP 2.7 don't show correlation. I mapped most of the CWEs from WebInspect to WASCs below. The mappings are based on the projects.webappsec.org Threat Classification Taxonomy Cross Reference.
What ZAP scans can potentially find similar results using ZAP?
Ben
WebInspect scan results:
Listed as high:
1) Weak Password Policy (CWE-521 indirectly relates to WASC-11 under Brute Forcing Log-in Credentials)
2) Session Fixation (CWE-384 WASC-37)
3) Cross Frame Scripting (CWE-352 WASC-9)
4) Weak SSL Protocol (CWE-327, not sure of mapping here)
Medium
5) Web Server Misconfiguration: Unprotected Directory (CWE-284 WASC-2) (CWE-200 WASC-13)
6) Cross Site Request Forgery (CWE-284 WASC-2)
7) Cross Frame Scripting (CWE-352 WASC-9)
8) Insecure Transport: Misconfigured Public Key Pinning CWE-297 (CWE-693 could be WASC-40)
Low
9) Poor Error Handling: Server Error Message CWE-388, CWE-497 (CWE-200 WASC-13)
10) Insecure Transport: Insufficient HSTS Expiration Time (CWE-319 WASC-4)
For that web app we ran ZAP 2.7 user interface using a context and then ran spidering, ajax-spidering and then active scanning.
ZAP appears to be running as desired and connecting to the application. For instance, with AJAX spidering using Firefox, the login is successful and URLs are discovered. The active scan options used are as follows. In the Scope tab: starting point, default policy, our context and user. We checked "Recurse". On the Input Vectors tab, we selected the default, so none of "URL Path", "HTTP Headers", "Cookie Data", and "Enable Script Input Vectors". All technologies checked in the Technology tab. No changes to the Custom Vectors tab or Policy tab.
ZAP scan results:
High
SQL Injection CWE-89 WASC-19
Low
Incomplete or No Cache-control and Pragma HTTP Header Set CWE-525 WASC-13
Web Browser XSS Protection is not enabled CWE-933 to WASC-14
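The scripted version of the workflow described in the post (spider, AJAX spider, active scan with all rules enabled, wait for the passive scan queue to drain, then pull the alerts with their CWE/WASC ids so they can be lined up against another scanner's mapped findings), as an added example that is not code from the original post or from the ZAP project. It talks to ZAP's own JSON API over plain `urllib`, so it needs no client library; the endpoint names and parameters are ZAP's (spider/ascan/ajaxSpider/pscan/core). `ZAP_HOST`, `ZAP_PORT`, `ZAP_API_KEY`, `TARGET` and the `SAMPLE_ALERTS` list are assumed or constructed values for this example, and `run_full_scan` is only meaningful against a running ZAP instance with a browser configured for the AJAX spider.

```python
"""Drive ZAP's JSON API: spider -> AJAX spider -> active scan -> collect alerts.

Added example (not from the original post or the ZAP project). Assumes ZAP is
running locally with its API enabled; ZAP_API_KEY and TARGET are placeholders.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_HOST = "127.0.0.1"             # assumption: ZAP listens locally
ZAP_PORT = 8080                    # ZAP's default proxy/API port
ZAP_API_KEY = "changeme"           # placeholder: copy from Tools > Options > API
TARGET = "http://localhost:8081/"  # placeholder target; should be inside your ZAP context

RISK_ORDER = ("High", "Medium", "Low", "Informational")


def build_api_url(component, kind, action, params=None,
                  host=ZAP_HOST, port=ZAP_PORT, api_key=ZAP_API_KEY):
    """Build a ZAP API URL of the form /JSON/<component>/<view|action>/<name>/?...&apikey=..."""
    query = dict(params or {})
    query["apikey"] = api_key
    return "http://%s:%d/JSON/%s/%s/%s/?%s" % (
        host, port, component, kind, action, urllib.parse.urlencode(query))


def zap_call(component, kind, action, params=None):
    """Call one ZAP API endpoint and return its decoded JSON body."""
    with urllib.request.urlopen(build_api_url(component, kind, action, params), timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_until(poll, done, interval=2):
    """Poll a ZAP status view until the predicate says the job has finished."""
    while not done(poll()):
        time.sleep(interval)


def fetch_all_alerts(baseurl, page=100):
    """Page through core/view/alerts so large result sets are not truncated."""
    alerts, start = [], 0
    while True:
        chunk = zap_call("core", "view", "alerts",
                         {"baseurl": baseurl, "start": start, "count": page})["alerts"]
        alerts.extend(chunk)
        if len(chunk) < page:
            return alerts
        start += page


def summarize_alerts(alerts):
    """Group alert records by risk and alert name, keeping ZAP's CWE/WASC ids.

    Returns {risk: {alert name: {"cweid", "wascid", "count", "urls"}}} so the
    output can be compared directly with a CWE/WASC-mapped report from another tool.
    """
    summary = {risk: {} for risk in RISK_ORDER}
    for a in alerts:
        bucket = summary.setdefault(a.get("risk", "Informational"), {})
        entry = bucket.setdefault(a["alert"], {"cweid": a.get("cweid", "-1"),
                                               "wascid": a.get("wascid", "-1"),
                                               "count": 0, "urls": set()})
        entry["count"] += 1
        entry["urls"].add(a.get("url", ""))
    return summary


def run_full_scan(target=TARGET):
    """Run every passive and active rule against target and return the alert summary."""
    zap_call("pscan", "action", "enableAllScanners")             # all passive rules
    zap_call("ascan", "action", "enableAllScanners")             # all active rules (Default Policy)
    sid = zap_call("spider", "action", "scan", {"url": target, "recurse": "true"})["scan"]
    wait_until(lambda: zap_call("spider", "view", "status", {"scanId": sid})["status"],
               lambda s: int(s) >= 100)
    zap_call("ajaxSpider", "action", "scan", {"url": target, "inScope": "true"})
    wait_until(lambda: zap_call("ajaxSpider", "view", "status")["status"],
               lambda s: s == "stopped")
    aid = zap_call("ascan", "action", "scan",
                   {"url": target, "recurse": "true", "inScopeOnly": "true"})["scan"]
    wait_until(lambda: zap_call("ascan", "view", "status", {"scanId": aid})["status"],
               lambda s: int(s) >= 100)
    # Passive rules run on every proxied message; wait for that queue to empty too.
    wait_until(lambda: zap_call("pscan", "view", "recordsToScan")["recordsToScan"],
               lambda n: int(n) == 0)
    return summarize_alerts(fetch_all_alerts(target))


# Constructed sample alerts mirroring the ZAP findings listed in the post (offline demo data).
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "cweid": "89", "wascid": "19", "url": "http://localhost:8081/a"},
    {"alert": "SQL Injection", "risk": "High", "cweid": "89", "wascid": "19", "url": "http://localhost:8081/b"},
    {"alert": "Incomplete or No Cache-control and Pragma HTTP Header Set", "risk": "Low",
     "cweid": "525", "wascid": "13", "url": "http://localhost:8081/a"},
    {"alert": "Web Browser XSS Protection Not Enabled", "risk": "Low",
     "cweid": "933", "wascid": "14", "url": "http://localhost:8081/a"},
]

if __name__ == "__main__":
    # Offline demo; replace with run_full_scan(TARGET) against a live ZAP instance.
    for risk, entries in summarize_alerts(SAMPLE_ALERTS).items():
        for name, e in entries.items():
            print("%-13s %-60s CWE-%s WASC-%s x%d" % (risk, name, e["cweid"], e["wascid"], e["count"]))
```

Two points worth checking when comparing the output against WebInspect: the active scan only exercises what the spiders put into the Sites tree and what the context marks in scope, so a failed or shallow crawl shows up as missing findings rather than as an error; and `enableAllScanners` changes the Default Policy globally, so confirm the policy in the UI if the scripted run is meant to match the interactive one.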