Risk level of ZAP alert details


Ford Tom

Oct 31, 2022, 5:27:04 AM
to OWASP ZAP User Group
Hi there,

We found that the risk levels of some alerts at https://www.zaproxy.org/docs/alerts/ are still left blank, e.g. 「Absence of Anti-CSRF Tokens」 and 「Content Security Policy (CSP) Header Not Set」, but in the ZAP application 2.12.0 their level went up from Low to Medium. Should these two alerts be corrected as soon as possible? We did add Anti-CSRF tokens in all non-public functions (login needed), but they are lacking in public functions for non-login users. Any recommendation? Thanks.
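As an added illustration of the two alerts named in this question (not code from the thread or from ZAP itself), the following passive check reproduces their core logic on a constructed HTTP response: it flags a missing Content-Security-Policy header and any POST form without a hidden anti-CSRF field. The POST-only rule and the token-name regex are assumptions for this example, not ZAP's own rule configuration.

```python
import re
from html.parser import HTMLParser

# Constructed sample response: no CSP header, one POST form with a token, one without
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
SAMPLE_HTML = """
<form action="/account/update" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input name="email">
</form>
<form action="/contact" method="post">
  <input name="message">
</form>
<form action="/search" method="get"><input name="q"></form>
"""

# Hidden-field names commonly used for anti-CSRF tokens (assumption: extend for your app)
TOKEN_NAME_RE = re.compile(r"csrf|xsrf|anticsrf|__requestverificationtoken|authenticity_token", re.I)

class FormCollector(HTMLParser):
    # Collect each form's method/action and the names of its hidden inputs
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "method": (a.get("method") or "get").lower(), "hidden": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and (a.get("type") or "").lower() == "hidden":
            self._current["hidden"].append(a.get("name") or "")
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def check_response(headers, html):
    # Return a list of (alert, detail) findings for one HTTP response
    findings = []
    if not any(k.lower() == "content-security-policy" for k in headers):
        findings.append(("Content Security Policy (CSP) Header Not Set", "no CSP header in response"))
    parser = FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if form["method"] != "post":
            continue  # only state-changing (POST) forms are required to carry a token here
        if not any(TOKEN_NAME_RE.search(n) for n in form["hidden"]):
            findings.append(("Absence of Anti-CSRF Tokens", f"POST form to {form['action']} has no token field"))
    return findings
```

Public, unauthenticated POST forms (contact, search-by-POST, signup) are exactly where this check fires, which matches the situation described in the question.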


Simon Bennetts

Oct 31, 2022, 5:44:49 AM
to OWASP ZAP User Group
I think that previously all Release status rules did have example alerts, but we've just promoted a set of rules that don't have them.
We probably shouldn't have done that :P
We should prioritize updating the new Release status rules asap (looks like they are all Passive ones) and then the Beta status ones.
Help with tasks like this is always appreciated!

Cheers,

Simon