Mapping pluginID of passive scanners to wasc and/or cwe ID.


skzaproxy

Jan 19, 2017, 5:53:36 AM
to OWASP ZAP User Group
Hi,

ZAP Active scanner lists clearly
a. which scan ID is mapped to a CWE and WASC ID, so when a report is generated it is easy to understand the mapping of CWE/WASC and plugin ID
b. Example:
{
        "allDependenciesAvailable": "true",
        "policyId": "2",
        "cweId": "98",
        "attackStrength": "DEFAULT",
        "alertThreshold": "DEFAULT",
        "name": "Remote File Inclusion",
        "wascId": "5",
        "id": "7",
        "enabled": "true",
        "quality": "release",
        "dependencies": []
}

ZAP Passive scan lists only the plugin ID; where can we get the mapping of plugin ID to CWE/WASC ID?
Example:
1. Passive scanner shows the following information:
{
        "alertThreshold": "MEDIUM",
        "name": "Cookie No HttpOnly Flag",
        "id": "10010",
        "enabled": "true",
        "quality": "release"
}

2. The ZAP report for different plugin IDs shows the same CWE ID "16" but different WASC IDs. How did ZAP map different plugin IDs to the same CWE ID "16" and to WASC IDs "15" or "13"?
All three issues in the screenshot are from the same report; all three have different plugin IDs and WASC IDs but the same CWE ID 16.
Where is ZAP fetching the WASC and CWE ID for a particular plugin ID of a passive scan? Is there any document that states the mapping of passive scan plugin IDs to CWE/WASC IDs?


ZAP_ListofActiveScanners.txt
ZAP-ListofPassiveScanners.txt
Auto Generated Inline Image 1

kingthorin+owaspzap

Jan 19, 2017, 9:22:18 AM
to OWASP ZAP User Group
Determination of CWE and WASC IDs is done by the author of the particular scanner/code, with a little bit of scrutiny during review (I know I've been challenged on a few when I submitted the code). If there are some you feel are wrong or inaccurate, that's open to community debate/discussion.

Much of it is likely based on this WASC mapping: http://projects.webappsec.org/w/page/13246975/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View

Ref:
CWE-16 Configuration: http://cwe.mitre.org/data/definitions/16.html
WASC-13 Information Leakage: http://projects.webappsec.org/w/page/13246936/Information%20Leakage
WASC-15 Application Misconfiguration: http://projects.webappsec.org/w/page/13246914/Application%20Misconfiguration

As for the differences in API output, you could raise an issue for that at https://github.com/zaproxy/zaproxy/issues; I can see value in including the WASC and CWE info for consistency. Please include the specific API endpoint you're using when retrieving the details.

Ferda Özdemir Sönmez

May 5, 2018, 7:03:25 AM
to OWASP ZAP User Group
Hi,
Thank you for the information which associates active scans to the CWE and WASC standards. Is there a list which similarly includes the associations of passive scan rules to CWE and WASC?

Best Regards,
Ferda Özdemir Sönmez



kingthorin+owaspzap

May 5, 2018, 8:44:38 AM
to OWASP ZAP User Group
Unfortunately, no, there isn't a list; you'd have to read through the code of the passive scanners.
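
The thread notes that the passive scan rule list carries no cweId/wascId fields while the alerts in a report do. The script below is an added example, not code from this thread, from the Stack Overflow answer mentioned later, or from the ZAP project: it joins a rule list to an alert export on plugin ID, recovering the CWE/WASC mapping for every rule that fired and listing the rules that did not (those are the ones left for reading the source). Both inputs are constructed samples; rule 10010 and the CWE/WASC values 16, 13 and 15 come from the thread, the other rule and alert entries are made up, and the alert field names pluginId, cweid and wascid are an assumption about the alert format.

```python
import json
from collections import defaultdict

# Constructed sample of a passive scan rule list as the thread shows it:
# no cweId/wascId fields. Rule 10010 is from the thread; the other two
# entries are made up for this example.
PSCAN_RULES_JSON = """
[
  {"alertThreshold": "MEDIUM", "name": "Cookie No HttpOnly Flag",
   "id": "10010", "enabled": "true", "quality": "release"},
  {"alertThreshold": "MEDIUM", "name": "Constructed Header Rule",
   "id": "10020", "enabled": "true", "quality": "release"},
  {"alertThreshold": "MEDIUM", "name": "Constructed Rule That Never Fired",
   "id": "10030", "enabled": "true", "quality": "release"}
]
"""

# Constructed sample of alert records from a report export. The field names
# pluginId / cweid / wascid are an assumption about the alert format; the
# CWE/WASC values 16, 13 and 15 are the ones discussed in the thread.
ALERTS_JSON = """
[
  {"pluginId": "10010", "name": "Cookie No HttpOnly Flag",
   "cweid": "16", "wascid": "13", "url": "http://example.test/login"},
  {"pluginId": "10010", "name": "Cookie No HttpOnly Flag",
   "cweid": "16", "wascid": "13", "url": "http://example.test/account"},
  {"pluginId": "10020", "name": "Constructed Header Rule",
   "cweid": "16", "wascid": "15", "url": "http://example.test/"},
  {"pluginId": "50000", "name": "Constructed alert with no rule entry",
   "cweid": "20", "wascid": "20", "url": "http://example.test/search"}
]
"""


def build_mapping(rules_json, alerts_json):
    """Join the rule list to the alerts on plugin id.

    Returns {plugin_id: {"name": str, "cwe": sorted list, "wasc": sorted list}}.
    Rules that raised no alert keep empty lists: the export cannot tell us
    their mapping, so they are the ones that still need a look at the source.
    """
    rules = json.loads(rules_json)
    alerts = json.loads(alerts_json)

    mapping = {
        r["id"]: {"name": r["name"], "cwe": set(), "wasc": set()} for r in rules
    }
    for a in alerts:
        pid = a["pluginId"]
        # Alerts whose plugin id is absent from the rule list are kept too,
        # so the mapping covers everything the report actually contains.
        entry = mapping.setdefault(
            pid, {"name": a["name"], "cwe": set(), "wasc": set()}
        )
        entry["cwe"].add(a["cweid"])
        entry["wasc"].add(a["wascid"])

    return {
        pid: {"name": e["name"], "cwe": sorted(e["cwe"]), "wasc": sorted(e["wasc"])}
        for pid, e in mapping.items()
    }


def unmapped_rules(mapping):
    """Plugin ids whose CWE/WASC could not be learned from the alerts."""
    return sorted(pid for pid, e in mapping.items() if not e["cwe"])


def group_by_cwe(mapping):
    """Invert the mapping: CWE id -> sorted list of (plugin id, wasc ids).

    This makes the thread's observation visible: several plugins share
    CWE-16 while carrying different WASC ids.
    """
    by_cwe = defaultdict(list)
    for pid, e in mapping.items():
        for cwe in e["cwe"]:
            by_cwe[cwe].append((pid, e["wasc"]))
    return {cwe: sorted(v) for cwe, v in by_cwe.items()}


if __name__ == "__main__":
    m = build_mapping(PSCAN_RULES_JSON, ALERTS_JSON)
    for pid, e in sorted(m.items()):
        print(pid, e["name"], "CWE", e["cwe"], "WASC", e["wasc"])
    print("no alerts seen, read the source for:", unmapped_rules(m))
    print("plugins sharing a CWE:", group_by_cwe(m))
```

Run against a real rule list and alert export, the same join gives the mapping the thread asks for, but only for rules that produced at least one alert in that scan; the unmapped list tells you which rule sources still have to be read by hand.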

kingthorin+owaspzap

May 5, 2018, 10:25:10 PM
to OWASP ZAP User Group
I posted a bunch of options to your Stack Overflow question, as well as some script code, sample output, and a screenshot.

https://stackoverflow.com/questions/50187141/how-can-i-can-list-of-alerts-associated-with-scan-rules-in-owasp-zap/50192116#50192116
