ASVS testing guide and automatic check of ASVS controls with ZAP scripts


Sylwia Budzynska

Jan 22, 2021, 6:49:31 AM1/22/21
to OWASP ZAP User Group
Hi all! 

I started making an ASVS "testing guide" of level 1 controls (penetration testable ones from blackbox perspective). I documented 4/5ish sections, which you can check out here: 


The guide describes what each L1 control exactly tests, what it could mean if the control fails, how to test it (usually I provide a short guide to some known open source tools) and the criteria for the control to be valid. The aim of this project is to make it easier to get started with using OWASP ASVS and have a place to refer to when in doubt about how to test a control.

For around 25ish controls I wrote scripts using the ZAP scripting engine or just in bash, that would check if the control is valid. I used ZAP because using a spider on a website gives me better coverage of a web app, and in fact I have found areas that were not secured or misconfigured, which I hadn't seen before.
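To give a concrete picture of what "a script that checks if the control is valid" looks like, here is an added example that is not part of the thread, Sylwia's guide or her scripts. It takes one captured HTTP response header block and reports which blackbox-testable L1 controls fail, in plain JavaScript so it runs under Node without ZAP. The sample response is constructed, the mapping of checks to ASVS 4.0 control numbers (V14.4.x for response headers, V3.4.x for cookie attributes) is my reading of the standard, and in a ZAP passive scan script the same functions would be fed the text of `msg.getResponseHeader()` instead of the constant below.

```javascript
// Added example: ASVS L1 response-header and cookie checks as plain functions.
// Constructed sample HTTP response (not taken from the thread). A ZAP passive
// scan script would pass msg.getResponseHeader().toString() to evaluateResponse().
const SAMPLE_RESPONSE_HEADER = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html; charset=utf-8",
  "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly",
  "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
  "X-Content-Type-Options: nosniff",
  "Strict-Transport-Security: max-age=3600",
  "",
].join("\r\n");

// Parse a raw header block into { statusLine, headers: Map<lowercased name, [values]> }.
// Multiple Set-Cookie lines are kept as separate values.
function parseResponseHeader(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.length > 0);
  const statusLine = lines.shift() || "";
  const headers = new Map();
  for (const line of lines) {
    const idx = line.indexOf(":");
    if (idx < 0) continue; // not a header line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return { statusLine, headers };
}

// V14.4.x: security-related response headers (control numbers assumed, ASVS 4.0).
function checkSecurityHeaders(headers) {
  const findings = [];
  const first = (name) => (headers.get(name) || [])[0];

  const nosniff = first("x-content-type-options");
  if (!nosniff || nosniff.toLowerCase() !== "nosniff")
    findings.push({ control: "V14.4.4", issue: "X-Content-Type-Options: nosniff missing" });

  const hsts = first("strict-transport-security");
  const maxAge = hsts ? /max-age=(\d+)/i.exec(hsts) : null;
  if (!hsts) findings.push({ control: "V14.4.5", issue: "Strict-Transport-Security missing" });
  else if (!maxAge || Number(maxAge[1]) < 31536000)
    findings.push({ control: "V14.4.5", issue: "HSTS max-age below one year" });

  if (!first("referrer-policy"))
    findings.push({ control: "V14.4.6", issue: "Referrer-Policy missing" });

  const csp = first("content-security-policy") || "";
  if (!first("x-frame-options") && !/frame-ancestors/i.test(csp))
    findings.push({ control: "V14.4.7", issue: "no X-Frame-Options and no CSP frame-ancestors" });
  return findings;
}

// V3.4.x: every Set-Cookie must carry Secure, HttpOnly and a SameSite attribute.
function checkCookies(headers) {
  const findings = [];
  for (const raw of headers.get("set-cookie") || []) {
    const parts = raw.split(";").map((p) => p.trim());
    const name = parts[0].split("=")[0];
    const attrs = parts.slice(1).map((p) => p.toLowerCase());
    if (!attrs.includes("secure"))
      findings.push({ control: "V3.4.1", issue: `cookie ${name} lacks Secure` });
    if (!attrs.includes("httponly"))
      findings.push({ control: "V3.4.2", issue: `cookie ${name} lacks HttpOnly` });
    if (!attrs.some((a) => a.startsWith("samesite=")))
      findings.push({ control: "V3.4.3", issue: `cookie ${name} lacks SameSite` });
  }
  return findings;
}

// Returns an empty array when every checked control passes.
function evaluateResponse(raw) {
  const { headers } = parseResponseHeader(raw);
  return [...checkSecurityHeaders(headers), ...checkCookies(headers)];
}

console.log(JSON.stringify(evaluateResponse(SAMPLE_RESPONSE_HEADER), null, 2));
```

Run against the constructed sample it reports five failures: the one-hour HSTS max-age, the missing Referrer-Policy, the missing framing protection, and the JSESSIONID cookie lacking Secure and SameSite. Checking only the first response is deliberately naive; the coverage gain Sylwia describes comes from running the same function over every response the spider collected.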


Simon Bennetts

Jan 22, 2021, 7:08:14 AM1/22/21
to OWASP ZAP User Group
That's great, thanks for sharing it!
Were there any tests that you thought you should have been able to implement in ZAP but were not able to for any reason?

Many thanks,

Simon

Sylwia Budzynska

Jan 22, 2021, 8:14:25 AM1/22/21
to OWASP ZAP User Group
Thanks! :-)

I had several issues when creating active scan scripts. 

One came from the fact that ZAP automatically sets the Host header and I wanted to change it to a few values, but couldn't. I see there already is an issue about it here: https://github.com/zaproxy/zaproxy/issues/1318

Another came from the fact I couldn't change the protocol (HTTP) in the first line, because there is a regex check. I wrote about it in ZAP scripts group: https://groups.google.com/u/1/g/zaproxy-scripts/c/t23J9AAZ90g

I had a few others, but I would need to try to trigger the errors that I got previously, because I can't remember much about them - for example I know I couldn't use HTTP method CONNECT. I'll look into it.

Best regards,
Sylwia

Scott Gerlach

Jan 22, 2021, 12:07:16 PM1/22/21
to OWASP ZAP User Group
Wow! This is really great information. Thanks for publishing and sharing, Sylwia!

Sylwia Budzynska

Jan 22, 2021, 12:21:38 PM1/22/21
to OWASP ZAP User Group
Thank you so much Scott! :-)