Is OWASP ZAP CVE compatible? Or does it have a built-in list of CVEs?


Salman Khwaja

May 9, 2016, 9:33:24 AM
to OWASP ZAP User Group

Hi,
I am tasked with comparing the reach of OWASP ZAP in terms of finding web vulnerabilities. While I have grabbed the list of OWASP Top 10 items covered by ZAP (ZAPping the Top 10: https://www.owasp.org/index.php/ZAPpingTheTop10), I need to know if OWASP ZAP is compatible with CVE (https://cve.mitre.org/about/faqs.html#e), so that I can compare other tools against this CVE.

A reply would be very much appreciated.

Also, I would really appreciate it if you could tell me whether OWASP ZAP holds a list of CVEs in its XML / CSV files, which are given out when OWASP ZAP's report is generated.

Simon Bennetts

May 9, 2016, 9:44:29 AM
to OWASP ZAP User Group
We have a FAQ which explains what ZAP tests for: https://github.com/zaproxy/zaproxy/wiki/FAQzaptests
As you'll see, there's no absolute answer as you can install any number of ZAP add-ons and scripts which extend its capabilities.

We do include relevant CVE and WASC Ids in ZAP reports when relevant.

However, you should be aware that ZAP is really focused on testing custom web applications, i.e. it's a DAST tool.
It does not just run through a built-in set of tests for CVEs.

Cheers,

Simon

kingthorin+owaspzap

May 9, 2016, 10:32:06 AM
to OWASP ZAP User Group
Let's not confuse CVE (Common Vulnerabilities and Exposures) and CWE (Common Weakness Enumeration) :-)

Most issues reported by ZAP list the relevant CWE and WASC IDs.
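Since the original question asks what the XML report carries, here is an added example (not ZAP project code and not something any poster in this thread wrote) that reads a ZAP XML report and tallies which CWE and WASC IDs appear, which plugins raised them, and which alerts carry no mapping at all. It assumes the layout of ZAP's traditional XML report (OWASPZAPReport > site > alerts > alertitem, with pluginid, cweid and wascid children) and that ZAP writes -1 when an alert has no CWE/WASC ID; the embedded report is a constructed sample, not real scan output, and the plugin IDs and names in it are illustrative.

```python
"""Pull CWE / WASC coverage out of a ZAP XML report (added example, not ZAP code).

Assumes ZAP's traditional XML report layout (OWASPZAPReport > site > alerts >
alertitem with <pluginid>, <cweid>, <wascid>) and treats a missing, empty or
negative id as "no mapping" (assumption: ZAP emits -1 for unmapped alerts).
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of a ZAP XML report; not output of a real scan.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.5.0" generated="Mon, 9 May 2016 09:33:24">
  <site name="http://example.test" host="example.test" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40018</pluginid>
        <alert>SQL Injection</alert>
        <cweid>89</cweid>
        <wascid>19</wascid>
      </alertitem>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <cweid>79</cweid>
        <wascid>8</wascid>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <cweid>16</cweid>
        <wascid>15</wascid>
      </alertitem>
      <alertitem>
        <pluginid>99999</pluginid>
        <alert>Example alert without a mapping (constructed)</alert>
        <cweid>-1</cweid>
        <wascid>-1</wascid>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def _parse_id(text):
    """Return a positive integer id, or None when the report carries no mapping."""
    if text is None or not text.strip():
        return None
    try:
        value = int(text.strip())
    except ValueError:
        return None
    return value if value > 0 else None


def parse_alerts(report_xml):
    """Flatten every <alertitem> in the report into one dict per alert."""
    root = ET.fromstring(report_xml)
    alerts = []
    for site in root.iter("site"):
        for item in site.iter("alertitem"):
            alerts.append({
                "site": site.get("name"),
                "pluginid": (item.findtext("pluginid") or "").strip(),
                "alert": (item.findtext("alert") or "").strip(),
                "cwe": _parse_id(item.findtext("cweid")),
                "wasc": _parse_id(item.findtext("wascid")),
            })
    return alerts


def coverage_by(alerts, field):
    """Map each id of `field` ("cwe" or "wasc") to the plugin ids that raised it."""
    cov = defaultdict(set)
    for a in alerts:
        if a[field] is not None:
            cov[a[field]].add(a["pluginid"])
    return dict(cov)


def unmapped_plugins(alerts, field="cwe"):
    """Plugin ids whose alerts carry no usable id for `field`; these need manual mapping."""
    return sorted({a["pluginid"] for a in alerts if a[field] is None})


def compare_cwe_sets(zap_cwes, other_cwes):
    """Set comparison for the tool-versus-tool question raised in the thread."""
    zap, other = set(zap_cwes), set(other_cwes)
    return {"only_zap": zap - other, "only_other": other - zap, "both": zap & other}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_REPORT)
    for cwe, plugins in sorted(coverage_by(alerts, "cwe").items()):
        print(f"CWE-{cwe}: plugins {sorted(plugins)}")
    print("no CWE mapping:", unmapped_plugins(alerts))
    # Hypothetical CWE list from another tool, just to show the comparison.
    print(compare_cwe_sets(coverage_by(alerts, "cwe"), [89, 22]))
```

Keep in mind that a report only lists the rules that actually fired against that target, so this measures the coverage of one scan, not the reach of the installed rule set; for the latter you have to enumerate the rules themselves rather than a report.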

Simon Bennetts

May 9, 2016, 10:55:56 AM
to OWASP ZAP User Group
Ugh, yeah, that - I always confuse them :P

Salman Khwaja

May 10, 2016, 9:23:39 AM
to OWASP ZAP User Group
Thanks Simon.
Does OWASP ZAP have a list of CWEs that it can detect? Maybe in some XML file, or does it access the CWE database at run time?

As in my questions, I want to know the complete reach of OWASP ZAP.

kingthorin+owaspzap

May 10, 2016, 1:27:37 PM
to OWASP ZAP User Group
You could modify this: https://github.com/zaproxy/community-scripts/blob/master/standalone/Active%20scan%20rule%20list.js to get all the CWEs for the active scanners (assuming you have all 3 packages installed).

With even heavier modifications it could probably also do the passive checks.

thc...@gmail.com

May 11, 2016, 9:32:17 AM
to zaprox...@googlegroups.com
For an accurate result you might need to install other add-ons (other than the usual Active scanner rules add-ons), for example Advanced SQLInjection Scanner and SOAP Scanner.

Best regards.