To scan my API Specification against OWASP.

Shamsudin MH

Nov 21, 2024, 12:00:38 PM
to ZAP User Group
Hi Simon,

I’m working on mapping the OWASP API Security Top 10 (2023) risks to their corresponding CWE IDs for testing purposes. Could you confirm if ZAP natively supports detecting these CWEs?

Here’s the list I’m focusing on:

  • Broken Object Level Authorization - CWE-639
  • Broken Authentication - CWE-287, CWE-384
  • Broken Object Property Level Authorization - CWE-285
  • Unrestricted Resource Consumption - CWE-400
  • Broken Function Level Authorization - CWE-285
  • Unrestricted Access to Sensitive Business Flows - CWE-613
  • Server-Side Request Forgery (SSRF) - CWE-918
  • Security Misconfiguration - CWE-16
  • Improper Assets Management - CWE-20
  • Insufficient Logging and Monitoring - CWE-778
If these aren’t fully supported, could you suggest the ones requiring custom JavaScript-based scans?

Regards
Shamsudin

Simon Bennetts

Nov 22, 2024, 4:44:32 AM
to ZAP User Group
Hi Shamsudin,

All of the ZAP rules report which CWEs they are related to.
We have tags for each CWE which link back to the alerts: https://www.zaproxy.org/alerttags/

Cheers,

Simon
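Since every ZAP alert carries the CWE its rule reports, the mapping from the first post can be applied directly to a scan's JSON report. The script below is an added example, not code from ZAP or from either poster; it assumes the layout of ZAP's JSON report (`site` → `alerts` → `cweid`, with `cweid` as a string and `-1` for rules without a CWE), the sample report and alert names are constructed, and it handles the case where one CWE (285) is claimed by two categories.

```python
import json
from collections import defaultdict

# OWASP API Security Top 10 (2023) -> CWE IDs exactly as listed in the question above.
# CWE-285 is claimed by two categories, so a single alert can land in both.
API_TOP10_CWES = {
    "Broken Object Level Authorization": {639},
    "Broken Authentication": {287, 384},
    "Broken Object Property Level Authorization": {285},
    "Unrestricted Resource Consumption": {400},
    "Broken Function Level Authorization": {285},
    "Unrestricted Access to Sensitive Business Flows": {613},
    "Server-Side Request Forgery (SSRF)": {918},
    "Security Misconfiguration": {16},
    "Improper Assets Management": {20},
    "Insufficient Logging and Monitoring": {778},
}

# Constructed sample mirroring the layout of ZAP's JSON report (site -> alerts -> cweid,
# cweid stored as a string, -1 when a rule has no CWE); the alert names are made up.
SAMPLE_REPORT = json.dumps({"site": [{"@name": "https://api.example.test", "alerts": [
    {"alert": "sample: clickjacking header missing", "riskcode": "1", "cweid": "1021"},
    {"alert": "sample: credentials sent in clear", "riskcode": "2", "cweid": "287"},
    {"alert": "sample: method allowed without authz", "riskcode": "2", "cweid": "285"},
    {"alert": "sample: outbound request to external host", "riskcode": "3", "cweid": "918"},
    {"alert": "sample: rule with no CWE", "riskcode": "0", "cweid": "-1"},
]}]})

def map_zap_report(report_json, mapping=API_TOP10_CWES):
    """Return (category -> alert names, unmapped (alert, cwe) pairs) for one ZAP report."""
    index = defaultdict(list)  # invert to CWE -> [categories] so shared CWEs fan out
    for category, cwes in mapping.items():
        for cwe in cwes:
            index[cwe].append(category)
    hits = {category: [] for category in mapping}
    unmapped = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            cwe = int(alert.get("cweid", -1))  # ZAP reports -1 for rules without a CWE
            categories = index.get(cwe, [])
            if not categories:
                unmapped.append((alert["alert"], cwe))
            for category in categories:
                hits[category].append(alert["alert"])
    return hits, unmapped

def categories_without_findings(hits):
    """Categories this scan produced no alert for (no finding, not necessarily no support)."""
    return [category for category, names in hits.items() if not names]
```

A category with no finding only means no rule fired on this target; check the alert tags page Simon links to see which rules exist for a CWE before writing a custom script.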