How do check and confirm the Buffer overflow vulnerability using OWASP ZAP ?
451 views
Skip to first unread message
Salman Khwaja
Jul 19, 2017, 3:05:34 AM7/19/17
to OWASP ZAP User Group
Hi,
How can I check buffer overflow vulnerability in Owasp Zap ?
any thoughts, links, ... ? would be highly appreciated.
Venu Kumar
Jul 19, 2017, 3:31:48 AM7/19/17
to zaprox...@googlegroups.com
Hi Salman,
I suppose that is not possible, zap is a web application testing tool not a static analysis tool.
--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/a5cd1f91-5742-4d0e-80a7-ecdae5041f0b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Simon Bennetts
Jul 19, 2017, 3:36:31 AM7/19/17
to OWASP ZAP User Group
I'd agree that static analysis tends to be better for detecting overflow vulnerabilities, but we do have some active rules that can also detect them:
- Buffer Overflow (Release)
- Integer Overflow (beta)
Cheers,
Simon
Salman Khwaja
Jul 24, 2017, 2:31:56 AM7/24/17
to OWASP ZAP User Group
I completely agree with you Venu that buffer overflow is a programming logic and design problem and should be handled by Static analysis tool but it would really help if a tool could point us in right direction.
On Wednesday, 19 July 2017 12:31:48 UTC+5, Venu Kumar wrote:
Hi Salman,I suppose that is not possible, zap is a web application testing tool not a static analysis tool.
On Wed, Jul 19, 2017 at 12:35 PM, Salman Khwaja <salman...@gmail.com> wrote:
Hi,How can I check buffer overflow vulnerability in Owasp Zap ?any thoughts, links, ... ? would be highly appreciated.
--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
Salman Khwaja
Jul 24, 2017, 2:32:19 AM7/24/17
to OWASP ZAP User Group
Thanks a bunch simon. will check it out.
On Wednesday, 19 July 2017 12:36:31 UTC+5, Simon Bennetts wrote:
I'd agree that static analysis tends to be better for detecting overflow vulnerabilities, but we do have some active rules that can also detect them:
- Buffer Overflow (Release)
- Integer Overflow (beta)
Cheers,
Simon
On Wednesday, 19 July 2017 09:31:48 UTC+2, Venu Kumar wrote:
Hi Salman,I suppose that is not possible, zap is a web application testing tool not a static analysis tool.
On Wed, Jul 19, 2017 at 12:35 PM, Salman Khwaja <salman...@gmail.com> wrote:
Hi,How can I check buffer overflow vulnerability in Owasp Zap ?any thoughts, links, ... ? would be highly appreciated.
--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
Salman Khwaja
Jul 24, 2017, 2:34:05 AM7/24/17
to OWASP ZAP User Group
So Simon correct me if I am wrong. I just have to include this SCAN rules in my ZAP installation. ?
Would it be good, If I include this in my automation environment too ?
Simon Bennetts
Jul 24, 2017, 2:57:05 AM7/24/17
to OWASP ZAP User Group
Replies inline:
On Monday, 24 July 2017 08:34:05 UTC+2, Salman Khwaja wrote:
So Simon correct me if I am wrong. I just have to include this SCAN rules in my ZAP installation. ?
Typically yes :)
That assumes you are not using a custom scan policy that excludes those particualr scan rules.
Note that you can install add-ons from the command line when you launch ZAP: https://github.com/zaproxy/zap-core-help/wiki/HelpCmdline#options
Would it be good, If I include this in my automation environment too ?
I always recommend that :)
Cheers,
Simon
Reply all
Reply to author
Forward
0 new messages