How to remove/reduce false positives in OWASP ZAP


Vimit Saxena

May 13, 2014, 1:18:04 AM
to zaprox...@googlegroups.com
Hi Everyone,

I am looking for a solution to remove/reduce false positives in OWASP ZAP. I am also looking for the reasons for false positives in ZAP.

Kindly help me out with this.

Thanks in Advance.

Simon Bennetts

May 13, 2014, 3:44:59 AM
to zaprox...@googlegroups.com
Hi Vimit,

Well, at a very high level it's because reliably detecting a wide range of vulnerabilities across custom applications is hard :)
But that doesn't mean we shouldn't do our best to reduce them.

I think the place to start is finding out which false positives are most common, followed by looking at the root causes of them.
Users are encouraged to raise issues for false positives, but I suspect most don't.
I'm very open to any other suggestions, eg people posting to the group or using a survey etc.

We can (and do) test ZAP against deliberately vulnerable applications, but in practice these are usually very artificial and so don't give us realistic examples.

I've also thought about adding a feedback mechanism which could collect stats including which rules were flagged by the user as false positives. However this would have to be opt in, and we wouldn't be able to collect the sort of details that would allow us to identify the root causes.

All suggestions gratefully received :)

Cheers,

Simon

Vimit Saxena

May 15, 2014, 5:54:25 AM
to zaprox...@googlegroups.com
Hi Simon,

Thanks for replying to my post.
How do they find out the difference between responses which they mark as an issue? Is it by comparing the HTML DOM tree, bisection algorithms, pure error matching, or something else? Can you provide me the possible reasons due to which false positives are caused?

Thanks,
Vimit

Simon Bennetts

May 15, 2014, 6:07:23 AM
to zaprox...@googlegroups.com
Hi Vimit,

Every rule is different.
An overview of the reflected XSS and SQLi rules is given on https://code.google.com/p/zap-extensions/wiki/AddOn_ascanrules
But the best way to really understand them is to read the code. See http://zaproxy.blogspot.co.uk/2014/04/hacking-zap-4-active-scan-rules.html for details of how to write active scan rules and links to the 3 packages that contain them.
As I said before, reliably detecting a wide range of vulnerabilities across custom applications is hard!
It might be better to start by focusing on one specific type of vulnerability at a time :)

Cheers,

Simon
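Added example for the two rule types Simon mentions (this is not ZAP's code and not part of the thread; the probe string, the error patterns and every response body below are constructed for illustration). It contrasts a naive version of each check with a stricter one and shows where the naive one produces false positives: a reflected-XSS check that only looks for the probe string fires when the probe is echoed inside an HTML comment, and an error-based SQLi check that only pattern-matches fires on a page that always mentions a database error, whereas comparing against the unmodified baseline response (the "comparing responses" Vimit asks about) does not.

```python
"""Two simplified scan-rule strategies and the false positives each produces.
Added illustration, not ZAP's own code: probe, patterns and sample responses
are all constructed."""
import re
from html.parser import HTMLParser

XSS_PROBE = "<script>alert(1)</script>"  # constructed probe
XSS_PAYLOAD = "alert(1)"


# ---- Reflected XSS: "is the probe reflected?" vs "would a browser run it?"

def xss_naive(body):
    """Substring match: fires wherever the probe is echoed verbatim."""
    return XSS_PROBE in body


class _ScriptContextParser(HTMLParser):
    """Tracks whether the probe is parsed as a real <script> element.
    HTML-encoded copies and copies inside an HTML comment never reach
    handle_starttag as a script tag, so they do not count."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.executes = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_data(self, data):
        if self.in_script and data.strip() == XSS_PAYLOAD:
            self.executes = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False


def xss_context_aware(body):
    """Flags only when the probe lands where a browser would execute it."""
    parser = _ScriptContextParser()
    parser.feed(body)
    parser.close()
    return parser.executes


# Constructed responses to the same probe from three hypothetical pages.
XSS_RESPONSES = {
    "raw":     "<p>Results for <script>alert(1)</script></p>",
    "encoded": "<p>Results for &lt;script&gt;alert(1)&lt;/script&gt;</p>",
    "comment": "<!-- debug: q=<script>alert(1)</script> --><p>No results</p>",
}


# ---- Error-based SQLi: pure pattern match vs comparison against a baseline

SQL_ERROR_PATTERNS = [
    re.compile(r"You have an error in your SQL syntax"),  # MySQL
    re.compile(r"ORA-\d{5}"),                              # Oracle
    re.compile(r"unterminated quoted string"),             # PostgreSQL
]


def sql_errors(body):
    """Set of database error strings present in a response body."""
    return {m.group(0) for pat in SQL_ERROR_PATTERNS for m in pat.finditer(body)}


def sqli_naive(probe_body):
    """Fires on any error string, even one the page always shows."""
    return bool(sql_errors(probe_body))


def sqli_differential(baseline_body, probe_body):
    """Fires only on error strings the unmodified request did not produce."""
    return bool(sql_errors(probe_body) - sql_errors(baseline_body))


# Constructed pair 1: a help page that discusses an Oracle error and shows the
# same text whatever the parameter holds (the value never reaches a query).
DOC_BASELINE = "<h1>Fixing ORA-00933</h1><p>ORA-00933: SQL command not properly ended</p>"
DOC_PROBE = DOC_BASELINE
# Constructed pair 2: a search page whose query breaks when the probe adds a quote.
VULN_BASELINE = "<p>1 row found</p>"
VULN_PROBE = "<p>ORA-00933: SQL command not properly ended</p>"


def false_positive_report():
    """Maps each case to (naive_flag, stricter_flag); a (True, False) pair is
    a false positive that the naive strategy alone would have reported."""
    report = {name: (xss_naive(b), xss_context_aware(b)) for name, b in XSS_RESPONSES.items()}
    report["sqli_doc_page"] = (sqli_naive(DOC_PROBE), sqli_differential(DOC_BASELINE, DOC_PROBE))
    report["sqli_vuln_page"] = (sqli_naive(VULN_PROBE), sqli_differential(VULN_BASELINE, VULN_PROBE))
    return report


if __name__ == "__main__":
    for case, (naive, strict) in false_positive_report().items():
        verdict = "false positive" if naive and not strict else ("alert" if strict else "clean")
        print(f"{case:15} naive={naive!s:5} strict={strict!s:5} -> {verdict}")
```

Running it reports "comment" and "sqli_doc_page" as false positives of the naive checks, "raw" and "sqli_vuln_page" as alerts under both, and "encoded" as clean. The stricter checks are not free of blind spots either: the parser here only recognises a literal script element, so a probe that injects an event-handler attribute or breaks out of an existing JavaScript string would be missed, and a differential check is only as good as the stability of the baseline response. That trade-off between false positives and false negatives is exactly why, as Simon says, every rule is different and the code is the place to understand each one.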