ZAP proxy covers which Top 10 security vulnerabilities that OWASP has released for 2013


Rochit Sen

Aug 13, 2014, 12:28:11 PM8/13/14
to zaprox...@googlegroups.com
Hi All,

Our organization is planning to use ZAP to security test our application. I wanted to know whether the ZAP proxy tool covers all of the OWASP Top 10 security vulnerabilities. If not, which of the following are covered by the latest release of ZAP, v2.3.1:

A1 - Injection
A2 - Broken Authentication
A3 - XSS
A4 - Insecure Direct Object Reference
A5 - Security Misconfiguration
A6 - Sensitive data
A7 - Missing function level
A8 - CSRF
A9 - Components with known vulnerabilities
A10 - Unvalidated redirects or forwards

Information and help much appreciated.

Thanks

Simon Bennetts

Aug 16, 2014, 7:26:12 AM8/16/14
to zaprox...@googlegroups.com
Hi Rochit,

The OWASP Top Ten defines the most common application security _risks_ which is different from the most common vulnerabilities :)
Some of these risks are very difficult to test in a completely automated way - if a tool claims to find all of the OWASP Top Ten automatically then you can be sure that they are being 'economical with the truth'!

ZAP has both automated and manual components, and a combination of these used by a pentester will be able to find all of the vulnerabilities that can be detected while blackbox testing a web app.

I've been meaning to write a cheat sheet explaining which components can be used for each of the Top Ten and whether they are automatable or manual only.

ZAP is an ideal tool for security testing web apps but it's not a silver bullet, and none of the equivalent tools are either :)

ZAP is a Dynamic Application Security Testing (DAST) tool. It's great for finding some issues, but other issues might be found more effectively with a Static Application Security Testing (SAST) tool.

For example, consider "A9 - Using Components with known vulnerabilities".
If we are talking JavaScript libs then ZAP can help you find out of date ones.
But it won't find 'backend' libs that are out of date, whereas a SAST tool that examines your source code could find those.

Does that help?
I'll try and progress that cheat sheet asap!

Cheers,

Simon

Simon Bennetts

Aug 18, 2014, 9:31:36 AM8/18/14
to zaprox...@googlegroups.com
I've just started a thread on the ZAP Dev Group for comments on that cheat sheet: https://groups.google.com/d/msg/zaproxy-develop/8eVRZ5wbMf0/raafD7U9sLoJ :)

Cheers,

Simon

Simon Bennetts

Aug 28, 2014, 10:04:37 AM8/28/14
to zaprox...@googlegroups.com
I've now created a page on the OWASP wiki (which also links to a downloadable pdf version) thanks to input from the other ZAP contributors:

https://www.owasp.org/index.php/ZAPpingTheTop10

Cheers,

Simon

Rochit Sen

Aug 29, 2014, 10:33:33 PM8/29/14
to zaprox...@googlegroups.com
Thanks a lot for the details, Simon. The cheat sheet will be a great help.

Thanks.

Rochit