[Owasp-leaders] ZAPping the OWASP Top 10

psiinon psiinon at gmail.com
Fri Aug 29 08:41:50 UTC 2014


I completely agree that testing access control is not easy.
But we're working on automating as much access control testing as possible
in ZAP - this was the subject of one of the ZAP Google Summer of Code
projects this year.
Initial support will be in the next ZAP release, but you can try it out
right now in the most recent Weekly release :)

Cheers,

Simon



On Thu, Aug 28, 2014 at 6:16 PM, Aaron Guzman <aaron.guzman at owasp.org>
wrote:

> I agree. For example, access control and proper session management testing
> cannot be easily detected by third party devices/software
>
>
> On Thu, Aug 28, 2014 at 7:44 AM, Timur 'x' Khrotko (owasp) <
> timur at owasp.org> wrote:
>
>> +10
>> On Aug 28, 2014 3:46 PM, "Achim" <achim at owasp.org> wrote:
>>
>>> Leaders,
>>>
>>> in addition to Simon's suggestion:
>>>
>>>         there is often the question if this or that tool can find/protect
>>>         all OWASP Top 10 vulnerabilities
>>>
>>> As Simon said, we all know that it is not possible to find *all* types of
>>> vulnerabilities listed in the Top 10 (i.e. A7 from Top 10 2010).
>>> The same applies to protect against such vulnerabilities (i.e. with a
>>> WAF).
>>>
>>>
>>> Does it make sense to *clearly write* on the Top 10 page that some
>>> vulnerabilities cannot easily be detected/protected automatically by third
>>> party devices/software?
>>>
>>> There're so many marketing papers out in the wild, where products claim
>>> to find/protect all. BS.
>>>
>>>
>>> Ciao
>>> Achim
>>>
>>>
>>> On 28.08.2014 13:21, psiinon wrote:
>>> > Leaders,
>>> >
>>> > I often get asked if ZAP scans for the "OWASP Top 10".
>>> > As I'm sure you're all aware, it's not really possible to automatically
>>> > scan for all of the vulnerabilities behind the OWASP Top 10 _risks_.
>>> >
>>> > But I still think it's a question that should be answered, and so I've
>>> > added this page to the OWASP wiki based on input from the ZAP contributors:
>>> >
>>> > https://www.owasp.org/index.php/ZAPpingTheTop10
>>> >
>>> > I just wanted to make sure that no one objects before I start
>>> > publicizing it.
>>> >
>>> > Note that the pdf points to the page on the ZAP wiki - I'll change that
>>> > before publicizing it outside of this list.
>>> >
>>> > Of course if anyone has any suggestions as to features we could add to
>>> > make detecting any vulnerabilities any easier then don't hesitate to get in
>>> > touch ;)
>>> >
>>> > Cheers,
>>> >
>>> > Simon
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>
>> Email us to enforce secure link with your mail servers (domain).
>> This message may contain confidential information - you should handle it
>> accordingly.
>> This message may contain confidential information and should be handled accordingly.
>>
>>
>
>
> --
> Aaron G
> Twitter: @scriptingxss
> Linkedin: http://lnkd.in/bds3MgN
>
>
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader