[Owasp-leaders] ZAPping the OWASP Top 10

Dirk Wetter dirk at owasp.org
Fri Aug 29 17:17:12 UTC 2014

Hi Simon,

looks better.

Excuse my stubbornness ;-) but from my perspective it's still kind of
misleading as the view (well, to be honest: my view) on testing is different.

The OWASP Top 10 is still an awareness document. As opposed to the
testing guide, the OWASP Top 10 are not for testing, neither with ZAP nor
Nessus (cough) nor anything else. The OWASP Top 10 are also not complete
as far as the underlying vulnerabilities are concerned. Just think about logic flaws,
timing attacks, local/remote file inclusion, etc.

It's also simplifying the view within the Top 10: In the world of awareness
I understand that DOM XSS, reflected and persistent XSS as risks go into
one category (well besides stored XSS, but that's off topic).
From a tester's perspective I would definitely distinguish between those.

I would put that more into perspective, if now change the approach.



On 08/29/2014 10:21 AM, psiinon wrote:
> Dirk,
> It's definitely ZAP specific, but it's not meant to be marketing bumf.
> It's a cheat sheet which helps people understand which ZAP components they should use for detecting vulnerabilities associated with each of the OWASP Top 10 risks.
> That's something I get asked quite a lot, so I think there's a need for this sort of doc.
> It also states which of the components are automated and which are manual - I'm not trying to imply that ZAP can detect all of the vulnerabilities automatically.
> I'm happy to add a statement to the effect that no black box scanner will find all issues - I always try to stress that ZAP is not a silver bullet.
> Cheers,
> Simon
> On Thu, Aug 28, 2014 at 8:16 PM, Dirk Wetter <dirk at owasp.org> wrote:
>     Hi Simon,
>     On 08/28/2014 01:21 PM, psiinon wrote:
>     > Leaders,
>     >
>     > I often get asked if ZAP scans for the "OWASP Top 10".
>     > As I'm sure you're all aware, it's not really possible to automatically scan for all of the vulnerabilities behind the OWASP Top 10 _risks_.
>     >
>     > But I still think it's a question that should be answered, and so I've added this page to the OWASP wiki based on input from the ZAP contributors:
>     >
>     > https://www.owasp.org/index.php/ZAPpingTheTop10
>     >
>     > I just wanted to make sure that no one objects before I start publicizing it.
>     my 2 bits... you basically answered the question yourself
>     though ("As I'm sure you're all aware, it's not really possible ...")
>     You should be clear whether you want to market ZAP
>     or whether you want to provide technical insights.
>     For the latter everybody knows no scanner / tool
>     also if used by a trained professional has nearly complete
>     coverage from the blackbox perspective. It never will.
>     And to cite others here -- OWASP Top 10 is an
>     awareness document -- it's not complete and
>     by using a scanner / tool you won't get security.
>     This would be insinuated though.
>     Bottom line: I would not recommend publishing it at
>     all or at least not without modifications.
>     The picture is too simple and misleading. If you really
>     want to do it: Put some of the constraints I mentioned
>     in the wiki, and add what ZAP can't do as of now.
>     And then again have others have a look.
>     Cheers! Dirk
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
> -- 
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader

German OWASP Board, (Chair AppSec Research 2013)
Send me encrypted mails (Key ID 0xB818C039)
