[Owasp-leaders] ZAPping the OWASP Top 10

johanna curiel curiel johanna.curiel at owasp.org
Mon Sep 1 14:00:25 UTC 2014


Many commercial pen tools use the Top Ten as a reference to explain how
you can test for security vulnerabilities and how those map to the features in
their product. I think that having this page helps a new user understand faster
how the ZAP features apply to testing for security flaws.

The OWASP Testing Guide is a more detailed document, at the code level of the
issue, but does anyone know how to implement the Testing Guide with ZAP?

Let me give you an example:
SQL injection is known as a top vulnerability (see the OWASP Top
10). For a new ZAP user, testing for it is much easier to explain if
you tell them that they can use the *'Active Scanner'* or *'Passive Scanner'*
to find SQL injections.

The Active Scanner's tests are automated (rules), and the Passive ones are manual
tests that you can create on your own. The Active Scanner contains scan policies
with the tests (see image beneath).

So, supposing we want to integrate the Testing Guide with ZAP, the
Testing Guide should provide a couple of "passive rules" that I can
upload (as a new Scan Policy) to my set of tests in ZAP.

IMHO, if you mention the feature alone, it does not say much to the new
user; referencing it alongside a specific security flaw makes it clear.
[image: Inline image 4]

[image: Inline image 3]
[image: Inline image 5]


On Mon, Sep 1, 2014 at 6:58 AM, psiinon <psiinon at gmail.com> wrote:

> Stubbornness is 'de rigueur' for security professionals ;)
>
> I certainly don't want to mislead people, and I realized this could be a
> slightly controversial page, which is why I drew attention to it on the
> leaders list.
>
> I'm very happy to add extra caveats at the top so that it is not
> misleading. At least on the web version - I want the printed version to
> stay within 2 sides, but we can always just include a "See the web version
> at... for caveats" type message.
>
> Can you (or anyone else) suggest some suitable text to include?
>
> Cheers,
>
> Simon
>
>
>
> On Fri, Aug 29, 2014 at 6:17 PM, Dirk Wetter <dirk at owasp.org> wrote:
>
>> Hi Simon,
>>
>> looks better.
>>
>> Excuse my stubbornness ;-) but from my perspective it's still kind of
>> misleading as the view (well, to be honest: my view) on testing is
>> different.
>>
>> The OWASP Top 10 is still an awareness document. As opposed to the
>> Testing Guide, the OWASP Top 10 is not for testing, neither with ZAP nor
>> Nessus (cough) nor anything else. The OWASP Top 10 is also not complete
>> as far as the underlying vulnerabilities are concerned. Just think about
>> logic flaws, timing attacks, local/remote file inclusion, etc.
>>
>> It also simplifies the view within the Top 10: in the world of awareness
>> I understand that DOM XSS, reflected and persistent XSS as risks go into
>> one category (well, besides stored XSS, but that's off topic).
>> From a tester's perspective I would definitely distinguish between those
>> three.
>>
>> I would put that more into perspective, if now change the approach.
>>
>>
>> Cheers,
>>
>> Dirk
>>
>>
>>
>> On 08/29/2014 10:21 AM, psiinon wrote:
>> > Dirk,
>> >
>> > It's definitely ZAP specific, but it's not meant to be marketing bumf.
>> > It's a cheat sheet which helps people understand which ZAP components
>> they should use for detecting vulnerabilities associated with each of the
>> OWASP Top 10 risks.
>> > That's something I get asked quite a lot, so I think there's a need for
>> this sort of doc.
>> > It also states which of the components are automated and which are
>> manual - I'm not trying to imply that ZAP can detect all of the
>> vulnerabilities automatically.
>> >
>> > I'm happy to add a statement to the effect that no black box scanner
>> will find all issues - I always try to stress that ZAP is not a silver
>> bullet.
>> >
>> > Cheers,
>> >
>> > Simon
>> >
>> >
>> > On Thu, Aug 28, 2014 at 8:16 PM, Dirk Wetter <dirk at owasp.org <mailto:
>> dirk at owasp.org>> wrote:
>> >
>> >     Hi Simon,
>> >
>> >     On 08/28/2014 01:21 PM, psiinon wrote:
>> >     > Leaders,
>> >     >
>> >     > I often get asked if ZAP scans for the "OWASP Top 10".
>> >     > As I'm sure you're all aware, it's not really possible to
>> automatically scan for all of the vulnerabilities behind the OWASP Top 10
>> _risks_.
>> >     >
>> >     > But I still think it's a question that should be answered, and so
>> I've added this page to the OWASP wiki based on input from the ZAP
>> contributors:
>> >     >
>> >     > https://www.owasp.org/index.php/ZAPpingTheTop10
>> >     >
>> >     > I just wanted to make sure that no one objects before I start
>> publicizing it.
>> >
>> >     my 2 bits... you basically answered the question yourself
>> >     though ("As I'm sure you're all aware, it's not really possible ...")
>> >
>> >     You should be clear whether you want to market ZAP
>> >     or whether you want to provide technical insights.
>> >
>> >     For the latter, everybody knows no scanner / tool,
>> >     even if used by a trained professional, has nearly complete
>> >     coverage from the blackbox perspective. It never will.
>> >
>> >     And to cite others here -- OWASP Top 10 is an
>> >     awareness document -- it's not complete and
>> >     by using a scanner / tool you won't get security.
>> >     This would be insinuated though.
>> >
>> >     Bottom line: I would not recommend publishing it at
>> >     all, or at least not without modifications.
>> >     The picture is too simple and misleading. If you really
>> >     want to do it: put some of the constraints I mentioned
>> >     in the wiki, and add what ZAP can't do as of now.
>> >     And then again have others have a look.
>> >
>> >     Cheers! Dirk
>> >
>> >
>> >
>> >     _______________________________________________
>> >     OWASP-Leaders mailing list
>> >     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>> >     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >
>> >
>> >
>> >
>> > --
>> > OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>> >
>> >
>> >
>>
>>
>> --
>> German OWASP Board, (Chair AppSec Research 2013)
>> Send me encrypted mails (Key ID 0xB818C039)
>>
>>
>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
>
>