[Owasp-leaders] ZAPping the OWASP Top 10

johanna curiel curiel johanna.curiel at owasp.org
Mon Sep 1 14:18:51 UTC 2014


> It might end up being better to write a separate "testing with ZAP guide"
> to avoid the testing guide getting any bigger.

I'm busy right now writing content on a Getting Started guide for new ZAP
users. I think using the testing guide as a reference in a practical way
with ZAP can be a huge success among new users and early adopters.


On Mon, Sep 1, 2014 at 10:09 AM, Andrew Muller <andrew.muller at owasp.org>
wrote:

> Hi Johanna,
>   Couldn't agree more. Simon and I have been discussing this both during
> the development of v4 of the Testing Guide and more recently.
> It's something that we are very keen on and will be working together to
> better integrate the two products.
>
> However we don't want the test guide to become a "ZAP how to guide", so we
> want to provide generic advice for how to use a proxy to find security
> issues as well as advice for specific tools.
>
> It might end up being better to write a separate "testing with ZAP guide"
> to avoid the testing guide getting any bigger.
>
> Mat and I will also be working with Simon to build a Testing Guide
> checklist for ZAP.
>
> Exciting times! :)
>
> Andrew
>
> On Tuesday, 2 September 2014, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Many commercial pen tools use the Top Ten as a reference to understand
>> how you can test security vulnerabilities and how they match to the
>> features in their product. I think that having this page helps to
>> understand the ZAP features against testing security flaws faster.
>>
>> The OWASP Testing Guide is a more detailed document at code level of the
>> issue, but does anyone know how to implement the testing guide with ZAP?
>>
>> Let me give you an example:
>> SQL injections are known as a top vulnerability (reference to OWASP Top
>> 10). For a new ZAP user, testing against this is much easier explained if
>> you tell them that they can use *'Active Scanner'* or *'Passive Scanner'*
>> to find SQL injections.
>>
>> Active Scanner tests are automated (rules) and Passive ones are manual tests
>> that you can create on your own. Active Scanner contains Scan Policies with
>> the tests (see image beneath).
>>
>> So, supposing we want to integrate the testing guide with ZAP, the
>> testing guide should provide a couple of "Passive rules" that I can
>> upload (as a new Scan Policy) to my set of tests in ZAP.
>>
>> IMHO, if you mention the feature alone, it does not say much to the new
>> user; referencing it with a specific security flaw makes it clear.
>> [image: Inline image 4]
>>
>> [image: Inline image 3]
>> [image: Inline image 5]
>>
>>
>> On Mon, Sep 1, 2014 at 6:58 AM, psiinon <psiinon at gmail.com> wrote:
>>
>>> Stubbornness is 'de rigueur' for security professionals ;)
>>>
>>> I certainly don't want to mislead people, and I realized this could be a
>>> slightly controversial page, which is why I drew attention to it on the
>>> leaders list.
>>>
>>> I'm very happy to add extra caveats at the top so that it is not
>>> misleading. At least on the web version - I want the printed version to
>>> stay within 2 sides, but we can always just include a "See the web version
>>> at... for caveats" type message.
>>>
>>> Can you (or anyone else) suggest some suitable text to include?
>>>
>>> Cheers,
>>>
>>> Simon
>>>
>>>
>>>
>>> On Fri, Aug 29, 2014 at 6:17 PM, Dirk Wetter <dirk at owasp.org> wrote:
>>>
>>>> Hi Simon,
>>>>
>>>> Looks better.
>>>>
>>>> Excuse my stubbornness ;-) but from my perspective it's still kind of
>>>> misleading, as the view (well, to be honest: my view) on testing is
>>>> different.
>>>>
>>>> The OWASP Top 10 is still an awareness document. As opposed to the
>>>> Testing Guide, the OWASP Top 10 is not for testing, neither with ZAP nor
>>>> Nessus (cough) nor anything else. The OWASP Top 10 is also not complete
>>>> as far as the underlying vulnerabilities are concerned. Just think about
>>>> logic flaws, timing attacks, local/remote file inclusion, etc...
>>>>
>>>> It's also simplifying the view within the Top 10: in the world of
>>>> awareness I understand that DOM XSS, reflected and persistent XSS as
>>>> risks go into one category (well, besides stored XSS, but that's off
>>>> topic). From a tester's perspective I would definitely distinguish
>>>> between those three.
>>>>
>>>> I would put that more into perspective, if not change the approach.
>>>>
>>>>
>>>> Cheers,
>>>>
>>>> Dirk
>>>>
>>>>
>>>>
>>>> Am 08/29/2014 10:21 AM, schrieb psiinon:
>>>> > Dirk,
>>>> >
>>>> > It's definitely ZAP-specific, but it's not meant to be marketing bumf.
>>>> > It's a cheat sheet which helps people understand which ZAP components
>>>> > they should use for detecting vulnerabilities associated with each of the
>>>> > OWASP Top 10 risks.
>>>> > That's something I get asked quite a lot, so I think there's a need for
>>>> > this sort of doc.
>>>> > It also states which of the components are automated and which are
>>>> > manual - I'm not trying to imply that ZAP can detect all of the
>>>> > vulnerabilities automatically.
>>>> >
>>>> > I'm happy to add a statement to the effect that no black box scanner
>>>> > will find all issues - I always try to stress that ZAP is not a silver
>>>> > bullet.
>>>> >
>>>> > Cheers,
>>>> >
>>>> > Simon
>>>> >
>>>> >
>>>> > On Thu, Aug 28, 2014 at 8:16 PM, Dirk Wetter <dirk at owasp.org <mailto:
>>>> dirk at owasp.org>> wrote:
>>>> >
>>>> >     Hi Simon,
>>>> >
>>>> >     Am 08/28/2014 01:21 PM, schrieb psiinon:
>>>> >     > Leaders,
>>>> >     >
>>>> >     > I often get asked if ZAP scans for the "OWASP Top 10".
>>>> >     > As I'm sure you're all aware, it's not really possible to
>>>> >     > automatically scan for all of the vulnerabilities behind the
>>>> >     > OWASP Top 10 _risks_.
>>>> >     >
>>>> >     > But I still think it's a question that should be answered, and
>>>> >     > so I've added this page to the OWASP wiki based on input from
>>>> >     > the ZAP contributors:
>>>> >     >
>>>> >     > https://www.owasp.org/index.php/ZAPpingTheTop10
>>>> >     >
>>>> >     > I just wanted to make sure that no one objects before I start
>>>> >     > publicizing it.
>>>> >
>>>> >     my 2 bits... you basically answered the question yourself
>>>> >     though ("As I'm sure you're all aware, it's not really possible
>>>> >     ...")
>>>> >
>>>> >     You should be clear whether you want to market ZAP
>>>> >     or whether you want to provide technical insights.
>>>> >
>>>> >     For the latter everybody knows no scanner / tool,
>>>> >     even if used by a trained professional, has nearly complete
>>>> >     coverage from the blackbox perspective. It never will.
>>>> >
>>>> >     And to cite others here -- OWASP Top 10 is an
>>>> >     awareness document -- it's not complete and
>>>> >     by using a scanner / tool you won't get security.
>>>> >     This would be insinuated though.
>>>> >
>>>> >     Bottom line: I would not recommend publishing it at
>>>> >     all or at least not without modifications.
>>>> >     The picture is too simple and misleading. If you really
>>>> >     want to do it: Put some of the constraints I mentioned
>>>> >     in the wiki, and add what ZAP can't do as of now.
>>>> >     And then again have others have a look.
>>>> >
>>>> >     Cheers! Dirk
>>>> >
>>>> >
>>>> >
>>>> >     _______________________________________________
>>>> >     OWASP-Leaders mailing list
>>>> >     OWASP-Leaders at lists.owasp.org
>>>> >     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>> >
>>>> >
>>>> >
>>>>
>>>>
>>>> --
>>>> German OWASP Board, (Chair AppSec Research 2013)
>>>> Send me encrypted mails (Key ID 0xB818C039)
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>
>>>
>>>
>>
>
> --
> ____________________
> *Andrew Muller*
> Canberra OWASP Chapter Leader
> OWASP Testing Guide Co-Leader
>
>