[Owasp-leaders] ZAPping the OWASP Top 10

Andrew Muller andrew.muller at owasp.org
Mon Sep 1 14:24:41 UTC 2014


Sorry Johanna, I didn't realise you were doing this. Great stuff! :)

I'll talk to Simon about how we might achieve the referencing in ZAP. Have
you already raised a ticket for this feature request?

On Tuesday, 2 September 2014, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> > It might end up being better to write a separate "testing with ZAP guide"
> to avoid the testing guide getting any bigger.
>
> I'm busy right now writing content on a Getting Started guide for new ZAP
> users. I think using the testing guide as a reference in a practical way
> with ZAP can be a huge success among new users and early adopters.
>
>
> On Mon, Sep 1, 2014 at 10:09 AM, Andrew Muller <andrew.muller at owasp.org> wrote:
>
>> Hi Johanna,
>>   Couldn't agree more. Simon and I have been discussing this both during
>> the development of v4 of the Testing Guide and more recently.
>> It's something that we are very keen on and will be working together to
>> better integrate the two products.
>>
>> However we don't want the test guide to become a "ZAP how to guide", so
>> we want to provide generic advice for how to use a proxy to find security
>> issues as well as advice for specific tools.
>>
>> It might end up being better to write a separate "testing with ZAP guide"
>> to avoid the testing guide getting any bigger.
>>
>> Mat and I will also be working with Simon to build a Testing Guide
>> checklist for ZAP.
>>
>> Exciting times! :)
>>
>> Andrew
>>
>> On Tuesday, 2 September 2014, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>
>>> Many commercial pen tools use the Top Ten as a reference to understand
>>> how you can test security vulnerabilities and how they match to the
>>> features in their product. I think that having this page helps to
>>> understand faster how the ZAP features apply to testing security flaws.
>>>
>>> The OWASP testing guide is a more detailed document at code level of the
>>> issue, but does anyone know how to implement the testing guide with ZAP?
>>>
>>> Let me provide you an example:
>>> SQL injections are known as a top vulnerability (reference to OWASP Top
>>> 10). For a new ZAP user, testing against this is much easier explained if
>>> you tell them that they can use *'Active Scanner'* or *'Passive Scanner'*
>>> to find SQL injections.
>>>
>>> Active Scanner tests are automated (rules) and Passive ones are manual
>>> tests that you can create on your own. Active Scanner contains Scan
>>> Policies with the tests (see image beneath).
>>>
>>> So, supposing we want to integrate the testing guide with ZAP, the
>>> testing guide should provide a couple of "Passive rules" that I can
>>> upload (as a new Scan Policy) to my set of tests in ZAP.
>>>
>>> IMHO, if you mention the feature alone, it does not say much to the new
>>> user; by referencing it against a specific security flaw it becomes clear.
>>> [image: Inline image 4]
>>>
>>> [image: Inline image 3]
>>> [image: Inline image 5]
>>>
>>>
>>> On Mon, Sep 1, 2014 at 6:58 AM, psiinon <psiinon at gmail.com> wrote:
>>>
>>>> Stubbornness is 'de rigueur' for security professionals ;)
>>>>
>>>> I certainly don't want to mislead people, and I realized this could be a
>>>> slightly controversial page which is why I drew attention to it on the
>>>> leaders list.
>>>>
>>>> I'm very happy to add extra caveats at the top so that it is not
>>>> misleading. At least on the web version - I want the printed version to
>>>> stay within 2 sides, but we can always just include a "See the web version
>>>> at... for caveats" type message.
>>>>
>>>> Can you (or anyone else) suggest some suitable text to include?
>>>>
>>>> Cheers,
>>>>
>>>> Simon
>>>>
>>>>
>>>>
>>>> On Fri, Aug 29, 2014 at 6:17 PM, Dirk Wetter <dirk at owasp.org> wrote:
>>>>
>>>>> Hi Simon,
>>>>>
>>>>> looks better.
>>>>>
>>>>> Excuse my stubbornness ;-) but from my perspective it's still kind of
>>>>> misleading as the view (well, to be honest: my view) on testing is
>>>>> different.
>>>>>
>>>>> The OWASP Top 10 is still an awareness document. As opposed to the
>>>>> testing guide, the OWASP Top 10 is not for testing, neither with ZAP nor
>>>>> Nessus (cough) nor anything else. The OWASP Top 10 is also not complete
>>>>> as far as the underlying vulnerabilities are concerned. Just think about
>>>>> logic flaws, timing attacks, local/remote file inclusion, etc...
>>>>>
>>>>> It's also simplifying the view within the Top 10: In the world of
>>>>> awareness I understand that DOM XSS, reflected and persistent XSS as
>>>>> risks go into one category (well, besides stored XSS, but that's off
>>>>> topic). From a tester's perspective I would definitely distinguish
>>>>> between those three.
>>>>>
>>>>> I would put that more into perspective, if not change the approach.
>>>>>
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Dirk
>>>>>
>>>>>
>>>>>
>>>>> On 08/29/2014 10:21 AM, psiinon wrote:
>>>>> > Dirk,
>>>>> >
>>>>> > It's definitely ZAP specific, but it's not meant to be marketing bumf.
>>>>> > It's a cheat sheet which helps people understand which ZAP components
>>>>> > they should use for detecting vulnerabilities associated with each of the
>>>>> > OWASP Top 10 risks.
>>>>> > That's something I get asked quite a lot, so I think there's a need
>>>>> > for this sort of doc.
>>>>> > It also states which of the components are automated and which are
>>>>> > manual - I'm not trying to imply that ZAP can detect all of the
>>>>> > vulnerabilities automatically.
>>>>> >
>>>>> > I'm happy to add a statement to the effect that no black box scanner
>>>>> > will find all issues - I always try to stress that ZAP is not a silver
>>>>> > bullet.
>>>>> >
>>>>> > Cheers,
>>>>> >
>>>>> > Simon
>>>>> >
>>>>> >
>>>>> > On Thu, Aug 28, 2014 at 8:16 PM, Dirk Wetter <dirk at owasp.org> wrote:
>>>>> >
>>>>> >     Hi Simon,
>>>>> >
>>>>> >     On 08/28/2014 01:21 PM, psiinon wrote:
>>>>> >     > Leaders,
>>>>> >     >
>>>>> >     > I often get asked if ZAP scans for the "OWASP Top 10".
>>>>> >     > As I'm sure you're all aware, it's not really possible to
>>>>> >     > automatically scan for all of the vulnerabilities behind the OWASP Top 10
>>>>> >     > _risks_.
>>>>> >     >
>>>>> >     > But I still think it's a question that should be answered, and
>>>>> >     > so I've added this page to the OWASP wiki based on input from the ZAP
>>>>> >     > contributors:
>>>>> >     >
>>>>> >     > https://www.owasp.org/index.php/ZAPpingTheTop10
>>>>> >     >
>>>>> >     > I just wanted to make sure that no one objects before I start
>>>>> >     > publicizing it.
>>>>> >
>>>>> >     my 2 bits... you basically answered the question yourself
>>>>> >     though ("As I'm sure you're all aware, it's not really possible ...")
>>>>> >
>>>>> >     You should be clear whether you want to market ZAP
>>>>> >     or whether you want to provide technical insights.
>>>>> >
>>>>> >     For the latter everybody knows no scanner / tool,
>>>>> >     even if used by a trained professional, has nearly complete
>>>>> >     coverage from the blackbox perspective. It never will.
>>>>> >
>>>>> >     And to cite others here -- OWASP Top 10 is an
>>>>> >     awareness document -- it's not complete and
>>>>> >     by using a scanner / tool you won't get security.
>>>>> >     This would be insinuated though.
>>>>> >
>>>>> >     Bottom line: I would not recommend publishing it at
>>>>> >     all or at least not without modifications.
>>>>> >     The picture is too simple and misleading. If you really
>>>>> >     want to do it: Put some of the constraints I mentioned
>>>>> >     in the wiki, and add what ZAP can't do as of now.
>>>>> >     And then again have others have a look.
>>>>> >
>>>>> >     Cheers! Dirk
>>>>> >
>>>>> >
>>>>> >
>>>>> >     _______________________________________________
>>>>> >     OWASP-Leaders mailing list
>>>>> >     OWASP-Leaders at lists.owasp.org
>>>>> >     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > --
>>>>> > OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>> >
>>>>> >
>>>>>
>>>>>
>>>>> --
>>>>> German OWASP Board, (Chair AppSec Research 2013)
>>>>> Send me encrypted mails (Key ID 0xB818C039)
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>

-- 
____________________
*Andrew Muller*
Canberra OWASP Chapter Leader
OWASP Testing Guide Co-Leader