[Owasp-leaders] Bring balance: force verification in scanning tools

johanna curiel curiel johanna.curiel at owasp.org
Sun May 22 02:51:08 UTC 2016


Bev asked a question which triggered an idea

>> Why couldn't we think about implementing some types of OWASP forensic
>> features into all of our code projects so that we could at least have some
>> way to investigate if / when they are misused?

Now, when she said that I thought: why does ZAP not implement a feature that
already exists in SaaS products, which REQUIRES that you place a file in the
hosting application before you are able to pen test it? If the file
is not found on the server hosting the application under that URL domain, you cannot
attack it.

I don't want to advertise which commercial vendors do that, but this is the
way they avoid hackers going and misusing their services.

Building a module into ZAP that requires this file first to verify you own
the web app, and only then attack, will make it harder for hackers to just
download and use ZAP for evil purposes.

I know the project is open source and a hacker can go and modify the module,
but that will be more work for him and will deter the lazy hackers or the
ones without Java knowledge and resources; they would rather move to
another tool without this feature.

This way we are helping the white hats and not the black ones. It is not the
final solution, but I think in this way OWASP builds breakers that also
attempt to help application security.


-- 
Johanna Curiel
OWASP Volunteer
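The gate described in the post, as an added illustration that is not part of the message and not ZAP or OWASP code: the operator publishes a one-time token in a well-known file on the host, and the scanner fetches that file and refuses to start unless the token matches. The file path `/.well-known/scan-verification.txt`, the token format, and the `fetch` injection point are assumptions of this example; a missing file, an unreachable host, or a mismatched token all cause the scan to be refused.

```python
"""Ownership-verification gate for a scanner (illustrative example, not ZAP code).

Before any active testing, the operator places a one-time token in a
well-known file on the target host. The scanner fetches that file and
refuses to proceed unless the token matches. File name, path and token
format are assumptions of this example, not a ZAP or OWASP convention.
"""
import hmac
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler
from pathlib import Path
from typing import Callable, Optional, Tuple

VERIFICATION_PATH = "/.well-known/scan-verification.txt"  # assumed file name


def generate_token() -> str:
    """Return a fresh, unguessable token the operator must publish on the host."""
    return secrets.token_urlsafe(32)


def default_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch a URL and return its body as text, or None on any failure (404, refused, timeout)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(4096).decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None


def verify_ownership(base_url: str, expected_token: str,
                     fetch: Callable[[str], Optional[str]] = default_fetch) -> bool:
    """Return True only if the target serves exactly the expected token.

    A missing file, a connection error, or a mismatched token all yield
    False; the caller must then refuse to start the scan.
    """
    body = fetch(base_url.rstrip("/") + VERIFICATION_PATH)
    if body is None:
        return False
    # Constant-time comparison so a partial match leaks nothing via timing.
    return hmac.compare_digest(body.strip(), expected_token)


def start_scan_if_verified(base_url: str, token: str,
                           fetch: Callable[[str], Optional[str]] = default_fetch) -> str:
    """Gate the (stand-in) scan behind the ownership check and report the decision."""
    if not verify_ownership(base_url, token, fetch):
        return f"refused: {VERIFICATION_PATH} missing or token mismatch at {base_url}"
    return f"scan started against {base_url}"


class _QuietHandler(SimpleHTTPRequestHandler):
    """Static file handler with request logging silenced, for the local demo."""

    def log_message(self, *args):
        pass


def serve_directory(root: Path) -> Tuple[HTTPServer, str]:
    """Serve `root` on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=str(root)))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    # Constructed local demo: a throwaway web root served on localhost.
    token = generate_token()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        server, base_url = serve_directory(root)
        print(start_scan_if_verified(base_url, token))   # file absent -> refused
        (root / ".well-known").mkdir()
        (root / ".well-known" / "scan-verification.txt").write_text(token + "\n")
        print(start_scan_if_verified(base_url, token))   # token served -> scan started
        server.shutdown()
```

The `fetch` parameter exists so the check can be exercised against an in-memory stand-in for the target without any network; the demo under `__main__` runs the same check against a real local HTTP server. The token is generated with `secrets` and compared with `hmac.compare_digest`, so it cannot be guessed or matched byte by byte.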