[Owasp-leaders] Bring balance: force verification in scanning tools

Gregory Disney gregory.disney at owasp.org
Mon May 23 21:48:05 UTC 2016


The EULA covers this. If you make it annoying then people will just use
Burp.
On Saturday, May 21, 2016, johanna curiel curiel <johanna.curiel at owasp.org>
wrote:

> Bev asked a question which triggered an idea
>
> >>Why couldn't we think about implementing some types of OWASP forensic
> features into all of our code projects so that we could at least have some
> way to investigate if / when they are misused?
>
> Now, when she said that I thought: why does ZAP not implement a feature that
> already exists in SaaS products, which REQUIRES that you place a file in the
> hosting application beforehand in order to be able to pen test it? If the file
> is not found on the server hosting the application at that URL domain, you
> cannot attack it.
>
> I don't want to advertise which commercial vendors do that, but this is the
> way they prevent hackers from going and misusing their services.
>
> Building a module into ZAP that requires this file first, to verify you own
> the web app, and only then attacks will make it harder for hackers to just
> download and use ZAP for evil purposes.
>
> I know the project is open source and a hacker can go and modify the
> module, but that will be more work for him and will deter the lazy hackers
> or the ones without Java knowledge and resources; they will be better off
> moving to another tool without this feature.
>
> This way we are helping the white hats and not the black ones. It's not the
> final solution, but I think in this way OWASP builds breakers attempting to
> also help application security.
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>
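The ownership gate Johanna describes, as an added Python sketch (not ZAP code, and not any vendor's implementation): the scanner refuses a target unless the same origin serves a previously issued random token at an agreed path. The token path, the injected `fetch` callable and the sample site contents are assumptions made for this illustration.

```python
"""Pre-scan ownership check: a target may be scanned only if the origin that
hosts it serves the verification token the site owner was given."""
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit

# Hypothetical well-known location for the verification file.
VERIFICATION_PATH = "/.well-known/scanner-verification.txt"


def issue_token() -> str:
    """Random token the site owner must publish at VERIFICATION_PATH."""
    return secrets.token_urlsafe(32)


def verification_url(target: str) -> str:
    """URL of the token file on the *same origin* as the scan target, so a
    token on some other host can never authorise scanning this one."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"unsupported target: {target!r}")
    return urlunsplit((parts.scheme, parts.netloc, VERIFICATION_PATH, "", ""))


def owner_verified(target: str, expected_token: str, fetch) -> bool:
    """True only if fetch(verification_url(target)) returns the expected token.
    `fetch(url)` must return the body as str, or None when the file is absent;
    a real fetcher should not follow redirects, or a cross-origin redirect
    could satisfy the check on behalf of another site."""
    body = fetch(verification_url(target))
    if body is None:
        return False
    # Constant-time comparison: the check must not leak how many leading
    # bytes of a guessed token were right.
    return hmac.compare_digest(body.strip().encode(), expected_token.encode())


def require_owner_verification(target: str, expected_token: str, fetch) -> str:
    """Gate for the scan entry point: return the target or refuse to proceed."""
    if not owner_verified(target, expected_token, fetch):
        raise PermissionError(f"ownership of {target} not verified; "
                              f"publish the token at {VERIFICATION_PATH}")
    return target


# Constructed stand-in for the network: a site that publishes its token.
SAMPLE_TOKEN = "constructed-token-for-illustration"
SAMPLE_SITE = {"https://app.example/.well-known/scanner-verification.txt": SAMPLE_TOKEN}

def sample_fetch(url: str):
    """Offline fetcher over SAMPLE_SITE (constructed test data)."""
    return SAMPLE_SITE.get(url)
```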