[Owasp-leaders] Bring balance: force verification in scanning tools
gregory.disney at owasp.org
Mon May 23 21:48:05 UTC 2016
The EULA covers this. If you make it annoying then people will just use
On Saturday, May 21, 2016, johanna curiel curiel <johanna.curiel at owasp.org>
> Bev asked a question which triggered an idea
> >>Why couldn't we think about implementing some types of OWASP forensic
> features into all of our code projects so that we could at least have some
> way to investigate if / when they are misused?
> Now, when she said that I thought: why does ZAP not implement a feature that
> already exists in SaaS products, which REQUIRES that you set a file in the
> hosting application beforehand in order to be able to pen test it? If the file
> is not found on the server hosting the application at that URL domain, you
> cannot attack it.
> I don't want to advertise which commercial vendors do that, but this is the
> way they avoid hackers going and misusing their services.
> Building a module into ZAP that requires this file first, to verify you own
> the web app, and only then attacks will make it harder for hackers to just
> download and use ZAP for evil purposes.
> I know the project is open source and a hacker can go and modify the
> module, but that will be more work for him and will deter the lazy hackers
> or the ones without Java knowledge and resources; they would do better to
> move to another tool without this feature.
> This way we are helping the white hats and not the black ones. It is not the
> final solution, but I think in this way OWASP builds breakers that also attempt
> to help application security.
> Johanna Curiel
> OWASP Volunteer
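The ownership gate described in the quoted message, as an added example that is not ZAP's own code and was not posted by anyone in the thread: the scanner issues a random token, the user publishes it in a file on the target, and the scan only runs if that file is served from the exact origin about to be scanned. ZAP itself is written in Java; this sketch is in Python for brevity. Every name in it (`verification_url`, `verify_ownership`, `gate_scan`, the `/.well-known/scanner-verification.txt` path, and the offline `make_fake_fetch` stand-in for HTTP) is an assumption made for the illustration.

```python
"""Hypothetical ownership-verification gate for a web scanner (added example,
not ZAP code). The user must publish a per-scan token at a fixed path on the
target before the tool will attack it."""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed path under which the tool expects to find its token file.
TOKEN_PATH = "/.well-known/scanner-verification.txt"


def issue_token():
    """Random, unguessable token the user must publish on the target host."""
    return secrets.token_urlsafe(32)


def _origin(url):
    """Normalise a URL to (scheme, host, port) so two URLs can be compared."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported target URL: %s" % url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname.lower(), port


def verification_url(target_url):
    """The token file must live on the exact origin that will be scanned."""
    scheme, host, port = _origin(target_url)
    default = 443 if scheme == "https" else 80
    netloc = host if port == default else "%s:%d" % (host, port)
    return "%s://%s%s" % (scheme, netloc, TOKEN_PATH)


def verify_ownership(target_url, expected_token, fetch):
    """fetch(url) -> (status, final_url, body_bytes).

    Returns True only if the token file is served with HTTP 200 from the same
    origin as the target and its content is exactly the expected token."""
    url = verification_url(target_url)
    try:
        status, final_url, body = fetch(url)
    except Exception:
        return False
    if status != 200:
        return False
    # A redirect that lands on another origin must not count: control of
    # example.net proves nothing about example.com.
    if _origin(final_url) != _origin(target_url):
        return False
    found = body.decode("utf-8", "replace").strip()
    # Constant-time comparison so the check itself does not leak the token.
    return hmac.compare_digest(found.encode(), expected_token.encode())


def gate_scan(target_url, expected_token, fetch, run_scan):
    """Run run_scan(target_url) only after ownership has been verified."""
    if not verify_ownership(target_url, expected_token, fetch):
        return {"scanned": False, "reason": "verification file missing or wrong"}
    return {"scanned": True, "result": run_scan(target_url)}


# Constructed, offline stand-in for HTTP so the example runs as written.
def make_fake_fetch(files):
    """files maps URL -> (status, final_url, body); anything else is a 404."""
    def fetch(url):
        return files.get(url, (404, url, b"not found"))
    return fetch


if __name__ == "__main__":
    token = issue_token()
    owned_url = verification_url("https://app.example.com")
    owned = make_fake_fetch({owned_url: (200, owned_url, token.encode() + b"\n")})
    scan = lambda t: "scanned %s" % t
    print(gate_scan("https://app.example.com", token, owned, scan))      # runs
    print(gate_scan("https://victim.example.org", token, owned, scan))   # refused
```

The same-origin check on the final URL is the part worth keeping if this is ever built for real: without it, an attacker who controls any host that the target redirects to could satisfy the gate. As the quoted message itself acknowledges, in an open-source tool this remains a deterrent rather than a control, since the gate can be patched out of the source.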