[Owasp-topten] A7 2013 - "Some proxies support this type of analysis"

Michael Coates michael.coates at owasp.org
Fri May 31 20:15:36 UTC 2013


Simon,

How does ZAP look for this item? Supported? Planned?


--
Michael Coates | OWASP | @_mwc



On Fri, May 31, 2013 at 11:26 AM, Dave Wichers <dave.wichers at owasp.org> wrote:

> Jeff Williams said he used the feature in Burp Pro to good effect in a pen
> test late last year. I personally have never used the feature.
>
> -Dave
>
> From: Ryan Dewhurst [mailto:ryandewhurst at gmail.com]
> Sent: Friday, May 31, 2013 2:26 PM
> To: Dave Wichers
> Cc: OWASP TopTen
> Subject: Re: [Owasp-topten] A7 2013 - "Some proxies support this type
> of analysis"
>
> The feature is there in Burp but I'm not sure if it is working properly or
> if I am doing something wrong. I've opened a bug report -
> http://forum.portswigger.net/thread/658/compare-site-ignores-session-config
>
> On Fri, May 31, 2013 at 8:20 PM, Dave Wichers <dave.wichers at owasp.org>
> wrote:
>
> I know that Burp Pro does. I’m not personally aware of any others that do.
> I’m hesitant to add a comment about Burp Pro to the Top 10 since it’s a
> commercial tool.
>
> If anyone knows of any others that do, commercial or otherwise, please let
> us know.
>
> -Dave
>
> From: owasp-topten-bounces at lists.owasp.org [mailto:
> owasp-topten-bounces at lists.owasp.org] On Behalf Of Ryan Dewhurst
> Sent: Friday, May 31, 2013 11:09 AM
> To: OWASP TopTen
> Subject: [Owasp-topten] A7 2013 - "Some proxies support this type of
> analysis"
>
> Hi,
>
> On "Top 10 2013-A7-Missing Function Level Access Control" under the "Am I
> Vulnerable To 'Missing Function Level Access Control'?" section it states
> "Some proxies support this type of analysis." -
> https://www.owasp.org/index.php/Top_10_2013-A7
>
> Does anyone know which proxies support this kind of analysis? Burp, Zap,
> others?
>
> I ask out of personal curiosity but I'm not sure if it is also worth adding
> which proxies to that text.
>
> Thanks,
>
> Ryan
>
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>
>
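The analysis the quoted A7 text refers to, as an added example written for this page (not code from the Top 10 project, Burp or ZAP): the A7 page's own advice is to replay requests captured in a privileged session using a low-privilege session and compare the responses, and the script below does that comparison over constructed sample responses for hypothetical endpoints. The "review" label for responses that differ without an explicit denial, and the 0.9 similarity threshold, are my choices.

```python
import difflib
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str
    location: str = ""  # Location header, if any


# Constructed sample: privileged requests replayed once with an admin
# session and once with a low-privilege user's session (hypothetical URLs).
SAMPLE = {
    "GET /admin/users": (
        Response(200, "<h1>Users</h1><ul><li>alice</li><li>bob</li></ul>"),
        Response(200, "<h1>Users</h1><ul><li>alice</li><li>bob</li></ul>"),
    ),
    "POST /admin/deleteUser": (
        Response(200, "User removed"),
        Response(302, "", location="/login"),
    ),
    "GET /admin/report?range=all": (
        Response(200, "Report for 2013-05: 412 records"),
        Response(200, "Report for 2013-05: 412 records, generated 20:15"),
    ),
    "GET /account/profile": (
        Response(200, "Profile of admin"),
        Response(403, "Forbidden"),
    ),
}


def is_access_denied(r: Response) -> bool:
    """401/403, or a redirect to the login page, counts as enforced access control."""
    return r.status in (401, 403) or (300 <= r.status < 400 and "login" in r.location)


def classify(priv: Response, unpriv: Response, threshold: float = 0.9) -> str:
    """Return 'protected', 'suspect' or 'review' for one replayed request."""
    if is_access_denied(unpriv):
        return "protected"
    if unpriv.status == priv.status:
        ratio = difflib.SequenceMatcher(None, priv.body, unpriv.body).ratio()
        if ratio >= threshold:
            return "suspect"  # same function served to both roles: likely A7
    return "review"  # differs, but no explicit denial: inspect by hand


def compare_sessions(pairs):
    """Map each request to its verdict; 'suspect' entries are the A7 findings."""
    return {req: classify(p, u) for req, (p, u) in pairs.items()}
```

Timestamps and similar noise (the report case) push similar bodies below the threshold, which is why a byte-for-byte comparison alone is not enough and a "review" bucket is kept.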

