Revision as of 14:31, 18 December 2017

ZAPping the OWASP Top 10

This document gives an overview of the automatic and manual components provided by the OWASP Zed Attack Proxy Project (ZAP) that are recommended for testing each of the OWASP Top Ten Project 2017 risks.

Note that the OWASP Top Ten Project risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’!

A printable (pdf) version of this document is also available (based on the Top 10 - 2013 edition): ZAPpingTheOwaspTop10.pdf

The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.

	Common Components
	The 'common components' can be used for pretty much everything, so can be used to help detect all of the Top 10
Manual	Man-in-the-middle proxy
Manual	Manual request / resend
Manual	Scripts
Manual	Search
A1	A1 Injection
Automated	Active Scan Rules (Release, Beta`` and Alpha``)
Automated	SQLMap Injection Engine (Beta`*`)
Manual	Fuzzer, combined with the FuzzDb (Release)`` and SVN Digger (Beta)`` files
A2	A2 Broken Authentication and Session Management
Manual	Http Sessions
Manual	Spider
Manual	Forced Browse (Beta)
Manual	Token Generator (Beta)`*`
A3	A3 Cross-Site Scripting (XSS)
Automated	Active Scan Rules (Release)
Manual	Fuzzer, combined with the FuzzDb (Release)`` and SVN Digger (Beta)`` files
Manual	Plug-n-Hack (Beta)
A4	A4 Insecure Direct Object References
Manual	Params tab
A5	A5 Security Misconfiguration
Automated	Active Scan Rules (Release, Beta`` and Alpha``)
Automated	Passive Scan Rules (Release, Beta`` and Alpha``)
Manual	HttpsInfo (Alpha)`*`
Manual	Port Scanner (Beta)`*`
Manual	Technology detection (Alpha)`*`
A6	A6 Sensitive Data Exposure
Automated	Active Scan Rules (Release, Beta`` and Alpha``)
Automated	Passive Scan Rules (Release, Beta`` and Alpha``)
A7	A7 Missing Function Level Access Control
Manual	Spider
Manual	Ajax Spider (Beta)
Manual	Session comparison
Manual	Access Control (Alpha)
A8	A8 Cross-Site Request Forgery (CSRF)
Automated	Active Scan Rules (Beta)`*`
Automated	Passive Scan Rules (Beta)`*`
Manual	Generate Anti CSRF Test Form
A9	A9 Using Components with Known Vulnerabilities
Automated	Passive Scan Rules (Alpha)`` and Retire (Alpha)``
Manual	Technology detection (Alpha)`*`
A10	A10 Unvalidated Redirects and Forwards
Automated	Active Scan Rules (Release)
Manual	Fuzzer, combined with the FuzzDb (Release)`` and SVN Digger (Beta)`` files

* The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the ‘Manage add-ons’ button on the ZAP main toolbar.

@@ Line 1: / Line 1: @@
 = ZAPping the OWASP Top 10 =
-<p>This document gives an overview of the automatic and manual components provided by the [[OWASP Zed Attack Proxy Project ]] (ZAP) that are recommended for testing each of the [[OWASP Top Ten Project]] 2013 risks.
+<p>This document gives an overview of the automatic and manual components provided by the [[OWASP Zed Attack Proxy Project ]] (ZAP) that are recommended for testing each of the [[OWASP Top Ten Project]] 2017 risks.
-</p><p>Note that the [[OWASP Top Ten Project]] risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’! </p><p>A printable (pdf) version of this document is also available: [https://www.owasp.org/index.php/File:ZAPpingTheOwaspTop10.pdf ZAPpingTheOwaspTop10.pdf] </p><p>
+</p><p>Note that the [[OWASP Top Ten Project]] risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’! </p>
+<p>A printable (pdf) version of this document is also available (based on the Top 10 - 2013 edition): [https://www.owasp.org/index.php/File:ZAPpingTheOwaspTop10.pdf ZAPpingTheOwaspTop10.pdf] </p><p>
 The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.
@@ Line 9: / Line 10: @@
 <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> Common Components </font> </td></tr>
 <tr><td style="border: 1px solid #ccc; padding: 5px;"> </td><td style="border: 1px solid #ccc; padding: 5px;"> The &#x27;common components&#x27; can be used for pretty much everything, so can be used to help detect all of the Top 10  </td></tr>
-<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Intercepting proxy] </td></tr>
+<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Man-in-the-middle proxy] </td></tr>
 <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsMan_req Manual request] / [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsResend resend] </td></tr>
 <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Scripts] </td></tr>

Difference between revisions of "ZAPpingTheTop10"

Revision as of 14:31, 18 December 2017

ZAPping the OWASP Top 10

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools