Difference between revisions of "ZAPpingTheTop10"
m |
m (Added A10 and A8 details.) |
||
Line 56: | Line 56: | ||
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A8-Insecure_Deserialization | A8 Insecure Deserialization]] </font> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A8-Insecure_Deserialization | A8 Insecure Deserialization]] </font> </td></tr> | ||
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> There are currently two outstanding issue that are relevant to this Top 10 entry: [https://github.com/zaproxy/zaproxy/issues/4112 Insecure deserialization active scanner] & [https://github.com/zaproxy/zaproxy/issues/4509 Java Serialization Handling]</td></tr> |
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A9 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]] </font> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A9 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]] </font> </td></tr> | ||
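Review bot: the added A8 row (the `+` side of the second line of this hunk) has a grammar slip, "two outstanding issue" should read "two outstanding issues". More substantively, the row is labelled "Automated" although its text only points at two open ZAP issues, i.e. no automated check exists yet; consider a label such as "Automated (not yet available)" so a reader scanning the first column does not assume coverage.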
Line 63: | Line 63: | ||
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A10 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A10-Insufficient_Logging%26Monitoring | A10 Insufficient Logging & Monitoring]] </font> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A10 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10-2017_A10-Insufficient_Logging%26Monitoring | A10 Insufficient Logging & Monitoring]] </font> </td></tr> | ||
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated / Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> The Spider(s), Active Scanner, Fuzzer, and Access Control addon can all be used to generate traffic and "attacks" which are potential sources/causes for logging and alerting. </td></tr> |
</table> | </table> | ||
<tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https://github.com/zaproxy/zap-extensions/wiki/Introduction ‘Manage add-ons’] button on the ZAP main toolbar. </p> | <tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https://github.com/zaproxy/zap-extensions/wiki/Introduction ‘Manage add-ons’] button on the ZAP main toolbar. </p> |
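Review bot: the added A10 row spells "addon" while the footnote context line in the same hunk uses "add-ons"; use "add-on" for consistency. That footnote line also reads "stared add-ons" where "starred add-ons" is meant (it refers to the asterisk marker), and since the line is already in the hunk it is worth fixing in the same edit.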
Revision as of 19:49, 26 April 2018
ZAPping the OWASP Top 10
This content is currently a work in progress (as of Dec-2017); the complete mapping for the 2013 edition of the OWASP Top 10 can be found here.
This document gives an overview of the automatic and manual components provided by the OWASP Zed Attack Proxy Project (ZAP) that are recommended for testing each of the OWASP Top Ten Project 2017 risks.
Note that the OWASP Top Ten Project risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’!
A printable (pdf) version of this document is also available (based on the Top 10 - 2013 edition): ZAPpingTheOwaspTop10.pdf
The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.
Mode | Component
Common Components
The 'common components' can be used for pretty much everything, so they can be used to help detect all of the Top 10.
Manual | Man-in-the-middle proxy
Manual | Manual request / resend
Manual | Scripts
Manual | Search
A1 Injection
Automated | Active Scan Rules (Release, Beta* and Alpha*)
Automated | SQLMap Injection Engine (Beta*)
Manual | Fuzzer, combined with the FuzzDb (Release)* and SVN Digger (Beta)* files
A2 Broken Authentication
Manual | Http Sessions
Manual | Spider
Manual | Forced Browse (Beta)
Manual | Token Generator (Beta)*
Automated | Access Control Testing*
A3 Sensitive Data Exposure
Automated | Active Scan Rules (Release, Beta* and Alpha*)
Automated | Passive Scan Rules (Release, Beta* and Alpha*)
A4 XML External Entities (XXE)
Automated | Active Scan Rules (Beta*)
A5 Broken Access Control
Automated | Active Scan Rules (Release, Beta* and Alpha*)
Automated | Passive Scan Rules (Release, Beta* and Alpha*)
Manual | HttpsInfo (Alpha)*
Manual | Port Scanner (Beta)*
Manual | Technology detection (Alpha)*
A6 Security Misconfiguration
Manual | Spider
Manual | Ajax Spider (Beta)
Manual | Session comparison
Manual | Access Control (Alpha)
Manual | HttpsInfo (Alpha)*
A7 Cross-Site Scripting (XSS)
Automated | Active Scan Rules (Release)
Manual | Fuzzer, combined with the FuzzDb (Release)* files
Manual | Plug-n-Hack (Beta)
A8 Insecure Deserialization
Automated | There are currently two outstanding issues relevant to this Top 10 entry: Insecure deserialization active scanner (https://github.com/zaproxy/zaproxy/issues/4112) & Java Serialization Handling (https://github.com/zaproxy/zaproxy/issues/4509)
A9 Using Components with Known Vulnerabilities
Automated | Passive Scan Rules (Alpha)* and Retire (Alpha)*
Manual | Technology detection (Alpha)*
A10 Insufficient Logging & Monitoring
Automated / Manual | The Spider(s), Active Scanner, Fuzzer, and Access Control add-on can all be used to generate traffic and "attacks" which are potential sources/causes for logging and alerting.
* The starred add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the ‘Manage add-ons’ button (https://github.com/zaproxy/zap-extensions/wiki/Introduction) on the ZAP main toolbar.