This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "ZAPpingTheTop10-2013"
(Updated links to point to github) |
|||
Line 9: | Line 9: | ||
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> Common Components </font> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> Common Components </font> </td></tr> | ||
<tr><td style="border: 1px solid #ccc; padding: 5px;"> </td><td style="border: 1px solid #ccc; padding: 5px;"> The 'common components' can be used for pretty much everything, so can be used to help detect all of the Top 10 </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> </td><td style="border: 1px solid #ccc; padding: 5px;"> The 'common components' can be used for pretty much everything, so can be used to help detect all of the Top 10 </td></tr> | ||
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsIntercept Intercepting proxy] </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsMan_req Manual request] / [https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsResend resend] </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsScriptsScripts Scripts] </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSearch Search] </td></tr> |
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A1 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A1-Injection | A1 Injection]] </font> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A1 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A1-Injection | A1 Injection]] </font> </td></tr> | ||
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr> |
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> SQLMap Injection Engine (Beta<tt>*</tt>) </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> SQLMap Injection Engine (Beta<tt>*</tt>) </td></tr> | ||
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr> |
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Diviner (Alpha)<tt>*</tt> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Diviner (Alpha)<tt>*</tt> </td></tr> | ||
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A2 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]</font> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A2 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]</font> </td></tr> | ||
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsHttpsessions Http Sessions] </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsBruteForceConcepts Forced Browse (Beta)] </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/AddOn_tokengen Token Generator (Beta)]<tt>*</tt> </td></tr> |
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Diviner (Alpha)<tt>*</tt> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Diviner (Alpha)<tt>*</tt> </td></tr> | ||
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Vehicle (Alpha)<tt>*</tt> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Vehicle (Alpha)<tt>*</tt> </td></tr> | ||
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5">[[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]] </font> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5">[[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]] </font> </td></tr> | ||
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPlugnhackPlugnhack Plug-n-Hack (Beta)] </td></tr> |
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Diviner (Alpha)<tt>*</tt> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Diviner (Alpha)<tt>*</tt> </td></tr> | ||
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A4 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]] </font> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A4 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]] </font> </td></tr> | ||
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsParams Params tab] </td></tr> |
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Diviner (Alpha)<tt>*</tt> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Diviner (Alpha)<tt>*</tt> </td></tr> | ||
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A5 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]] </font> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A5 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]] </font> </td></tr> | ||
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr> |
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> <tt>HttpsInfo</tt> (Alpha)<tt>*</tt> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> <tt>HttpsInfo</tt> (Alpha)<tt>*</tt> </td></tr> | ||
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPortscanConcepts Port Scanner (Beta)]<tt>*</tt> </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr> |
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A6 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]] </font> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A6 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]] </font> </td></tr> | ||
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr> |
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A7 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]] </font> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A7 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]] </font> </td></tr> | ||
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsSpider Spider] </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts Ajax Spider (Beta)] </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport#Compare_with_another_Session... Session comparison] </td></tr> |
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Access Control (Currently only available in Weekly release) </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Access Control (Currently only available in Weekly release) </td></tr> | ||
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]] </font> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]] </font> </td></tr> | ||
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta])<tt>*</tt> </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta])<tt>*</tt> </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsSites#Generate_anti_CSRF_test_form Generate Anti CSRF Test Form] </td></tr> |
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A9 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]] </font> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A9 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]] </font> </td></tr> | ||
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha])<tt>*</tt> and Retire (Alpha)<tt>*</tt> </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr> |
<tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A10 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]] </font> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A10 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]] </font> </td></tr> | ||
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr> |
− | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https:// | + | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr> |
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Diviner (Alpha)<tt>*</tt> </td></tr> | <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Diviner (Alpha)<tt>*</tt> </td></tr> | ||
</table> | </table> | ||
− | <tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https:// | + | <tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https://github.com/zaproxy/zap-extensions/wiki/Introduction ‘Manage add-ons’] button on the ZAP main toolbar. </p> |
Revision as of 08:51, 18 June 2015
ZAPping the OWASP Top 10
This document gives an overview of the automatic and manual components provided by the OWASP Zed Attack Proxy Project (ZAP) that are recommended for testing each of the OWASP Top Ten Project 2013 risks.
Note that the OWASP Top Ten Project risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’!
A printable (pdf) version of this document is also available: ZAPpingTheOwaspTop10.pdf
The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.
Common Components | |
The 'common components' can be used for pretty much everything, so can be used to help detect all of the Top 10 | |
Manual | Intercepting proxy |
Manual | Manual request / resend |
Manual | Scripts |
Manual | Search |
A1 | A1 Injection |
Automated | Active Scan Rules (Release, Beta* and Alpha*) |
Automated | SQLMap Injection Engine (Beta*) |
Manual | Fuzzer, combined with the FuzzDb (Release)* and SVN Digger (Beta)* files |
Manual | Diviner (Alpha)* |
A2 | A2 Broken Authentication and Session Management |
Manual | Http Sessions |
Manual | Spider |
Manual | Forced Browse (Beta) |
Manual | Token Generator (Beta)* |
Manual | Diviner (Alpha)* |
Manual | Vehicle (Alpha)* |
A3 | A3 Cross-Site Scripting (XSS) |
Automated | Active Scan Rules (Release) |
Manual | Fuzzer, combined with the FuzzDb (Release)* and SVN Digger (Beta)* files |
Manual | Plug-n-Hack (Beta) |
Manual | Diviner (Alpha)* |
A4 | A4 Insecure Direct Object References |
Manual | Params tab |
Manual | Diviner (Alpha)* |
A5 | A5 Security Misconfiguration |
Automated | Active Scan Rules (Release, Beta* and Alpha*) |
Automated | Passive Scan Rules (Release, Beta* and Alpha*) |
Manual | HttpsInfo (Alpha)* |
Manual | Port Scanner (Beta)* |
Manual | Technology detection (Alpha)* |
A6 | A6 Sensitive Data Exposure |
Automated | Active Scan Rules (Release, Beta* and Alpha*) |
Automated | Passive Scan Rules (Release, Beta* and Alpha*) |
A7 | A7 Missing Function Level Access Control |
Manual | Spider |
Manual | Ajax Spider (Beta) |
Manual | Session comparison |
Manual | Access Control (Currently only available in Weekly release) |
A8 | A8 Cross-Site Request Forgery (CSRF) |
Automated | Active Scan Rules (Beta)* |
Automated | Passive Scan Rules (Beta)* |
Manual | Generate Anti CSRF Test Form |
A9 | A9 Using Components with Known Vulnerabilities |
Automated | Passive Scan Rules (Alpha)* and Retire (Alpha)* |
Manual | Technology detection (Alpha)* |
A10 | A10 Unvalidated Redirects and Forwards |
Automated | Active Scan Rules (Release) |
Manual | Fuzzer, combined with the FuzzDb (Release)* and SVN Digger (Beta)* files |
Manual | Diviner (Alpha)* |