Difference between revisions of "ZAPpingTheTop10-2013"

From OWASP
Jump to: navigation, search
(Updated links to point to github)
(Updated per https://github.com/zaproxy/zaproxy/issues/3883)
Line 18: Line 18:
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> SQLMap Injection Engine (Beta<tt>*</tt>)  </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> SQLMap Injection Engine (Beta<tt>*</tt>)  </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Diviner (Alpha)<tt>*</tt> </td></tr>
 
  
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A2 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]</font> </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A2 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]</font> </td></tr>
Line 25: Line 24:
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsBruteForceConcepts Forced Browse (Beta)] </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsBruteForceConcepts Forced Browse (Beta)] </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/AddOn_tokengen Token Generator (Beta)]<tt>*</tt> </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/AddOn_tokengen Token Generator (Beta)]<tt>*</tt> </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Diviner (Alpha)<tt>*</tt> </td></tr>
 
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Vehicle (Alpha)<tt>*</tt> </td></tr>
 
  
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5">[[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]] </font> </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A3 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5">[[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]] </font> </td></tr>
Line 32: Line 29:
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPlugnhackPlugnhack Plug-n-Hack (Beta)] </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPlugnhackPlugnhack Plug-n-Hack (Beta)] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Diviner (Alpha)<tt>*</tt> </td></tr>
 
  
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A4 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]] </font> </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A4 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]] </font> </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsParams Params tab] </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTabsParams Params tab] </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Diviner (Alpha)<tt>*</tt> </td></tr>
 
  
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A5 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]] </font> </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A5 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]] </font> </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesAlphaAscanalpha Alpha]<tt>*</tt>) </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsPscan Passive Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules Release], [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesBetaPscanbeta Beta]<tt>*</tt> and [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPscanrulesAlphaPscanalpha Alpha]<tt>*</tt>) </td></tr>
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> <tt>HttpsInfo</tt>  (Alpha)<tt>*</tt> </td></tr>
+
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsHttpsinfoHttpsinfo HttpsInfo (Alpha)]<tt>*</tt> </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPortscanConcepts Port Scanner (Beta)]<tt>*</tt> </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsPortscanConcepts Port Scanner (Beta)]<tt>*</tt> </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsWappalyzerWappalyzer Technology detection (Alpha)]<tt>*</tt> </td></tr>
Line 53: Line 48:
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts Ajax Spider (Beta)] </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsSpiderAjaxConcepts Ajax Spider (Beta)] </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport#Compare_with_another_Session... Session comparison] </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpUiTlmenuReport#Compare_with_another_Session... Session comparison] </td></tr>
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Access Control (Currently only available in Weekly release) </td></tr>
+
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAccessControlConcepts Access Control (Alpha)] </td></tr>
  
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]] </font> </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> A8 </font> </td><td style="border: 1px solid #ccc; padding: 5px;"> <font size="5"> [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]] </font> </td></tr>
Line 67: Line 62:
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Automated </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAscan Active Scan Rules] ([https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules Release]) </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>
 
  <tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> [https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsFuzz Fuzzer], combined with the [https://github.com/zaproxy/zap-extensions/wiki/AddOn_fuzzdb FuzzDb (Release)]<tt>*</tt> and SVN Digger (Beta)<tt>*</tt> files </td></tr>
<tr><td style="border: 1px solid #ccc; padding: 5px;"> Manual </td><td style="border: 1px solid #ccc; padding: 5px;"> Diviner (Alpha)<tt>*</tt> </td></tr>
 
 
  </table>
 
  </table>
  
 
<tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https://github.com/zaproxy/zap-extensions/wiki/Introduction ‘Manage add-ons’] button on the ZAP main toolbar. </p>
 
<tt>*</tt> The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the [https://github.com/zaproxy/zap-extensions/wiki/Introduction ‘Manage add-ons’] button on the ZAP main toolbar. </p>

Revision as of 12:17, 13 October 2017

ZAPping the OWASP Top 10

This document gives an overview of the automatic and manual components provided by the OWASP Zed Attack Proxy Project (ZAP) that are recommended for testing each of the OWASP Top Ten Project 2013 risks.

Note that the OWASP Top Ten Project risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’!

A printable (pdf) version of this document is also available: ZAPpingTheOwaspTop10.pdf

The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.

Common Components
The 'common components' can be used for pretty much everything, so can be used to help detect all of the Top 10
Manual Intercepting proxy
Manual Manual request / resend
Manual Scripts
Manual Search
A1 A1 Injection
Automated Active Scan Rules (Release, Beta* and Alpha*)
Automated SQLMap Injection Engine (Beta*)
Manual Fuzzer, combined with the FuzzDb (Release)* and SVN Digger (Beta)* files
A2 A2 Broken Authentication and Session Management
Manual Http Sessions
Manual Spider
Manual Forced Browse (Beta)
Manual Token Generator (Beta)*
A3 A3 Cross-Site Scripting (XSS)
Automated Active Scan Rules (Release)
Manual Fuzzer, combined with the FuzzDb (Release)* and SVN Digger (Beta)* files
Manual Plug-n-Hack (Beta)
A4 A4 Insecure Direct Object References
Manual Params tab
A5 A5 Security Misconfiguration
Automated Active Scan Rules (Release, Beta* and Alpha*)
Automated Passive Scan Rules (Release, Beta* and Alpha*)
Manual HttpsInfo (Alpha)*
Manual Port Scanner (Beta)*
Manual Technology detection (Alpha)*
A6 A6 Sensitive Data Exposure
Automated Active Scan Rules (Release, Beta* and Alpha*)
Automated Passive Scan Rules (Release, Beta* and Alpha*)
A7 A7 Missing Function Level Access Control
Manual Spider
Manual Ajax Spider (Beta)
Manual Session comparison
Manual Access Control (Alpha)
A8 A8 Cross-Site Request Forgery (CSRF)
Automated Active Scan Rules (Beta)*
Automated Passive Scan Rules (Beta)*
Manual Generate Anti CSRF Test Form
A9 A9 Using Components with Known Vulnerabilities
Automated Passive Scan Rules (Alpha)* and Retire (Alpha)*
Manual Technology detection (Alpha)*
A10 A10 Unvalidated Redirects and Forwards
Automated Active Scan Rules (Release)
Manual Fuzzer, combined with the FuzzDb (Release)* and SVN Digger (Beta)* files
* The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the ‘Manage add-ons’ button on the ZAP main toolbar.