Getting Started with ZAP and the OWASP Top 10: Common Questions

I recently received an email from a developer who was gearing up to use OWASP ZAP to test the security of their code. The developer had some questions about OWASP ZAP, testing for the OWASP Top 10 2013, and ZAP configuration. After I answered the email, I asked if I could repost it here because I thought it might be a useful resource for other developers getting started using ZAP – so here we go:


Hi.  I work at a company called [redacted].  We are beginning to use the OWASP Zap tool to test for security on one of our web applications.  We are trying to implement all of the OWASP 2013 top ten in our web application.  I was hoping you could provide insight to the below or possibly point me to somebody who could if you cannot:

1. If I run OWASP Zap out of the box on a web application, which tests does it perform that satisfy the OWASP Top 10 for 2013?

I don’t have a definitive list, but I would expect OWASP ZAP to test for:

  • A1 (injection)
  • A3 (cross-site scripting)
  • A5 (security misconfiguration) (some instances)
  • A6 (sensitive data exposure) (some instances)
  • A8 (cross site request forgery) (some instances)
  • A10 (unvalidated redirects and forwards)

The other vulnerabilities (as well as certain cases of some of those listed above) are hard or impossible to test for using automation and require manual testing. This usually involves surfing around with a browser proxied through OWASP ZAP, setting breakpoints, and then manually modifying requests before they are sent to the server. More info on that can be found here:

https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsBreakpoints

Also you will want to make sure that ZAP is getting a full crawl of your application – meaning that you have configured it to log in before crawling and attacking. Otherwise you will only get coverage of pages that an unauthenticated user can access. To do this, you should use OWASP ZAP Contexts. More information on configuring those for Authentication can be found here:

https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsSessionContexts

2. I’m guessing it does not perform all of the OWASP Top 10 for 2013 so I am wondering if there is documentation or a video that would explain how to do that if it is even possible?

As mentioned above, OWASP ZAP’s automated scan can help to test for a subset of the OWASP Top 10. The manual testing capabilities of ZAP can be used to test for most of the remainder of the OWASP Top 10, but that requires manual penetration testing skills. A good guide for how these types of tests can be performed can be found in the OWASP Testing Guide:

https://www.owasp.org/index.php/OWASP_Testing_Project

I don’t know that it has ZAP-specific instructions, but it will show you the sort of test cases you would need to perform with ZAP.

Another OWASP tool you may want to look at for testing for A9 (using components with known vulnerabilities) is the OWASP Dependency Check project:

https://www.owasp.org/index.php/OWASP_Dependency_Check

That works for applications written in Java, and they have recently added support for .NET and Python applications. They have a mailing list where they can answer questions here:

https://groups.google.com/forum/?fromgroups#!forum/dependency-check

3. One of my teammates here at [redacted] has started to use OWASP Zap on our web application using the AJAX spider attack. Below are the tests that he saw that it runs on each page:

CRLF Injection                              Default  Default  Release
Cross Site Scripting (Persistent)           Default  Default  Release
Cross Site Scripting (Persistent) – Prime   Default  Default  Release
Cross Site Scripting (Persistent) – Spider  Default  Default  Release
Cross Site Scripting (Reflected)            Default  Default  Release
Parameter Tampering                         Default  Default  Release
Remote OS Command Injection                 Default  Default  Release
Server Side Code Injection                  Default  Default  Release
Server Side Include                         Default  Default  Release
SQL Injection                               Default  Default  Release

What does Default Default Release mean?  Also, do we need to tweak any of these tests or do they perform strong enough testing?

Those three columns refer to Threshold, Strength, and Quality:

  • Threshold – How strictly should ZAP check for vulnerabilities? Low may mean more false positives, or vulnerability reports that aren’t actually vulnerabilities. Medium is the default level, and High may mean that vulnerabilities would not be reported (false negatives) because of a higher “bar” for what ZAP would consider a vulnerability.
  • Strength – How many attacks should the rule perform to try and identify a vulnerability? Low limits attacks to around 6 requests per scan call. Medium limits to around 12, and High limits to around 24. There is also an Insane level, where a rule may perform any number of requests per scan call. I believe the default here is Medium.
  • Quality – How mature is this particular rule? Alpha are for really immature rules. Beta is for more mature, but not extensively tested rules, and Release is for rules that have been extensively tested and are mature.
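To make the two configuration points above concrete (setting up a Context with authentication so ZAP crawls and attacks as a logged-in user, from question 1, and tuning the per-rule Threshold and Strength settings just described), here is an added example that is not code from the original email or from the ZAP project. It drives ZAP through its JSON API using only the Python standard library and assumes: ZAP listening on http://127.0.0.1:8080 with API key "changeme", a target application at http://target.example/ whose login form posts "username" and "password" fields to /login, a "Logout" link that appears only on authenticated pages, and a throwaway test account; all of these are constructed placeholders. The rule IDs 40018 (SQL Injection) and 40012 (Cross Site Scripting (Reflected)) are the IDs ZAP shows in its Scan Policy dialog; verify them against your own install before relying on them.

```python
"""Scripted authenticated ZAP scan with per-rule Threshold/Strength tuning via ZAP's JSON API.

Added example (not from the original post or the ZAP project). Hosts, API key,
form field names, credentials and the logged-in regex are constructed placeholders.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"   # assumption: local ZAP API endpoint
API_KEY = "changeme"                 # assumption: API key configured in ZAP
TARGET = "http://target.example/"    # assumption: application under test
CONTEXT = "target-app"

# Allowed values for the two settings discussed above, in ZAP API spelling.
THRESHOLDS = {"OFF", "DEFAULT", "LOW", "MEDIUM", "HIGH"}
STRENGTHS = {"DEFAULT", "LOW", "MEDIUM", "HIGH", "INSANE"}


def api_url(component, kind, name, **params):
    """Build a ZAP API URL: <base>/JSON/<component>/<action|view>/<name>/?<params>&apikey=..."""
    params["apikey"] = API_KEY
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"


def call(component, kind, name, **params):
    """Issue one API request and return the decoded JSON body (needs a running ZAP)."""
    with urllib.request.urlopen(api_url(component, kind, name, **params)) as resp:
        return json.load(resp)


def form_auth_params(login_url, user_field, pass_field):
    """Config string for ZAP's formBasedAuthentication method.

    The login request data keeps ZAP's {%username%} / {%password%} placeholders, which
    ZAP fills from the user's credentials when it logs in. Each value is URL-encoded
    on its own; ZAP splits the string on '&' and decodes the parts.
    """
    request_data = f"{user_field}={{%username%}}&{pass_field}={{%password%}}"
    return ("loginUrl=" + urllib.parse.quote(login_url, safe="")
            + "&loginRequestData=" + urllib.parse.quote(request_data, safe=""))


def credential_params(username, password):
    """Config string for a user's credentials under form-based authentication."""
    return urllib.parse.urlencode({"username": username, "password": password})


def tune_rule(rule_id, threshold, strength, policy="Default Policy"):
    """Set Threshold and Strength for one active-scan rule; reject unknown levels
    before anything is sent to ZAP."""
    if threshold not in THRESHOLDS or strength not in STRENGTHS:
        raise ValueError(f"invalid level for rule {rule_id}: {threshold}/{strength}")
    call("ascan", "action", "setScannerAlertThreshold",
         id=rule_id, alertThreshold=threshold, scanPolicyName=policy)
    call("ascan", "action", "setScannerAttackStrength",
         id=rule_id, attackStrength=strength, scanPolicyName=policy)


def wait_for(component, scan_id):
    """Poll a spider or active scan until its status view reports 100%."""
    while int(call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(2)


def authenticated_scan():
    """Create a Context with form-based auth and a user, then spider and active-scan
    the target as that user so pages behind the login are covered."""
    call("context", "action", "newContext", contextName=CONTEXT)
    call("context", "action", "includeInContext", contextName=CONTEXT, regex=TARGET + ".*")
    ctx = call("context", "view", "context", contextName=CONTEXT)["context"]["id"]
    call("authentication", "action", "setAuthenticationMethod", contextId=ctx,
         authMethodName="formBasedAuthentication",
         authMethodConfigParams=form_auth_params(TARGET + "login", "username", "password"))
    # Assumption: a "Logout" link is present only on authenticated pages.
    call("authentication", "action", "setLoggedInIndicator", contextId=ctx,
         loggedInIndicatorRegex=r"\QLogout\E")
    uid = call("users", "action", "newUser", contextId=ctx, name="tester")["userId"]
    call("users", "action", "setAuthenticationCredentials", contextId=ctx, userId=uid,
         authCredentialsConfigParams=credential_params("tester", "placeholder-password"))
    call("users", "action", "setUserEnabled", contextId=ctx, userId=uid, enabled="true")

    # Stricter-than-default settings for two rules relevant to A1 and A3:
    # a LOW threshold accepts more false positives rather than missing findings,
    # and HIGH strength lets each rule send more requests per scan call.
    tune_rule(40018, "LOW", "HIGH")     # SQL Injection
    tune_rule(40012, "MEDIUM", "HIGH")  # Cross Site Scripting (Reflected)

    scan = call("spider", "action", "scanAsUser", contextId=ctx, userId=uid, url=TARGET)["scan"]
    wait_for("spider", scan)
    scan = call("ascan", "action", "scanAsUser", url=TARGET, contextId=ctx, userId=uid)["scan"]
    wait_for("ascan", scan)
    return call("core", "view", "alerts", baseurl=TARGET)["alerts"]


if __name__ == "__main__":
    for alert in authenticated_scan():
        print(alert["risk"], alert["alert"], alert["url"])
```

Comparing the alert list from this run against one from a plain unauthenticated scan is a quick way to confirm that the Context and login configuration actually took effect: the authenticated run should report URLs that only a logged-in user can reach.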

You can find out some more info on the internals of OWASP ZAP and how it handles Threshold, Strength and Quality for scan configurations here:

http://zaproxy.blogspot.co.uk/2014/04/hacking-zap-3-passive-scan-rules.html

http://zaproxy.blogspot.com/2014/04/hacking-zap-4-active-scan-rules.html

https://blog.mozilla.org/security/2013/07/10/how-to-speed-up-owasp-zap-scans/

I’m a big fan of ZAP and happy to help out. In addition, another resource for these types of ZAP usage questions would be the OWASP ZAP User Group on Google Groups:

https://groups.google.com/forum/#!forum/zaproxy-users

There’s a whole community of folks who can help answer questions.

Hope this is helpful information!

Thanks,

Dan


Update: @psiinon had two excellent suggestions for additional resources:

Those do seem like great resources for developers wanting to get started with ZAP testing the OWASP Top 10 :) Many thanks to Simon for the update.


About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

One Response to “Getting Started with ZAP and the OWASP Top 10: Common Questions”

  1. Don Clifton

    Hi Guys,

    In the OWASP testing guide v4, ZAP tests A1, A2, A3, A4, A8 and A10.

    V/R,
    Don
