Getting started with ZAP and the OWASP top 10: common questions

I recently received an email from a developer who was gearing up to use OWASP ZAP to test the security of their code. The developer had some questions about OWASP ZAP, testing for the OWASP Top 10 2013, and ZAP configuration. After I answered the email, I asked if I could repost it here because I thought it might be a useful resource for other developers getting started using ZAP – so here we go:

Hi. I work at a company called [redacted]. We are beginning to use the OWASP Zap tool to test for security on one of our web applications. We are trying to implement all of the OWASP 2013 top ten in our web application. I was hoping you could provide insight to the below or possibly point me to somebody who could if you cannot:

1. If I run OWASP Zap out of the box on a web application, which tests does it perform that satisfy the OWASP Top 10 for 2013?

I don’t have a definitive list, but I would expect OWASP ZAP to test for:

• A1 (injection)
• A3 (cross-site scripting)
• A5 (security misconfiguration) (some instances)
• A6 (sensitive data exposure) (some instances)
• A8 (cross site request forgery) (some instances)
• A10 (unvalidated redirects and forwards)

The other vulnerabilities (as well as certain cases of some of those listed above) are hard or impossible to test for using automation and require manual testing. This usually involves surfing around with a browser proxied through OWASP ZAP, setting breakpoints, and then manually modifying requests before they are sent to the server. More info on that can be found here:

https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsBreakpoints

Also you will want to make sure that ZAP is getting a full crawl of your application – meaning that you have configured it to log in before crawling and attacking. Otherwise you will only get coverage of pages that an unauthenticated user can access. To do this, you should use OWASP ZAP Contexts. More information on configuring those for Authentication can be found here:

https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsSessionContexts

2. I’m guessing it does not perform all of the OWASP Top 10 for 2013 so I am wondering if there is documentation or a video that would explain how to do that if it is even possible?

As mentioned above, OWASP ZAP’s automated scan can help to test for a subset of the OWASP Top 10. The manual testing capabilities of ZAP can be used to test for most of the remainder of the OWASP Top 10, but that requires manual penetration testing skills. A good guide for how these types of tests can be performed can be found in the OWASP Testing Guide:

https://www.owasp.org/index.php/OWASP_Testing_Project

I don’t know that it has ZAP-specific instructions, but it will show you the sort of test cases you would need to perform with ZAP.

Another OWASP tool you may want to look at for testing for A9 (using components with know vulnerabilities) is the OWASP Dependency Check project:

https://www.owasp.org/index.php/OWASP_Dependency_Check

That works for applications written in Java, and they have recently added support for .NET and Python applications. They have a mailing list where they can answer questions here:

https://groups.google.com/forum/?fromgroups#!forum/dependency-check

3. One of my teammates here at [redacted] has started to use OWASP Zap on our web application using the AJAX spider attack. Below is the tests that he saw that it runs on each page:

What does Default Default Release mean? Also, do we need to tweak any of these tests or do they perform strong enough testing?

Those three columns refer to Threshold, Strength, and Quality:

• Threshold – How strictly should ZAP check for vulnerabilities? Low may mean more false positives, or vulnerability reports that aren’t actually vulnerabilities. Medium is the default level, and High may mean that vulnerabilities would not be reported (false negatives) because of a higher “bar” for what ZAP would consider a vulnerability.
• Strength – How many attacks should the rule perform to try and identify a vulnerability? Low limits attacks to around 6 requests per scan call. Medium limits to around 12, and High limits to around 24. There is also an Insane level that where a rule may call for performing any number of requests per scan call. I believe the default here is Medium.
• Quality – How mature is this particular rule? Alpha are for really immature rules. Beta is for more mature, but not extensively tested rules, and Release is for rules that have been extensively tested and are mature.

You can find out some more info on the internals of OWASP ZAP and how it handles Threshold, Strength and Quality for scan configurations here:

http://zaproxy.blogspot.co.uk/2014/04/hacking-zap-3-passive-scan-rules.html

http://zaproxy.blogspot.com/2014/04/hacking-zap-4-active-scan-rules.html

https://blog.mozilla.org/security/2013/07/10/how-to-speed-up-owasp-zap-scans/

I’m a big fan of ZAP and happy to help out. In addition, another resource for these types of ZAP usage questions would be the OWASP ZAP User Group on Google Groups:

https://groups.google.com/forum/#!forum/zaproxy-users

There’s a whole community of folks who can help answer questions.

Hope this is helpful information!

Thanks,

Dan

Update: The OWASP ZAP project continues to be a tremendous resource for the application security community. One of their most recent innovations is their ZAP HUD (“Heads Up Display”) https://github.com/zaproxy/zap-hud that provides ZAP’s functionality directly in the browser. This really opens up ZAP’s testing capabilities to whole new possible users by providing a browser-based testing environment.

Contact us for help getting security testing into your development lifecycle.