ZAPping the OWASP Top 10

This document gives an overview of the automatic and manual components provided by OWASP Zed Attack Proxy (ZAP) that are recommended for testing each of the OWASP Top Ten Project 2017 risks.

Note that the OWASP Top Ten Project risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’!

The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.

Common Components
The ‘common components’ can be used for pretty much everything, so can be used to help detect all of the Top 10
Manual Man-in-the-middle proxy
Manual Manual request / resend
Manual Scripts
Manual Search
A1 Injection
Automated Active Scan Rules (Release, Beta*, and Alpha*)
Automated Advanced SQLInjection Scanner* (Based on SQLMap)
Manual Fuzzer, combined with the FuzzDb* and SVN Digger* files
A2 Broken Authentication
Manual HTTP Sessions
Manual Spider
Manual Forced Browse
Manual Token Generator*
Automatic Access Control Testing*
A3 Sensitive Data Exposure
Automated Active Scan Rules (Release, Beta*, and Alpha*)
Automated Passive Scan Rules (Release, Beta*, and Alpha*)
A4 XML External Entities (XXE)
Automatic Active Scan Rules (Release, Beta*, and Alpha*)
A5 Broken Access Control
Automated Active Scan Rules (Release, Beta*, and Alpha*)
Automated Passive Scan Rules (Release, Beta*, and Alpha*)
Automated Access Control Testing*
Manual HttpsInfo*
Manual Port Scanner*
Manual Wappalyzer - Technology detection*
A6 Security Misconfiguration
Manual Spider
Manual Ajax Spider
Manual Session comparison
Manual Access Control Testing*
Manual HttpsInfo*
A7 Cross-Site Scripting (XSS)
Automated Active Scan Rules (Release
Manual Fuzzer, combined with the FuzzDb* files
Manual Plug-n-Hack
A8 Insecure Deserialization
Automated There are two outstanding issues that are relevant to this Top 10 entry: Insecure deserialization active scanner & Java Serialization Handling
A9 Using Components with Known Vulnerabilities
Automated Passive Scan Rules (Alpha*) and Retire
Manual Wappalyzer - Technology detection*
A10 Insufficient Logging & Monitoring
Automated / Manual The Spider(s), Active Scanner, Fuzzer, and Access Control addon can all be used to generate traffic and “attacks” which are potential sources/causes for logging and alerting.

* The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the ‘Manage add-ons’ button on the ZAP main toolbar.

ZAP Toolbar - Marketplace Button