DAST Requirements

For our DAST initiatives, we have chosen OWASP ZAP (Zed Attack Proxy) as our primary tool. ZAP stands out among open-source security tools for its effectiveness at discovering vulnerabilities in running web applications, which is exactly what dynamic testing requires. It detects a wide range of security weaknesses, which makes it a good fit for our security testing requirements.

Rules

For the rules used in our scans, we use the default scan policy created by experts at OWASP. This policy is a comprehensive set of rules and configurations that has been carefully developed to cover a broad range of current security vulnerabilities. The active scan rules it enables, with their threshold, strength and release status, are listed below.

| Category | Rule Name | Threshold | Strength | Status |
|---|---|---|---|---|
| Client Browser | Cross Site Scripting (DOM Based) | Default | Default | Release |
| Information Gathering | .env Information Leak | Default | Default | Release |
| Information Gathering | .htaccess Information Leak | Default | Default | Release |
| Information Gathering | Directory Browsing | Default | Default | Release |
| Information Gathering | ELMAH Information Leak | Default | Default | Release |
| Information Gathering | Heartbleed OpenSSL Vulnerability | Default | Default | Release |
| Information Gathering | Hidden File Finder | Default | Default | Release |
| Information Gathering | Remote Code Execution - CVE-2012-1823 | Default | Default | Release |
| Information Gathering | Source Code Disclosure - /WEB-INF folder | Default | Default | Release |
| Information Gathering | Source Code Disclosure - CVE-2012-1823 | Default | Default | Release |
| Information Gathering | Spring Actuator Information Leak | Default | Default | Release |
| Information Gathering | Trace.axd Information Leak | Default | Default | Release |
| Information Gathering | User Agent Fuzzer | Default | Default | Release |
| Injection | Buffer Overflow | Default | Default | Release |
| Injection | Cloud Metadata Potentially Exposed | Default | Default | Release |
| Injection | CRLF Injection | Default | Default | Release |
| Injection | Cross Site Scripting (Persistent) | Default | Default | Release |
| Injection | Cross Site Scripting (Persistent) - Prime | Default | Default | Release |
| Injection | Cross Site Scripting (Persistent) - Spider | Default | Default | Release |
| Injection | Cross Site Scripting (Reflected) | Default | Default | Release |
| Injection | Format String Error | Default | Default | Release |
| Injection | Parameter Tampering | Default | Default | Release |
| Injection | Remote OS Command Injection | Default | Default | Release |
| Injection | Server Side Code Injection | Default | Default | Release |
| Injection | Server Side Include | Default | Default | Release |
| Injection | Server Side Template Injection | Default | Default | Release |
| Injection | Server Side Template Injection (Blind) | Default | Default | Release |
| Injection | Spring4Shell | Default | Default | Release |
| Injection | SQL Injection | Default | Default | Release |
| Injection | SQL Injection - Hypersonic SQL | Default | Default | Release |
| Injection | SQL Injection - MsSQL | Default | Default | Release |
| Injection | SQL Injection - MySQL | Default | Default | Release |
| Injection | SQL Injection - Oracle | Default | Default | Release |
| Injection | SQL Injection - PostgreSQL | Default | Default | Release |
| Injection | SQL Injection - SQLite | Default | Default | Release |
| Injection | XML External Entity Attack | Default | Default | Release |
| Injection | XPath Injection | Default | Default | Release |
| Injection | XSLT Injection | Default | Default | Release |
| Miscellaneous | External Redirect | Default | Default | Release |
| Miscellaneous | Generic Padding Oracle | Default | Default | Release |
| Miscellaneous | GET for POST | Default | Default | Release |
| Miscellaneous | Log4Shell | Default | Default | Release |
| Miscellaneous | Script Active Scan Rules | Default | Default | Release |
| Miscellaneous | SOAP Action Spoofing | Default | Default | Beta |
| Miscellaneous | SOAP XML Injection | Default | Default | Beta |
| Server Security | Path Traversal | Default | Default | Release |
| Server Security | Remote File Inclusion | Default | Default | Release |