DAST Requirements
For our DAST initiatives we use OWASP ZAP (Zed Attack Proxy) as the primary tool. ZAP is a widely used open-source scanner that finds vulnerabilities in a running web application: it proxies and spiders the deployed application and then sends attack payloads to it, rather than inspecting source code. Its active scan rules cover a broad range of weaknesses (injection, cross-site scripting, information leaks, path traversal and more), which makes it a good fit for our security testing requirements.
Rules
For the rules used in scans we rely on ZAP's Default Policy, the scan policy that ships with ZAP, rather than a custom one. It enables the active scan rules listed below. In the table, Threshold is the alert threshold (how much evidence a rule requires before raising an alert) and Strength is the attack strength (how many requests a rule sends per parameter); a value of Default inherits the policy-wide setting, which is Medium for both unless it is changed. Status is the maturity ZAP assigns to the rule: Release rules are considered stable, while Beta rules are newer and their findings warrant closer manual verification. Note that a scan policy governs active scanning only; ZAP's passive scan rules run on all proxied traffic and are configured separately.
Category | Rule Name | Threshold | Strength | Status |
---|---|---|---|---|
Client Browser | Cross Site Scripting (DOM Based) | Default | Default | Release |
Information Gathering | .env Information Leak | Default | Default | Release |
Information Gathering | .htaccess Information Leak | Default | Default | Release |
Information Gathering | Directory Browsing | Default | Default | Release |
Information Gathering | ELMAH Information Leak | Default | Default | Release |
Information Gathering | Heartbleed OpenSSL Vulnerability | Default | Default | Release |
Information Gathering | Hidden File Finder | Default | Default | Release |
Information Gathering | Remote Code Execution - CVE-2012-1823 | Default | Default | Release |
Information Gathering | Source Code Disclosure - /WEB-INF folder | Default | Default | Release |
Information Gathering | Source Code Disclosure - CVE-2012-1823 | Default | Default | Release |
Information Gathering | Spring Actuator Information Leak | Default | Default | Release |
Information Gathering | Trace.axd Information Leak | Default | Default | Release |
Information Gathering | User Agent Fuzzer | Default | Default | Release |
Injection | Buffer Overflow | Default | Default | Release |
Injection | Cloud Metadata Potentially Exposed | Default | Default | Release |
Injection | CRLF Injection | Default | Default | Release |
Injection | Cross Site Scripting (Persistent) | Default | Default | Release |
Injection | Cross Site Scripting (Persistent) - Prime | Default | Default | Release |
Injection | Cross Site Scripting (Persistent) - Spider | Default | Default | Release |
Injection | Cross Site Scripting (Reflected) | Default | Default | Release |
Injection | Format String Error | Default | Default | Release |
Injection | Parameter Tampering | Default | Default | Release |
Injection | Remote OS Command Injection | Default | Default | Release |
Injection | Server Side Code Injection | Default | Default | Release |
Injection | Server Side Include | Default | Default | Release |
Injection | Server Side Template Injection | Default | Default | Release |
Injection | Server Side Template Injection (Blind) | Default | Default | Release |
Injection | Spring4Shell | Default | Default | Release |
Injection | SQL Injection | Default | Default | Release |
Injection | SQL Injection - Hypersonic SQL | Default | Default | Release |
Injection | SQL Injection - MsSQL | Default | Default | Release |
Injection | SQL Injection - MySQL | Default | Default | Release |
Injection | SQL Injection - Oracle | Default | Default | Release |
Injection | SQL Injection - PostgreSQL | Default | Default | Release |
Injection | SQL Injection - SQLite | Default | Default | Release |
Injection | XML External Entity Attack | Default | Default | Release |
Injection | XPath Injection | Default | Default | Release |
Injection | XSLT Injection | Default | Default | Release |
Miscellaneous | External Redirect | Default | Default | Release |
Miscellaneous | Generic Padding Oracle | Default | Default | Release |
Miscellaneous | GET for POST | Default | Default | Release |
Miscellaneous | Log4Shell | Default | Default | Release |
Miscellaneous | Script Active Scan Rules | Default | Default | Release |
Miscellaneous | SOAP Action Spoofing | Default | Default | Beta |
Miscellaneous | SOAP XML Injection | Default | Default | Beta |
Server Security | Path Traversal | Default | Default | Release |
Server Security | Remote File Inclusion | Default | Default | Release |
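The same policy can be pinned in a ZAP Automation Framework plan so that every pipeline run scans with the documented settings instead of whatever the scanner's interactive defaults happen to be. The plan below is an added example, not configuration taken from this page or from the ZAP project: the hostname `app.example.test` is a placeholder, the durations are arbitrary, and the two per-rule overrides (40012 Cross Site Scripting (Reflected), 40018 SQL Injection) use ZAP's published rule IDs, which should be checked against the installed ZAP version before use.

```yaml
# Example ZAP Automation Framework plan (added example; not from the page or the ZAP project).
# Mirrors the table above: policy-wide Threshold/Strength of Medium, i.e. what "Default" resolves to,
# with two rules tightened as an illustration of how an override is expressed.
env:
  contexts:
    - name: "app"
      # Placeholder target; replace with the deployed test environment.
      urls:
        - "https://app.example.test"
      includePaths:
        - "https://app.example.test/.*"
      excludePaths:
        # Keep the scanner away from endpoints that would terminate the session.
        - "https://app.example.test/logout.*"
  parameters:
    failOnError: true        # abort the plan if a job cannot run
    failOnWarning: false
    progressToStdout: true

jobs:
  # Discover URLs first; the active scanner only attacks what is in the site tree.
  - type: spider
    parameters:
      context: "app"
      maxDuration: 5         # minutes; arbitrary value for the example

  - type: activeScan
    parameters:
      context: "app"
      maxRuleDurationInMins: 0    # 0 = no per-rule limit
      maxScanDurationInMins: 60   # arbitrary value for the example
    policyDefinition:
      # These two values are what the table's "Default" entries inherit.
      defaultStrength: "Medium"
      defaultThreshold: "Medium"
      rules:
        # Explicit overrides: more requests and a lower evidence bar for two high-value rules.
        # Rule IDs are ZAP's own; verify them against the installed version.
        - id: 40012
          name: "Cross Site Scripting (Reflected)"
          strength: "High"
          threshold: "Low"
        - id: 40018
          name: "SQL Injection"
          strength: "High"
          threshold: "Low"

  # Write a machine-readable report that the pipeline can gate on.
  - type: report
    parameters:
      template: "traditional-json"
      reportDir: "/zap/wrk"
      reportFile: "zap-report"
      reportTitle: "DAST scan (Default Policy)"
```

Saved as `zap-default-policy.yaml` in the working directory, the plan runs headless with `docker run --rm -v "$PWD:/zap/wrk/:rw" ghcr.io/zaproxy/zaproxy:stable zap.sh -cmd -autorun /zap/wrk/zap-default-policy.yaml`. Any rule not listed under `rules` keeps the `defaultStrength` and `defaultThreshold` values, which is exactly the behaviour of the Default entries in the table; raising a rule's strength lengthens the scan noticeably, so overrides are best reserved for the rules whose findings matter most for the application under test.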