ZAPping the OWASP Top 10 (2017)

This document gives an overview of the automatic and manual components provided by OWASP Zed Attack Proxy (ZAP) that are recommended for testing each of the OWASP Top Ten Project 2017 risks.

For the latest Top Ten see ZAPping the OWASP Top 10 (2021)

Note that the OWASP Top Ten Project risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’!

The component links take you to the relevant places in an online version of the ZAP User Guide from which you can learn more.


Common Components		The ‘common components’ can be used for pretty much everything, so can be used to help detect all of the Top 10
	Manual	Manipulator-in-the-middle proxy
	Manual	Manual request / resend
	Manual	Scripts
	Manual	Search
A1 Injection
	Automated	Active Scan Rules (Release, Beta, and Alpha)
	Automated	Advanced SQLInjection Scanner* (Based on SQLMap)
	Manual	Fuzzer, combined with the FuzzDb* and SVN Digger* files
A2 Broken Authentication
	Manual	HTTP Sessions
	Manual	Spider
	Manual	Forced Browse
	Manual	Token Generator*
	Automatic	Access Control Testing*
A3 Sensitive Data Exposure
	Automated	Active Scan Rules (Release, Beta, and Alpha)
	Automated	Passive Scan Rules (Release, Beta, and Alpha)
A4 XML External Entities (XXE)
	Automatic	Active Scan Rules (Release, Beta, and Alpha)
A5 Broken Access Control
	Automated	Active Scan Rules (Release, Beta, and Alpha)
	Automated	Passive Scan Rules (Release, Beta, and Alpha)
	Automated	Access Control Testing*
	Manual	HttpsInfo*
	Manual	Port Scanner*
	Manual	Wappalyzer - Technology detection*
A6 Security Misconfiguration
	Manual	Spider
	Manual	Ajax Spider
	Manual	Session comparison
	Manual	Access Control Testing*
	Manual	HttpsInfo*
A7 Cross-Site Scripting (XSS)
	Automated	Active Scan Rules (Release)
	Manual	Fuzzer, combined with the FuzzDb* files
A8 Insecure Deserialization
	Automated	There are two outstanding issues that are relevant to this Top 10 entry: Insecure deserialization active scanner & Java Serialization Handling
A9 Using Components with Known Vulnerabilities
	Automated	Passive Scan Rules (Alpha*) and the Retire.js add-on
	Manual	Wappalyzer - Technology detection*
A10 Insufficient Logging & Monitoring
	Automated / Manual	The Spider(s), Active Scanner, Fuzzer, and Access Control addon can all be used to generate traffic and “attacks” which are potential sources/causes for logging and alerting.

* The stared add-ons are not included by default in the full ZAP release but can be downloaded from the ZAP Marketplace via the ‘Manage add-ons’ button on the ZAP main toolbar.

ZAP Toolbar - Marketplace Button

ZAPping the OWASP Top 10 (2017)

Common Components

A1 Injection

A2 Broken Authentication

A3 Sensitive Data Exposure

A4 XML External Entities (XXE)

A5 Broken Access Control

A6 Security Misconfiguration

A7 Cross-Site Scripting (XSS)

A8 Insecure Deserialization

A9 Using Components with Known Vulnerabilities

A10 Insufficient Logging & Monitoring