Initial commit
This commit is contained in:
Zhongwei Li
255
skills/appsec/dast-zap/references/owasp_mapping.md
Normal file
255
skills/appsec/dast-zap/references/owasp_mapping.md
Normal file
@@ -0,0 +1,255 @@
|
||||
# OWASP ZAP Alert Mapping to OWASP Top 10 2021 and CWE
|
||||
|
||||
This reference maps common OWASP ZAP alerts to OWASP Top 10 2021 categories and CWE (Common Weakness Enumeration) identifiers for compliance and reporting.
|
||||
|
||||
## OWASP Top 10 2021 Coverage
|
||||
|
||||
### A01:2021 - Broken Access Control
|
||||
|
||||
**ZAP Alerts:**
|
||||
- Path Traversal (CWE-22)
|
||||
- Directory Browsing (CWE-548)
|
||||
- Cross-Domain Misconfiguration (CWE-346)
|
||||
- Bypassing Access Controls (CWE-284)
|
||||
|
||||
**Risk Level:** High to Medium
|
||||
|
||||
**Remediation:**
|
||||
- Implement proper access control checks on server-side
|
||||
- Use allowlists for file access patterns
|
||||
- Disable directory listing
|
||||
- Enforce CORS policies strictly
|
||||
|
||||
### A02:2021 - Cryptographic Failures
|
||||
|
||||
**ZAP Alerts:**
|
||||
- Weak SSL/TLS Ciphers (CWE-327)
|
||||
- Cookie Without Secure Flag (CWE-614)
|
||||
- Password Autocomplete (CWE-522)
|
||||
- Sensitive Information in URL (CWE-598)
|
||||
|
||||
**Risk Level:** High to Medium
|
||||
|
||||
**Remediation:**
|
||||
- Use TLS 1.2+ with strong cipher suites
|
||||
- Set Secure and HttpOnly flags on all cookies
|
||||
- Disable autocomplete for sensitive fields
|
||||
- Never transmit sensitive data in URLs
|
||||
|
||||
### A03:2021 - Injection
|
||||
|
||||
**ZAP Alerts:**
|
||||
- SQL Injection (CWE-89)
|
||||
- Cross-Site Scripting (XSS) (CWE-79)
|
||||
- Command Injection (CWE-78)
|
||||
- LDAP Injection (CWE-90)
|
||||
- XML Injection (CWE-91)
|
||||
- XPath Injection (CWE-643)
|
||||
|
||||
**Risk Level:** High
|
||||
|
||||
**Remediation:**
|
||||
- Use parameterized queries (prepared statements)
|
||||
- Implement context-aware output encoding
|
||||
- Validate and sanitize all user input
|
||||
- Use allowlists for input validation
|
||||
- Implement Content Security Policy (CSP)
|
||||
|
||||
### A04:2021 - Insecure Design
|
||||
|
||||
**ZAP Alerts:**
|
||||
- Application Error Disclosure (CWE-209)
|
||||
- Insufficient Anti-automation (CWE-799)
|
||||
- Missing Rate Limiting
|
||||
|
||||
**Risk Level:** Medium to Low
|
||||
|
||||
**Remediation:**
|
||||
- Implement proper error handling (generic error messages)
|
||||
- Add CAPTCHA or rate limiting for sensitive operations
|
||||
- Design security controls during architecture phase
|
||||
- Implement anti-automation measures
|
||||
|
||||
### A05:2021 - Security Misconfiguration
|
||||
|
||||
**ZAP Alerts:**
|
||||
- Missing Security Headers (CWE-693)
|
||||
- X-Content-Type-Options
|
||||
- X-Frame-Options (CWE-1021)
|
||||
- Content-Security-Policy
|
||||
- Strict-Transport-Security (HSTS)
|
||||
- Server Leaks Information (CWE-200)
|
||||
- Default Credentials
|
||||
- Unnecessary HTTP Methods Enabled (CWE-650)
|
||||
|
||||
**Risk Level:** Medium to Low
|
||||
|
||||
**Remediation:**
|
||||
- Configure all security headers properly
|
||||
- Remove server version headers
|
||||
- Disable unnecessary HTTP methods (PUT, DELETE, TRACE)
|
||||
- Change default credentials
|
||||
- Implement minimal privilege principle
|
||||
|
||||
### A06:2021 - Vulnerable and Outdated Components
|
||||
|
||||
**ZAP Alerts:**
|
||||
- Outdated Software Version Detected
|
||||
- Known Vulnerable Components (requires integration with CVE databases)
|
||||
|
||||
**Risk Level:** High to Medium
|
||||
|
||||
**Remediation:**
|
||||
- Maintain software inventory
|
||||
- Regularly update dependencies and libraries
|
||||
- Subscribe to security advisories
|
||||
- Use dependency scanning tools (OWASP Dependency-Check, Snyk)
|
||||
|
||||
### A07:2021 - Identification and Authentication Failures
|
||||
|
||||
**ZAP Alerts:**
|
||||
- Weak Authentication (CWE-287)
|
||||
- Session Fixation (CWE-384)
|
||||
- Session ID in URL Rewrite (CWE-598)
|
||||
- Cookie No HttpOnly Flag (CWE-1004)
|
||||
- Credential Enumeration (CWE-209)
|
||||
|
||||
**Risk Level:** High
|
||||
|
||||
**Remediation:**
|
||||
- Implement multi-factor authentication (MFA)
|
||||
- Use secure session management
|
||||
- Regenerate session IDs after login
|
||||
- Set HttpOnly and Secure flags on session cookies
|
||||
- Implement account lockout mechanisms
|
||||
- Use generic error messages for authentication failures
|
||||
|
||||
### A08:2021 - Software and Data Integrity Failures
|
||||
|
||||
**ZAP Alerts:**
|
||||
- Missing Subresource Integrity (SRI) (CWE-353)
|
||||
- Insecure Deserialization (CWE-502)
|
||||
|
||||
**Risk Level:** High to Medium
|
||||
|
||||
**Remediation:**
|
||||
- Implement Subresource Integrity for CDN resources
|
||||
- Avoid deserializing untrusted data
|
||||
- Use digital signatures for critical data
|
||||
- Implement integrity checks
|
||||
|
||||
### A09:2021 - Security Logging and Monitoring Failures
|
||||
|
||||
**ZAP Alerts:**
|
||||
- Authentication attempts not logged
|
||||
- No monitoring of security events
|
||||
|
||||
**Risk Level:** Low (detection issue, not vulnerability)
|
||||
|
||||
**Remediation:**
|
||||
- Log all authentication attempts
|
||||
- Monitor for security anomalies
|
||||
- Implement centralized logging
|
||||
- Set up alerts for suspicious activities
|
||||
|
||||
### A10:2021 - Server-Side Request Forgery (SSRF)
|
||||
|
||||
**ZAP Alerts:**
|
||||
- Server-Side Request Forgery (CWE-918)
|
||||
- External Redirect (CWE-601)
|
||||
|
||||
**Risk Level:** High
|
||||
|
||||
**Remediation:**
|
||||
- Validate and sanitize all URLs
|
||||
- Use allowlists for allowed domains
|
||||
- Disable unnecessary URL schemas (file://, gopher://)
|
||||
- Implement network segmentation
|
||||
|
||||
## ZAP Alert ID to OWASP/CWE Quick Reference
|
||||
|
||||
| Alert ID | Alert Name | OWASP 2021 | CWE | Risk |
|
||||
|----------|-----------|------------|-----|------|
|
||||
| 40018 | SQL Injection | A03 | CWE-89 | High |
|
||||
| 40012 | Cross-Site Scripting (Reflected) | A03 | CWE-79 | High |
|
||||
| 40014 | Cross-Site Scripting (Persistent) | A03 | CWE-79 | High |
|
||||
| 40013 | Cross-Site Scripting (DOM) | A03 | CWE-79 | High |
|
||||
| 6 | Path Traversal | A01 | CWE-22 | High |
|
||||
| 7 | Remote File Inclusion | A01 | CWE-98 | High |
|
||||
| 90019 | Server-Side Code Injection | A03 | CWE-94 | High |
|
||||
| 90020 | Remote OS Command Injection | A03 | CWE-78 | High |
|
||||
| 90033 | Loosely Scoped Cookie | A07 | CWE-565 | Medium |
|
||||
| 10021 | X-Content-Type-Options Missing | A05 | CWE-693 | Low |
|
||||
| 10020 | X-Frame-Options Missing | A05 | CWE-1021 | Medium |
|
||||
| 10038 | Content Security Policy Missing | A05 | CWE-693 | Medium |
|
||||
| 10035 | Strict-Transport-Security Missing | A05 | CWE-319 | Low |
|
||||
| 10054 | Cookie Without Secure Flag | A02 | CWE-614 | Medium |
|
||||
| 10010 | Cookie No HttpOnly Flag | A07 | CWE-1004 | Medium |
|
||||
| 10098 | Cross-Domain Misconfiguration | A01 | CWE-346 | Medium |
|
||||
| 10055 | CSP Scanner: Wildcard Directive | A05 | CWE-693 | Medium |
|
||||
| 10096 | Timestamp Disclosure | A05 | CWE-200 | Low |
|
||||
| 10049 | Weak Authentication Method | A07 | CWE-287 | Medium |
|
||||
| 40029 | Server-Side Request Forgery | A10 | CWE-918 | High |
|
||||
|
||||
## Risk Level Priority Matrix
|
||||
|
||||
### High Risk (Immediate Action Required)
|
||||
- SQL Injection
|
||||
- Remote Code Execution
|
||||
- Authentication Bypass
|
||||
- SSRF
|
||||
- XXE (XML External Entity)
|
||||
|
||||
### Medium Risk (Fix in Current Sprint)
|
||||
- XSS (Cross-Site Scripting)
|
||||
- CSRF (Cross-Site Request Forgery)
|
||||
- Missing Security Headers (CSP, X-Frame-Options)
|
||||
- Insecure Cookie Configuration
|
||||
- Path Traversal (with limited impact)
|
||||
|
||||
### Low Risk (Fix in Backlog)
|
||||
- Information Disclosure (version headers)
|
||||
- Missing Informational Headers
|
||||
- Timestamp Disclosure
|
||||
- Autocomplete on Form Fields
|
||||
|
||||
### Informational (Documentation/Awareness)
|
||||
- Server Technology Disclosure
|
||||
- Application Error Messages
|
||||
- Charset Mismatch
|
||||
|
||||
## Compliance Mapping
|
||||
|
||||
### PCI-DSS 3.2.1
|
||||
- **Requirement 6.5.1** (Injection): SQL Injection, Command Injection, XSS
|
||||
- **Requirement 6.5.3** (Insecure Cryptography): Weak SSL/TLS, Insecure Cookies
|
||||
- **Requirement 6.5.7** (XSS): All XSS variants
|
||||
- **Requirement 6.5.8** (Access Control): Path Traversal, Broken Access Control
|
||||
- **Requirement 6.5.10** (Authentication): Weak Authentication, Session Management
|
||||
|
||||
### NIST 800-53
|
||||
- **AC-3** (Access Enforcement): Path Traversal, Authorization Issues
|
||||
- **IA-5** (Authenticator Management): Weak Authentication
|
||||
- **SC-8** (Transmission Confidentiality): Missing HTTPS, Weak TLS
|
||||
- **SI-10** (Information Input Validation): All Injection Flaws
|
||||
|
||||
### GDPR
|
||||
- **Article 32** (Security of Processing): All High/Medium findings affecting data security
|
||||
- **Article 25** (Data Protection by Design): Security Misconfigurations
|
||||
|
||||
## Usage in Reports
|
||||
|
||||
When generating compliance reports, reference this mapping to:
|
||||
|
||||
1. **Categorize findings** by OWASP Top 10 category
|
||||
2. **Assign CWE IDs** for standardized vulnerability classification
|
||||
3. **Map to compliance requirements** for audit trails
|
||||
4. **Prioritize remediation** based on risk level and compliance impact
|
||||
5. **Track metrics** by OWASP category over time
|
||||
|
||||
## Additional Resources
|
||||
|
||||
- [OWASP Top 10 2021](https://owasp.org/Top10/)
|
||||
- [CWE Top 25](https://cwe.mitre.org/top25/)
|
||||
- [ZAP Alert Details](https://www.zaproxy.org/docs/alerts/)
|
||||
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
|
||||
Reference in New Issue
Block a user