2025-11-29 17:51:02 +08:00

OWASP ZAP Alert Mapping to OWASP Top 10 2021 and CWE

This reference maps common OWASP ZAP alerts to OWASP Top 10 2021 categories and CWE (Common Weakness Enumeration) identifiers for compliance and reporting.

OWASP Top 10 2021 Coverage

A01:2021 - Broken Access Control

ZAP Alerts:

  • Path Traversal (CWE-22)
  • Directory Browsing (CWE-548)
  • Cross-Domain Misconfiguration (CWE-346)
  • Bypassing Access Controls (CWE-284)

Risk Level: High to Medium

Remediation:

  • Enforce access control checks on the server side, never only in the client
  • Use allowlists for file access patterns
  • Disable directory listing
  • Enforce CORS policies strictly

A02:2021 - Cryptographic Failures

ZAP Alerts:

  • Weak SSL/TLS Ciphers (CWE-327)
  • Cookie Without Secure Flag (CWE-614)
  • Password Autocomplete (CWE-522)
  • Sensitive Information in URL (CWE-598)

Risk Level: High to Medium

Remediation:

  • Use TLS 1.2+ with strong cipher suites
  • Set Secure and HttpOnly flags on all cookies
  • Disable autocomplete for sensitive fields
  • Never transmit sensitive data in URLs

A03:2021 - Injection

ZAP Alerts:

  • SQL Injection (CWE-89)
  • Cross-Site Scripting (XSS) (CWE-79)
  • Command Injection (CWE-78)
  • LDAP Injection (CWE-90)
  • XML Injection (CWE-91)
  • XPath Injection (CWE-643)

Risk Level: High

Remediation:

  • Use parameterized queries (prepared statements)
  • Implement context-aware output encoding
  • Validate and sanitize all user input
  • Use allowlists for input validation
  • Implement Content Security Policy (CSP)

A04:2021 - Insecure Design

ZAP Alerts:

  • Application Error Disclosure (CWE-209)
  • Insufficient Anti-automation (CWE-799)
  • Missing Rate Limiting

Risk Level: Medium to Low

Remediation:

  • Implement proper error handling (generic error messages)
  • Add CAPTCHA or rate limiting for sensitive operations
  • Design security controls during architecture phase
  • Implement anti-automation measures

A05:2021 - Security Misconfiguration

ZAP Alerts:

  • Missing Security Headers (CWE-693)
    • X-Content-Type-Options
    • X-Frame-Options (CWE-1021)
    • Content-Security-Policy
    • Strict-Transport-Security (HSTS)
  • Server Leaks Information (CWE-200)
  • Default Credentials
  • Unnecessary HTTP Methods Enabled (CWE-650)

Risk Level: Medium to Low

Remediation:

  • Configure all security headers properly
  • Remove server version headers
  • Disable unnecessary HTTP methods (PUT, DELETE, TRACE)
  • Change default credentials
  • Apply the principle of least privilege to accounts, services and file permissions
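The A05 header findings above lend themselves to an automated check. The following is an added example, not code from the page or from ZAP: it maps a response's header set to the alert IDs this page's quick reference assigns (10021, 10020, 10038, 10035, and 10055 for a wildcard CSP directive) and flags a version-bearing Server header as Server Leaks Information. The set of CSP fetch directives and the digit-based version heuristic are assumptions.

```python
# Security headers listed under A05, with the ZAP alert ID the quick reference gives each one
REQUIRED_HEADERS = {
    "x-content-type-options": "10021",
    "x-frame-options": "10020",
    "content-security-policy": "10038",
    "strict-transport-security": "10035",
}
# CSP fetch directives where a bare '*' source is treated as a wildcard directive (10055); assumed set
FETCH_DIRECTIVES = {"default-src", "script-src", "style-src", "img-src",
                    "connect-src", "frame-src", "object-src"}

def csp_wildcard_directives(csp):
    """Return the fetch directives in a CSP value whose source list contains a bare '*'."""
    flagged = []
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if len(parts) >= 2 and parts[0].lower() in FETCH_DIRECTIVES and "*" in parts[1:]:
            flagged.append(parts[0].lower())
    return flagged

def check_headers(headers):
    """Map one response's headers to the A05 findings it would produce.
    Returns a list of (alert_id_or_cwe, description); an empty list means no A05 finding."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, alert_id in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append((alert_id, f"{name} header missing"))
    for d in csp_wildcard_directives(present.get("content-security-policy", "")):
        findings.append(("10055", f"CSP {d} allows any origin (*)"))
    server = present.get("server", "")
    if any(ch.isdigit() for ch in server):  # assumed heuristic: digits mean a version string
        findings.append(("CWE-200", f"server header reveals version: {server}"))
    return findings

# Constructed sample responses: a weak configuration beside its corrected form
WEAK_HEADERS = {
    "Server": "Apache/2.4.41",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src * 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Server": "Apache",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
```

Running `check_headers(WEAK_HEADERS)` yields the missing-header, wildcard-CSP and version-leak findings, while `check_headers(HARDENED_HEADERS)` returns an empty list.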

A06:2021 - Vulnerable and Outdated Components

ZAP Alerts:

  • Outdated Software Version Detected
  • Known Vulnerable Components (requires integration with CVE databases)

Risk Level: High to Medium

Remediation:

  • Maintain software inventory
  • Regularly update dependencies and libraries
  • Subscribe to security advisories
  • Use dependency scanning tools (OWASP Dependency-Check, Snyk)

A07:2021 - Identification and Authentication Failures

ZAP Alerts:

  • Weak Authentication (CWE-287)
  • Session Fixation (CWE-384)
  • Session ID in URL Rewrite (CWE-598)
  • Cookie No HttpOnly Flag (CWE-1004)
  • Credential Enumeration (CWE-209)

Risk Level: High

Remediation:

  • Implement multi-factor authentication (MFA)
  • Use secure session management
  • Regenerate session IDs after login
  • Set HttpOnly and Secure flags on session cookies
  • Implement account lockout mechanisms
  • Use generic error messages for authentication failures

A08:2021 - Software and Data Integrity Failures

ZAP Alerts:

  • Missing Subresource Integrity (SRI) (CWE-353)
  • Insecure Deserialization (CWE-502)

Risk Level: High to Medium

Remediation:

  • Implement Subresource Integrity for CDN resources
  • Avoid deserializing untrusted data
  • Use digital signatures for critical data
  • Implement integrity checks

A09:2021 - Security Logging and Monitoring Failures

ZAP Alerts:

  • Authentication attempts not logged
  • No monitoring of security events

Risk Level: Low (detection issue, not vulnerability)

Remediation:

  • Log all authentication attempts
  • Monitor for security anomalies
  • Implement centralized logging
  • Set up alerts for suspicious activities

A10:2021 - Server-Side Request Forgery (SSRF)

ZAP Alerts:

  • Server-Side Request Forgery (CWE-918)
  • External Redirect (CWE-601)

Risk Level: High

Remediation:

  • Validate and sanitize all user-supplied URLs before the server fetches them
  • Use an allowlist of permitted destination domains
  • Disable unnecessary URL schemes (file://, gopher://)
  • Implement network segmentation

ZAP Alert ID to OWASP/CWE Quick Reference

| Alert ID | Alert Name | OWASP 2021 | CWE | Risk |
|---|---|---|---|---|
| 40018 | SQL Injection | A03 | CWE-89 | High |
| 40012 | Cross-Site Scripting (Reflected) | A03 | CWE-79 | High |
| 40014 | Cross-Site Scripting (Persistent) | A03 | CWE-79 | High |
| 40013 | Cross-Site Scripting (DOM) | A03 | CWE-79 | High |
| 6 | Path Traversal | A01 | CWE-22 | High |
| 7 | Remote File Inclusion | A01 | CWE-98 | High |
| 90019 | Server-Side Code Injection | A03 | CWE-94 | High |
| 90020 | Remote OS Command Injection | A03 | CWE-78 | High |
| 90033 | Loosely Scoped Cookie | A07 | CWE-565 | Medium |
| 10021 | X-Content-Type-Options Missing | A05 | CWE-693 | Low |
| 10020 | X-Frame-Options Missing | A05 | CWE-1021 | Medium |
| 10038 | Content Security Policy Missing | A05 | CWE-693 | Medium |
| 10035 | Strict-Transport-Security Missing | A05 | CWE-319 | Low |
| 10054 | Cookie Without Secure Flag | A02 | CWE-614 | Medium |
| 10010 | Cookie No HttpOnly Flag | A07 | CWE-1004 | Medium |
| 10098 | Cross-Domain Misconfiguration | A01 | CWE-346 | Medium |
| 10055 | CSP Scanner: Wildcard Directive | A05 | CWE-693 | Medium |
| 10096 | Timestamp Disclosure | A05 | CWE-200 | Low |
| 10049 | Weak Authentication Method | A07 | CWE-287 | Medium |
| 40029 | Server-Side Request Forgery | A10 | CWE-918 | High |

Risk Level Priority Matrix

High Risk (Immediate Action Required)

  • SQL Injection
  • Remote Code Execution
  • Authentication Bypass
  • SSRF
  • XXE (XML External Entity)

Medium Risk (Fix in Current Sprint)

  • XSS (Cross-Site Scripting)
  • CSRF (Cross-Site Request Forgery)
  • Missing Security Headers (CSP, X-Frame-Options)
  • Insecure Cookie Configuration
  • Path Traversal (with limited impact)

Low Risk (Fix in Backlog)

  • Information Disclosure (version headers)
  • Missing Informational Headers
  • Timestamp Disclosure
  • Autocomplete on Form Fields

Informational (Documentation/Awareness)

  • Server Technology Disclosure
  • Application Error Messages
  • Charset Mismatch

Compliance Mapping

PCI-DSS 3.2.1

  • Requirement 6.5.1 (Injection): SQL Injection, Command Injection, XSS
  • Requirement 6.5.3 (Insecure Cryptography): Weak SSL/TLS, Insecure Cookies
  • Requirement 6.5.7 (XSS): All XSS variants
  • Requirement 6.5.8 (Access Control): Path Traversal, Broken Access Control
  • Requirement 6.5.10 (Authentication): Weak Authentication, Session Management

NIST 800-53

  • AC-3 (Access Enforcement): Path Traversal, Authorization Issues
  • IA-5 (Authenticator Management): Weak Authentication
  • SC-8 (Transmission Confidentiality): Missing HTTPS, Weak TLS
  • SI-10 (Information Input Validation): All Injection Flaws

GDPR

  • Article 32 (Security of Processing): All High/Medium findings affecting data security
  • Article 25 (Data Protection by Design): Security Misconfigurations

Usage in Reports

When generating compliance reports, reference this mapping to:

  1. Categorize findings by OWASP Top 10 category
  2. Assign CWE IDs for standardized vulnerability classification
  3. Map to compliance requirements for audit trails
  4. Prioritize remediation based on risk level and compliance impact
  5. Track metrics by OWASP category over time
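Steps 1, 2, 4 and 5 can be scripted directly from a ZAP JSON report. This is an added example, not code from the page or from ZAP: it carries a subset of the quick reference above, classifies each alert by OWASP category, CWE and priority bucket from the Risk Level Priority Matrix, and keeps unmapped alerts visible instead of dropping them. The report layout (site[].alerts[] with pluginid, alert and riskcode) and the riskcode-to-label table are assumptions; the sample report is constructed.

```python
import json
from collections import Counter

# Subset of this page's quick reference: ZAP alert ID -> (OWASP 2021, CWE, risk)
ALERT_MAP = {
    "40018": ("A03", "CWE-89", "High"),
    "40012": ("A03", "CWE-79", "High"),
    "40014": ("A03", "CWE-79", "High"),
    "6": ("A01", "CWE-22", "High"),
    "90020": ("A03", "CWE-78", "High"),
    "10021": ("A05", "CWE-693", "Low"),
    "10020": ("A05", "CWE-1021", "Medium"),
    "10038": ("A05", "CWE-693", "Medium"),
    "10054": ("A02", "CWE-614", "Medium"),
    "10010": ("A07", "CWE-1004", "Medium"),
    "40029": ("A10", "CWE-918", "High"),
}
# Priority buckets from the Risk Level Priority Matrix; the ZAP riskcode -> label table is assumed
PRIORITY = {"High": "Immediate", "Medium": "Current Sprint",
            "Low": "Backlog", "Informational": "Awareness"}
RISKCODE = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Constructed sample in the assumed shape of a ZAP JSON report
SAMPLE_REPORT = json.dumps({"site": [{"@name": "https://app.example", "alerts": [
    {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3"},
    {"pluginid": "10020", "alert": "X-Frame-Options Header Missing", "riskcode": "2"},
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1"},
    {"pluginid": "10054", "alert": "Cookie Without Secure Flag", "riskcode": "2"},
    {"pluginid": "99999", "alert": "Unmapped Alert", "riskcode": "0"},
]}]})

def classify(report_json):
    """One record per alert with OWASP category, CWE, risk and priority bucket. Alerts not in
    the mapping keep ZAP's own risk code and are marked UNMAPPED so they get reviewed."""
    findings = []
    for site in json.loads(report_json).get("site", []):
        for a in site.get("alerts", []):
            pid = str(a["pluginid"])
            fallback = ("UNMAPPED", "n/a", RISKCODE.get(str(a.get("riskcode")), "Informational"))
            owasp, cwe, risk = ALERT_MAP.get(pid, fallback)
            findings.append({"id": pid, "name": a["alert"], "owasp": owasp, "cwe": cwe,
                             "risk": risk, "priority": PRIORITY[risk]})
    return findings

def summarize(findings):
    """Counts per OWASP category and per priority bucket, for tracking metrics over time."""
    return (dict(Counter(f["owasp"] for f in findings)),
            dict(Counter(f["priority"] for f in findings)))
```

Feeding a real report means loading the ZAP JSON output into `classify` in place of `SAMPLE_REPORT` and extending `ALERT_MAP` with the remaining rows of the quick reference.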

Additional Resources