Zap vs burp

Post on 12-Feb-2017


Security test scanners: Burp vs ZAP

Tomasz Fajks

Security testing: a process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended.

Security tests in objectivity

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

https://portswigger.net/burp/

DEMO

www.dvwa.co.uk

https://github.com/WebGoat/WebGoat/wiki

DEMO

False positive: the scanner reports a vulnerability that does not exist.

False negative: a vulnerability exists, but the scanner does not report it.

Burp on DVWA

Findings are grouped by Burp's confidence (Certain, Firm, Tentative) and severity (High, Medium, Low). Each finding is weighted by the points column; Tentative findings, the ones most likely to be false positives, count against the scan. The summary row is the sum of points x count for each scan configuration.

confidence  severity  points  default  deep  no Int.  no Int.      no Int.
                                                      MinFalseNeg  MinFalsePos
Certain     High          5       16    16       18       17           17
            Medium        3        0     0        0        0            0
            Low           1        2     2        2        4            4
Firm        High          5        9    10       12       13            9
            Medium        3        1     0        0        1            1
            Low           1        0     0        0        0            0
Tentative   High         -5        2    16       13       17            4
            Medium       -3        5     8       10       11            9
            Low          -1        0     0        0        0            0
summary                          105    28       57       39           90
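The weighting behind the summary row, as an added example that is not code from the original slides. It assumes the points scheme read off the slide (Certain and Firm findings score +5/+3/+1 for High/Medium/Low, Tentative findings score -5/-3/-1), reproduces the slide's summary row from the counts above, and also tallies a Burp XML report into the same counts so the same score can be computed for a fresh scan. The XML snippet is constructed, not real scanner output, and assumes only the per-issue severity and confidence elements of Burp's XML export.

```python
"""Weighted scoring of Burp Scanner findings, reproducing the "Burp on DVWA" table.

Added example, not from the original slides. Assumptions: the points scheme
read off the slide (POINTS), and that a Burp XML report carries one <issue>
element per finding with <severity> and <confidence> children.
"""
import xml.etree.ElementTree as ET

CONFIGS = ["default", "deep", "no Int.", "no Int. MinFalseNeg", "no Int. MinFalsePos"]

# POINTS[confidence][severity]: weight of one finding (scheme assumed from the slide)
POINTS = {
    "Certain":   {"High": 5,  "Medium": 3,  "Low": 1},
    "Firm":      {"High": 5,  "Medium": 3,  "Low": 1},
    "Tentative": {"High": -5, "Medium": -3, "Low": -1},
}

# COUNTS[confidence][severity]: findings per scan configuration, in CONFIGS order
# (the slide's own figures, copied as sample input)
COUNTS = {
    "Certain":   {"High": [16, 16, 18, 17, 17], "Medium": [0, 0, 0, 0, 0],   "Low": [2, 2, 2, 4, 4]},
    "Firm":      {"High": [9, 10, 12, 13, 9],   "Medium": [1, 0, 0, 1, 1],   "Low": [0, 0, 0, 0, 0]},
    "Tentative": {"High": [2, 16, 13, 17, 4],   "Medium": [5, 8, 10, 11, 9], "Low": [0, 0, 0, 0, 0]},
}


def weighted_score(counts, points=POINTS):
    """Score one scan; counts is {confidence: {severity: number_of_findings}}."""
    total = 0
    for confidence, by_severity in counts.items():
        for severity, n in by_severity.items():
            total += points[confidence][severity] * n
    return total


def column(counts_table, i):
    """Pull scan configuration i out of the per-configuration lists."""
    return {conf: {sev: ns[i] for sev, ns in by_sev.items()}
            for conf, by_sev in counts_table.items()}


def summary_row(counts_table=COUNTS, points=POINTS):
    """The slide's 'summary' row: one weighted score per scan configuration."""
    return [weighted_score(column(counts_table, i), points) for i in range(len(CONFIGS))]


def tally_burp_xml(xml_text):
    """Count issues in a Burp XML report by confidence and severity.

    Issues with a severity outside High/Medium/Low (e.g. Information) are
    ignored, matching the slide's table.
    """
    root = ET.fromstring(xml_text)
    tally = {conf: {sev: 0 for sev in ("High", "Medium", "Low")} for conf in POINTS}
    for issue in root.iter("issue"):
        sev = issue.findtext("severity")
        conf = issue.findtext("confidence")
        if conf in tally and sev in tally[conf]:
            tally[conf][sev] += 1
    return tally


# Constructed sample report (not real scanner output): four issues, one of
# them Information-level and therefore not scored.
SAMPLE_REPORT = """<?xml version="1.0"?>
<issues>
  <issue><name>SQL injection</name><severity>High</severity><confidence>Firm</confidence></issue>
  <issue><name>Cross-site scripting (reflected)</name><severity>High</severity><confidence>Certain</confidence></issue>
  <issue><name>Session token in URL</name><severity>Medium</severity><confidence>Tentative</confidence></issue>
  <issue><name>Email addresses disclosed</name><severity>Information</severity><confidence>Certain</confidence></issue>
</issues>"""

if __name__ == "__main__":
    for name, s in zip(CONFIGS, summary_row()):
        print(f"{name:22s} {s:4d}")
    print("sample report score:", weighted_score(tally_burp_xml(SAMPLE_REPORT)))
```

Running the block prints the five scores of the summary row (105, 28, 57, 39, 90) and a score of 7 for the constructed report (5 + 5 - 3). Swapping `SAMPLE_REPORT` for the text of a real Burp XML export gives the same weighted comparison for any scan configuration you want to add to the table.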

QUESTIONS?