Zap vs burp
Uploaded by tomasz-fajks
Transcript of Zap vs burp
Security test scanners: Burp vs ZAP
Tomasz Fajks
Security testing: a process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended.
Security tests in objectivity
The OWASP Top 10 vulnerabilities:
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
https://portswigger.net/burp/
DEMO
www.dvwa.co.uk
https://github.com/WebGoat/WebGoat/wiki
DEMO
False positive – the scanner reports a vulnerability that does not exist
False negative – a vulnerability exists, but the scanner does not report it
Burp on DVWA

Finding counts per Burp scan configuration, by confidence and severity. Each cell has a point value; the summary row is the sum over all rows of count × points (Tentative findings count against a configuration).

Confidence  Severity  Points   default   deep   no Int.   no Int. MinFalseNeg   no Int. MinFalsePos
Certain     High         5        16      16       18              17                   17
Certain     Medium       3         0       0        0               0                    0
Certain     Low          1         2       2        2               4                    4
Firm        High         5         9      10       12              13                    9
Firm        Medium       3         1       0        0               1                    1
Firm        Low          1         0       0        0               0                    0
Tentative   High        -5         2      16       13              17                    4
Tentative   Medium      -3         5       8       10              11                    9
Tentative   Low         -1         0       0        0               0                    0
Summary                         105      28       57              39                   90
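As an added worked example (not from the deck), the following Python encodes the table's points scheme, recomputes the summary row from the finding counts, and adds a "Tentative share" figure: the fraction of each report that an analyst still has to verify by hand. The configuration labels are the table's column headings; the counts are transcribed from the table.

```python
"""Weighted scoring of Burp scan configurations as in the 'Burp on DVWA' table:
findings Burp rates Certain or Firm earn points, findings it rates only
Tentative (the likely false positives) cost points."""

# Points per (confidence, severity) cell, from the table's 'Points' column.
POINTS = {
    ("Certain", "High"): 5, ("Certain", "Medium"): 3, ("Certain", "Low"): 1,
    ("Firm", "High"): 5, ("Firm", "Medium"): 3, ("Firm", "Low"): 1,
    ("Tentative", "High"): -5, ("Tentative", "Medium"): -3, ("Tentative", "Low"): -1,
}

# Finding counts per configuration, transcribed from the table
# (rows that are zero for every configuration are omitted).
CONFIGS = ["default", "deep", "no Int.", "no Int. MinFalseNeg", "no Int. MinFalsePos"]
COUNTS = {
    ("Certain", "High"):     [16, 16, 18, 17, 17],
    ("Certain", "Low"):      [2, 2, 2, 4, 4],
    ("Firm", "High"):        [9, 10, 12, 13, 9],
    ("Firm", "Medium"):      [1, 0, 0, 1, 1],
    ("Tentative", "High"):   [2, 16, 13, 17, 4],
    ("Tentative", "Medium"): [5, 8, 10, 11, 9],
}

def findings_for(config):
    """Return {(confidence, severity): count} for one configuration."""
    i = CONFIGS.index(config)
    return {cell: col[i] for cell, col in COUNTS.items() if col[i]}

def score(findings, points=POINTS):
    """Weighted sum of counts; reproduces the table's 'Summary' row."""
    return sum(points[cell] * n for cell, n in findings.items())

def tentative_share(findings):
    """Fraction of all reported findings that are only Tentative, i.e. the
    part of the report that needs manual verification before it is trusted."""
    total = sum(findings.values())
    tentative = sum(n for (conf, _sev), n in findings.items() if conf == "Tentative")
    return tentative / total if total else 0.0

def ranking():
    """Configurations ordered from highest to lowest weighted score."""
    return sorted(CONFIGS, key=lambda c: score(findings_for(c)), reverse=True)

if __name__ == "__main__":
    for c in CONFIGS:
        f = findings_for(c)
        print(f"{c:22s} score={score(f):4d}  tentative share={tentative_share(f):.0%}")
```

Note that MinFalseNeg does surface the most High findings, but nearly half of them are Tentative, which is why it scores below the default configuration under this scheme.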
QUESTIONS?