-
-
Notifications
You must be signed in to change notification settings - Fork 2.2k
TestingWavsep
ZAP is designed to be as effective as possible when used against real applications.
But it also makes sense for us to test it against well known test suites and vulnerable applications.
wavsep is the most comprehensive open source evaluation project we are aware of, and so we test ZAP against wavsep, and will keep this page updated with the latest results.
To run these tests yourself:
- Download and install wavsep
- Start ZAP
- Open the 2 main top pages in your browser while proxying through ZAP, eg * http://localhost:8080/wavsep/index-active.jsp * http://localhost:8080/wavsep/index-passive.jsp
- Spider from the top node, eg http://localhost:8080/wavsep/
- Set the active scan options you want to test with
- Active scan the subtree http://localhost:8080/wavsep/
For these tests ZAP was run against wavsep 1.2 with just the release quality rules and the default options except for using 20 threads per host. The attack strength was also set as per the Strength column (the default is Medium).
The html reports were created using the wavsep.py script which retrieves the alerts via the ZAP REST API, works out which tests passed and failed and then generates the html page.
| Strength | # Reqs 2.0.0 | 2.0.0 | # Reqs 2.2.* |
2.2.* |
|---|---|---|---|---|
| Low | 40,490 | 31% | 134,296 | 32% |
| Medium | 58,013 | 58% | 221,991 | 61% |
| High | 79,852 | 76% | 279,928 | 76% |
| Insane | 185,042 | 86% | 875,397 | 87% |
Click %'s for full reports.
Note that at 2.2.* header fields are also scanned by default (this can be disabled) - hence the significant increase in the number of requests.
| Category | 1.4.1 | 2.1.0 | 2.2.0 | Trunk | Notes |
|---|---|---|---|---|---|
| Audit Features Comparison (33) | 9 | 13 | 13 | 13 | 2.0.0 adds support for RFI, LDAPi, CSRF. Alpha Ascan rules add support for PXSS |
| Input Vector Support (19) | 2 | 3 | 6 | 6 | 2.0.0 adds support for: WebSock, 2.2.0 adds support for Header, XML, JSON |
| Coverage Features Comparison (15) | 3 | 4 | 4 | 4 | 2.0.0 adds support for: Ajax Crawler |
| Authentication Features Comparison (17) | 14 | 15 | 15 | 15 | 2.0.0 adds support for: Logout Detection |
See the Testing page for more information about tests run.