Burp Suite User Forum


OWASP Top 10

david | Last updated: Jan 26, 2022 01:06PM UTC

Hi, quick question: I am trying to identify, when performing a scan against a site, whether the OWASP Top 10 are included in the scan against the target, or whether there are additional configurations when setting up the job. When researching I found the following write-up: https://portswigger.net/support/using-burp-to-test-for-the-owasp-top-ten. As I reviewed the post, it appears that this might be older, as the links within a particular item note: "Thank you for visiting OWASP.org. We recently migrated our community to a new web platform and regrettably the content for this page needed to be programmatically ported from its previous wiki page." I found the following KB - https://portswigger.net/kb/issues - which leads me to believe that these issues will be reported upon completion of the scan in the results? Just hoping to get clarification.

Michelle, PortSwigger Agent | Last updated: Jan 26, 2022 02:16PM UTC

Thanks for your message. The article you found on the OWASP Top Ten is one that is due to be reviewed; the methodology within the article can still be applied in recent versions of Burp and would need to be compared against the current OWASP Top 10. Issues listed in https://portswigger.net/kb/issues will be detected by a scan in Burp Suite Professional if they are enabled in the scan's auditing configuration. For some items in the current OWASP Top 10 you will find that additional manual testing is also required.

Varga | Last updated: Mar 22, 2023 08:07AM UTC

Dear Michelle, in your reply you mentioned that not all items will be tested automatically during the passive or active scan. Which parts need to be tested manually in Burp Professional? I mean, which parts are not tested by scans? Thank you for your reply!

Michelle, PortSwigger Agent | Last updated: Mar 23, 2023 11:05AM UTC

Hi, the OWASP Top 10 also covers topics such as security logging, software and data integrity failures, insecure design, etc. that would not be covered by automated scans.
