OWASP top 10 Website Scanning

Hi Team,

Please let me know if we can use OpenVAS for OWASP Top 10 vulnerability scanning of a website URL or for API security testing?

Please see the following existing thread:


I would say the post linked by @cfi is somewhat accurate, but with some caveats. A lot has changed since 2019.

First of all, some OWASP weaknesses are identified in individual applications and then CVEs are issued for those vulnerabilities. This results in some coverage by Greenbone. Many of the OWASP categories listed in that post are CWEs, such as "Broken Authentication", "Injection" and "Insecure Deserialization", and these CWEs are grounds for issuing a CVE, which we see quite often.

Secondly, secure by design is becoming more of a buzz-term in both CVE descriptions and the IT security industry. As we get closer to Cyber Resilience Act (CRA) enforcement, more and more insecure-by-design flaws will be tracked as CVEs as they are patched. Some are already cropping up on a monthly basis.

Thirdly, Greenbone does include some vulnerability tests which are not directly the result of CVEs, so coverage is not limited to ONLY CVEs.

So, while Greenbone is not the best general-purpose web-application scanner (such as OWASP ZAP), nor an API fuzzer, it does address these OWASP Top 10 vulnerabilities when they are identified in a particular application, plugin, library, etc.

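The coverage argument in the reply above (OWASP category -> CWE -> CVE -> scanner finding) can be checked on your own scan output by mapping each finding's CWE id back to an OWASP Top 10 category. The script below is an added example, not Greenbone or OpenVAS code; it assumes the findings have already been exported with the CVE id and the CWE id(s) the CVE record lists, and the CWE-to-OWASP table is a deliberately partial, illustrative one covering only the categories the thread names. The CVE ids in the sample data are constructed placeholders.

```python
"""Tally scanner findings (CVE + CWE) against OWASP Top 10 (2017) categories.

Added example, not Greenbone/OpenVAS code. Input format (a list of dicts
with "cve" and "cwe" keys) is an assumption: adapt the loader to whatever
export your scanner produces.
"""
from collections import defaultdict

# Partial, illustrative CWE -> OWASP Top 10 (2017) mapping. The real
# relationship is many-to-many and far larger; only the categories the
# thread mentions are included here.
CWE_TO_OWASP_2017 = {
    "CWE-89":  "A1:2017-Injection",              # SQL injection
    "CWE-78":  "A1:2017-Injection",              # OS command injection
    "CWE-287": "A2:2017-Broken Authentication",  # improper authentication
    "CWE-502": "A8:2017-Insecure Deserialization",
}


def owasp_categories(cwe_ids):
    """Return the set of OWASP categories a finding's CWE ids map to."""
    return {CWE_TO_OWASP_2017[c] for c in cwe_ids if c in CWE_TO_OWASP_2017}


def coverage_report(findings):
    """Group finding CVE ids by OWASP category.

    Findings whose CWE ids are absent from the table (or which carry no CWE
    at all) land under "unmapped", so the gaps in coverage stay visible
    instead of silently disappearing.
    """
    report = defaultdict(list)
    for finding in findings:
        cats = owasp_categories(finding["cwe"])
        if not cats:
            report["unmapped"].append(finding["cve"])
        for cat in cats:
            report[cat].append(finding["cve"])
    return dict(report)


# Constructed sample findings; the CVE ids are placeholders, not real records.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-PLACEHOLDER-1", "cwe": ["CWE-89"]},
    {"cve": "CVE-0000-PLACEHOLDER-2", "cwe": ["CWE-502"]},
    {"cve": "CVE-0000-PLACEHOLDER-3", "cwe": ["CWE-287"]},
    {"cve": "CVE-0000-PLACEHOLDER-4", "cwe": ["CWE-79"]},  # XSS: not in this partial table
    {"cve": "CVE-0000-PLACEHOLDER-5", "cwe": []},          # CVE record lists no CWE
]

if __name__ == "__main__":
    for cat, cves in sorted(coverage_report(SAMPLE_FINDINGS).items()):
        print(f"{cat}: {len(cves)} finding(s) -> {', '.join(cves)}")
```

The "unmapped" bucket is the useful part: it shows which findings the CVE-based route cannot tie to an OWASP category, which is exactly the coverage gap the reply describes when it contrasts Greenbone with a dedicated web-application scanner.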