Tags: selenium, owasp, zap, security-testing

Automated testing for OWASP A1-A10


I am wondering which of the OWASP Top 10 (A1-A10) can be automated. Is it possible to automate their testing using Selenium? If not, which tool can be used to automate them? Also, are there any documents, guidelines, or examples that can be followed or referred to?

Thanks in advance.


Solution

I'd say:

1. Injection: automation is pretty effective
2. Auth / Session mgmt: tools help but manual testing is really needed
3. XSS: automation is pretty effective
4. IDOR: tools help but manual testing is really needed
5. Sec misconfig: ditto
6. Data exposure: can be automated to a fair degree, but manual verification is important
7. Missing AC: elements can be automated, but def needs significant manual involvement
8. CSRF: automation is pretty effective
9. Comps with vulns: automation can be effective, but you'll prob need static + dynamic scanning
10. Fwds and redir: automation is pretty effective

Finding security vulnerabilities is hard; automation should be seen as a way to cut down the time and effort spent doing manual testing rather than replacing it. One of the advantages of automated testing is that you can do it at any time (e.g. as part of CI/CD) rather than waiting until near the end and getting the pentesters in.

In all cases, manual verification of any potential vulnerabilities found using automation is important.

Have a look at https://www.owasp.org/index.php/ZAPpingTheTop10, which is focused on ZAP. Automation is definitely a focus for ZAP (and one of the key ways we use it in Mozilla), and not surprisingly it's something I'd recommend using (I'm the ZAP project lead ;)
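As an added illustration of the two categories the answer rates as "pretty effective" for automation (A3 XSS and A10 redirects), here is a small CI-style check written in the spirit of an active scanner. It is example code added here, not the answerer's code and not part of ZAP or Selenium; the target is a constructed toy WSGI app with one vulnerable and one hardened variant, and the route names, parameters and canary values are assumptions. The scan only produces candidate findings, which, as the answer stresses, still need manual verification.

```python
from io import BytesIO
from html import escape
from urllib.parse import parse_qs, urlencode


def _qs_param(environ, name, default=""):
    """Return the first value of a query-string parameter, or default."""
    return parse_qs(environ.get("QUERY_STRING", "")).get(name, [default])[0]


def app_vulnerable(environ, start_response):
    """Constructed toy target: one reflected-XSS sink and one unvalidated redirect."""
    path = environ["PATH_INFO"]
    if path == "/search":
        q = _qs_param(environ, "q")
        start_response("200 OK", [("Content-Type", "text/html")])
        return [f"<p>Results for {q}</p>".encode()]      # A3: input reflected unencoded
    if path == "/login":
        nxt = _qs_param(environ, "next", "/")
        start_response("302 Found", [("Location", nxt)])  # A10: redirect target used verbatim
        return [b""]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def app_fixed(environ, start_response):
    """Same routes with both defects mitigated."""
    path = environ["PATH_INFO"]
    if path == "/search":
        q = _qs_param(environ, "q")
        start_response("200 OK", [("Content-Type", "text/html")])
        return [f"<p>Results for {escape(q)}</p>".encode()]   # HTML-encode before reflecting
    if path == "/login":
        nxt = _qs_param(environ, "next", "/")
        # Only same-origin relative paths are accepted as redirect targets.
        if not nxt.startswith("/") or nxt.startswith("//") or nxt.startswith("/\\"):
            nxt = "/"
        start_response("302 Found", [("Location", nxt)])
        return [b""]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def request(app, path, params):
    """Drive a WSGI app in-process (no network) and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "QUERY_STRING": urlencode(params),
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.input": BytesIO(b""),
        "wsgi.url_scheme": "http",
    }
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], body


# Constructed canaries: the XSS marker only needs intact angle brackets to show
# the reflection is unencoded; the .invalid TLD can never resolve.
XSS_CANARY = "zq7<x>zq7"
REDIRECT_CANARY = "https://external.invalid/"


def check_reflected_xss(app, path, param):
    """Candidate finding if the canary comes back with its angle brackets intact."""
    _, _, body = request(app, path, {param: XSS_CANARY})
    return XSS_CANARY in body


def check_open_redirect(app, path, param):
    """Candidate finding if an off-site URL is echoed into a 3xx Location header."""
    status, headers, _ = request(app, path, {param: REDIRECT_CANARY})
    return status.startswith("3") and headers.get("Location", "").startswith(REDIRECT_CANARY)


def scan(app):
    """Run the automated checks; returns candidate findings for manual verification."""
    findings = []
    if check_reflected_xss(app, "/search", "q"):
        findings.append("A3 reflected XSS candidate: GET /search?q=")
    if check_open_redirect(app, "/login", "next"):
        findings.append("A10 unvalidated redirect candidate: GET /login?next=")
    return findings


if __name__ == "__main__":
    print("vulnerable:", scan(app_vulnerable))
    print("fixed:     ", scan(app_fixed))
```

Because the target is driven in-process, the same checks can run on every commit without a browser; pointing them at a real deployment, or replacing the hand-written probes with a ZAP scan, is the CI/CD use the answer describes.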