
Could someone please suggest why the Risk data is blank for many alerts in the OWASP ZAP alert details available at the following ZAP official site:


For example -

Id      Alert                                                               Risk

10011   Cookie Without Secure Flag                                          Low
10009   In Page Banner Information Leak
10015   Incomplete or No Cache-control and Pragma HTTP Header Set
10017   Cross-Domain JavaScript Source File Inclusion
10019   Content-Type Header Missing
10020   X-Frame-Options Header
10020-1 X-Frame-Options Header Not Set                                      Medium

How, in such cases, should risk or severity be defined? Should it be based on whether the risk is applicable to a specific web application?

Also, for some alerts in the ZAP reports, Risk is populated as, for example, Low(Medium). Should it be considered Low or Medium?


1 Answer


That documentation is still a work in progress. Some scan rules raise multiple alerts (at different risks). The active and passive scan rules have different default methods/values. The team is working to address both situations in the scan rules and by association the alert description docs.

The Low(Medium) is Risk(Confidence). (Not risk and risk.)
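To make the Risk(Confidence) distinction concrete, the following is an added example, not code from the post above or from the ZAP project. It assumes the field names of ZAP's traditional JSON report (`riskcode`, `confidence`, `riskdesc`, `alertRef`) and the level names ZAP prints in `riskdesc`; the sample report is constructed and should be checked against the output of the ZAP version you actually run. It splits `"Low (Medium)"` into a risk and a confidence, cross-checks the text against the numeric codes, and then filters on the two axes separately, which is the practical reason the distinction matters.

```python
import json
import re

# Ordinal scales as ZAP uses them (assumption: verify against your ZAP version).
# Risk:        0 Informational, 1 Low, 2 Medium, 3 High
# Confidence:  0 False Positive, 1 Low, 2 Medium, 3 High, 4 User Confirmed
RISK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CONFIDENCE = {"False Positive": 0, "Low": 1, "Medium": 2, "High": 3, "User Confirmed": 4}

# riskdesc looks like "Low (Medium)": risk first, confidence in parentheses.
_RISKDESC = re.compile(r"^\s*(?P<risk>[A-Za-z ]+?)\s*\((?P<conf>[A-Za-z ]+?)\)\s*$")

# Constructed sample in the shape of ZAP's JSON report; not a real scan result.
SAMPLE_REPORT = json.dumps({"site": [{"@name": "http://example.test", "alerts": [
    {"pluginid": "10011", "alertRef": "10011", "name": "Cookie Without Secure Flag",
     "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)", "count": "3"},
    {"pluginid": "10020", "alertRef": "10020-1", "name": "X-Frame-Options Header Not Set",
     "riskcode": "2", "confidence": "2", "riskdesc": "Medium (Medium)", "count": "12"},
    {"pluginid": "10015", "alertRef": "10015",
     "name": "Incomplete or No Cache-control and Pragma HTTP Header Set",
     "riskcode": "1", "confidence": "1", "riskdesc": "Low (Low)", "count": "40"},
]}]})

# Constructed report whose text and numeric fields disagree (riskcode 3 = High,
# but riskdesc says Low); used to show the consistency check firing.
INCONSISTENT_REPORT = json.dumps({"site": [{"@name": "http://example.test", "alerts": [
    {"pluginid": "10011", "alertRef": "10011", "name": "Cookie Without Secure Flag",
     "riskcode": "3", "confidence": "2", "riskdesc": "Low (Medium)", "count": "1"},
]}]})


def parse_riskdesc(riskdesc):
    """Split 'Risk (Confidence)' into ('Risk', 'Confidence').

    The parenthesised word is the confidence, not a second risk level.
    """
    m = _RISKDESC.match(riskdesc)
    if not m:
        raise ValueError(f"unrecognised riskdesc: {riskdesc!r}")
    risk, conf = m.group("risk"), m.group("conf")
    if risk not in RISK or conf not in CONFIDENCE:
        raise ValueError(f"unknown level in riskdesc: {riskdesc!r}")
    return risk, conf


def load_alerts(report_json):
    """Return one record per alert with risk and confidence separated.

    Rejects a report where the textual riskdesc disagrees with the numeric
    riskcode/confidence fields, so a mislabelled alert cannot slip through
    a threshold silently.
    """
    report = json.loads(report_json)
    alerts = []
    for site in report.get("site", []):
        for a in site.get("alerts", []):
            risk, conf = parse_riskdesc(a["riskdesc"])
            if int(a["riskcode"]) != RISK[risk] or int(a["confidence"]) != CONFIDENCE[conf]:
                raise ValueError(
                    f"riskdesc {a['riskdesc']!r} disagrees with riskcode/confidence "
                    f"for alert {a.get('alertRef', a['pluginid'])}")
            alerts.append({
                "site": site.get("@name"),
                "alertRef": a.get("alertRef", a["pluginid"]),
                "name": a["name"],
                "risk": risk,
                "confidence": conf,
                "count": int(a.get("count", 0)),
            })
    return alerts


def select(alerts, min_risk="Low", min_confidence="Medium"):
    """Keep alerts at or above BOTH thresholds.

    Filtering confidence separately from risk is the point: a Medium-risk,
    Low-confidence alert is a candidate for manual verification, not an
    automatic build failure, and a Low-risk, High-confidence one is real but
    may be accepted for a given application.
    """
    r, c = RISK[min_risk], CONFIDENCE[min_confidence]
    return [a for a in alerts
            if RISK[a["risk"]] >= r and CONFIDENCE[a["confidence"]] >= c]


if __name__ == "__main__":
    for a in select(load_alerts(SAMPLE_REPORT), "Low", "Medium"):
        print(f"{a['alertRef']:8} {a['risk']:<8} {a['confidence']:<8} {a['name']}")
```

Running it on the constructed sample keeps 10011 and 10020-1 and drops 10015, whose risk is Low but whose confidence is only Low; raising the risk threshold to Medium leaves only 10020-1. Whether a Low-risk finding is relevant to a particular application is a judgement the report cannot make for you, but separating the two axes at least lets that judgement be applied per threshold rather than per line of a report.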