diff --git a/docs/Technical-Documentation/Zap-Scan-HTML-Report.md b/docs/Technical-Documentation/Zap-Scan-HTML-Report.md index b7fa723bd..6d9b20cfe 100644 --- a/docs/Technical-Documentation/Zap-Scan-HTML-Report.md +++ b/docs/Technical-Documentation/Zap-Scan-HTML-Report.md 
@@ -24,3 +24,39 @@ link to view the running process at CircleCI 4. Click the `owasp_report.html` link to view the report. ![image](images/report.png) + +### Configuring Report Output + +We use separate files for configuring the ZAP scanner for the front and back end applications +Backend: [tdrs-backend/reports/zap.conf](../../tdrs-backend/reports/zap.conf) +Frontend: [tdrs-frontend/reports/zap.conf](../../tdrs-frontend/reports/zap.conf) + +These files have a list of error codes and what to do with them. We have some of these set +to IGNORE because they do not apply to our configuration but were returning false positives +for test failures. For each of these, we should have a comment as to why the test is being +ignored. + +Can use Postman to mimic the test parameters before ignoring to verify +The [free version of Postman](https://www.postman.com/downloads/), the app or web version, can be used for this. +examples: +![image](images/postman_example1.png) +![image](images/postman_example2.png) + +### Invoking the OWASP Zap Scanner + +We build out how we invoke the zap scanner using our [zap-scanner](../../scripts/zap-scanner.sh) script. + +As part of that, we pass some additional configuration that includes a list of urls to exclude from the +scan. +`ZAP_CLI_OPTIONS` contains this list. +It is important to note, not to include the frontend or backend endpoint we want to test the scanner out +on. + +e.g. do not include something like this in the `-config globalexcludeurl.url_list.url` configuration options: +``` + -config globalexcludeurl.url_list.url\(3\).regex='^https?://.*\.hhs.gov\/.*$' \ + -config globalexcludeurl.url_list.url\(3\).description='Site - acf.hhs.gov' \ + -config globalexcludeurl.url_list.url\(3\).enabled=true \ +``` + +It will not be able to find the endpoint for the tests and the output is confusing as to what is happening. 
diff --git a/docs/Technical-Documentation/images/postman_example1.png b/docs/Technical-Documentation/images/postman_example1.png new file mode 100644 index 000000000..9c79e5400 Binary files /dev/null and b/docs/Technical-Documentation/images/postman_example1.png differ diff --git a/docs/Technical-Documentation/images/postman_example2.png b/docs/Technical-Documentation/images/postman_example2.png new file mode 100644 index 000000000..bfd35224a Binary files /dev/null and b/docs/Technical-Documentation/images/postman_example2.png differ diff --git a/tdrs-backend/reports/zap.conf b/tdrs-backend/reports/zap.conf index eaec6ae5c..46748a939 100644 --- a/tdrs-backend/reports/zap.conf +++ b/tdrs-backend/reports/zap.conf @@ -79,7 +79,11 @@ 40014 FAIL (Cross Site Scripting (Persistent) - Active/release) 40016 FAIL (Cross Site Scripting (Persistent) - Prime - Active/release) 40017 FAIL (Cross Site Scripting (Persistent) - Spider - Active/release) -40018 WARN (SQL Injection - Active/release) +##### IGNORE (SQL Injection - Active/release) as it doesn't apply to us and is giving +##### false positives because it takes us to a default django page notifying us +##### of the 403 forbidden, instead of just a 403 being returned. The test is +##### treating this as though the SQL injection worked, since a page is returned. +40018 IGNORE (SQL Injection - Active/release) 40019 FAIL (SQL Injection - MySQL - Active/beta) 40020 FAIL (SQL Injection - Hypersonic SQL - Active/beta) 40021 FAIL (SQL Injection - Oracle - Active/beta) 
@@ -93,7 +97,10 @@ 40029 FAIL (Trace.axd Information Leak - Active/beta) 40032 FAIL (.htaccess Information Leak - Active/release) 40034 FAIL (.env Information Leak - Active/beta) -40035 FAIL (Hidden File Finder - Active/beta) +##### IGNORE (Hidden File Finder - Active/beta) due to false failing similar to SQL +##### Injection false positive above. Replicating parameters of the test +##### result in +40035 IGNORE (Hidden File Finder - Active/beta) 41 FAIL (Source Code Disclosure - Git - Active/beta) 42 FAIL (Source Code Disclosure - SVN - Active/beta) 43 FAIL (Source Code Disclosure - File Inclusion - Active/beta) diff --git a/tdrs-frontend/reports/zap.conf b/tdrs-frontend/reports/zap.conf index 854c0ea39..763647dc2 100644 --- a/tdrs-frontend/reports/zap.conf +++ b/tdrs-frontend/reports/zap.conf @@ -79,6 +79,12 @@ 40014 FAIL (Cross Site Scripting (Persistent) - Active/release) 40016 FAIL (Cross Site Scripting (Persistent) - Prime - Active/release) 40017 FAIL (Cross Site Scripting (Persistent) - Spider - Active/release) +##### IGNORE (SQL Injection - Active/release, MySQL, Hypersonig SQL, Oracle) +##### as they don't apply to us and is giving false positives because +##### it takes us to a default django page notifying us of the 403 +##### forbidden, instead of just a 403 being returned. The test is +##### treating this as though the SQL injection worked, since a page +##### is returned. 40018 IGNORE (SQL Injection - Active/release) 40019 IGNORE (SQL Injection - MySQL - Active/beta) 40020 IGNORE (SQL Injection - Hypersonic SQL - Active/beta) 
@@ -93,7 +99,10 @@ 40029 FAIL (Trace.axd Information Leak - Active/beta) 40032 FAIL (.htaccess Information Leak - Active/release) 40034 FAIL (.env Information Leak - Active/beta) -40035 FAIL (Hidden File Finder - Active/beta) +##### IGNORE (Hidden File Finder - Active/beta) due to false failing similar to SQL +##### Injection false positive above. Replicating parameters of the test +##### result in +40035 IGNORE (Hidden File Finder - Active/beta) 41 FAIL (Source Code Disclosure - Git - Active/beta) 42 FAIL (Source Code Disclosure - SVN - Active/beta) 43 FAIL (Source Code Disclosure - File Inclusion - Active/beta)
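Review bot: in the docs/Technical-Documentation/Zap-Scan-HTML-Report.md hunk, the sentence `Can use Postman to mimic the test parameters before ignoring to verify` is a fragment and is the only guidance on how to reproduce a finding before marking it IGNORE; spell out the steps (take the request ZAP attaches to the alert, replay it against the same endpoint with the same parameters, confirm the response is the 403 page rather than the behaviour the rule is looking for) so a future IGNORE entry can be checked the same way. The same section should also say what the three levels mean in these files, since the rest of the patch moves rules between them: FAIL fails the scan, WARN reports the alert without failing, and IGNORE drops the rule from the report entirely, so IGNORE should be the last resort rather than the first.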
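Review bot: in the tdrs-backend/reports/zap.conf hunk at line 40018, the rule was already WARN, which reports SQL Injection alerts without failing the scan; changing it to IGNORE switches the rule off, so a real injection-style response on the backend would no longer appear in the report at all. If the only false positive is the HTML 403 page described in the comment, keep WARN so the alert stays visible but non-blocking, or exclude just the URLs that render that page through the `globalexcludeurl.url_list.url` options the docs hunk already describes, rather than disabling the whole rule.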
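Review bot: in the tdrs-backend/reports/zap.conf hunk at line 40035, the justification comment is cut off mid-sentence (`Replicating parameters of the test result in`), so this entry does not meet the rule the docs hunk introduces that every IGNORE carries a reason; finish it with what the replayed request actually returned. The line also jumps from FAIL straight to IGNORE; Hidden File Finder probes for exposed files of the same kind as the `.htaccess` and `.env` checks kept at FAIL directly above it, so if the check cannot be trusted on this target, WARN keeps the alert in the report while not blocking the build.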
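Review bot: in the tdrs-frontend/reports/zap.conf hunk after line 40017, the new comment has `Hypersonig SQL` for `Hypersonic SQL` and `as they don't apply to us and is giving` should read `are giving`; more importantly it copies the backend rationale about a default Django 403 page into the frontend config, so confirm the frontend scan actually receives that page for these requests. The unchanged context lines show 40018 to 40020 were already IGNORE in this file before the patch with no reason recorded, so the comment being added is the only justification on record and should describe what was observed against the frontend, not the backend.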
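Review bot: in the tdrs-frontend/reports/zap.conf hunk at line 40035, the truncated comment from the backend file is duplicated verbatim (`Replicating parameters of the test result in`), and it refers only to `SQL Injection false positive above`; complete the sentence and state the specific response the frontend returned for the hidden-file probes, so the two files do not share one unverified justification for switching this rule from FAIL to IGNORE.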