@@ -665,6 +665,143 @@ one branch (see ``deployments/*.browser/environment.py``) and it will always use
665665the tarball from the most recent pipeline on that branch.
666666
667667
668+ Running a ZAP vulnerability scan
669+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
670+
671+ ZAP Setup
672+ """""""""
673+
674+ - Download ZAP from https://www.zaproxy.org/
675+
676+ - Install & open ZAP
677+
678+ - From the popup, select the *No, I do not want to persis this session at this
679+ moment in time * option and click *Start *
680+
681+ - From the menu, select *Edit * – *ZAP Mode * – *Standard Mode * (This should be
682+ the default option)
683+
684+ - From the menu, select *Tools * – *Options *:
685+
686+ - *Network * – *Rate Limit *, add and enable a 3 request per second rule for the
687+ match string ``anvilprod.org ``, and another rule for the match string
688+ ``humancellatlas.org ``. This is required to prevent the scans from exceeding
689+ the WAF rate limits for the Azul APIs, and being temporarily blocked by the
690+ WAF.
691+
692+ - *Check for Updates *:
693+
694+ - Check the *Check for updates on startup * option
695+
696+ - Check the *Check for updates to the add-ons you have installed * option
697+
698+ - You may now close the ZAP application. The next time you open the application,
699+ the settings you set above will be used.
700+
701+ Running an authenticated scan
702+ """""""""""""""""""""""""""""
703+
704+ The scans you run need be run with authenticated requests. The process for
705+ running an authenticated scan is to first obtain an Azul authentication token,
706+ and then launch the ZAP application with the token set as an environment
707+ variable. The token will then automatically be added as a header to all requests
708+ made during the scan. See the `ZAP documentation `_ for more information.
709+
710+ .. _`ZAP documentation` : https://www.zaproxy.org/docs/getting-further/authentication/handling-auth-yourself/
711+
712+ - To get an authorization token from Azul:
713+
714+ - Open the Swagger UI for the appropriate (HCA or AnVIL) Azul service
715+
716+ - Click *Authorize * and complete the authorization
717+
718+ - Using the Swagger UI, execute an endpoint such as ``/index/catalogs ``
719+
720+ - Note the example ``curl `` command, and copy the token from the
721+ ``Authorization `` header option (e.g. ``Bearer ya29.a0… ``)
722+
723+ - To set the environment variable and launch ZAP from the command line, open a
724+ terminal and run:
725+
726+ - ``export ZAP_AUTH_HEADER_VALUE="<TOKEN-VALUE-HERE>" ``
727+
728+ - ``/Applications/ZAP.app/Contents/MacOS/ZAP.sh ``
729+
730+ - After the ZAP application has opened, follow the steps below to create a new
731+ session and run a scan. After your scan has completed and you have generated
732+ a report, close the ZAP application, and repeat the steps above with a new
733+ authentication token for each additional scan you wish to run.
734+
735+ ZAP Sessions
736+ """"""""""""
737+
738+ With the ZAP application open, you must start a new session prior to running a
739+ new scan. Failure to do so can pollute the scan results with the findings from
740+ the previous scan.
741+
742+ If you are prompted with options to persist the ZAP session, select the *No, I
743+ do not want to persis this session at this moment in time * option and click
744+ *Start *. You may now continue with the scan of your choice.
745+
746+ Running a Portal / Browser scan
747+ """""""""""""""""""""""""""""""
748+
749+ - From the *Quick Start * tab, click *Automated Scan *
750+
751+ - Enter the desired URL (e.g. https://anvilproject.org/) in the *URL to
752+ attack * field
753+
754+ - Check the *Use traditional spider * option
755+
756+ - Select *If modern * from the *Use ajax spider * option
757+
758+ - Select *Firefox Headless * from the *With * option
759+
760+ - Click *Attack *
761+
762+ - Wait until all the scans (Ajax spider, passive scans, etc.) have completed. In
763+ practice, this can take up to four hours depending on the target URL. Note
764+ that you will not receive a notification when the scans have completed,
765+ instead, take note of the *Current Status * values in the ZAP window footer.
766+ Proceed when all scan counts show ``0 ``.
767+
768+ - Generate a report (see section below)
769+
770+ Running an Azul Indexer / Service API scan
771+ """"""""""""""""""""""""""""""""""""""""""
772+
773+ In order to run an API scan you must first import the OpenAPI definition.
774+
775+ - From the menu, select *Import * – *Import an OpenAPI Definition *
776+
777+ - Enter the URL of the OpenAPI definition (e.g.
778+ https://service.explore.anvilproject.org/openapi.json) in the *URL * field
779+
780+ - Click *Import *
781+
782+ After importing the OpenAPI definition, you may now follow the instructions
783+ above for running an ``Automated Scan ``. When entering the URL to attack, use
784+ the base URL of the Azul indexer or service with no additional path components
785+ (e.g. https://service.explore.anvilproject.org/).
786+
787+ Generating a ZAP Report
788+ """""""""""""""""""""""
789+
790+ After a scan has completed, use the following steps to save a PDF export of the
791+ scan results.
792+
793+ - From the menu, select *Report * – *Generate Report *
794+
795+ - Select *Traditional PDF Report * from the *Template * option
796+
797+ - Enter a value such as "AnVIL Data Portal" in the *Report Title * field
798+
799+ - Enter a value such as "2025-01-01-anvil-data-portal.pdf" in the *Report
800+ Name * field
801+
802+ - Click *Generate Report *
803+
804+
668805Troubleshooting
669806---------------
670807
0 commit comments