@@ -665,6 +665,143 @@ one branch (see ``deployments/*.browser/environment.py``) and it will always use
665
665
the tarball from the most recent pipeline on that branch.
666
666
667
667
668
+ Running a ZAP vulnerability scan
669
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
670
+
671
+ ZAP Setup
672
+ """""""""
673
+
674
+ - Download ZAP from https://www.zaproxy.org/
675
+
676
+ - Install & open ZAP
677
+
678
+ - From the popup, select the *No, I do not want to persis this session at this
679
+ moment in time * option and click *Start *
680
+
681
+ - From the menu, select *Edit * – *ZAP Mode * – *Standard Mode * (This should be
682
+ the default option)
683
+
684
+ - From the menu, select *Tools * – *Options *:
685
+
686
+ - *Network * – *Rate Limit *, add and enable a 3 request per second rule for the
687
+ match string ``anvilprod.org ``, and another rule for the match string
688
+ ``humancellatlas.org ``. This is required to prevent the scans from exceeding
689
+ the WAF rate limits for the Azul APIs, and being temporarily blocked by the
690
+ WAF.
691
+
692
+ - *Check for Updates *:
693
+
694
+ - Check the *Check for updates on startup * option
695
+
696
+ - Check the *Check for updates to the add-ons you have installed * option
697
+
698
+ - You may now close the ZAP application. The next time you open the application,
699
+ the settings you set above will be used.
700
+
701
+ Running an authenticated scan
702
+ """""""""""""""""""""""""""""
703
+
704
+ The scans you run need be run with authenticated requests. The process for
705
+ running an authenticated scan is to first obtain an Azul authentication token,
706
+ and then launch the ZAP application with the token set as an environment
707
+ variable. The token will then automatically be added as a header to all requests
708
+ made during the scan. See the `ZAP documentation `_ for more information.
709
+
710
+ .. _`ZAP documentation` : https://www.zaproxy.org/docs/getting-further/authentication/handling-auth-yourself/
711
+
712
+ - To get an authorization token from Azul:
713
+
714
+ - Open the Swagger UI for the appropriate (HCA or AnVIL) Azul service
715
+
716
+ - Click *Authorize * and complete the authorization
717
+
718
+ - Using the Swagger UI, execute an endpoint such as ``/index/catalogs ``
719
+
720
+ - Note the example ``curl `` command, and copy the token from the
721
+ ``Authorization `` header option (e.g. ``Bearer ya29.a0… ``)
722
+
723
+ - To set the environment variable and launch ZAP from the command line, open a
724
+ terminal and run:
725
+
726
+ - ``export ZAP_AUTH_HEADER_VALUE="<TOKEN-VALUE-HERE>" ``
727
+
728
+ - ``/Applications/ZAP.app/Contents/MacOS/ZAP.sh ``
729
+
730
+ - After the ZAP application has opened, follow the steps below to create a new
731
+ session and run a scan. After your scan has completed and you have generated
732
+ a report, close the ZAP application, and repeat the steps above with a new
733
+ authentication token for each additional scan you wish to run.
734
+
735
+ ZAP Sessions
736
+ """"""""""""
737
+
738
+ With the ZAP application open, you must start a new session prior to running a
739
+ new scan. Failure to do so can pollute the scan results with the findings from
740
+ the previous scan.
741
+
742
+ If you are prompted with options to persist the ZAP session, select the *No, I
743
+ do not want to persis this session at this moment in time * option and click
744
+ *Start *. You may now continue with the scan of your choice.
745
+
746
+ Running a Portal / Browser scan
747
+ """""""""""""""""""""""""""""""
748
+
749
+ - From the *Quick Start * tab, click *Automated Scan *
750
+
751
+ - Enter the desired URL (e.g. https://anvilproject.org/) in the *URL to
752
+ attack * field
753
+
754
+ - Check the *Use traditional spider * option
755
+
756
+ - Select *If modern * from the *Use ajax spider * option
757
+
758
+ - Select *Firefox Headless * from the *With * option
759
+
760
+ - Click *Attack *
761
+
762
+ - Wait until all the scans (Ajax spider, passive scans, etc.) have completed. In
763
+ practice, this can take up to four hours depending on the target URL. Note
764
+ that you will not receive a notification when the scans have completed,
765
+ instead, take note of the *Current Status * values in the ZAP window footer.
766
+ Proceed when all scan counts show ``0 ``.
767
+
768
+ - Generate a report (see section below)
769
+
770
+ Running an Azul Indexer / Service API scan
771
+ """"""""""""""""""""""""""""""""""""""""""
772
+
773
+ In order to run an API scan you must first import the OpenAPI definition.
774
+
775
+ - From the menu, select *Import * – *Import an OpenAPI Definition *
776
+
777
+ - Enter the URL of the OpenAPI definition (e.g.
778
+ https://service.explore.anvilproject.org/openapi.json) in the *URL * field
779
+
780
+ - Click *Import *
781
+
782
+ After importing the OpenAPI definition, you may now follow the instructions
783
+ above for running an ``Automated Scan ``. When entering the URL to attack, use
784
+ the base URL of the Azul indexer or service with no additional path components
785
+ (e.g. https://service.explore.anvilproject.org/).
786
+
787
+ Generating a ZAP Report
788
+ """""""""""""""""""""""
789
+
790
+ After a scan has completed, use the following steps to save a PDF export of the
791
+ scan results.
792
+
793
+ - From the menu, select *Report * – *Generate Report *
794
+
795
+ - Select *Traditional PDF Report * from the *Template * option
796
+
797
+ - Enter a value such as "AnVIL Data Portal" in the *Report Title * field
798
+
799
+ - Enter a value such as "2025-01-01-anvil-data-portal.pdf" in the *Report
800
+ Name * field
801
+
802
+ - Click *Generate Report *
803
+
804
+
668
805
Troubleshooting
669
806
---------------
670
807
0 commit comments