Skip to content

Commit 13c1233

Browse files
committed
Document web application vulnerability scanning procedure (#7021)
1 parent 169624e commit 13c1233

File tree

1 file changed

+137
-0
lines changed

1 file changed

+137
-0
lines changed

OPERATOR.rst

Lines changed: 137 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -665,6 +665,143 @@ one branch (see ``deployments/*.browser/environment.py``) and it will always use
665665
the tarball from the most recent pipeline on that branch.
666666

667667

668+
Running a ZAP vulnerability scan
669+
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
670+
671+
ZAP Setup
672+
"""""""""
673+
674+
- Download ZAP from https://www.zaproxy.org/
675+
676+
- Install & open ZAP
677+
678+
- From the popup, select the *No, I do not want to persis this session at this
679+
moment in time* option and click *Start*
680+
681+
- From the menu, select *Edit* – *ZAP Mode* – *Standard Mode* (This should be
682+
the default option)
683+
684+
- From the menu, select *Tools* – *Options*:
685+
686+
- *Network* – *Rate Limit*, add and enable a 3 request per second rule for the
687+
match string ``anvilprod.org``, and another rule for the match string
688+
``humancellatlas.org``. This is required to prevent the scans from exceeding
689+
the WAF rate limits for the Azul APIs, and being temporarily blocked by the
690+
WAF.
691+
692+
- *Check for Updates*:
693+
694+
- Check the *Check for updates on startup* option
695+
696+
- Check the *Check for updates to the add-ons you have installed* option
697+
698+
- You may now close the ZAP application. The next time you open the application,
699+
the settings you set above will be used.
700+
701+
Running an authenticated scan
702+
"""""""""""""""""""""""""""""
703+
704+
The scans you run need be run with authenticated requests. The process for
705+
running an authenticated scan is to first obtain an Azul authentication token,
706+
and then launch the ZAP application with the token set as an environment
707+
variable. The token will then automatically be added as a header to all requests
708+
made during the scan. See the `ZAP documentation`_ for more information.
709+
710+
.. _`ZAP documentation`: https://www.zaproxy.org/docs/getting-further/authentication/handling-auth-yourself/
711+
712+
- To get an authorization token from Azul:
713+
714+
- Open the Swagger UI for the appropriate (HCA or AnVIL) Azul service
715+
716+
- Click *Authorize* and complete the authorization
717+
718+
- Using the Swagger UI, execute an endpoint such as ``/index/catalogs``
719+
720+
- Note the example ``curl`` command, and copy the token from the
721+
``Authorization`` header option (e.g. ``Bearer ya29.a0…``)
722+
723+
- To set the environment variable and launch ZAP from the command line, open a
724+
terminal and run:
725+
726+
- ``export ZAP_AUTH_HEADER_VALUE="<TOKEN-VALUE-HERE>"``
727+
728+
- ``/Applications/ZAP.app/Contents/MacOS/ZAP.sh``
729+
730+
- After the ZAP application has opened, follow the steps below to create a new
731+
session and run a scan. After your scan has completed and you have generated
732+
a report, close the ZAP application, and repeat the steps above with a new
733+
authentication token for each additional scan you wish to run.
734+
735+
ZAP Sessions
736+
""""""""""""
737+
738+
With the ZAP application open, you must start a new session prior to running a
739+
new scan. Failure to do so can pollute the scan results with the findings from
740+
the previous scan.
741+
742+
If you are prompted with options to persist the ZAP session, select the *No, I
743+
do not want to persis this session at this moment in time* option and click
744+
*Start*. You may now continue with the scan of your choice.
745+
746+
Running a Portal / Browser scan
747+
"""""""""""""""""""""""""""""""
748+
749+
- From the *Quick Start* tab, click *Automated Scan*
750+
751+
- Enter the desired URL (e.g. https://anvilproject.org/) in the *URL to
752+
attack* field
753+
754+
- Check the *Use traditional spider* option
755+
756+
- Select *If modern* from the *Use ajax spider* option
757+
758+
- Select *Firefox Headless* from the *With* option
759+
760+
- Click *Attack*
761+
762+
- Wait until all the scans (Ajax spider, passive scans, etc.) have completed. In
763+
practice, this can take up to four hours depending on the target URL. Note
764+
that you will not receive a notification when the scans have completed,
765+
instead, take note of the *Current Status* values in the ZAP window footer.
766+
Proceed when all scan counts show ``0``.
767+
768+
- Generate a report (see section below)
769+
770+
Running an Azul Indexer / Service API scan
771+
""""""""""""""""""""""""""""""""""""""""""
772+
773+
In order to run an API scan you must first import the OpenAPI definition.
774+
775+
- From the menu, select *Import* – *Import an OpenAPI Definition*
776+
777+
- Enter the URL of the OpenAPI definition (e.g.
778+
https://service.explore.anvilproject.org/openapi.json) in the *URL* field
779+
780+
- Click *Import*
781+
782+
After importing the OpenAPI definition, you may now follow the instructions
783+
above for running an ``Automated Scan``. When entering the URL to attack, use
784+
the base URL of the Azul indexer or service with no additional path components
785+
(e.g. https://service.explore.anvilproject.org/).
786+
787+
Generating a ZAP Report
788+
"""""""""""""""""""""""
789+
790+
After a scan has completed, use the following steps to save a PDF export of the
791+
scan results.
792+
793+
- From the menu, select *Report* – *Generate Report*
794+
795+
- Select *Traditional PDF Report* from the *Template* option
796+
797+
- Enter a value such as "AnVIL Data Portal" in the *Report Title* field
798+
799+
- Enter a value such as "2025-01-01-anvil-data-portal.pdf" in the *Report
800+
Name* field
801+
802+
- Click *Generate Report*
803+
804+
668805
Troubleshooting
669806
---------------
670807

0 commit comments

Comments
 (0)