
Commit 2d10b12

fixup! Document web application vulnerability scanning procedure (#7021)
1 parent 13c1233 commit 2d10b12

File tree

1 file changed

+36
-19
lines changed


OPERATOR.rst

Lines changed: 36 additions & 19 deletions
@@ -668,8 +668,12 @@ the tarball from the most recent pipeline on that branch.
668668
Running a ZAP vulnerability scan
669669
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
670670

671-
ZAP Setup
672-
"""""""""
671+
Setting up ZAP
672+
""""""""""""""
673+
674+
Follow these steps to set up the ZAP application for scanning of the HCA and
675+
AnVIL systems. After completing this set up once, you can skip this step in the
676+
future, and instead jump down to `Launching ZAP`_.
673677

674678
- Download ZAP from https://www.zaproxy.org/
675679

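Review bot: `Launching ZAP`_ in the new "Setting up ZAP" paragraph has no explicit target, whereas every other cross-reference introduced by this change (`create a new session`_, `generate a report`_, `Automated Scan`_) is paired with an explicit `.. _`name`: #anchor` line; if the renderer needs those explicit targets, this one link will not resolve, so either add `.. _`Launching ZAP`: #launching-zap` or drop the explicit targets everywhere and rely on implicit section targets consistently. Wording in the same paragraph: "set up the ZAP application for scanning of the HCA and AnVIL systems" reads better as "set up ZAP for scanning the HCA and AnVIL systems", and "this set up" should be the noun "setup".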
@@ -698,14 +702,14 @@ ZAP Setup
698702
- You may now close the ZAP application. The next time you open the application,
699703
the settings you set above will be used.
700704

701-
Running an authenticated scan
702-
"""""""""""""""""""""""""""""
705+
Launching ZAP
706+
"""""""""""""
703707

704-
The scans you run need be run with authenticated requests. The process for
705-
running an authenticated scan is to first obtain an Azul authentication token,
706-
and then launch the ZAP application with the token set as an environment
707-
variable. The token will then automatically be added as a header to all requests
708-
made during the scan. See the `ZAP documentation`_ for more information.
708+
All scans need be run with authenticated requests. The process for running an
709+
authenticated scan is to first obtain an Azul authentication token, and then
710+
launch the ZAP application with the token set as an environment variable. The
711+
token will then automatically be added as a header to all requests made during
712+
the scan. See the `ZAP documentation`_ for more information.
709713

710714
.. _`ZAP documentation`: https://www.zaproxy.org/docs/getting-further/authentication/handling-auth-yourself/
711715

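Review bot: "All scans need be run with authenticated requests" is missing "to" ("need to be run"); the sentence was rewritten in this hunk anyway, so fix it here rather than carrying the old error forward. The paragraph also tells the reader that the token is added as a header to every request made during the scan, but not what follows from that: the token is a live credential that ends up in the scan record. A one-line caveat here (do not persist the session, treat the generated report as containing the token) would be clearer than leaving it implicit in the later "do not persist this session" step.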
@@ -727,24 +731,33 @@ made during the scan. See the `ZAP documentation`_ for more information.
727731

728732
- ``/Applications/ZAP.app/Contents/MacOS/ZAP.sh``
729733

730-
- After the ZAP application has opened, follow the steps below to create a new
731-
session and run a scan. After your scan has completed and you have generated
732-
a report, close the ZAP application, and repeat the steps above with a new
733-
authentication token for each additional scan you wish to run.
734+
- After the ZAP application has opened, follow the steps below to `create a new
735+
session`_ and run a scan. After your scan has completed and you have
736+
generated a report, close the ZAP application, and repeat the steps above with
737+
a new authentication token for each additional scan you wish to run.
738+
739+
.. _`create a new session`: #zap-sessions
734740

735741
ZAP Sessions
736742
""""""""""""
737743

738744
With the ZAP application open, you must start a new session prior to running a
739745
new scan. Failure to do so can pollute the scan results with the findings from
740-
the previous scan.
746+
the previous scan. A new session is created each time you launch ZAP, or to
747+
manually open a new session, from the menu, select *File* – *New Session*.
741748

742749
If you are prompted with options to persist the ZAP session, select the *No, I
743750
do not want to persis this session at this moment in time* option and click
744-
*Start*. You may now continue with the scan of your choice.
751+
*Start*.
752+
753+
You may now continue with either a `Data Portal / Browser scan`_ or `Indexer /
754+
Service API scan`_.
745755

746-
Running a Portal / Browser scan
747-
"""""""""""""""""""""""""""""""
756+
.. _`Portal / Browser scan`: #running-a-portal-browser-scan
757+
.. _`Indexer / Service API scan`: #running-an-azul-indexer-service-api-scan
758+
759+
Running a Data Portal / Browser scan
760+
""""""""""""""""""""""""""""""""""""
748761

749762
- From the *Quick Start* tab, click *Automated Scan*
750763

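Review bot: the reference `Data Portal / Browser scan`_ does not match the target defined a few lines below it, `.. _`Portal / Browser scan`: #running-a-portal-browser-scan`, so the link is broken on two counts: the name differs, and the anchor still uses the pre-rename slug even though the heading is now "Running a Data Portal / Browser scan" and the later `Automated Scan` target already uses `#running-a-data-portal-browser-scan`. Rename the target to `Data Portal / Browser scan` and point it at the new slug. The sentence "A new session is created each time you launch ZAP, or to manually open a new session, from the menu, select *File* – *New Session*." packs two instructions into one; split it: "A new session is created each time you launch ZAP. To start one manually, select *File* > *New Session* from the menu." While here, the unchanged line "do not persis this session" should read "persist".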
@@ -765,7 +778,9 @@ Running a Portal / Browser scan
765778
instead, take note of the *Current Status* values in the ZAP window footer.
766779
Proceed when all scan counts show ``0``.
767780

768-
- Generate a report (see section below)
781+
- Continue with the steps below to `generate a report`_.
782+
783+
.. _`generate a report`: #generating-a-zap-report
769784

770785
Running an Azul Indexer / Service API scan
771786
""""""""""""""""""""""""""""""""""""""""""
@@ -780,10 +795,12 @@ In order to run an API scan you must first import the OpenAPI definition.
780795
- Click *Import*
781796

782797
After importing the OpenAPI definition, you may now follow the instructions
783-
above for running an ``Automated Scan``. When entering the URL to attack, use
798+
above for running an `Automated Scan`_. When entering the URL to attack, use
784799
the base URL of the Azul indexer or service with no additional path components
785800
(e.g. https://service.explore.anvilproject.org/).
786801

802+
.. _`Automated Scan`: #running-a-data-portal-browser-scan
803+
787804
Generating a ZAP Report
788805
"""""""""""""""""""""""
789806
