@@ -668,8 +668,12 @@ the tarball from the most recent pipeline on that branch.
668
668
Running a ZAP vulnerability scan
669
669
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
670
670
671
- ZAP Setup
672
- """""""""
671
+ Setting up ZAP
672
+ """"""""""""""
673
+
674
+ Follow these steps to set up the ZAP application for scanning of the HCA and
675
+ AnVIL systems. After completing this set up once, you can skip this step in the
676
+ future, and instead jump down to `Launching ZAP `_.
673
677
674
678
- Download ZAP from https://www.zaproxy.org/
675
679
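Review bot: in the new intro paragraph, "After completing this set up once" uses the verb form where the noun is meant; suggest "After completing this setup once, you can skip this step in the future". The link `Launching ZAP`_ relies on the implicit target created by a section title of exactly that name, so it only resolves if the "Launching ZAP" heading introduced in the next hunk keeps that spelling; a `:ref:` label would survive a later rename.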
@@ -698,14 +702,14 @@ ZAP Setup
698
702
- You may now close the ZAP application. The next time you open the application,
699
703
the settings you set above will be used.
700
704
701
- Running an authenticated scan
702
- """""""""""""""""""""""""""""
705
+ Launching ZAP
706
+ """""""""""""
703
707
704
- The scans you run need be run with authenticated requests. The process for
705
- running an authenticated scan is to first obtain an Azul authentication token,
706
- and then launch the ZAP application with the token set as an environment
707
- variable. The token will then automatically be added as a header to all requests
708
- made during the scan. See the `ZAP documentation `_ for more information.
708
+ All scans need be run with authenticated requests. The process for running an
709
+ authenticated scan is to first obtain an Azul authentication token, and then
710
+ launch the ZAP application with the token set as an environment variable. The
711
+ token will then automatically be added as a header to all requests made during
712
+ the scan. See the `ZAP documentation `_ for more information.
709
713
710
714
.. _`ZAP documentation` : https://www.zaproxy.org/docs/getting-further/authentication/handling-auth-yourself/
711
715
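Review bot: the rewritten first sentence still carries the grammar slip from the old text, "All scans need be run with authenticated requests"; suggest "All scans need to be run with authenticated requests." Since the paragraph describes passing the token to ZAP through an environment variable, it would help readers to name that variable here (the launch command in the next hunk is the only place it is implied), so someone skimming this section knows what to export before reading on.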
@@ -727,24 +731,33 @@ made during the scan. See the `ZAP documentation`_ for more information.
727
731
728
732
- ``/Applications/ZAP.app/Contents/MacOS/ZAP.sh ``
729
733
730
- - After the ZAP application has opened, follow the steps below to create a new
731
- session and run a scan. After your scan has completed and you have generated
732
- a report, close the ZAP application, and repeat the steps above with a new
733
- authentication token for each additional scan you wish to run.
734
+ - After the ZAP application has opened, follow the steps below to `create a new
735
+ session `_ and run a scan. After your scan has completed and you have
736
+ generated a report, close the ZAP application, and repeat the steps above with
737
+ a new authentication token for each additional scan you wish to run.
738
+
739
+ .. _`create a new session` : #zap-sessions
734
740
735
741
ZAP Sessions
736
742
""""""""""""
737
743
738
744
With the ZAP application open, you must start a new session prior to running a
739
745
new scan. Failure to do so can pollute the scan results with the findings from
740
- the previous scan.
746
+ the previous scan. A new session is created each time you launch ZAP, or to
747
+ manually open a new session, from the menu, select *File * – *New Session *.
741
748
742
749
If you are prompted with options to persist the ZAP session, select the *No, I
743
750
do not want to persis this session at this moment in time * option and click
744
- *Start *. You may now continue with the scan of your choice.
751
+ *Start *.
752
+
753
+ You may now continue with either a `Data Portal / Browser scan `_ or `Indexer /
754
+ Service API scan `_.
745
755
746
- Running a Portal / Browser scan
747
- """""""""""""""""""""""""""""""
756
+ .. _`Portal / Browser scan` : #running-a-portal-browser-scan
757
+ .. _`Indexer / Service API scan` : #running-an-azul-indexer-service-api-scan
758
+
759
+ Running a Data Portal / Browser scan
760
+ """"""""""""""""""""""""""""""""""""
748
761
749
762
- From the *Quick Start * tab, click *Automated Scan *
750
763
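Review bot: the new cross-reference targets do not match the references that use them. The text links `Data Portal / Browser scan`_ but the target is declared as ``.. _`Portal / Browser scan` : #running-a-portal-browser-scan``, so the name differs and the reference will not resolve; in addition, the fragment still points at the old section slug, while the heading in this same hunk is renamed to "Running a Data Portal / Browser scan" (the last hunk correctly uses ``#running-a-data-portal-browser-scan`` for it). Suggest renaming the target to match the link text and updating the anchor, or dropping the hand-written ``#...`` fragments altogether and using the implicit title references (`Running a Data Portal / Browser scan`_, `ZAP Sessions`_) or `:ref:` labels, which Sphinx checks at build time. The unchanged context line "do not want to persis this session" has a typo ("persist") worth fixing while this paragraph is being touched.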
@@ -765,7 +778,9 @@ Running a Portal / Browser scan
765
778
instead, take note of the *Current Status * values in the ZAP window footer.
766
779
Proceed when all scan counts show ``0 ``.
767
780
768
- - Generate a report (see section below)
781
+ - Continue with the steps below to `generate a report `_.
782
+
783
+ .. _`generate a report` : #generating-a-zap-report
769
784
770
785
Running an Azul Indexer / Service API scan
771
786
""""""""""""""""""""""""""""""""""""""""""
@@ -780,10 +795,12 @@ In order to run an API scan you must first import the OpenAPI definition.
780
795
- Click *Import *
781
796
782
797
After importing the OpenAPI definition, you may now follow the instructions
783
- above for running an `` Automated Scan `` . When entering the URL to attack, use
798
+ above for running an `Automated Scan `_ . When entering the URL to attack, use
784
799
the base URL of the Azul indexer or service with no additional path components
785
800
(e.g. https://service.explore.anvilproject.org/).
786
801
802
+ .. _`Automated Scan` : #running-a-data-portal-browser-scan
803
+
787
804
Generating a ZAP Report
788
805
"""""""""""""""""""""""
789
806
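Review bot: "running an `Automated Scan`_ . When entering" leaves a space between the link and the period; suggest "running an `Automated Scan`_. When entering". The target correctly uses the renamed slug ``#running-a-data-portal-browser-scan``, which is the same anchor the earlier hunk gets wrong, so once that hunk is fixed both should point at the same section; consider defining the target once rather than in two places.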