From 9a7559985a95ea19debaea58728d3441d372e249 Mon Sep 17 00:00:00 2001 From: Sven Aas <12150+svenaas@users.noreply.github.com> Date: Wed, 31 Jan 2024 14:42:42 -0500 Subject: [PATCH] OWASP ZAP is now simply ZAP --- .github/ISSUE_TEMPLATE/run_conmon_pages.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/run_conmon_pages.md b/.github/ISSUE_TEMPLATE/run_conmon_pages.md index 0d93772..fd57667 100644 --- a/.github/ISSUE_TEMPLATE/run_conmon_pages.md +++ b/.github/ISSUE_TEMPLATE/run_conmon_pages.md @@ -8,11 +8,11 @@ assignees: "" Re: [link to platform conmon ticket] -cloud.gov Pages also provides continuous monitoring artifacts. The process for creating them is detailed below. Current we only run OWASP ZAP Scans. +cloud.gov Pages also provides continuous monitoring artifacts. The process for creating them is detailed below. Current we only run ZAP Scans. -# OWASP ZAP Scans +# ZAP Scans -From the [ZAP documentation](https://www.zaproxy.org/getting-started/): "Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible." +From the [ZAP documentation](https://www.zaproxy.org/getting-started/): "Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of The Software Security Project (SSP). ZAP is designed specifically for testing web applications and is both flexible and extensible." We run ZAP from a Pages operator's local machine. ZAP opens a Firefox instance that is configured to proxy all requests through ZAP. ZAP can then analyze and modify the requests. 
@@ -25,15 +25,16 @@ Each user should have a support user account created in the `zap-scans` organiza ## Install, Configure, and Update - Check that you have the [latest stable version of ZAP](https://www.zaproxy.org/download/). Install/update via Homebrew with: - - `brew update; brew install owasp-zap` or - - `brew update; brew reinstall owasp-zap` + - `brew update; brew install --cask zap` or + - `brew update; brew reinstall zap` + > NOTE: If you have used ZAP in the past on your workstation you may have an older version installed from when it was known as OWASP ZAP and distributed using the Homebrew formula `owasp-zip`. If you need to remove such an older Homebrew installation, run the following from the command line: + - `brew uninstall owasp-zap` > NOTE: If you see an error running ZAP as an unsigned application, run the following from the command line: - - `xattr -dr com.apple.quarantine '/Applications/OWASP ZAP.app'` + - `xattr -dr com.apple.quarantine '/Applications/ZAP.app'` - ZAP also has a [weekly build](https://www.zaproxy.org/download/#weekly) available. If the current stable build isn't working for some reason, try the weekly build instead. Download the ZIP, `cd` to it in your terminal, and run it with `./zap.sh`. If it outputs a message like `Exiting: ZAP requires a minimum of Java 11 to run`, run `brew install java` to install the latest Java and try again. - Start ZAP and update - For "Session persistence", select "No, I do not want to persist my session..." - - For "Manage add-ons", select "Update All" - > NOTE: As of July, 2023 (ZAP 2.13.0) "Manage add-ons" did not pop up automatically and, when opened from the toolbar, rendered the "Update All" button as disabled. + - Use the Add-ons button in the toolbar to open "Manage add-ons". Check for available updates, and update all. - ZAP -> Settings -> Options: - Active Scan: - 3 hosts 
@@ -62,7 +63,7 @@ Running the ZAP scan takes approximately one hour but can consume a large amount - On the top line of icons, there should be a Firefox icon on the far right. Click that to open Firefox preconfigured to proxy through ZAP. - Open the `context` to see the included web applications (Context -> Included in Context) - In the ZAP-configured Firefox, log in to each site in the context list. -> NOTE: These steps should start to populate ZAP's `Sites` list. If nothing is showing up there, you may need to disable Zscaler and try these steps again. As of July, 2023 (ZAP 2.13.0) `Sites` did not populate and the `Spider` scan reported 0 URLs until Zscaler was disabled. +> NOTE: These steps should start to populate ZAP's `Sites` list. If nothing is showing up there, you may need to disable Zscaler and try these steps again. `Sites` may not populate and the `Spider` scan may reported 0 URLs until Zscaler is disabled. - To prevent getting noise in the scan results (since that causes major confusion when the FedRAMP team processes the ConMon report), review the `Sites` list to ensure only the cloud.gov sites have a small red circle/sight on them (denoting the site will be included). Remove any sites not needed by CTRL-clicking on them and selecting `Delete`. - CTRL-click on the context and run the `Spider` scan. - After the `Spider` scan is complete, again CTRL-click on the context and this time run the `Active Scan`.
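Review bot: in the first hunk (`@@ -8,11 +8,11 @@`), the rewritten `+` line carries over the pre-existing typo "Current we only run ZAP Scans." while the sentence is already being edited; suggest `Currently we only run ZAP scans.` The same hunk also rewrites a sentence inside a direct quotation attributed to the linked ZAP getting-started page (changing "Open Web Application Security Project (OWASP)" to "The Software Security Project (SSP)"); since it is presented as a verbatim quote, either re-copy the sentence exactly from the current source page or drop the quotation marks and paraphrase, so the citation does not claim wording the source may not use.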
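Review bot: in the second hunk (`@@ -25,15 +25,16 @@`), the new NOTE names the old Homebrew formula as `owasp-zip`, which contradicts the `brew uninstall owasp-zap` command on the next added line and the removed `brew install owasp-zap` lines; change it to `owasp-zap`. The install and reinstall commands in the same hunk are also inconsistent: `brew update; brew install --cask zap` passes `--cask` but `brew update; brew reinstall zap` does not, so the reinstall path relies on Homebrew resolving a bare name to the cask; suggest `brew update; brew reinstall --cask zap` so both commands target the cask explicitly.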
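Review bot: in the third hunk (`@@ -62,7 +63,7 @@`), the rewritten NOTE has a grammar error: "the `Spider` scan may reported 0 URLs" should read "the `Spider` scan may report 0 URLs". Dropping the "As of July, 2023 (ZAP 2.13.0)" qualifier is otherwise reasonable, since the sentence now describes the Zscaler interaction as an ongoing condition rather than a dated observation.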