Update Pages ConMon template to reflect OWASP ZAP becoming ZAP #2886

Merged: 1 commit, Jan 31, 2024
19 changes: 10 additions & 9 deletions .github/ISSUE_TEMPLATE/run_conmon_pages.md
Expand Up @@ -8,11 +8,11 @@ assignees: ""

Re: [link to platform conmon ticket]

cloud.gov Pages also provides continuous monitoring artifacts. The process for creating them is detailed below. Current we only run OWASP ZAP Scans.
cloud.gov Pages also provides continuous monitoring artifacts. The process for creating them is detailed below. Current we only run ZAP Scans.

# OWASP ZAP Scans
# ZAP Scans

From the [ZAP documentation](https://www.zaproxy.org/getting-started/): "Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible."
From the [ZAP documentation](https://www.zaproxy.org/getting-started/): "Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of The Software Security Project (SSP). ZAP is designed specifically for testing web applications and is both flexible and extensible."

We run ZAP from a Pages operator's local machine. ZAP opens a Firefox instance that is configured to proxy all requests through ZAP. ZAP can then analyze and modify the requests.

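Review bot: the typo "Current we only run" on the first rewritten line of this hunk survives the rename; since the line is already being touched, make it "Currently we only run ZAP scans." The rewritten quotation from the ZAP getting-started page now attributes the project to "The Software Security Project (SSP)"; because it is presented in quotation marks as the documentation's own words, confirm it matches the linked page verbatim at merge time (this very hunk shows the stewardship wording changing once already), or drop the quotation marks and paraphrase so the template does not go stale the next time the project moves.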
Expand All @@ -25,15 +25,16 @@ Each user should have a support user account created in the `zap-scans` organiza
## Install, Configure, and Update

- Check that you have the [latest stable version of ZAP](https://www.zaproxy.org/download/). Install/update via Homebrew with:
- `brew update; brew install owasp-zap` or
- `brew update; brew reinstall owasp-zap`
- `brew update; brew install --cask zap` or
- `brew update; brew reinstall zap`
> NOTE: If you have used ZAP in the past on your workstation you may have an older version installed from when it was known as OWASP ZAP and distributed using the Homebrew formula `owasp-zip`. If you need to remove such an older Homebrew installation, run the following from the command line:
- `brew uninstall owasp-zap`
> NOTE: If you see an error running ZAP as an unsigned application, run the following from the command line:
- `xattr -dr com.apple.quarantine '/Applications/OWASP ZAP.app'`
- `xattr -dr com.apple.quarantine '/Applications/ZAP.app'`
- ZAP also has a [weekly build](https://www.zaproxy.org/download/#weekly) available. If the current stable build isn't working for some reason, try the weekly build instead. Download the ZIP, `cd` to it in your terminal, and run it with `./zap.sh`. If it outputs a message like `Exiting: ZAP requires a minimum of Java 11 to run`, run `brew install java` to install the latest Java and try again.
- Start ZAP and update
- For "Session persistence", select "No, I do not want to persist my session..."
- For "Manage add-ons", select "Update All"
> NOTE: As of July, 2023 (ZAP 2.13.0) "Manage add-ons" did not pop up automatically and, when opened from the toolbar, rendered the "Update All" button as disabled.
- Use the Add-ons button in the toolbar to open "Manage add-ons". Check for available updates, and update all.
- ZAP -> Settings -> Options:
- Active Scan:
- 3 hosts
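Review bot: the two new Homebrew lines are inconsistent: `brew install --cask zap` passes `--cask` but `brew reinstall zap` does not; use `brew reinstall --cask zap` so both resolve to the same cask. In the added NOTE about older installs the old Homebrew name is misspelled as `owasp-zip`; the `brew uninstall owasp-zap` command directly below it and the removed lines above both use `owasp-zap`, so correct the NOTE to match, otherwise an operator searching for that name will not find the package.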
Expand Down Expand Up @@ -62,7 +63,7 @@ Running the ZAP scan takes approximately one hour but can consume a large amount
- On the top line of icons, there should be a Firefox icon on the far right. Click that to open Firefox preconfigured to proxy through ZAP.
- Open the `context` to see the included web applications (Context -> Included in Context)
- In the ZAP-configured Firefox, log in to each site in the context list.
> NOTE: These steps should start to populate ZAP's `Sites` list. If nothing is showing up there, you may need to disable Zscaler and try these steps again. As of July, 2023 (ZAP 2.13.0) `Sites` did not populate and the `Spider` scan reported 0 URLs until Zscaler was disabled.
> NOTE: These steps should start to populate ZAP's `Sites` list. If nothing is showing up there, you may need to disable Zscaler and try these steps again. `Sites` may not populate and the `Spider` scan may reported 0 URLs until Zscaler is disabled.
- To prevent getting noise in the scan results (since that causes major confusion when the FedRAMP team processes the ConMon report), review the `Sites` list to ensure only the cloud.gov sites have a small red circle/sight on them (denoting the site will be included). Remove any sites not needed by CTRL-clicking on them and selecting `Delete`.
- CTRL-click on the context and run the `Spider` scan.
- After the `Spider` scan is complete, again CTRL-click on the context and this time run the `Active Scan`.
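Review bot: the rewritten Zscaler note has a grammatical slip: "the `Spider` scan may reported 0 URLs" should read "may report 0 URLs". Dropping the "As of July, 2023 (ZAP 2.13.0)" qualifier also turns a dated observation into a standing claim; that is fine if the Zscaler interference still reproduces on the current stable build, otherwise keep the version in which it was last seen so operators know when the note can be retired.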