ZAP Scan ignores for SQL Injection (#2679)

* Added Active SQL and Hidden File Finder to IGNORE list and updated documentation explaining why and process for reports

* added examples of using postman

---------

Co-authored-by: George Hudson <[email protected]>

Author: George-Hudson

docs/Technical-Documentation/Zap-Scan-HTML-Report.md

@@ -24,3 +24,39 @@ link to view the running process at CircleCI
 4. Click the `owasp_report.html` link to view the report.
 
 ![image](images/report.png)
+
+### Configuring Report Output
+
+We use separate files for configuring the ZAP scanner for the front and back end applications
+Backend:    [tdrs-backend/reports/zap.conf](../../tdrs-backend/reports/zap.conf)
+Frontend:   [tdrs-frontend/reports/zap.conf](../../tdrs-frontend/reports/zap.conf)
+
+These files have a list of error codes and what to do with them. We have some of these set 
+to IGNORE because they do not apply to our configuration but were returning false positives
+for test failures. For each of these, we should have a comment as to why the test is being
+ignored.
+
+Can use Postman to mimic the test parameters before ignoring to verify
+The [free version of Postman](https://www.postman.com/downloads/), the app or web version, can be used for this.
+examples:
+![image](images/postman_example1.png)
+![image](images/postman_example2.png)
+
+### Invoking the OWASP Zap Scanner
+
+We build out how we invoke the zap scanner using our [zap-scanner](../../scripts/zap-scanner.sh) script.
+
+As part of that, we pass some additional configuration that includes a list of urls to exclude from the 
+scan.
+`ZAP_CLI_OPTIONS` contains this list.
+It is important to note, not to include the frontend or backend endpoint we want to test the scanner out
+on. 
+
+e.g. do not include something like this in the `-config globalexcludeurl.url_list.url` configuration options:
+```
+  -config globalexcludeurl.url_list.url\(3\).regex='^https?://.*\.hhs.gov\/.*$' \
+  -config globalexcludeurl.url_list.url\(3\).description='Site - acf.hhs.gov' \
+  -config globalexcludeurl.url_list.url\(3\).enabled=true \
+```
+
+It will not be able to find the endpoint for the tests and the output is confusing as to what is happening. 

docs/Technical-Documentation/images/postman_example1.png

@@ -79,7 +79,11 @@
 40014	FAIL	(Cross Site Scripting (Persistent) - Active/release)
 40016	FAIL	(Cross Site Scripting (Persistent) - Prime - Active/release)
 40017	FAIL	(Cross Site Scripting (Persistent) - Spider - Active/release)
-40018	WARN	(SQL Injection - Active/release)
+#####   IGNORE  (SQL Injection - Active/release) as it doesn't apply to us and is giving
+#####           false positives because it takes us to a default django page notifying us
+#####           of the 403 forbidden, instead of just a 403 being returned. The test is 
+#####           treating this as though the SQL injection worked, since a page is returned.
+40018	IGNORE	(SQL Injection - Active/release)
 40019	FAIL	(SQL Injection - MySQL - Active/beta)
 40020	FAIL	(SQL Injection - Hypersonic SQL - Active/beta)
 40021	FAIL	(SQL Injection - Oracle - Active/beta)
@@ -93,7 +97,10 @@
 40029	FAIL	(Trace.axd Information Leak - Active/beta)
 40032	FAIL	(.htaccess Information Leak - Active/release)
 40034	FAIL	(.env Information Leak - Active/beta)
-40035	FAIL	(Hidden File Finder - Active/beta)
+#####   IGNORE	(Hidden File Finder - Active/beta) due to false failing similar to SQL
+#####           Injection false positive above. Replicating parameters of the test
+#####           result in 
+40035	IGNORE	(Hidden File Finder - Active/beta)
 41	FAIL	(Source Code Disclosure - Git  - Active/beta)
 42	FAIL	(Source Code Disclosure - SVN - Active/beta)
 43	FAIL	(Source Code Disclosure - File Inclusion - Active/beta)

docs/Technical-Documentation/images/postman_example2.png

@@ -79,6 +79,12 @@
 40014	FAIL	(Cross Site Scripting (Persistent) - Active/release)
 40016	FAIL	(Cross Site Scripting (Persistent) - Prime - Active/release)
 40017	FAIL	(Cross Site Scripting (Persistent) - Spider - Active/release)
+#####   IGNORE  (SQL Injection - Active/release, MySQL, Hypersonig SQL, Oracle) 
+#####           as they don't apply to us and is giving false positives because
+#####           it takes us to a default django page notifying us of the 403
+#####           forbidden, instead of just a 403 being returned. The test is 
+#####           treating this as though the SQL injection worked, since a page
+#####           is returned.
 40018	IGNORE	(SQL Injection - Active/release)
 40019	IGNORE	(SQL Injection - MySQL - Active/beta)
 40020	IGNORE	(SQL Injection - Hypersonic SQL - Active/beta)
@@ -93,7 +99,10 @@
 40029	FAIL	(Trace.axd Information Leak - Active/beta)
 40032	FAIL	(.htaccess Information Leak - Active/release)
 40034	FAIL	(.env Information Leak - Active/beta)
-40035	FAIL	(Hidden File Finder - Active/beta)
+#####   IGNORE	(Hidden File Finder - Active/beta) due to false failing similar to SQL
+#####           Injection false positive above. Replicating parameters of the test
+#####           result in 
+40035	IGNORE	(Hidden File Finder - Active/beta)
 41	FAIL	(Source Code Disclosure - Git  - Active/beta)
 42	FAIL	(Source Code Disclosure - SVN - Active/beta)
 43	FAIL	(Source Code Disclosure - File Inclusion - Active/beta)