add Zed Attack Proxy baseline and API penetration testing support (#544)

* Add Zed Attack Proxy baseline and API penetration testing support Set up zaproxy via Docker weekly image Add 3 npm tasks to run the baseline, api or all (both) pen testing commands Update gh-docs to include reports generated from pentest commands Touches on nearform/pathfinders#201 * Update documentation * Add API scan report to docs * Update API pentest scan to ignore Source Code Disclosure - SVN * Add baseline config file for the ZAP baseline scan * Update docs and fix typos
nearform · May 23, 2018 · 62589e5 · 62589e5
1 parent 04380c5
commit 62589e5
Show file tree

Hide file tree

Showing 10 changed files with 1,352 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -272,7 +272,7 @@ To run bench test against populated volume data (2 endpoints)
 npm run bench:volume
 ```
 
-For convenience, you can load the volume db and run the bench tests with the single command. 
+For convenience, you can load the volume db and run the bench tests with the single command.
 
 ```
 npm run bench:load-volume
@@ -306,6 +306,24 @@ The injection tests can be configured in the [sqlmap config][]. A few output con
 
 See the [sqlmap][] repository for more details.
 
+Also, Udaru, has some additional security related (penetration) testing available through npm commands based on [OWASP Zed Attack Proxy](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project).
+End results of the scans are stored as HTML reports in the Udaru documentation and should be reviewed manually post execution.
+
+**Note:** before running this, make sure you have a Docker installed and the weekly Zed Attack proxy might take quite a bit to download (1,5GB + in size). Also note that the API scan is very thorough, extensive and takes quite some time to complete (45+ mins).
+
+To run the baseline scan:
+```
+npm run test:security:pentest:baseline
+```
+
+To run the API attack scan:
+```
+npm run test:security:pentest:api
+```
+To run both:
+```
+npm run test:security:pentest
+```
 ## License
 
 [license]: ./LICENSE.md

diff --git a/docs/_sidebar.md b/docs/_sidebar.md
@@ -6,3 +6,7 @@
 -   API
     -   [Example Usage](example.md)
     -   [Swagger Documentation](swagger/index.html ":ignore")
+
+-   Security
+    -   [Pentration test scans](udaru/pentests/)
+    -   [SQL Injection](sqlinjection.md)
diff --git a/docs/contributing.md b/docs/contributing.md
@@ -50,3 +50,5 @@ We are currently supporting node 6 and 8.
 # Security testing of Udaru
 
 Udaru has been extensively tested for SQL injections, please see [sqlinjection.md](./sqlinjection.md) for more information.
+
+Aside from that, Udaru is occasionally tested with OWASP ZAProxy for any known security vulnerabilities. For a list, please see [pentests](./pentests) for more information.