Investigate OWASP ZAP for single page web apps #51

Open · 9 tasks

ntknguyen opened this issue Jan 20, 2022 · 0 comments

ntknguyen (Contributor) commented Jan 20, 2022

Definition of Ready

  • Does this meet the INVEST criteria?
  • Does this have a clearly defined user?
  • Does this have acceptance criteria?
  • Does this have sufficient context for the specific functionality being developed (design, business rules, etc.)?

User Story

As a developer and maintainer
I want to ensure that the application is secure and protected against common threats
So that sensitive systems can be protected

Acceptance Criteria

Given a dynamic JavaScript web app
When content changes on a single page
Then the OWASP ZAP scan should be able to scan the changes

Development Notes

Potentially achievable with Structural Parameters or via plugins like this article mentions: https://blog.xaviermaso.com/2018/10/01/Scanning-modern-web-applications-with-OWASP-ZAP.html

Testing

Test Description

Verify OWASP ZAP scan can scan all the pages within the web app and all the forms

Assumptions and Pre-Conditions

n/a

Test Data

Create some obvious issues OWASP ZAP can pick up and place them in places that are rendered in dynamic content

Steps to be Executed

  1. Generate a known OWASP issue
  2. Place this issue in parts of the web app that are not rendered on the home page
  3. Scan the app with OWASP ZAP and see if it finds the pages

Definition of Done

  • Have all Acceptance Criteria been agreed to and validated by the scrum team?
  • Has the code been unit tested and peer reviewed?
  • Have the functional tests been executed?
  • Have all defects been reviewed and dispositioned, resolved, or deferred?
  • Is the user story ready to be deployed to the test/staging environments?
@sgillEPA sgillEPA self-assigned this Feb 7, 2022
@sgillEPA sgillEPA removed their assignment Mar 7, 2022
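The Development Notes point at crawling content that only appears after client-side navigation. The script below is an added example, not code from this issue or the project: it drives ZAP through its REST API, runs the AJAX spider (a real browser that follows route changes the classic spider never sees) before the active scan, and then reports which expected endpoints were never exercised, which is the check the test steps above call for. It assumes the python-owasp-zap-v2.4 client, a ZAP daemon on localhost:8080, and a hypothetical SPA at localhost:3000 with the listed API routes.

```python
"""Drive OWASP ZAP against a single-page app: AJAX-spider it, active-scan
what the browser reached, then report unexercised endpoints and alerts.
Assumes python-owasp-zap-v2.4 and a ZAP daemon on localhost:8080
(hypothetical addresses and routes below, not taken from the issue)."""
import time
from urllib.parse import urlparse


def coverage_gaps(seen_urls, expected_paths):
    """Return the expected paths absent from the URLs ZAP recorded."""
    seen = {urlparse(u).path or "/" for u in seen_urls}
    return sorted(p for p in expected_paths if p not in seen)


def summarise_alerts(alerts, min_risk="Medium"):
    """Keep alerts at or above min_risk, de-duplicated by (name, url)."""
    order = ["Informational", "Low", "Medium", "High"]
    floor = order.index(min_risk)
    keep = {}
    for a in alerts:
        if order.index(a["risk"]) >= floor:
            keep[(a["alert"], a["url"])] = a["risk"]
    return sorted(keep.items())


def scan_spa(zap, target, expected_paths, poll=2):
    """AJAX-spider, then active-scan, target; return (missed_paths, alerts)."""
    zap.ajaxSpider.scan(target)
    while zap.ajaxSpider.status == "running":   # view has no args: a property
        time.sleep(poll)
    # The sites tree now holds every request the browser made while clicking
    # through the app, including XHR/fetch calls behind dynamic views.
    missed = coverage_gaps(zap.core.urls(baseurl=target), expected_paths)
    scan_id = zap.ascan.scan(target)
    while int(zap.ascan.status(scan_id)) < 100:  # percentage complete
        time.sleep(poll)
    return missed, summarise_alerts(zap.core.alerts(baseurl=target))


if __name__ == "__main__":
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4
    proxy = "http://localhost:8080"
    zap = ZAPv2(apikey="CHANGE-ME", proxies={"http": proxy, "https": proxy})
    # Hypothetical SPA and the API routes its dynamic views are known to call.
    missed, alerts = scan_spa(zap, "http://localhost:3000",
                              ["/", "/api/users", "/api/settings"])
    print("endpoints never exercised:", missed or "none")
    for (name, url), risk in alerts:
        print(f"[{risk}] {name} at {url}")
```

Seed the dynamic views with the deliberately introduced issues from the Test Data section; an endpoint listed under "never exercised" means the spider did not reach that view, so its findings cannot be trusted.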