ZAP result - CORS misconfiguration #2683
Comments
@ADPennington @andrew-jameson @Smithh-Co After reviewing the CORS failure, it seems like this only happens from my ZAP scan update branch, which can be seen here on the CircleCI run in the generated report. After reviewing my changes in the branch, I can see nowhere that we are messing with the CORS configuration. I believe the issue we are seeing is only due to running the nightly scan against a non-standard branch and should be a non-issue once merged into develop. I can be on hand to review the nightly scan against develop as soon as my PR merges, to ensure this is the case, and revert if I am wrong.
So the thing I was thinking couldn't happen happened. Trying to understand, but maybe the spiders have more resources to explore other things: https://www.zaproxy.org/faq/why-can-zap-scans-be-inconsistent/ So I think it is still valid to IGNORE the Active SQL issues. But yeah, maybe a deeper dive on this ticket is necessary.
@andrew-jameson @ADPennington I feel we should schedule this ticket into the backlog based on agreed-upon priorities. It looks at first glance that these errors coming up are not valid concerns, but I think each of the issues ZAP is bringing up as a concern should be given due diligence, and then either fixed if they are valid, or IGNORE-d like we did with the Active SQL issues. However, due to how the web crawlers work, once we get through these CORS misconfiguration concerns, I think the same thing might happen where the web crawlers then find some new concern. I think this is because they have more time to explore different areas. In order for this tool to be effective, we need to get the configuration whittled down to something that really matters to our app. The last thing we want from a tool like this is for it to be too noisy (as it is right now) with reporting false positives, so that we don't trust it. If it does find something of real concern to us, we might miss it for a long time because ZAP has been crying wolf for too long.
FACT: We see the CORS misconfig failure in Prod and Staging, but not in dev. The reason we don't see the CORS misconfig in the scan results is that we are ignoring the URL scheme using:
So in order to allow the crawler to scan all URLs from the cloud.gov domain, we need to change this regex to only match the unwanted URLs.
Description:
Follow-on to #2663: we need to address a potential CORS misconfiguration that is getting flagged by our new ZAP scan results.
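What a scanner such as ZAP actually does when it reports a CORS misconfiguration is send requests with attacker-chosen `Origin` values and inspect the `Access-Control-Allow-Origin` / `Access-Control-Allow-Credentials` response headers. The block below is an added example, not code from this project or from ZAP: it classifies a response the way a scanner would, probes a naive "reflect any Origin" policy beside an allowlist policy, and shows which probes clear. The allowlist, the probe origins and the two server functions are constructed for illustration.

```python
"""Classify CORS responses the way a scanner reports them (added example).

Nothing here is project code or ZAP code; the origins, allowlist and
header dicts are constructed for illustration.
"""

# Hypothetical allowlist of origins the app is meant to serve (assumption).
ALLOWED_ORIGINS = {"https://app.example.gov"}


def classify_cors(request_origin, response_headers):
    """Return a verdict for one Origin / response pair.

    Verdicts, from worst to best:
      reflected-with-credentials - arbitrary Origin echoed and credentials allowed
      reflected                  - arbitrary Origin echoed, no credentials
      wildcard                   - '*' (browsers refuse credentials with '*')
      null-origin                - 'null' allowed (sandboxed iframes, file://)
      allowlisted                - a known-good origin echoed
      no-cors                    - header absent or names another origin
    """
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        return "wildcard"
    if acao == "null":
        return "null-origin"
    if acao == request_origin:
        if request_origin in ALLOWED_ORIGINS:
            return "allowlisted"
        return "reflected-with-credentials" if creds else "reflected"
    return "no-cors"  # header names a different origin; the browser blocks it


def naive_server(request_origin):
    """The 'before' case: echoes whatever Origin arrives and allows credentials."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def allowlist_server(request_origin):
    """Hardened policy: echo only allowlisted origins, never '*' or the raw Origin.

    'Vary: Origin' keeps caches from serving one origin's answer to another.
    """
    if request_origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


# Probe origins a scanner typically tries (constructed). The last two mimic
# suffix/prefix tricks that defeat naive substring or startswith checks.
PROBE_ORIGINS = [
    "https://evil.example",
    "null",
    "https://app.example.gov.evil.example",
    "https://evilapp.example.gov",
    "https://app.example.gov",
]


def probe(server):
    """Run every probe origin against a server function; return origin -> verdict."""
    return {origin: classify_cors(origin, server(origin)) for origin in PROBE_ORIGINS}


if __name__ == "__main__":
    for name, srv in (("naive", naive_server), ("allowlist", allowlist_server)):
        print(name)
        for origin, verdict in probe(srv).items():
            print(f"  {origin:45} {verdict}")
```

Only `reflected`, `reflected-with-credentials`, `null-origin` and (for authenticated endpoints) `wildcard` are findings; an `allowlisted` echo with `Vary: Origin` is what the hardened app should return, and `no-cors` for every attacker origin is the result the scan should settle to.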
Acceptance Criteria:
Create a list of functional outcomes that must be achieved to complete this issue
Tasks:
Create a list of granular, specific work items that must be completed to deliver the desired outcomes of this issue
Notes:
Add additional useful information, such as related issues and functionality that isn't covered by this specific issue, and other considerations that will be helpful for anyone reading this
Supporting Documentation:
Please include any relevant log snippets/files/screen shots
Open Questions:
Please include any questions or decisions that must be made before beginning work or to confidently call this issue complete