Add OWASP scanning

.github/workflows/security-check.yaml

@@ -1,4 +1,4 @@
-name: Django Security Check
+name: Security Checks
 
 on:
   push:
@@ -34,3 +34,20 @@ jobs:
         with:
           name: security-check-output
           path: output.txt
+
+  owasp-scan:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out
+        uses: actions/checkout@v3
+      - name: OWASP scan
+        run: docker compose run owasp
+        working-directory: ./src
+      - name: Upload output
+        uses: actions/upload-artifact@v2
+        with:
+          name: owasp-scan-output
+          path: ./src/zap_report.html
+

src/docker-compose.yml

@@ -22,7 +22,7 @@ services:
       # Tell Django where to find its configuration
       - DJANGO_SETTINGS_MODULE=registrar.config.settings
       # Set a local key for Django
-      - DJANGO_SECRET_KEY=feedabee
+      - DJANGO_SECRET_KEY=really-long-random-string-BNPecI7+s8jMahQcGHZ3XQ5yUfRrSibdapVLIz0UemdktVPofDKcoy
       # Run Django in debug mode on local
       - DJANGO_DEBUG=True
       # Tell Django where it is being hosted
@@ -71,3 +71,11 @@ services:
       - app
     profiles:
       - pa11y
+
+  owasp:
+    image: owasp/zap2docker-weekly
+    command: zap-baseline.py -t http://app:8080 -c zap.conf -I -r zap_report.html
+    volumes:
+      - .:/zap/wrk/
+    links: ["app"]
+    profiles: ["owasp-scan"]

src/zap.conf

@@ -0,0 +1,121 @@
+# zap-full-scan rule configuration file
+# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
+# Active scan rules set to IGNORE will not be run which will speed up the scan
+# Only the rule identifiers are used - the names are just for info
+# You can add your own messages to each rule by appending them after a tab on each line.
+0	WARN	(Directory Browsing - Active/release)
+10003	WARN	(Vulnerable JS Library - Passive/release)
+10010	FAIL	(Cookie No HttpOnly Flag - Passive/release)
+10011	FAIL	(Cookie Without Secure Flag - Passive/release)
+10015	WARN	(Incomplete or No Cache-control Header Set - Passive/release)
+10016	FAIL	(Web Browser XSS Protection Not Enabled)
+10017	WARN	(Cross-Domain JavaScript Source File Inclusion - Passive/release)
+10019	WARN	(Content-Type Header Missing - Passive/release)
+10020	FAIL	(X-Frame-Options Header - Passive/release)
+10021	WARN	(X-Content-Type-Options Header Missing - Passive/release)
+10023	WARN	(Information Disclosure - Debug Error Messages - Passive/release)
+10024	FAIL	(Information Disclosure - Sensitive Information in URL - Passive/release)
+10025	FAIL	(Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/release)
+10026	WARN	(HTTP Parameter Override - Passive/beta)
+10027	WARN	(Information Disclosure - Suspicious Comments - Passive/release)
+10028	FAIL	(Open Redirect - Passive/beta)
+10029	WARN	(Cookie Poisoning - Passive/beta)
+10030	WARN	(User Controllable Charset - Passive/beta)
+10031	WARN	(User Controllable HTML Element Attribute (Potential XSS) - Passive/beta)
+10032	WARN	(Viewstate - Passive/release)
+10033	WARN	(Directory Browsing - Passive/beta)
+10034	WARN	(Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)
+10035	FAIL	(Strict-Transport-Security Header - Passive/beta)
+10036	WARN	(HTTP Server Response Header - Passive/beta)
+10037	WARN	(Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
+10038	FAIL	(Content Security Policy (CSP) Header Not Set - Passive/beta)
+10039	WARN	(X-Backend-Server Header Information Leak - Passive/beta)
+10040	FAIL	(Secure Pages Include Mixed Content - Passive/release)
+10041	WARN	(HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)
+10042	WARN	(HTTPS to HTTP Insecure Transition in Form Post - Passive/beta)
+10043	FAIL	(User Controllable JavaScript Event (XSS) - Passive/beta)
+10044	WARN	(Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta)
+10045	WARN	(Source Code Disclosure - /WEB-INF folder - Active/release)
+10047	WARN	(HTTPS Content Available via HTTP - Active/beta)
+10048	FAIL	(Remote Code Execution - Shell Shock - Active/beta)
+10050	WARN	(Retrieved from Cache - Passive/beta)
+10051	WARN	(Relative Path Confusion - Active/beta)
+10052	WARN	(X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta)
+10053	WARN	(Apache Range Header DoS (CVE-2011-3192) - Active/beta)
+10054	WARN	(Cookie without SameSite Attribute - Passive/release)
+10055	WARN	(CSP - Passive/release)
+10056	WARN	(X-Debug-Token Information Leak - Passive/release)
+10057	WARN	(Username Hash Found - Passive/release)
+10058	FAIL	(GET for POST - Active/beta)
+10061	WARN	(X-AspNet-Version Response Header - Passive/release)
+10062	FAIL	(PII Disclosure - Passive/beta)
+10095	IGNORE	(Backup File Disclosure - Active/beta)
+10096	WARN	(Timestamp Disclosure - Passive/release)
+10097	WARN	(Hash Disclosure - Passive/beta)
+10098	WARN	(Cross-Domain Misconfiguration - Passive/release)
+10104	WARN	(User Agent Fuzzer - Active/beta)
+10105	WARN	(Weak Authentication Method - Passive/release)
+10106	IGNORE	(HTTP Only Site - Active/beta)
+10107	WARN	(Httpoxy - Proxy Header Misuse - Active/beta)
+10108	WARN	(Reverse Tabnabbing - Passive/beta)
+10109	WARN	(Modern Web Application - Passive/beta)
+10202	FAIL	(Absence of Anti-CSRF Tokens - Passive/release)
+2	WARN	(Private IP Disclosure - Passive/release)
+20012	FAIL	(Anti-CSRF Tokens Check - Active/beta)
+20014	WARN	(HTTP Parameter Pollution - Active/beta)
+20015	WARN	(Heartbleed OpenSSL Vulnerability - Active/beta)
+20016	WARN	(Cross-Domain Misconfiguration - Active/beta)
+20017	FAIL	(Source Code Disclosure - CVE-2012-1823 - Active/beta)
+20018	FAIL	(Remote Code Execution - CVE-2012-1823 - Active/beta)
+20019	WARN	(External Redirect - Active/release)
+3	WARN	(Session ID in URL Rewrite - Passive/release)
+30001	WARN	(Buffer Overflow - Active/release)
+30002	WARN	(Format String Error - Active/release)
+30003	WARN	(Integer Overflow Error - Active/beta)
+40003	WARN	(CRLF Injection - Active/release)
+40008	WARN	(Parameter Tampering - Active/release)
+40009	WARN	(Server Side Include - Active/release)
+40012	FAIL	(Cross Site Scripting (Reflected) - Active/release)
+40013	FAIL	(Session Fixation - Active/beta)
+40014	FAIL	(Cross Site Scripting (Persistent) - Active/release)
+40016	FAIL	(Cross Site Scripting (Persistent) - Prime - Active/release)
+40017	FAIL	(Cross Site Scripting (Persistent) - Spider - Active/release)
+40018	FAIL	(SQL Injection - Active/release)
+40019	FAIL	(SQL Injection - MySQL - Active/beta)
+40020	FAIL	(SQL Injection - Hypersonic SQL - Active/beta)
+40021	FAIL	(SQL Injection - Oracle - Active/beta)
+40022	FAIL	(SQL Injection - PostgreSQL - Active/beta)
+40023	FAIL	(Possible Username Enumeration - Active/beta)
+40024	FAIL	(SQL Injection - SQLite - Active/beta)
+40025	FAIL	(Proxy Disclosure - Active/beta)
+40026	FAIL	(Cross Site Scripting (DOM Based) - Active/beta)
+40027	FAIL	(SQL Injection - MsSQL - Active/beta)
+40028	WARN	(ELMAH Information Leak - Active/release)
+40029	WARN	(Trace.axd Information Leak - Active/beta)
+40032	FAIL	(.htaccess Information Leak - Active/release)
+40034	FAIL	(.env Information Leak - Active/beta)
+40035	FAIL	(Hidden File Finder - Active/beta)
+41	FAIL	(Source Code Disclosure - Git  - Active/beta)
+42	WARN	(Source Code Disclosure - SVN - Active/beta)
+43	WARN	(Source Code Disclosure - File Inclusion - Active/beta)
+50000	WARN	(Script Active Scan Rules - Active/release)
+50001	WARN	(Script Passive Scan Rules - Passive/release)
+6	WARN	(Path Traversal - Active/release)
+7	WARN	(Remote File Inclusion - Active/release)
+90001	WARN	(Insecure JSF ViewState - Passive/release)
+90011	WARN	(Charset Mismatch - Passive/release)
+90017	WARN	(XSLT Injection - Active/beta)
+90019	WARN	(Server Side Code Injection - Active/release)
+90020	FAIL	(Remote OS Command Injection - Active/release)
+90021	WARN	(XPath Injection - Active/beta)
+90022	WARN	(Application Error Disclosure - Passive/release)
+90023	WARN	(XML External Entity Attack - Active/beta)
+90024	WARN	(Generic Padding Oracle - Active/beta)
+90025	WARN	(Expression Language Injection - Active/beta)
+90026	WARN	(SOAP Action Spoofing - Active/alpha)
+90027	IGNORE	(Cookie Slack Detector - Active/beta)
+90028	WARN	(Insecure HTTP Method - Active/beta)
+90029	WARN	(SOAP XML Injection - Active/alpha)
+90030	WARN	(WSDL File Detection - Passive/alpha)
+90033	WARN	(Loosely Scoped Cookie - Passive/release)
+90034	WARN	(Cloud Metadata Potentially Exposed - Active/beta)