Testfire (AltoroJ) Quick Start section

Signed-off-by: kingthorin <[email protected]>

Author: kingthorin

site/content/docs/testapps/altoroj.md

@@ -12,9 +12,38 @@ maintained by [HCL Software](https://www.hcl-software.com/).
 
 It is a traditional app created in 2008 and is not updated very often.
 
-* Online: http://testfire.net/
+* Online: https://demo.testfire.net/
 * Repo: https://github.com/HCL-TECH-SOFTWARE/AltoroJ
 
+### Quick Start
+
+New to ZAP and just want to quickly run ZAP against Testfire (AltoroJ)?
+
+Just run these commands:
+
+```bash
+# Download the recommended plan using curl, or use any other suitable tool
+curl -O https://raw.githubusercontent.com/zaproxy/community-scripts/refs/heads/main/other/af-plans/FullScanTestfireAuth.yaml
+
+# Run ZAP using the stable Docker image, mapping the CWD so that Docker can access the file system and export the report
+docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable zap.sh -cmd -autorun wrk/FullScanTestfireAuth.yaml
+```
+
+To run this command on Windows see the [relevant documentation](/docs/docker/about/#mounting-the-current-directory).
+
+You will need to have Docker installed. If you do not want to use Docker then you can of course install ZAP locally.
+
+The scan should find the following High and Medium risk alerts:
+
+* 🔴 [Cross Site Scripting (Reflected](/docs/alerts/40012/)
+* 🔴 [SQL Injection](/docs/alerts/40018/)
+* 🟠 [Absence of Anti-CSRF Tokens](/docs/alerts/10202/)
+* 🟠 [Missing Anti-clickjacking Header](/docs/alerts/10020/)
+* 🟠 [Content Security Policy (CSP) Header Not Set](/docs/alerts/10038/)
+* 🟠 [Secure Pages Include Mixed Content (Including Scripts)](/docs/alerts/10040/)
+
+It will create an HTML report in your CWD containing full details of all of the issues found.
+
 ### Potential Pitfalls
 
 This is an online app which may be unavailable or broken at any point.
@@ -49,49 +78,58 @@ env:
   contexts:
   - name: testfire
     urls:
-    - http://testfire.net
+    - http://demo.testfire.net
     includePaths:
-    - http://testfire.net.*
-    excludePaths:
-    - http://testfire.net/logout.jsp
-    - http://testfire.net/doLogin
+    - https://demo.testfire.net.*
     authentication:
       method: browser
       parameters:
-        loginPageUrl: http://testfire.net/login.jsp
+        loginPageUrl: https://demo.testfire.net/login.jsp
         loginPageWait: 2
         browserId: firefox
       verification:
         method: poll
         loggedInRegex: \Q 200 OK\E
         loggedOutRegex: \Q 302 Found\E
         pollFrequency: 60
-        pollUnits: requests
-        pollUrl: http://testfire.net/bank/main.jsp
+        pollUnits: seconds
+        pollUrl: https://demo.testfire.net/bank/main.jsp
         pollPostData: ""
     sessionManagement:
       method: headers
     users:
-    - name: admin
+    - name: jsmith
       credentials:
-        password: admin
-        username: admin
+        password: demo1234
+        username: jsmith
 ```
 
+> [!NOTE]
+> There are no exclude paths added in the environment definition. Logout avoidance is used in the Traditional Spider job example below.
+> doLogin is left included as it is impacted by a SQLi vulnerability.
 
 ### Crawling
 
-Any of the ZAP Spiders can be used to crawl AltoroJ.
+Any of the ZAP Spiders can be used to crawl Testfire (AltoroJ).
+
+For the [Traditional Spider](/docs/desktop/addons/spider/) we recommend the following configuration:
 
-For the [Traditional Spider](/docs/desktop/addons/spider/) to be able to crawl the app you need to exclude the login and logout URLs from the context as above.
+```yaml
+- type: spider
+  parameters:
+    context: testfire
+    user: jsmith
+    url: https://demo.testfire.net
+    logoutAvoidance: true
+```
 
 For the [AJAX Spider](/docs/desktop/addons/ajax-spider/) you need to exclude the logout link:
 
 ``` yaml
 - type: spiderAjax
   parameters:
     context: testfire
-    user: admin
+    user: jsmith
     browserId: firefox-headless
     excludedElements:
     - description: Logout
@@ -101,6 +139,6 @@ For the [AJAX Spider](/docs/desktop/addons/ajax-spider/) you need to exclude the
 
 ### Scanning
 
-We are not aware of a definitive list of the vulnerabilities in AltoroJ. 
+We believe this is a definitive list of the vulnerabilities in Testfire (AltoroJ): https://help.hcl-software.com/appscan/ASoC/ja/PDF/Sample_DAST_Report.pdf
 
 Not too surprisingly you will need to configure the [activeScan](/docs/desktop/addons/automation-framework/job-ascan/) job, and you will probably want to generate a [report](/docs/desktop/addons/report-generation/automation/).