Testfire (AltoroJ) Quick Start section

Signed-off-by: kingthorin <[email protected]>

Author: kingthorin

site/content/docs/testapps/altoroj.md

@@ -15,6 +15,40 @@ It is a traditional app created in 2008 and is not updated very often.
 * Online: http://testfire.net/
 * Repo: https://github.com/HCL-TECH-SOFTWARE/AltoroJ
 
+### Quick Start
+
+New to ZAP and just want to quickly run ZAP against Testfire (AltoroJ)?
+
+Just run these commands:
+
+```bash
+# Download the recommended plan using curl, or use any other suitable tool
+curl -O https://raw.githubusercontent.com/zaproxy/community-scripts/refs/heads/main/other/af-plans/FullScanTestfireAuth.yaml
+
+# Run ZAP using the stable Docker image, mapping the CWD so that Docker can access the file system and export the report
+docker run -v $(pwd):/zap/wrk/:rw -t zaproxy/zap-stable zap.sh -cmd -autorun wrk/FullScanTestfireAuth.yaml
+```
+
+To run this command on Windows see the [relevant documentation](/docs/docker/about/#mounting-the-current-directory).
+
+You will need to have Docker installed. If you do not want to use Docker then you can of course install ZAP locally.
+
+The scan should find the following High and Medium risk alerts:
+
+* 🔴 [Cross Site Scripting (Reflected](/docs/alerts/40012/)
+* 🔴 [SQL Injection](/docs/alerts/40018/)
+* 🔴 [External Redirect](/docs/alerts/20019/)
+* 🔴 [PII Disclosure](/docs/alerts/10062/)
+* 🟠 [Absence of Anti-CSRF Tokens](/docs/alerts/10202/)
+* 🟠 [Anti-CSRF Tokens Check](/docs/alerts/20012/)
+* 🟠 [Buffer Overflow](/docs/alerts/30001/) / I[nteger Overflow Error](/docs/alerts/30003/)
+* 🟠 [Missing Anti-clickjacking Header](/docs/alerts/10020/)
+* 🟠 [Relative Path Confusion](/docs/alerts/10051/)
+* 🟠 [Sub Resource Integrity Attribute Missing](/docs/alerts/90003/)
+* 🟠 [Content Security Policy (CSP) Header Not Set](/docs/alerts/10038/)
+
+It will create an HTML report in your CWD containing full details of all of the issues found.
+
 ### Potential Pitfalls
 
 This is an online app which may be unavailable or broken at any point.
@@ -52,9 +86,6 @@ env:
     - http://testfire.net
     includePaths:
     - http://testfire.net.*
-    excludePaths:
-    - http://testfire.net/logout.jsp
-    - http://testfire.net/doLogin
     authentication:
       method: browser
       parameters:
@@ -66,7 +97,7 @@ env:
         loggedInRegex: \Q 200 OK\E
         loggedOutRegex: \Q 302 Found\E
         pollFrequency: 60
-        pollUnits: requests
+        pollUnits: seconds
         pollUrl: http://testfire.net/bank/main.jsp
         pollPostData: ""
     sessionManagement:
@@ -78,12 +109,24 @@ env:
         username: admin
 ```
 
+> [!NOTE]
+> There are no exclude paths added in the environment definition. Logout avoidance is used in the Traditional Spider job example below.
+> doLogin is left included as it is impacted by a SQLi vulnerability.
 
 ### Crawling
 
-Any of the ZAP Spiders can be used to crawl AltoroJ.
+Any of the ZAP Spiders can be used to crawl Testfire (AltoroJ).
+
+For the [Traditional Spider](/docs/desktop/addons/spider/) we recommend enabling 
 
-For the [Traditional Spider](/docs/desktop/addons/spider/) to be able to crawl the app you need to exclude the login and logout URLs from the context as above.
+```yaml
+- type: spider
+  parameters:
+    context: testfire
+    user: jsmith
+    url: http://testfire.net
+    logoutAvoidance: true
+```
 
 For the [AJAX Spider](/docs/desktop/addons/ajax-spider/) you need to exclude the logout link:
 
@@ -101,6 +144,6 @@ For the [AJAX Spider](/docs/desktop/addons/ajax-spider/) you need to exclude the
 
 ### Scanning
 
-We are not aware of a definitive list of the vulnerabilities in AltoroJ. 
+We believe this is a definitive list of the vulnerabilities in Testfire (AltoroJ): https://help.hcl-software.com/appscan/ASoC/ja/PDF/Sample_DAST_Report.pdf
 
 Not too surprisingly you will need to configure the [activeScan](/docs/desktop/addons/automation-framework/job-ascan/) job, and you will probably want to generate a [report](/docs/desktop/addons/report-generation/automation/).