Verified Commit 8826cf08 authored by Erran Carey

Document Breach and Attack Simulation features

* Create a documentation home for the BAS feature set.
* Document DAST's new `DAST_FF_ENABLE_BAS` CI variable which enables
OAST through callback attacks.

See also #402784.
parent 17b1975b
---
stage: Secure
group: Incubation
info: Breach and Attack Simulation is a GitLab Incubation Engineering program. No technical writer assigned to this group.
type: reference, howto
---
# Breach and Attack Simulation (BAS) **(ULTIMATE)**
DISCLAIMER:
Breach and Attack Simulation is a set of experimental features being developed by the Incubation Engineering Department and will receive significant changes over time.
WARNING:
Do not run BAS scans against a production server. Attacker behavior tested may lead to modification or loss of data. Only run BAS scans against a test server.
Breach and Attack Simulation uses additional security testing techniques to help verify risk of detected vulnerabilities and prioritize remediation of exploitable vulnerabilities.
## Dynamic Application Security Testing (DAST)
Some active checks already perform match response or timing attacks during certain DAST scans.
Consider [enabling the BAS feature flag](../dast/browser_based.md#enable-breach-and-attack-simulation) inside of your DAST job to extend the existing browser-based DAST scanner to perform Out-of-Band Application Security Testing (OAST).
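Review bot: the sentence "Some active checks already perform match response or timing attacks during certain DAST scans." in this new index page conflicts with the "Enable Breach and Attack Simulation" section added to browser_based.md in the same commit, which lists "Active checks including match response and timing attacks." as something the feature flag enables. State plainly which of these checks run without the flag and which require `DAST_FF_ENABLE_BAS`, so a reader can tell exactly how scan behaviour changes when they turn it on.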
......@@ -200,6 +200,7 @@ For authentication CI/CD variables, see [Authentication](authentication.md).
| `DAST_BROWSER_STABILITY_TIMEOUT` | [Duration string](https://pkg.go.dev/time#ParseDuration) | `7s` | The maximum amount of time to wait for a browser to consider a page loaded and ready for analysis. |
| `DAST_EXCLUDE_RULES` | string | `10020,10026` | Set to a comma-separated list of ZAP Vulnerability Rule IDs to exclude them from running during the scan. Rule IDs are numbers and can be found from the DAST log or on the [ZAP project](https://www.zaproxy.org/docs/alerts/). |
| `DAST_EXCLUDE_URLS` | URLs | `https://example.com/.*/sign-out` | The URLs to skip during the authenticated scan; comma-separated. Regular expression syntax can be used to match multiple URLs. For example, `.*` matches an arbitrary character sequence. |
| `DAST_FF_ENABLE_BAS` | boolean | `true` | Set to `true` to [enable Breach and Attack Simulation](#enable-breach-and-attack-simulation) during this DAST scan, e.g. enable callback attacks during active checks. |
| `DAST_FULL_SCAN_ENABLED` | boolean | `true` | Set to `true` to run both passive and active checks. Default: `false` |
| `DAST_PATHS` | string | `/page1.html,/category1/page3.html` | Set to a comma-separated list of URL paths relative to `DAST_WEBSITE` for DAST to scan. |
| `DAST_PATHS_FILE` | string | `/builds/project/urls.txt` | Set to a file path containing a list of URL paths relative to `DAST_WEBSITE` for DAST to scan. The file must be plain text with one path per line. |
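Review bot: the new `DAST_FF_ENABLE_BAS` row gives no default value, whereas the neighbouring `DAST_FULL_SCAN_ENABLED` row ends with "Default: `false`"; add the default (presumably `false`, given the wording "Set to `true` to enable", but that should be confirmed) so readers know the flag is opt-in. The row should also say whether `DAST_FULL_SCAN_ENABLED` must be `true` as well, since it scopes BAS to "callback attacks during active checks" and, per the row below it, active checks only run during a full scan. Minor style point: "e.g." should be "for example", consistent with the rest of the table.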
......@@ -286,3 +287,28 @@ Adjusting these values may impact scan time because they adjust how long each br
## Troubleshooting
See [troubleshooting](browser_based_troubleshooting.md) for more information.
## Enable Breach and Attack Simulation
DISCLAIMER:
Breach and Attack Simulation is a set of experimental features being developed by the Incubation Engineering Department and will receive significant changes over time.
Enabling the Breach and Attack Simulation (BAS) feature flag will enable:
1. Active checks including match response and timing attacks.
1. Out-of-Band Application Security Testing (OAST) through callback attacks in active checks.
Configure your dast job to use the browser-based scanner then enable the Breach and Attack Simulation feature flag:
```yaml
include:
- template: DAST.gitlab-ci.yml
dast:
variables:
DAST_BROWSER_SCAN: "true"
DAST_FF_ENABLE_BAS: "true"
DAST_WEBSITE: "https://my.site.com"
```
Learn more about [available Breach and Attack Simulation features](../breach_and_attack_simulation/index.md).
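Review bot: the new "Enable Breach and Attack Simulation" section repeats the DISCLAIMER from the index page but not its WARNING ("Do not run BAS scans against a production server..."), yet this is the section where a user actually sets `DAST_FF_ENABLE_BAS: "true"`; repeat the WARNING here, directly above the YAML example, because `DAST_WEBSITE: "https://my.site.com"` gives no hint that the target must be a test server. The example also sets only `DAST_BROWSER_SCAN` and `DAST_FF_ENABLE_BAS`; if active checks require `DAST_FULL_SCAN_ENABLED: "true"` as the variables table states, add it to the example or say explicitly that the flag has no effect on a passive-only scan. As rendered here, `- template:` and `variables:` sit at column zero, so please verify the indentation under `include:` and `dast:` survived in the committed file. Minor wording: "will enable" reads better as "enables", and the job name in "Configure your dast job" belongs in code font as `dast`.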