Provide a way for users to fail the DAST job if authentication fails
Problem to solve
Unfortunately, an issue occurs when the login fails for some reason. Examples of failures include:
- Incorrect username
- Incorrect password
- Incorrect username field
- Incorrect password field
- The form may have changed to introduce another required field (e.g. terms and conditions must be accepted)
- The URL of the login form may have changed
Many sites will send a 200 response code with a message that says "Login failed". In these cases DAST treats the login attempt as successful, because it does not inspect the response intelligently.
DAST will then continue (potentially for hours!) to execute the scan, missing much of the content that would normally be scanned, and therefore appearing as if many vulnerabilities have been fixed.
The customer can supply another environment variable, DAST_AUTH_URL_VERIFICATION.
- The variable is optional, even if other authentication parameters are provided.
- The variable should map to a CLI argument.
This variable should contain a URL that is only accessible when the user provided in DAST_USERNAME is logged in.
After DAST attempts to log the user in, DAST will request the URL in DAST_AUTH_URL_VERIFICATION using the authentication cookies.
If the response status is not in the 200-299 range, the login will be considered unsuccessful.
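The verification step described above, as an added example that is not part of this issue or of GitLab's DAST code: a Python script that runs a constructed toy login site (POST /login answers 200 with "Login failed" on bad credentials, exactly the behaviour the issue complains about; GET /dashboard is only reachable with a valid session cookie and otherwise redirects to /login) and a client that logs in, requests the verification URL with the captured cookies, and treats only a 200-299 status as a successful login. The host, paths, form field names, credentials and session token are all constructed assumptions, not values from the page.

```python
import http.cookies
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Constructed credentials and session token for the toy site (not real values).
VALID_USER = "alice"
VALID_PASSWORD = "correct-horse"
SESSION_TOKEN = "constructed-session-token"


class ToySite(http.server.BaseHTTPRequestHandler):
    """Behaves like the sites the issue describes: POST /login answers 200
    whether or not the credentials are right; GET /dashboard is reachable only
    with a valid session cookie and otherwise redirects to /login."""

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_POST(self):
        if self.path != "/login":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        ok = form.get("username") == [VALID_USER] and form.get("password") == [VALID_PASSWORD]
        self.send_response(200)  # 200 either way; only the body and the cookie differ
        self.send_header("Content-Type", "text/plain")
        if ok:
            self.send_header("Set-Cookie", "session=%s; Path=/" % SESSION_TOKEN)
        self.end_headers()
        self.wfile.write(b"Welcome" if ok else b"Login failed")

    def do_GET(self):
        if self.path != "/dashboard":
            self.send_error(404)
            return
        cookies = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        if "session" in cookies and cookies["session"].value == SESSION_TOKEN:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"private content")
        else:
            self.send_response(302)
            self.send_header("Location", "/login")
            self.end_headers()


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the login page is itself the signal
    that the session is not authenticated, so we want to see that status."""

    def redirect_request(self, *args, **kwargs):
        return None


def fetch_status(opener, url, data=None):
    """Return the HTTP status of a request, including non-2xx statuses."""
    try:
        with opener.open(url, data=data) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def login_and_verify(base_url, username, password, verification_url, username_field="username"):
    """Log in, then request verification_url with the cookies the login set.
    Returns (login_status, verification_status, login_succeeded). The login
    status alone is useless here: it is 200 for every attempt."""
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar), NoRedirect())
    form = urllib.parse.urlencode({username_field: username, "password": password}).encode()
    login_status = fetch_status(opener, base_url + "/login", data=form)
    verify_status = fetch_status(opener, verification_url)
    return login_status, verify_status, 200 <= verify_status <= 299


def demo():
    """Run the toy site on a random local port and exercise three scenarios:
    correct credentials, wrong password, and a wrong username field name."""
    server = http.server.HTTPServer(("127.0.0.1", 0), ToySite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    verify_url = base + "/dashboard"  # only reachable when logged in
    try:
        return {
            "good": login_and_verify(base, VALID_USER, VALID_PASSWORD, verify_url),
            "bad_password": login_and_verify(base, VALID_USER, "wrong", verify_url),
            "wrong_field": login_and_verify(base, VALID_USER, VALID_PASSWORD, verify_url,
                                            username_field="user"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the demo is the contrast in each tuple: the login POST returns 200 in all three scenarios, so a scanner that keys on that status would happily continue, while the verification request returns 302 for the two failed logins and 200 only for the real session. A scanner that fails the job when the verification status falls outside 200-299 catches the wrong password and the wrong field name alike.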
The new environment variable should be added to the documentation at https://docs.gitlab.com/ee/user/application_security/dast/#available-variables.