Provide a way for users to fail the DAST job if authentication fails
Problem to solve
When a customer runs a DAST scan, they often want to log in to their application so that DAST can scan everything behind the login gateway. Many login screens require JavaScript, so DAST supports logging in with Selenium driving a browser: the customer sets the required environment variables, and before accessing the target website DAST drives the browser to fill out and submit the login form. After the form has been submitted, DAST queries Selenium for the browser's cookies and sets all of them as authentication cookies in ZAProxy.
A problem arises when the login fails for some reason. Examples of failures include:
- Incorrect username
- Incorrect password
- Incorrect user name field
- Incorrect password field
- The form may have changed to introduce another required field (e.g. terms and conditions must be accepted)
- The URL of the login form may have changed
Many sites respond to a failed login with a 200 status code and a "Login failed" message in the body. DAST does not inspect the response, so from its perspective the login attempt was successful.
DAST then continues to execute the scan (potentially for hours), never reaching much of the content that would normally be scanned. Findings from the missing pages disappear from the report, so it looks as though many vulnerabilities have been fixed.
Intended users
Implementation plan
- The customer can supply another environment variable, DAST_AUTH_URL_VERIFICATION.
- The variable is optional, even if other authentication parameters are provided.
- The variable should map to a CLI argument --auth-url-verification.
- This variable should contain a URL that is only accessible when the user provided in DAST_USERNAME is logged in.
- After DAST attempts to log the user in, DAST will contact the DAST_AUTH_URL_VERIFICATION using the authentication cookies.
- If DAST does not get a response in the 200-299 range then the login will be considered to be unsuccessful.
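The verification step described in the plan above, as an added Python example that is not the DAST analyzer's own code. The function names (`fetch_status`, `verify_authentication`) and the in-process fake application used as the target are assumptions made for this illustration; the fake application's behaviour (an authenticated-only /account page that redirects to /login without a valid session cookie, and a /login page that answers 200 "Login failed" no matter what) is constructed to mirror the failure mode described in the problem statement.

```python
import os
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: a 302 to the login page must stay a 302,
    otherwise urllib would land on the login page's 200 and hide the failure."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url, cookies, timeout=10):
    """GET `url` sending `cookies` (dict) as the Cookie header; return the raw
    HTTP status code, treating 3xx/4xx/5xx as data rather than exceptions."""
    cookie_header = "; ".join(f"{name}={value}" for name, value in cookies.items())
    request = urllib.request.Request(url, headers={"Cookie": cookie_header})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def verify_authentication(cookies, verification_url=None):
    """Hypothetical post-login check: (ok, reason). Skipped when no URL is set,
    succeeds only on a 2xx from the authenticated-only URL (spec above)."""
    if verification_url is None:
        verification_url = os.environ.get("DAST_AUTH_URL_VERIFICATION", "")
    if not verification_url:
        return True, "DAST_AUTH_URL_VERIFICATION not set; verification skipped"
    status = fetch_status(verification_url, cookies)
    if 200 <= status <= 299:
        return True, f"{verification_url} returned {status}"
    return False, f"{verification_url} returned {status}; authentication failed, aborting scan"


class _FakeApp(BaseHTTPRequestHandler):
    """Constructed target: /account needs session=valid, /login always says 200."""

    def _reply(self, status, body=b"", location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        cookie = self.headers.get("Cookie") or ""
        if self.path == "/account":
            if "session=valid" in cookie:
                self._reply(200, b"Welcome back")
            else:
                self._reply(302, location="/login")
        else:
            self._reply(200, b"Login failed")  # the misleading 200 from the issue

    def log_message(self, *args):
        pass


def start_fake_app():
    server = ThreadingHTTPServer(("127.0.0.1", 0), _FakeApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Run the check in the four situations a DAST operator will hit."""
    server = start_fake_app()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return {
            # correct cookie, correct URL: scan may proceed
            "good_cookie": verify_authentication({"session": "valid"}, f"{base}/account")[0],
            # wrong password left us with a junk cookie: 302 to /login, scan aborted
            "bad_cookie": verify_authentication({"session": "bogus"}, f"{base}/account")[0],
            # variable not supplied: behaviour unchanged, no verification
            "no_check": verify_authentication({"session": "bogus"}, "")[0],
            # pitfall: pointing the variable at the login page itself passes
            # on a 200 "Login failed", so the URL really must be login-only
            "login_page_pitfall": verify_authentication({"session": "bogus"}, f"{base}/login")[0],
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'login ok' if ok else 'login FAILED'}")
```

Two points from the demo matter for the implementation: redirects must not be followed, or a 302 to the login page turns into the login page's 200 and the check passes; and the documentation should tell users to pick a URL that is genuinely unreachable without a session, since a login page that answers 200 "Login failed" is exactly the response the check is meant to catch.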
Documentation
The new environment variable should be added to the documentation at https://docs.gitlab.com/ee/user/application_security/dast/#available-variables.