Add the ability to exclude paths from API Scans
Problem to solve
In baseline and full scans, users can exclude URLs from the scan by using the DAST_AUTH_EXCLUDE_PATHS
configuration value. This is useful because logout links are often crawled and followed, which ends the authenticated session and causes the rest of the scan to miss URLs that require authentication.
While logout is not a typical feature of an API, there may be other reasons why a user may want to exclude URLs.
Intended users
Proposal
The implementation of _EXCLUDE_PATHS can be done by updating the configuration file route entries using information from this variable. This will only require changes to worker-entry and/or the ci script.
The format of _EXCLUDE_PATHS will be:
- Use ; to separate entries
- Provide only the path element; no query string, scheme, or host
- Use ? for a single-character wildcard
- Use * for a multiple-character wildcard
Examples:
/storage/*
/v?/*
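The following is an added example, not code from this issue or from the scanner itself, showing one way the proposed format could be parsed and matched against the path element of a URL or route entry. The names (ExcludePaths, parse_exclude_paths, glob_to_regex, filter_routes) are hypothetical, and it assumes that * may span / so that /storage/* also covers nested paths:

```python
import re
from urllib.parse import urlsplit

# Hypothetical parser/matcher for the proposed DAST_API_EXCLUDE_PATHS /
# FUZZAPI_EXCLUDE_PATHS value. Assumption: the rules below mirror the format
# described in the issue; this is illustrative code, not the scanner's own.


def parse_exclude_paths(value):
    """Split the variable value on ';' and drop empty entries (e.g. a trailing ';')."""
    return [entry.strip() for entry in value.split(";") if entry.strip()]


def glob_to_regex(pattern):
    """Translate one path pattern into a regex used with fullmatch().

    '?' matches exactly one character, '*' matches zero or more characters
    (assumption: '*' may span '/'). Every other character is matched literally,
    so '.' in '/file.txt' is not a regex wildcard.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def path_element(url_or_path):
    """Return only the path element: scheme, host and query string are stripped."""
    path = urlsplit(url_or_path).path
    return path or "/"


class ExcludePaths:
    """Compiled view of one _EXCLUDE_PATHS value."""

    def __init__(self, value):
        self.patterns = parse_exclude_paths(value)
        self._compiled = [glob_to_regex(p) for p in self.patterns]

    def is_excluded(self, url_or_path):
        """True if the path element of the input matches any pattern exactly."""
        path = path_element(url_or_path)
        return any(rx.fullmatch(path) for rx in self._compiled)

    def filter_routes(self, routes):
        """Drop route entries whose path is excluded (the proposed route update)."""
        return [r for r in routes if not self.is_excluded(r)]


if __name__ == "__main__":
    # Constructed sample input: the two patterns from the issue plus a trailing ';'.
    excludes = ExcludePaths("/storage/*;/v?/*;")
    # Constructed sample route entries (not from any real configuration file).
    routes = ["/v1/users", "/api/health", "/storage/x", "/v10/users"]
    for route in routes:
        print(route, "excluded" if excludes.is_excluded(route) else "kept")
    print("remaining routes:", excludes.filter_routes(routes))
```

Note that /v?/* requires exactly one character between v and the slash, so /v10/users is kept, and /v1 without a trailing slash is kept as well; a practitioner who wants both forms excluded would list /v? as a separate entry.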
Tasks:
- Add new variables DAST_API_EXCLUDE_PATHS and FUZZAPI_EXCLUDE_PATHS that use the same rules as the route include/exclude logic already available via API Security configuration files. This will make the implementation easier.
- Add tests to worker-entry
- Add e2e test for exclude urls
- Release new container image
- Update DAST API documentation
- Update API Fuzzing documentation to reflect new variable
What is the type of buyer?
Edited by Michael Eddington