
Add the ability to exclude paths from API Scans

Problem to solve

In baseline and full scans, users can exclude URLs from the scan by using the DAST_AUTH_EXCLUDE_PATHS configuration value. This is useful because logout links are often crawled and scanned, which causes the rest of the scan to miss URLs that require authentication.

While logout is not a typical feature on an API, there may be other reasons why a user may want to exclude URLs.

Intended users

Proposal

The implementation of _EXCLUDE_PATHS can be done by updating the configuration file route entries using information from this variable. This will only require changes to the worker-entry and/or CI script.

The format of _EXCLUDE_PATHS will be:

  • Use ; to separate entries
  • Provide only the path element: no query string, scheme, or host.
  • Use ? for single character wildcard
  • Use * for multiple character wildcard

Examples:

  • /storage/*
  • /v?/*
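
As an added illustration (not code from the issue or from the DAST/API Fuzzing scanners), the following Python shows how the format above can be parsed and applied to a list of routes: the variable is split on `;`, each entry is compiled to an anchored regex where `?` matches one character and `*` matches any run of characters, and a URL is reduced to its path element before matching. Two details the proposal leaves open are treated here as assumptions: `*` is allowed to span `/` (so `/storage/*` covers `/storage/a/b`), and a pattern must match the whole path rather than a prefix. The sample variable value and routes are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample value for the proposed DAST_API_EXCLUDE_PATHS variable,
# using the ';'-separated format described in the issue.
SAMPLE_EXCLUDE_PATHS = "/storage/*;/v?/*;/logout"

# Constructed sample routes as a scanner might hold them before filtering.
SAMPLE_ROUTES = [
    "https://api.example.com/users",
    "https://api.example.com/v1/users",
    "https://api.example.com/v10/users",
    "https://api.example.com/storage/files/1?download=true",
    "https://api.example.com/logout",
    "https://api.example.com/logout-history",
]


def parse_exclude_paths(value):
    """Split the ';'-separated variable into individual path patterns, ignoring blanks."""
    return [entry.strip() for entry in value.split(";") if entry.strip()]


def pattern_to_regex(pattern):
    """Compile one exclude pattern to an anchored regex.

    '?' -> exactly one character, '*' -> any run of characters (assumed to
    include '/'). Every other character is escaped so that '.' and similar
    stay literal instead of becoming regex metacharacters.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def is_excluded(url_or_path, patterns):
    """Return True if the path element of the URL matches any exclude pattern.

    Scheme, host and query string are discarded before matching, because the
    patterns are specified as path-only entries.
    """
    path = urlsplit(url_or_path).path or "/"
    return any(pattern_to_regex(p).match(path) for p in patterns)


def filter_routes(routes, exclude_value):
    """Drop every route whose path matches an entry in the exclude variable."""
    patterns = parse_exclude_paths(exclude_value)
    return [route for route in routes if not is_excluded(route, patterns)]


if __name__ == "__main__":
    for route in filter_routes(SAMPLE_ROUTES, SAMPLE_EXCLUDE_PATHS):
        print("scan:", route)
```

With the sample value, `/v?/*` excludes `/v1/users` but not `/v10/users`, since `?` consumes exactly one character; `/logout` excludes only that exact path and leaves `/logout-history` in the scan, which is why a trailing `*` is needed when a whole subtree should be skipped.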

Tasks:

  1. Add new variables DAST_API_EXCLUDE_PATHS and FUZZAPI_EXCLUDE_PATHS that use the same rules as the route include/exclude logic already available via API Security configuration files. This will make the implementation easier.
  2. Add tests to worker-entry
  3. Add e2e test for exclude urls
  4. Release new container image
  5. Update DAST API documentation
  6. Update API Fuzzing documentation to reflect new variable

What is the type of buyer?

Gold/Ultimate

Edited by Michael Eddington