
Apply Domain validation to Full API scans

Problem to solve

In full scans of a non-API website, users can opt in to domain validation, which adds assurance that the website being scanned is the intended one. This is enabled through the DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED environment variable.

The same assurance is valuable for a full scan of an API.

Intended users

Proposal

DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED should apply to API scans as well, and behave exactly the same way as it does for full scans of a normal website.

Implementation plan

Context

Right now, target processing looks like this:

  1. Check target is valid (including domain validation). Will continue with both valid and invalid targets unless domain validation fails
  2. Start ZAP
  3. Load API specification
  4. Check ZAP can access target. Exits for invalid targets

In order to implement domain validation for API scans, we'll need to move the validation in step 1 into step 4, after the API specification has been loaded, so that the API target is known when the check runs.

Details

  1. Remove check that target is configured from ScanScriptWrapper. This is already checked in ConfigurationParser
  2. Move check that target is a valid URL from ScanScriptWrapper to TargetSelector
  3. Move DAST target probe with domain validation from ScanScriptWrapper and TargetWebsite to TargetSelector
     Note: the ZAP probe is a duplicate of the DAST probe, and will be removed in #257963 (closed)
  4. Enable domain validation for API full scans
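The reordered flow above, as an added example that is not GitLab's DAST code: the target is derived from the loaded API specification first, checked for being a valid URL, and only then probed for domain validation, with the scan refused when validation is required and no permission was granted. The permission signal (a Gitlab-DAST-Permission header, or a Gitlab-DAST-Permission.txt file at the site root, each reading "allow") and the fetch callback are assumptions for this example; the OpenAPI stub and responses are constructed so it runs offline.

```python
import json
from urllib.parse import urlparse, urlunparse

# Assumed permission signal: a response header or a root text file reading "allow".
PERMISSION_HEADER = "Gitlab-DAST-Permission"
PERMISSION_FILE = "Gitlab-DAST-Permission.txt"


class DomainValidationError(Exception):
    """Validation was required and the target did not grant scan permission."""


def is_valid_url(url):
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def api_target_from_spec(spec_json):
    """The target is only known once the spec is loaded: take the first OpenAPI server."""
    servers = json.loads(spec_json).get("servers") or []
    if not servers:
        raise ValueError("API specification declares no servers")
    return servers[0]["url"]


def domain_validated(target, fetch):
    """fetch(url) -> (status, headers, body). Accept header first, then root file."""
    _, headers, _ = fetch(target)
    if headers.get(PERMISSION_HEADER, "").strip().lower() == "allow":
        return True
    p = urlparse(target)  # the file lives at the site root, not under the API base path
    status, _, body = fetch(urlunparse((p.scheme, p.netloc, "/" + PERMISSION_FILE, "", "", "")))
    return status == 200 and body.strip().lower() == "allow"


def select_target(spec_json, fetch, validation_required):
    """Step 4 of the proposed flow, performed after the API specification is loaded."""
    target = api_target_from_spec(spec_json)
    if not is_valid_url(target):
        raise ValueError("API target is not a valid http(s) URL: %r" % target)
    if validation_required and not domain_validated(target, fetch):
        raise DomainValidationError("target %s did not grant scan permission" % target)
    return target


# Constructed sample data: an OpenAPI stub plus fake responders instead of real HTTP.
SAMPLE_SPEC = json.dumps({"openapi": "3.0.0", "servers": [{"url": "https://api.example.test/v1"}]})
BY_HEADER = {"https://api.example.test/v1": (200, {"Gitlab-DAST-Permission": "allow"}, "")}
BY_FILE = {"https://api.example.test/v1": (200, {}, "{}"),
           "https://api.example.test/Gitlab-DAST-Permission.txt": (200, {}, "allow\n")}
NO_PERMISSION = {"https://api.example.test/v1": (200, {}, "{}")}


def make_fetch(responses):
    return lambda url: responses.get(url, (404, {}, ""))
```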

Documentation

Documentation should be updated to communicate that this feature is now supported.

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Gold/Ultimate

/cc @sethgitlab @derekferguson

Edited by Avielle Wolfe