Apply Domain validation to Full API scans
Problem to solve
In full scans of a non-API website, users can require domain validation as a safeguard that the intended website is the one being scanned. This is enabled with the DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED environment variable.
The same safeguard is valuable, for the same reasons, in a full scan of an API.
Intended users
Proposal
DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED should apply to API scans as well, and behave exactly the same way as it does for full scans of a normal website.
Implementation plan
Context
Right now, target processing looks like this:
- Check target is valid (including domain validation). Will continue with both valid and invalid targets unless domain validation fails
- Start ZAP
- Load API specification
- Check ZAP can access target. Exits for invalid targets
To implement domain validation for API scans, we'll need to move step 1 into step 4, so that the check runs once the API target (taken from the loaded specification) is known.
Details
- Remove the check that the target is configured from ScanScriptWrapper. This is already checked in ConfigurationParser.
- Move the check that the target is a valid URL from ScanScriptWrapper to TargetSelector.
- Move the DAST target probe with domain validation from ScanScriptWrapper and TargetWebsite to TargetSelector.
- Note: the ZAP probe is a duplicate of the DAST probe, and will be removed in #257963 (closed).
- Enable domain validation for API full scans.
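As an added illustration, not code from the DAST project, here is a Python sketch of the target-selection flow the Details list describes: URL validation, target probe and domain validation handled in one place, with domain validation using the Gitlab-DAST-Permission header or Gitlab-DAST-Permission.txt file that GitLab DAST documents. ProbeResponse, select_target, sample_fetch and the example hosts are assumptions made for the sketch.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlparse

@dataclass
class ProbeResponse:
    """Constructed stand-in for what the DAST target probe gets back (hypothetical type)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def domain_validation_passes(root: ProbeResponse, txt: Optional[ProbeResponse]) -> bool:
    """Domain validation as GitLab DAST documents it: the site answers with a
    Gitlab-DAST-Permission: allow header, or serves /Gitlab-DAST-Permission.txt saying 'allow'."""
    header = {k.lower(): v for k, v in root.headers.items()}.get("gitlab-dast-permission", "")
    if header.strip().lower() == "allow":
        return True
    return txt is not None and txt.status == 200 and txt.body.strip().lower() == "allow"

def select_target(target_url: str, validation_required: bool,
                  fetch: Callable[[str], Optional[ProbeResponse]]) -> dict:
    """Hypothetical TargetSelector flow: URL check, then probe, then domain validation.
    Only failed (or impossible) domain validation aborts; an unreachable target otherwise continues."""
    parsed = urlparse(target_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return {"decision": "abort", "reason": f"invalid target URL: {target_url}"}
    # For an API scan the probe goes to the host the spec points at, not to the spec document.
    root = f"{parsed.scheme}://{parsed.netloc}/"
    root_probe = fetch(root)
    if root_probe is None:
        if validation_required:
            return {"decision": "abort", "reason": f"{root} unreachable, cannot validate domain"}
        return {"decision": "continue", "reachable": False}
    txt_probe = fetch(root + "Gitlab-DAST-Permission.txt") if validation_required else None
    if validation_required and not domain_validation_passes(root_probe, txt_probe):
        return {"decision": "abort", "reason": f"domain validation failed for {root}"}
    return {"decision": "continue", "reachable": True}

# Constructed responses standing in for real HTTP probes so the example runs offline.
SAMPLE_SITES = {
    "https://api.example.test/": ProbeResponse(200, {"Gitlab-DAST-Permission": "allow"}),
    "https://files.example.test/": ProbeResponse(200),
    "https://files.example.test/Gitlab-DAST-Permission.txt": ProbeResponse(200, body="allow\n"),
    "https://other.example.test/": ProbeResponse(200),
}

def sample_fetch(url: str) -> Optional[ProbeResponse]:
    return SAMPLE_SITES.get(url)  # None models an unreachable host or missing file
```

With validation required, api.example.test passes via the header, files.example.test via the text file, and other.example.test aborts; with validation not required, an unreachable host is reported but the flow continues.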
Documentation
Documentation should be updated to communicate that this feature is now supported.
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?