Enable DAST AJAX Spidering using an environment variable

Problem to solve

DAST AJAX Spidering can be enabled by passing the -j flag to /analyze in the script of the DAST CI job. For such a useful feature, it is a pity that users must copy and override the whole job script to enable this one option.

It is also not clearly documented why one would use AJAX spidering for DAST, nor that the AJAX Spider does not load external scripts.

Intended users

Proposal

  • The -j DAST command line option should be configurable using the DAST_USE_AJAX_SPIDER environment variable
  • The DAST documentation should be updated to explain the trade-offs of Ajax spidering
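The two configurations this proposal contrasts, as an added illustration that is not part of the issue: the override a pipeline needs today to pass -j, beside the proposed opt-in by environment variable. It assumes the job is built on GitLab's DAST.gitlab-ci.yml template, that /analyze takes the target via -t, and that DAST_USE_AJAX_SPIDER would accept "true"; the target URL is constructed.

```yaml
# Added example, not from the issue. Assumes GitLab's DAST.gitlab-ci.yml
# template, a -t target flag on /analyze, and a "true" value for the
# proposed variable. The target URL is constructed.
include:
  - template: DAST.gitlab-ci.yml

# Today: the job's script must be copied and overridden just to add -j,
# so any later change to the template's script is silently lost.
dast:
  variables:
    DAST_WEBSITE: https://staging.example.test   # constructed target
  script:
    - /analyze -t $DAST_WEBSITE -j               # -j enables the AJAX Spider

---
# Proposed alternative for the same job: the template's script stays
# intact and the AJAX Spider is switched on by variable alone.
# Caveat from the issue: the AJAX Spider does not load external scripts,
# so pages that depend on them are crawled without that behaviour.
dast:
  variables:
    DAST_WEBSITE: https://staging.example.test   # constructed target
    DAST_USE_AJAX_SPIDER: "true"
```

The `---` separates the two alternatives for reading only; a real .gitlab-ci.yml contains one of them.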

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited by Cameron Swords