DAST sets ZAP user and login form

Problem to solve

DAST has custom-built login functionality that lets a user log in to their website before a security scan. ZAP also has its own login functionality, which DAST does not use.

A disadvantage of using the custom login functionality is that certain vulnerability rules are disabled when no ZAP user is set. For example:

  • The SessionFixation rule only tests login pages; when the login page is not set, it will not run
  • The UsernameEnumeration rule only tests login pages; when the login page is not set, it will not run

With the right ZAP configuration, DAST will be able to enable all rules by setting the ZAP username/password/login fields.

Intended users

  • Sasha (Software Developer)
  • Sam (Security Analyst)

Proposal

This issue will require some investigation to determine the best approach for setting the ZAP context parameters. In all likelihood, DAST will have to create a ZAP user and use one of ZAP's authentication methods, most likely manual authentication.

[Screenshot: Screenshot_2020-05-25_17.11.36]

[Screenshot: Screenshot_2020-05-25_17.15.55]
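As an added illustration of the proposal (example code, not from the issue or from DAST), this builds the ordered ZAP API calls that attach an authentication method, credentials and a forced user to an existing context, so that login-dependent rules such as SessionFixation and UsernameEnumeration become eligible to run. It assumes a ZAP instance at the base URL shown, uses form-based authentication as a stand-in for whichever method DAST settles on, and the endpoint names are ZAP's authentication/users/forcedUser API as known to the editor, not taken from this page.

```python
"""Added example: ZAP API calls that give a scan context a login and a forced user."""
from urllib.parse import urlencode

# Assumed: ZAP's JSON API listening here; endpoint names below are ZAP's
# authentication/users/forcedUser components, not taken from the issue.
ZAP_BASE = "http://127.0.0.1:8080/JSON/"


def form_auth_config(login_url, user_field="username", pass_field="password"):
    """authMethodConfigParams for formBasedAuthentication. ZAP wants the login
    POST body with {%username%}/{%password%} placeholders, itself URL-encoded
    as one value inside a key=value&key=value string."""
    login_data = f"{user_field}={{%username%}}&{pass_field}={{%password%}}"
    return urlencode({"loginUrl": login_url, "loginRequestData": login_data})


def zap_user_plan(context_id, user_id, login_url, username, password,
                  logged_in_regex):
    """Ordered (endpoint, params) pairs. context_id and user_id come from the
    earlier context/action/newContext and users/action/newUser responses."""
    return [
        ("authentication/action/setAuthenticationMethod",
         {"contextId": context_id, "authMethodName": "formBasedAuthentication",
          "authMethodConfigParams": form_auth_config(login_url)}),
        # Without an indicator ZAP cannot tell a live session from a dead one.
        ("authentication/action/setLoggedInIndicator",
         {"contextId": context_id, "loggedInIndicatorRegex": logged_in_regex}),
        ("users/action/setAuthenticationCredentials",
         {"contextId": context_id, "userId": user_id,
          "authCredentialsConfigParams": urlencode(
              {"username": username, "password": password})}),
        ("users/action/setUserEnabled",
         {"contextId": context_id, "userId": user_id, "enabled": "true"}),
        # Forced-user mode sends every scanner request as this user.
        ("forcedUser/action/setForcedUser",
         {"contextId": context_id, "userId": user_id}),
        ("forcedUser/action/setForcedUserModeEnabled", {"boolean": "true"}),
    ]


def plan_urls(plan, api_key):
    """Render the plan as GET URLs; each carries the API key ZAP requires."""
    return [f"{ZAP_BASE}{endpoint}/?{urlencode({**params, 'apikey': api_key})}"
            for endpoint, params in plan]


if __name__ == "__main__":  # constructed sample values, not real credentials
    for url in plan_urls(zap_user_plan("1", "0", "https://app.example/login",
                                       "sasha", "s3cret", r"\QLogout\E"), "KEY"):
        print(url)
```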

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references
