Add supporting HTTP messages to DAST schema
Problem to solve
A user of API Fuzzer should be able to quickly understand a vulnerability that has been reported through the vulnerability report.
Intended users
Users who review, triage, and resolve DAST vulnerability reports.
User experience goal
Keep the user in the GitLab UX whenever possible to provide a fast workflow. Supporting HTTP messages should be available for viewing in the vulnerability report UI and the security dashboard.
Proposal
Add supporting HTTP messages providing context to the user. This added context is useful because:
- It shows if the scanner was able to successfully call an API. If we cannot successfully call an API normally, trust in the vulnerability report should be low.
- It shows normal operation of an API to the user. We should not assume the user is familiar enough with an API's expected response to fully understand the implications of the vulnerability HTTP response.
Add an array of supporting HTTP messages to the vulnerability.evidence field in the DAST report schema. This field will be optional and consist of a display name and request/response pair.
This new field will capture the following from API Fuzzer scans:
- The original request prior to modifications being made.
- A request/response pair calling the API without any modifications.
Further details
- Example: a normal call of the operation returns 500 instead of 201, and the vulnerability evidence is also a 500.
- Outcome: the vulnerability is likely a false positive.
- Outcome: adjust the scanner or target so the operation is scanned correctly.
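As an added worked example (not code from GitLab or the issue author), the following builds a constructed evidence object in the proposed shape, checks that the optional supporting-messages field is well-formed, and applies the triage rule from the example above: if the unmodified call already deviates from the expected status, the finding is a likely false positive. The field names (supporting_messages, name, request, response, status_code) and the expected status are assumptions, not the finalised schema.

```python
# Constructed sample evidence in the shape the proposal describes. Field names
# (supporting_messages, name, request, response, status_code) are assumptions
# for this example, not the final schema.
URL = "https://api.example.test/v1/items"
SAMPLE_EVIDENCE = {
    "summary": "500 when fuzzing the 'name' field of POST /v1/items",
    "request": {"method": "POST", "url": URL, "body": '{"name": "' + "A" * 4096 + '"}'},
    "response": {"status_code": 500, "reason_phrase": "Internal Server Error"},
    "supporting_messages": [
        {"name": "Original request (before modification)",
         "request": {"method": "POST", "url": URL, "body": '{"name": "widget"}'}},
        {"name": "Unmodified call",
         "request": {"method": "POST", "url": URL, "body": '{"name": "widget"}'},
         "response": {"status_code": 500, "reason_phrase": "Internal Server Error"}},
    ],
}

def validate_supporting_messages(evidence):
    """Return schema problems as a list; empty means well-formed. The field is optional."""
    messages = evidence.get("supporting_messages")
    if messages is None:
        return []
    if not isinstance(messages, list):
        return ["supporting_messages must be an array"]
    problems = []
    for i, msg in enumerate(messages):
        if not isinstance(msg.get("name"), str):
            problems.append(f"supporting_messages[{i}]: missing display name")
        if "request" not in msg:
            problems.append(f"supporting_messages[{i}]: missing request")
    return problems

def triage(evidence, expected_status):
    """Compare the unmodified call with the reported response; return (verdict, reason).

    A normal call that already deviates from the expected status makes the finding
    a likely false positive and points at scanner/target configuration instead.
    """
    baseline = next((m for m in evidence.get("supporting_messages", []) if "response" in m), None)
    if baseline is None:
        return ("needs_review", "no unmodified request/response pair to compare against")
    normal = baseline["response"]["status_code"]
    found = evidence["response"]["status_code"]
    if normal != expected_status:
        return ("likely_false_positive", f"unmodified call returned {normal}, expected "
                f"{expected_status}; adjust scanner/target before trusting the finding")
    return ("credible", f"unmodified call returned {normal}; vulnerability response {found}")
```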
Links / references
Edited by Michael Eddington