DAST: Update docs for DAST_AUTH_EXCLUDE_URLS describing how to use wildcards for matching URLs
Summary
When wildcard URLs are added to DAST_AUTH_EXCLUDE_URLS to exclude URLs from the scan, the wildcard is not matched against the complete path. For example, excluding the URL http://webgoat:8080/*/lessons.css does not exclude http://webgoat:8080/WebGoat/css/lessons.css from the scan, but excluding http://webgoat:8080/WebGoat/cs*/lessons.css does exclude http://webgoat:8080/WebGoat/css/lessons.css from the scan.
This is an inconvenience in situations where certain portions of the URL are not known before the scan but need to be excluded.
Steps to reproduce
Run the DAST scan against WebGoat with the exclude URLs below.
- 'export DAST_AUTH_EXCLUDE_URLS="http://webgoat:8080/*/lessons.css,http://webgoat:8080/*/bootstrap.min.css"'
Check the scan results: the URLs below still appear in the list of scanned URLs.
GET http://webgoat:8080/WebGoat/css/lessons.css
GET http://webgoat:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css
What is the current bug behavior?
Wildcards in DAST_AUTH_EXCLUDE_URLS do not match the complete path: a wildcard only matches within a single path segment, as the example above shows.
What is the expected correct behavior?
An exclusion of http://webgoat:8080/*/lessons.css should exclude URLs such as http://webgoat:8080/a/lessons.css, http://webgoat:8080/a/b/lessons.css, etc.
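The two matching behaviours contrasted in this report, side by side, as an added Python example that is not code from the DAST project. How DAST itself implements the matching is not visible here, so the segment-bounded variant is only a model of the behaviour described above; the exclusion list and the scanned URLs are constructed from the report's own WebGoat example.

```python
import re

# Added example (not DAST's own code): two candidate semantics for a "*" in an
# exclusion URL, so the reported behaviour and the expected one can be compared.


def glob_to_regex(pattern: str, cross_segments: bool) -> str:
    """Turn a wildcard URL into an anchored regular expression.

    cross_segments=False: "*" matches within one path segment only (no "/"),
                          which models the behaviour described in the report.
    cross_segments=True:  "*" matches across "/" as well, the expected behaviour.
    """
    star = ".*" if cross_segments else "[^/]*"
    return "^" + star.join(re.escape(part) for part in pattern.split("*")) + "$"


def is_excluded(url: str, patterns, cross_segments: bool = True) -> bool:
    """True if url matches any exclusion pattern under the chosen semantics."""
    return any(re.match(glob_to_regex(p, cross_segments), url) for p in patterns)


def partition(urls, patterns, cross_segments: bool):
    """Split urls into (kept, excluded) lists under the chosen semantics."""
    kept, excluded = [], []
    for url in urls:
        (excluded if is_excluded(url, patterns, cross_segments) else kept).append(url)
    return kept, excluded


# Constructed inputs, taken from the report's example.
EXCLUDES = [
    "http://webgoat:8080/*/lessons.css",
    "http://webgoat:8080/*/bootstrap.min.css",
]
SCANNED = [
    "http://webgoat:8080/WebGoat/css/lessons.css",
    "http://webgoat:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css",
    "http://webgoat:8080/a/lessons.css",
    "http://webgoat:8080/WebGoat/css/other.css",
]


if __name__ == "__main__":
    for mode in (False, True):
        kept, excluded = partition(SCANNED, EXCLUDES, cross_segments=mode)
        print(f"cross_segments={mode}: excluded={excluded}")
```

With cross_segments=False only http://webgoat:8080/a/lessons.css is excluded (the single-segment case), while the two WebGoat URLs from the report are still scanned; with cross_segments=True all three lessons.css/bootstrap.min.css URLs are excluded and other.css is kept. The workaround the report mentions, http://webgoat:8080/WebGoat/cs*/lessons.css, matches under both semantics because its wildcard never has to cross a "/".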