Auto disable obvious non-applicable scan rules from DAST scan
Problem to solve
ZAP has a number of scan rules that target a specific framework or technology used to build the application, e.g.:

| ID | Scan rule |
|---|---|
| 10053 | Apache Range Header DoS (CVE-2011-3192) |
| 10061 | X-AspNet-Version Response Header |
| 40019 | SQL Injection - MySQL |
| 40020 | SQL Injection - Hypersonic SQL |
| 40021 | SQL Injection - Oracle |
| 40022 | SQL Injection - PostgreSQL |
| 40033 | NoSQL Injection - MongoDB |
| 90001 | Insecure JSF ViewState |
These rules are plainly not applicable when the target application does not use the framework or technology in question. Users who configure the DAST scan won't be aware of these rules unless they go through the ZAP documentation. If DAST could disable these rules on its own, based on information the user provides about the target, the scan would run faster and save time and resources.
Intended users
User experience goal
The user provides tech stack details of the target application and DAST automatically disables obviously non-applicable scan rules from the DAST scan.
Proposal
- The user is given a way (job variables, scan profiles?) to describe the target, e.g. its tech stack: front-end (Vue.js), back-end (Java), DB (MySQL), app server (Apache Tomcat).
- DAST, without user intervention, disables obviously non-applicable scan rules (e.g. SQL Injection - Oracle, SQL Injection - PostgreSQL, NoSQL Injection - MongoDB) based on the details of the target application. A rule should only be disabled when the declared stack positively rules out its target technology; any part of the stack the user does not declare should keep all of its rules enabled, since a wrongly skipped rule costs a missed finding while a wasted rule only costs scan time.
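The mapping step described above, as an added illustration that is not part of GitLab DAST or ZAP: a hypothetical helper that takes the user-declared stack, compares it against the technology each rule in the table targets, and emits the rule IDs to skip as the comma-separated string the `DAST_EXCLUDE_RULES` CI variable accepts. The category names (`backend`, `db`, `server`), the alias table and the per-rule target sets are assumptions of this example; only the rule IDs come from the table above.

```python
"""Hypothetical helper (example code, not GitLab DAST or ZAP code): derive the
ZAP rule IDs that can be skipped from a user-declared tech stack."""

# Rule ID -> (stack category it depends on, declared values under which the rule
# is still applicable).  IDs are the ones from the proposal's table; the category
# names and target sets are assumptions of this example.
RULES = {
    "10053": ("server", {"apache httpd"}),   # Apache Range Header DoS, CVE-2011-3192 (httpd, not Tomcat)
    "10061": ("backend", {"asp.net"}),       # X-AspNet-Version response header
    "40019": ("db", {"mysql", "mariadb"}),   # SQL Injection - MySQL (MariaDB shares the dialect)
    "40020": ("db", {"hsqldb"}),             # SQL Injection - Hypersonic SQL
    "40021": ("db", {"oracle"}),             # SQL Injection - Oracle
    "40022": ("db", {"postgresql"}),         # SQL Injection - PostgreSQL
    "40033": ("db", {"mongodb"}),            # NoSQL Injection - MongoDB
    "90001": ("backend", {"java"}),          # Insecure JSF ViewState (JSF is Java; keep for any Java backend)
}

# Common spellings users type, normalised to the values used in RULES (assumed).
ALIASES = {
    "postgres": "postgresql", "pg": "postgresql",
    "hypersonic": "hsqldb", "hypersonic sql": "hsqldb",
    "mongo": "mongodb",
    "httpd": "apache httpd", "apache http server": "apache httpd",
    "aspnet": "asp.net", "asp net": "asp.net",
    "apache tomcat": "tomcat",
}


def _normalise(value):
    v = value.strip().lower()
    return ALIASES.get(v, v)


def rules_to_exclude(stack):
    """Return the sorted rule IDs that are obviously not applicable.

    A rule is excluded only when the user declared the category it depends on
    and none of the declared values is in the rule's target set.  An undeclared
    or empty category keeps all of its rules enabled (fail safe: a wasted rule
    costs time, a wrongly skipped rule costs a finding).  A category may list
    several values, e.g. two databases behind one application.
    """
    declared = {}
    for category, values in stack.items():
        if isinstance(values, str):
            values = [values]
        declared[category] = {_normalise(v) for v in values if v and v.strip()}

    excluded = []
    for rule_id, (category, targets) in RULES.items():
        if not declared.get(category):
            continue                      # nothing declared: keep the rule
        if declared[category].isdisjoint(targets):
            excluded.append(rule_id)      # declared stack rules the target out
    return sorted(excluded)


def dast_exclude_rules(stack):
    """Format the result for the DAST_EXCLUDE_RULES CI variable."""
    return ",".join(rules_to_exclude(stack))


if __name__ == "__main__":
    # The stack from the proposal; "frontend" has no rule attached and is ignored.
    example = {"frontend": "Vue.js", "backend": "Java",
               "db": "MySQL", "server": "Apache Tomcat"}
    print("DAST_EXCLUDE_RULES=" + dast_exclude_rules(example))
```

For the proposal's example stack this keeps 40019 (MySQL is declared) and 90001 (a Java backend may use JSF) and excludes the other six. The `server` value should be the HTTP server the scanner actually talks to: if an Apache httpd reverse proxy fronts Tomcat, it must be declared so that 10053 stays enabled.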
Further details
Users won't be aware of the platform-specific ZAP scan rules, and by default all of them run during a DAST scan. Given that DAST has tech stack details about the target application, auto-disabling the non-applicable scan rules would make the scan run faster and reduce the amount of configuration the user has to do.