Aggregate noisy DAST vulnerabilities into a single vulnerability
Problem to solve
For a website whose response headers trigger the Server Leaks Version Information check, a vulnerability is created for every single request made by DAST/ZAP. This results in many duplicate true positives. Other vulnerabilities produce multiple results for similar reasons.
This is the first attempt to create a curated set of GitLab DAST vulnerabilities that should be considered as a single vulnerability no matter how many are detected in a single scan.
Vulnerabilities that should be grouped into a single vulnerability:
- Server Leaks Version Information
- Cross-Domain Misconfiguration
- X-Frame-Options Header Not Set
- Server Leaks Information via “X-Powered-By” HTTP Response Header Field(s)
- X-AspNet-Version Response Header
- Httpoxy - Proxy Header Misuse
- Feature Policy Header Not Set
- Apache Range Header DoS (CVE-2011-3192)
- X-ChromeLogger-Data (XCOLD) Header Information Leak
- Information Disclosure - Sensitive Information in HTTP Referrer Header
- Incomplete or No Cache-control and Pragma HTTP Header Set
Intended users
Proposal
If any of the vulnerabilities that should be grouped are found:
- Group vulnerabilities using both the plugin ID and severity: #254043 (comment 417720701)
- Only one vulnerability should be reported in the scan
- The `location` reported with the vulnerability should contain the URL that is first in the alphabetically sorted list of server-leaking URLs. This ensures that vulnerability tracking will work across scans.
  - Alternative: `location` should be empty so that the URL isn't included in vulnerability tracking at all. Let's go with this: #254043 (comment 433072926)
- The `evidence` should contain the request/response/summary that is first in the alphabetically sorted list
- The `description` or `solution` should include text that indicates how many URLs were affected
- Add vulnerable URLs to the nested details/extra details, else users run a new scan just to find the vulnerability is still there from another URL
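The grouping rules above, worked through as an added Ruby example (not code from GitLab DAST or the monolith). It runs over a constructed set of findings in a loosely gl-dast-report-like shape; the plugin ids, hostname, paths and the nested `details` layout are assumptions, and the chosen alternative (empty `location`, all URLs in `locations`) is applied:

```ruby
require 'json'

# Names of the noisy checks the proposal lists; a finding with one of these
# names is a candidate for grouping, everything else passes through untouched.
GROUPED_NAMES = [
  'Server Leaks Version Information',
  'Cross-Domain Misconfiguration',
  'X-Frame-Options Header Not Set',
  'Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)',
  'X-AspNet-Version Response Header',
  'Httpoxy - Proxy Header Misuse',
  'Feature Policy Header Not Set',
  'Apache Range Header DoS (CVE-2011-3192)',
  'X-ChromeLogger-Data (XCOLD) Header Information Leak',
  'Information Disclosure - Sensitive Information in HTTP Referrer Header',
  'Incomplete or No Cache-control and Pragma HTTP Header Set'
].freeze

# Constructed sample findings (not a real scan): the same Server-header check
# fired on three paths at severity Low, once at Medium, plus an unrelated
# finding. Plugin ids and the hostname are made-up sample values.
def finding(name, severity, path, plugin_id, summary)
  {
    'name' => name, 'severity' => severity,
    'identifiers' => [{ 'type' => 'ZAProxy_PluginId', 'value' => plugin_id }],
    'location' => { 'hostname' => 'https://app.example.test', 'path' => path },
    'evidence' => { 'summary' => summary },
    'description' => 'The web server leaks its version in a response header.'
  }
end

SAMPLE_FINDINGS = [
  finding('Server Leaks Version Information', 'Low', '/c', 'plugin-A', 'Server: sample/1.0 (seen on /c)'),
  finding('Server Leaks Version Information', 'Low', '/a', 'plugin-A', 'Server: sample/1.0 (seen on /a)'),
  finding('Server Leaks Version Information', 'Low', '/b', 'plugin-A', 'Server: sample/1.0 (seen on /b)'),
  finding('Server Leaks Version Information', 'Medium', '/admin', 'plugin-A', 'Server: sample/1.0 (seen on /admin)'),
  finding('Some Other Finding', 'High', '/login', 'plugin-B', 'unrelated')
].freeze

def plugin_id(vuln)
  ident = vuln.fetch('identifiers', []).find { |i| i['type'] == 'ZAProxy_PluginId' }
  ident && ident['value']
end

def location_url(loc)
  "#{loc['hostname']}#{loc['path']}"
end

# Collapse each set of groupable findings that share plugin id AND severity
# into one finding: empty `location` (so the URL stays out of vulnerability
# tracking), every URL in `locations` sorted alphabetically, evidence taken
# from the first URL, the URL count appended to the description, and the full
# URL list under a nested `details` entry (shape assumed, not from the schema).
def aggregate(findings)
  groupable, passthrough = findings.partition { |v| GROUPED_NAMES.include?(v['name']) }
  merged = groupable.group_by { |v| [plugin_id(v), v['severity']] }.values.map do |members|
    sorted = members.sort_by { |v| location_url(v['location']) }
    urls = sorted.map { |v| location_url(v['location']) }
    first = sorted.first
    first.merge(
      'location' => {},
      'locations' => sorted.map { |v| v['location'] },
      'evidence' => first['evidence'],
      'description' => "#{first['description']} Affected URLs: #{urls.size}.",
      'details' => { 'affected_urls' => { 'name' => 'Affected URLs', 'type' => 'list',
                                          'items' => urls.map { |u| { 'type' => 'url', 'href' => u } } } }
    )
  end
  passthrough + merged
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate('vulnerabilities' => aggregate(SAMPLE_FINDINGS))
end
```

Running it yields three findings instead of five: the three Low Server-header hits collapse into one with `/a`, `/b`, `/c` under `locations`, the Medium hit stays separate because severity is part of the key, and the unrelated finding is untouched. Keying on severity as well as plugin id is what keeps a genuinely worse instance of the same check from being hidden inside the group.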
Technical details
Backend
- Update the monolith to support parsing DAST reports with both `location` and `locations` fields
- Update the `location` field on the DAST report schema to `locations`
- Update DAST to produce reports with a `locations` field
- Update the `VulnerabilitiesHelper#vulnerability_details` method to include a boolean `multiple_locations` field
- TBD: Add a path to generate and download a CSV of all locations and add `vulnerability_locations_csv_download_path` to `VulnerabilitiesHelper#vulnerability_details`
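An added Ruby sketch of the backend side (not the monolith's own code): a normaliser that accepts reports carrying either `location` or `locations`, a stand-in for the `multiple_locations` addition to `VulnerabilitiesHelper#vulnerability_details` (helper name from this issue, body assumed), and the CSV payload a download path would serve. The sample findings are constructed.

```ruby
require 'csv'

# Normalise one raw DAST finding so that downstream code only ever sees a
# `locations` array: pre-change reports carry a single `location`, post-change
# reports carry `locations`, and a grouped finding may carry an empty
# `location`. A report may mix both shapes during the transition.
def normalise_locations(finding)
  locations =
    if finding.key?('locations')
      Array(finding['locations'])
    elsif finding['location'].is_a?(Hash) && !finding['location'].empty?
      [finding['location']]
    else
      []
    end
  finding.merge('locations' => locations)
end

# Stand-in for the `multiple_locations` addition to
# VulnerabilitiesHelper#vulnerability_details. The first location doubles as
# the single `location` the detail page shows; `additional_locations` is the
# X in the "(and X more)" link.
def vulnerability_details(finding)
  f = normalise_locations(finding)
  {
    'name' => f['name'],
    'location' => f['locations'].first || {},
    'locations' => f['locations'],
    'multiple_locations' => f['locations'].size > 1,
    'additional_locations' => [f['locations'].size - 1, 0].max
  }
end

# CSV of every location: the payload the (still TBD) download path would serve.
def locations_csv(finding)
  CSV.generate do |csv|
    csv << %w[hostname method path]
    normalise_locations(finding)['locations'].each do |loc|
      csv << [loc['hostname'], loc['method'], loc['path']]
    end
  end
end

# Constructed samples: an old-format finding with a single `location`, and a
# new-format grouped finding whose `location` was emptied on purpose.
OLD_FORMAT = { 'name' => 'X-Frame-Options Header Not Set',
               'location' => { 'hostname' => 'https://app.example.test', 'method' => 'GET', 'path' => '/x' } }.freeze
NEW_FORMAT = { 'name' => 'Server Leaks Version Information',
               'location' => {},
               'locations' => [
                 { 'hostname' => 'https://app.example.test', 'method' => 'GET', 'path' => '/a' },
                 { 'hostname' => 'https://app.example.test', 'method' => 'GET', 'path' => '/b' }
               ] }.freeze

if __FILE__ == $PROGRAM_NAME
  [OLD_FORMAT, NEW_FORMAT].each { |f| p vulnerability_details(f) }
  puts locations_csv(NEW_FORMAT)
end
```

Checking `locations` before `location` means a grouped finding with an intentionally empty `location` is never mistaken for a finding with no location data, while an old-format report still maps its single `location` to a one-element array and reports `multiple_locations` as false.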
Frontend
- Update the `VulnerabilityDetails` component (`ee/app/assets/javascripts/vulnerabilities/components/details.vue`).
  - Extract the `locations` field from the `vulnerability` object.
  - When `locations` is not empty:
    - Include the `DastModal` component (`ee/app/assets/javascripts/vue_shared/security_reports/components/dast_modal.vue`) and populate its props:
      - `locations` -> `scannerUrls`
      - `vulnerability_locations_csv_download_path` -> `downloadLink`
    - The `location` computed property returns the first item from `locations`.
    - Add the locations count to the title.
    - Add a link, `(and X more)`, next to the request URL; clicking on the link opens the `DastModal`.
      - For accessibility reasons, the link should be `role="button"`.
- Specs
  - `ee/spec/frontend/vue_shared/security_reports/components/vulnerability_details_spec.js`
    - Title contains locations count.
    - Description contains `(and X more)` link.
    - Clicking on the link opens the modal.
Design
| Vulnerability detail page | Modal |
|---|---|
| Total vulnerability count added to title; and {#} link added to URL in Request section | URL link opens modal with option to download all as CSV |
Figma: https://www.figma.com/file/Bo2hAZSaUROU2vmfSjaiwm/Grouped-vulnerabilities?node-id=35%3A679
Design issue: #283946 (closed)
What is the type of buyer?
Edited by Annabel Dunstone Gray