Remove target reset to host
Context
Follow-up from gitlab-org/security-products/dast!312 (comment 419909567)
The ZAP scripts reset the provided target to its host. For example, if ZAP is given the target http://vulnerableapp.com/WebGoat/attack, it will reset it to http://vulnerableapp.com before spidering and scanning it
This functionality was migrated to DAST during the ZAP script migration, but it's not clear if it is necessary or desirable.
Proposal
Implement a new environment variable DAST_SPIDER_START_AT_HOST as a boolean configuration option, where true would reset the target to the host and false would start the spider at the specified path. The default option would be true for now, to keep current DAST scans testing with the same context that they currently have.
Implementation plan
-
Add DAST_SPIDER_START_AT_HOST: gitlab-org/security-products/dast!317 (merged) -
Add docs for DAST_SPIDER_START_AT_HOST!45567 (merged) -
Create follow-up issue to make DAST_SPIDER_START_AT_HOSTdefault tofalsein %14.0: #267403 (closed)