Remove target reset to host
Context
Follow-up from gitlab-org/security-products/dast!312 (comment 419909567)
The ZAP scripts reset the provided target to its host. For example, if ZAP is given the target http://vulnerableapp.com/WebGoat/attack, it resets it to http://vulnerableapp.com before spidering and scanning it, so the spider starts from the whole host rather than from the application at the given path.
This functionality was migrated to DAST during the ZAP script migration, but it is not clear whether it is necessary or desirable.
Proposal
Implement a new environment variable DAST_SPIDER_START_AT_HOST as a boolean configuration option, where true resets the target to its host and false starts the spider at the specified path. The default would be true for now, so that existing DAST scans keep testing with the same context they have today.
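As an added illustration, not code from the DAST project or from this issue, the Go sketch below shows what the two settings do to a target URL and how the boolean would be read from the environment. The function names startAtHost and spiderStartURL, the lookup-function signature, and the unset-means-true and reject-unparseable-values behaviour are assumptions made here; only the variable name and the example URLs come from the issue.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strconv"
	"strings"
)

// startAtHost reads DAST_SPIDER_START_AT_HOST through lookup (os.LookupEnv in
// production, a map in tests). Unset or blank means true, the default proposed
// in this issue. Anything strconv.ParseBool rejects ("yes", "on", ...) is
// reported as a configuration error instead of silently becoming false.
func startAtHost(lookup func(string) (string, bool)) (bool, error) {
	raw, ok := lookup("DAST_SPIDER_START_AT_HOST")
	if !ok || strings.TrimSpace(raw) == "" {
		return true, nil
	}
	v, err := strconv.ParseBool(strings.TrimSpace(raw))
	if err != nil {
		return false, fmt.Errorf("DAST_SPIDER_START_AT_HOST: %w", err)
	}
	return v, nil
}

// spiderStartURL returns the URL the spider begins at.
// resetToHost=true keeps only scheme://host[:port] and drops path, query and
// fragment, which is what turns http://vulnerableapp.com/WebGoat/attack into
// http://vulnerableapp.com. resetToHost=false returns the target as given.
// Relative or scheme-less targets are rejected because there is no host to
// reset to.
func spiderStartURL(target string, resetToHost bool) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("target %q must be an absolute http(s) URL", target)
	}
	if !resetToHost {
		return u.String(), nil
	}
	// u.Host already includes the port but never userinfo, so credentials
	// embedded in the target URL are not carried into the host-only URL.
	host := &url.URL{Scheme: u.Scheme, Host: u.Host}
	return host.String(), nil
}

func main() {
	reset, err := startAtHost(os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Constructed example target taken from the issue text.
	start, err := spiderStartURL("http://vulnerableapp.com/WebGoat/attack", reset)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("DAST_SPIDER_START_AT_HOST=%v -> spider starts at %s\n", reset, start)
}
```

Run with DAST_SPIDER_START_AT_HOST unset or set to true and the spider starts at the host root; set it to false and it starts at /WebGoat/attack. The host-only URL keeps a non-default port, so a target such as https://app.example:8443/a/b still points at the same listener after the reset.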
Implementation plan
- Add DAST_SPIDER_START_AT_HOST: gitlab-org/security-products/dast!317 (merged)
- Add docs for DAST_SPIDER_START_AT_HOST: !45567 (merged)
- Create follow-up issue to make DAST_SPIDER_START_AT_HOST default to false in %14.0: #267403 (closed)
Edited by Avielle Wolfe