Docs feedback: DAST API Scanning should warn about host overrides
https://docs.gitlab.com/ee/user/application_security/dast/#import-api-specification-from-a-file does not mention that passing `-t $DAST_WEBSITE` to `/analyze` does not actually override the `host` (Swagger 2) or `servers` (OpenAPI 3) section of the imported API document. The scan targets whatever host the specification file declares, so users could accidentally scan sites they do not own.
Suggested fix:
If your API specification is in your repository, you can provide the specification's filename directly as the target. The specification file is expected to be in the `/zap/wrk` directory. Passing in `-t $DAST_WEBSITE` will not override the server variable that is defined in `api-specification.yml`. Ensure `api-specification.yml` contains the valid hostname which you expect to scan.
```yaml
dast:
  script:
    - mkdir -p /zap/wrk
    - cp api-specification.yml /zap/wrk/api-specification.yml
    - /analyze -t $DAST_WEBSITE
  variables:
    GIT_STRATEGY: fetch
    DAST_API_SPECIFICATION: api-specification.yml
```
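Until the scanner itself rejects a mismatch, a pipeline can guard against the problem described above by comparing the hosts declared in the specification with the hostname in `DAST_WEBSITE` before `/analyze` runs. The script below is an added example, not GitLab's or the DAST image's own code: it reads an OpenAPI 3 `servers` list (substituting declared variable defaults) or a Swagger 2 `host` field and reports any host that differs from the expected target. The file path, environment variable usage and the sample specification are assumptions for illustration; the spec content is constructed. JSON specs need only the standard library, YAML specs additionally need PyYAML in the runner image.

```python
"""Pre-scan guard: fail the job if the API specification names a host other
than the one in DAST_WEBSITE (added example, not GitLab code)."""
import json
import os
import sys
from urllib.parse import urlparse


def spec_hosts(spec: dict) -> set:
    """Return the lower-cased hostnames an API document declares as targets.

    OpenAPI 3 keeps them in servers[].url (absolute or relative, possibly with
    {variables}); Swagger 2 keeps a single top-level host[:port] string.
    Relative server URLs carry no host and are skipped.
    """
    hosts = set()
    for server in spec.get("servers", []):
        url = server.get("url", "")
        # Expand server variables with their declared defaults, e.g. {env}
        for name, var in server.get("variables", {}).items():
            url = url.replace("{%s}" % name, str(var.get("default", "")))
        hostname = urlparse(url).hostname
        if hostname:
            hosts.add(hostname.lower())
    if "host" in spec:
        hosts.add(str(spec["host"]).split(":")[0].lower())
    return hosts


def unexpected_hosts(spec: dict, dast_website: str) -> set:
    """Hosts in the spec that do not match the hostname of DAST_WEBSITE."""
    expected = urlparse(dast_website).hostname
    if not expected:
        raise ValueError("DAST_WEBSITE must be an absolute URL, got %r" % dast_website)
    return {h for h in spec_hosts(spec) if h != expected.lower()}


def load_spec(path: str) -> dict:
    """Load a JSON spec; fall back to PyYAML (assumed installed) for YAML."""
    with open(path, encoding="utf-8") as handle:
        text = handle.read()
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        import yaml  # PyYAML; assumption: present in the scan image
        return yaml.safe_load(text)


# Constructed sample: one server resolves to the intended API host, one points
# at a different domain, one is relative (no host of its own).
SAMPLE_OPENAPI3 = {
    "openapi": "3.0.0",
    "servers": [
        {"url": "https://{env}.example.com/v1",
         "variables": {"env": {"default": "api"}}},
        {"url": "https://staging.example.net"},
        {"url": "/relative"},
    ],
}

# Constructed Swagger 2 sample with a port and mixed-case host.
SAMPLE_SWAGGER2 = {"swagger": "2.0", "host": "Api.Example.com:8443"}


def check_spec_file(path: str, dast_website: str) -> int:
    """Return 0 when every declared host matches DAST_WEBSITE, else 1."""
    bad = unexpected_hosts(load_spec(path), dast_website)
    if bad:
        print("refusing to scan: spec declares hosts %s but DAST_WEBSITE is %s"
              % (sorted(bad), dast_website), file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    # Assumed usage in a before_script step:
    #   python3 check_spec_host.py /zap/wrk/api-specification.yml
    spec_path = sys.argv[1] if len(sys.argv) > 1 else "api-specification.yml"
    sys.exit(check_spec_file(spec_path, os.environ.get("DAST_WEBSITE", "")))
```

Run it as a `before_script` step ahead of `/analyze`; a non-zero exit stops the job before the scanner contacts the unexpected host. The check is intentionally strict about hostnames only, so a port or path difference between the spec and `DAST_WEBSITE` is tolerated.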
Additionally, https://docs.gitlab.com/ee/user/application_security/dast/#host-override does mention that host override is not supported when importing an API specification from a file, but that statement should be placed in a warning/alert style box to draw more attention to it.
Proposal
- Update the import specification from file documentation:
  - Remove the `/analyze -t [target]`. Specifying a target and an API specification is not supported.
  - The script to copy the file to `/zap/wrk` can likely be converted to a `before_script`. This should be verified before the documentation is updated.
  - Remove the
- Update DAST to throw an error when a target and an API specification are provided
- Update DAST to throw an error when the API specification is a file and a host override is supplied