Run API fuzz testing after DAST with no OpenAPI/HAR files required
Problem to solve
Today users must indicate the endpoints of their app to run API fuzz testing again. This can be time consuming or difficult for users to set up. Because of the friction of getting started, users give up on fuzz testing and move on to other things.
Assume that these users are using other GitLab security scanners, such as DAST, and GitLab Review Apps. Tools such as DAST contain a "spidering" step which is what discovers the various API endpoints of a given site or application.
Proposal
When running DAST as part of a pipeline, output an artifact, such as a HAR file, that can be fed directly to API fuzz testing.
An example of what this may look like in a user's CI file:
include:
- template: DAST.gitlab-ci.yml
- template: API-Fuzzing.gitlab-ci.yml
variables:
DAST_WEBSITE: https://example.com
FUZZAPI_TARGET_URL: https://example.com
FUZZ_USE_DAST_ARTIFACTS: true
Each template would be updated to look for that variable. DAST would then output some artifact from the job. Fuzz testing would indicate that it depends on the DAST job for that artifact and references it instead of looking at a FUZZAPI_POSTMAN_COLLECTION
type of variable.
Intended users
User experience goal
The goal of this effort is to make it easy to set up fuzz testing for those users who have already set up DAST, without requiring them to create a new artifact.
Further details
This will also encourage users to set up DAST if they have not already which will be a large benefit for adoption of both categories.
Leverage this to add fuzz testing to AutoDevOps.
Availability & Testing
fill this out
What does success look like, and how can we measure that?
We can measure the success of this feature by seeing the GMAU for both groups increasing, as fuzz users add DAST and as DAST users add fuzz testing.
What is the type of buyer?
Is this a cross-stage feature?
No