
Allow DAST to send certificates for mutual TLS

Problem to solve

Allow DAST to be configured to send certificates with requests for mutual TLS.

Due to technical issues, the scope of this issue has been adjusted so the feature only works for legacy/ZAP-based scans. The feature will not work on browser-based scans. This work will be captured in #325224 (closed).

Intended users

Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/

Proposal

Allow DAST to be configured to send certificates with requests for mutual TLS.

Further details

Customer reports an HTTP 400 error from DAST in an environment that requires mutual TLS.

Available Tier

  • Ultimate/Gold

What does success look like, and how can we measure that?

DAST is able to be configured to send certificates with requests for mutual TLS.

Links / references

Customer ticket: https://gitlab-federal-support.zendesk.com/agent/tickets/513 (internal use)

From the customer:

The problem we have is that we use mutual TLS in all of our systems, and this also includes all of our user base as well, so when testing with DAST we need to have it send certs with every call made to port 443.

Implementation plan

We'll instruct users to create a protected, File type CI variable named DAST_PKCS12_CERTIFICATE in the UI. If provided, DAST will use it when making requests by itself, through ZAP, and through Browserker.
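To make the plan above concrete, the following is an added Python example (not GitLab's DAST code) of how a scanner process could consume such a File-type variable. GitLab writes a File-type variable's value to a temporary file and puts that file's path in the environment under the variable name, so the scanner reads `DAST_PKCS12_CERTIFICATE` as a path, unpacks the PKCS#12 bundle with the `cryptography` package, and builds an `ssl.SSLContext` that presents the client certificate on every connection. The self-signed test bundle, the password variable name `DAST_PKCS12_PASSWORD` and the helper names are assumptions made for this example and are not taken from the issue.

```python
"""Added example: load a PKCS#12 client identity from a File-type CI variable
and build an ssl.SSLContext that presents it for mutual TLS.
Requires the `cryptography` package. Not GitLab's DAST implementation."""
import datetime
import os
import ssl
import tempfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

VAR_NAME = "DAST_PKCS12_CERTIFICATE"    # variable name from the issue
PASSWORD_VAR = "DAST_PKCS12_PASSWORD"   # assumed name, not in the issue text


def make_test_bundle(common_name: str, password: bytes) -> bytes:
    """Constructed stand-in for a client certificate issued by the customer's
    own CA: a throw-away self-signed cert with clientAuth EKU, packed as PKCS#12."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]),
                       critical=False)
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        b"dast-client", key, cert, None,
        serialization.BestAvailableEncryption(password),
    )


def load_client_identity(env=os.environ):
    """Return (subject CN, SSLContext) for the bundle named by the File-type
    variable, or None when the variable is absent (plain TLS, no client cert)."""
    path = env.get(VAR_NAME)
    if not path:
        return None
    password = env.get(PASSWORD_VAR, "").encode() or None
    with open(path, "rb") as f:
        key, cert, extra = pkcs12.load_key_and_certificates(f.read(), password)
    if key is None or cert is None:
        raise ValueError(f"{VAR_NAME} must contain both a private key and a certificate")
    # ssl.SSLContext only loads PEM from disk, so convert inside a private temp dir
    # that is removed as soon as the context has copied the material.
    with tempfile.TemporaryDirectory() as d:
        chain = os.path.join(d, "client.pem")
        with open(chain, "wb") as out:
            out.write(cert.public_bytes(serialization.Encoding.PEM))
            for ca in extra or []:          # intermediates, if the bundle has any
                out.write(ca.public_bytes(serialization.Encoding.PEM))
            out.write(key.private_bytes(
                serialization.Encoding.PEM,
                serialization.PrivateFormat.PKCS8,
                serialization.NoEncryption()))
        ctx = ssl.create_default_context()  # still verifies the target's server cert
        ctx.load_cert_chain(chain)          # client cert is now sent on every handshake
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return cn, ctx


def demo() -> str:
    """Self-contained run: write a constructed bundle to a temp file, expose it
    the way a File-type variable would, and load it. Returns the subject CN."""
    bundle = make_test_bundle("dast-scanner", b"constructed-password")
    with tempfile.NamedTemporaryFile(delete=False, suffix=".p12") as f:
        f.write(bundle)
    try:
        env = {VAR_NAME: f.name, PASSWORD_VAR: "constructed-password"}
        cn, _ctx = load_client_identity(env)
        return cn
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    print("loaded client identity for CN =", demo())
```

The context returned by `load_client_identity` can be handed to any stdlib HTTPS client (`http.client.HTTPSConnection(host, context=ctx)`); because it starts from `ssl.create_default_context()`, server certificate verification stays on, so adding the client certificate does not weaken validation of the target.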

Links:

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by Cameron Swords