Verify GitLab vulnerability tracking works when testing a Single Page Application
Problem to solve
Browserker is specifically designed to test modern web applications, such as Single Page Applications (SPAs). SPAs often have content on a page that updates without changing the URL in the browser.
GitLab vulnerability tracking uses the URL to define what a page is. Browserker will have to use an alternative solution to ensure that vulnerabilities are tracked across scans on the Security Dashboard.
Proposal
- Create a simple web application that updates vulnerable content on the page without changing the URL
- Run a Browserker scan integrated with GitLab many times to understand whether or not the vulnerability is tracked across scans
- (most likely) implement a new field in the DAST schema
vulnerabilities[].location, this will likely contain the path of navigation actions that it takes to access the vulnerable content - (most likely) update the GitLab location fingerprint to include the new field
- Ensure that normal DAST/ZAP vulnerabilities remain unaffected
Intended users
What does success look like, and how can we measure that?
Vulnerabilities can be tracked on the Security Dashboard across multiple scans.