
Browserker should advertise itself when scanning an application

Problem to solve

Authors of web applications sometimes need to know which program is generating traffic to a website. Knowing this lets them enable or disable features, or allow or block access, for that program.

For example, recently at GitLab a security incident was raised because a user was sending many requests to GitLab. It was resolved once it was understood that the traffic came from a DAST tool.

Intended users

Proposal

A header should be added to all requests advertising that the scan is a Browserker scan. For example,

crawler: gitlab.com/dast:browserker

One option is to use the User-Agent header. I recommend against this, as some old sites try to detect the browser version from the User-Agent string.

What is the type of buyer?

Ultimate

Implementation plan

  • Add a Via header with the value GitLab DAST/Crawler [version], where version is the version of Browserker
  • The version of Browserker should be read from the first entry in the CHANGELOG and baked into the Browserker image
  • The header should be sent with every request using Network.SetExtraHTTPHeaders
  • One test should verify that the header is present in a vulnerability's evidence. This will have to be tested in DAST for now, as the Browserker output does not contain header values
  • DAST/ZAP should be updated to send a Via header, GitLab DAST/ZAP [version] where version is the version of DAST. Limitations of the ZAP replacer means that this will overwrite the GitLab DAST/Crawler [version] Via header sent by Browserker.
  • Add a Via-Scanner header with value Browserker to DAST to indicate that the request was initiated by Browserker. This will help to determine if Browserker or ZAP created a vulnerability.
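The plan above in runnable form, as an added example that is not Browserker's or DAST's own code: it reads the version from the first CHANGELOG entry, builds the Via and Via-Scanner values that Browserker would hand to Network.SetExtraHTTPHeaders, and, for the site operator's side, recognises those headers on an incoming request. The CHANGELOG heading format and the function names are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Constructed CHANGELOG excerpt; it assumes the newest release heads the file
// as a "## <version>" heading, which is an assumption about Browserker's format.
const sampleChangelog = "# Changelog\n\n## 1.4.2 (2021-06-01)\n- Fix crawling of file inputs\n"

var versionHeading = regexp.MustCompile(`^##\s+v?(\d+\.\d+\.\d+)`)

// VersionFromChangelog returns the version named by the first entry heading.
func VersionFromChangelog(changelog string) (string, bool) {
	for _, line := range strings.Split(changelog, "\n") {
		if m := versionHeading.FindStringSubmatch(line); m != nil {
			return m[1], true
		}
	}
	return "", false
}

// CrawlerHeaders is the map Browserker would pass to Network.SetExtraHTTPHeaders
// so that every request it issues advertises the scanner.
func CrawlerHeaders(version string) map[string]string {
	return map[string]string{"Via": "GitLab DAST/Crawler " + version, "Via-Scanner": "Browserker"}
}

var dastVia = regexp.MustCompile(`GitLab DAST/(Crawler|ZAP) (\S+)`)

// ScannerFromRequest is the site operator's side: it recognises GitLab DAST traffic
// from Via and Via-Scanner, tolerating proxies that append their own Via entries.
func ScannerFromRequest(h http.Header) (tool, version, scanner string, ok bool) {
	for _, v := range h.Values("Via") {
		for _, entry := range strings.Split(v, ",") {
			if m := dastVia.FindStringSubmatch(strings.TrimSpace(entry)); m != nil {
				return m[1], m[2], h.Get("Via-Scanner"), true
			}
		}
	}
	return "", "", "", false
}

func main() {
	v, _ := VersionFromChangelog(sampleChangelog)
	fmt.Println(CrawlerHeaders(v))
}
```

Because ZAP overwrites the Via value, the operator-side check accepts both GitLab DAST/Crawler and GitLab DAST/ZAP and falls back to Via-Scanner to learn which component originated the request.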

Setting weight of 2.

Edited by Cameron Swords