Browserker should advertise itself when scanning an application
Problem to solve
Authors of web applications sometimes need to understand what program is generating traffic to a website. This could help them enable/disable features or enable/disable program access.
For example, recently in GitLab, a security incident was raised by a user sending many requests to GitLab. This was resolved once it was understood the traffic was generated from a DAST tool.
Intended users
Proposal
A header should be added to all requests advertising that the scan is a Browserker scan. For example,
crawler: gitlab.com/dast:browserker
One option is to use the `User-Agent` header. I recommend against this as some old sites try to detect the version of the browser using the user agent.
What is the type of buyer?
Implementation plan
- Add the header `GitLab DAST/Crawler [version]`, where `version` is the version of Browserker
- The version of Browserker should be read from the first entry in the CHANGELOG and baked into the Browserker image
- The header should be sent with every request using `Network.SetExtraHTTPHeaders`
- One test should verify that the header is present in a vulnerability evidence. This will have to be tested in DAST for now as the Browserker output does not contain header values
- DAST/ZAP should be updated to send a `Via` header, `GitLab DAST/ZAP [version]`, where `version` is the version of DAST. Limitations of the ZAP replacer mean that this will overwrite the `GitLab DAST/Crawler [version]` `Via` header sent by Browserker.
- Add a `Via-Scanner` header with value `Browserker` to DAST to indicate that the request was initiated by Browserker. This will help to determine if Browserker or ZAP created a vulnerability.
Edited by Cameron Swords