Use Browserker authentication for normal DAST/ZAP scans
Proposal
DAST/ZAP and DAST/Browserker have similar but separate implementations of authentication. This issue proposes replacing the DAST/ZAP Selenium-based authentication with the DAST/Browserker authentication, so that there is a single authentication mechanism and customers using DAST are no longer confused by two sets of behaviour and documentation.
Implementation details
- Orchestrate Browserker authentication from DAST whenever authentication settings are provided
- Ensure Browserker supports all the options currently accepted by DAST/ZAP authentication
- Ensure users can always download the authentication report
- Note that authentication could happen in Chrome while the AJAX Spider scan happens in Firefox; the two browsers would not share a session. Firefox will be removed in DAST 2.0.
- [-] Throw an error if authentication runs on a ZAP scan and no cookie value is added to the ZAP server (nice to have)
- Promote the Browserker authentication documentation to the normal DAST authentication documentation
- Document the limitations that differ between DAST/Browserker and DAST/ZAP authentication:
  - DAST/Browserker can accept session storage, while DAST/ZAP does not.
- [-] Ensure an on-demand scan works with Browserker authentication (covered by #333646 (closed))
- [-] Remove the DAST Python authentication code (will be covered elsewhere)
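For orientation, the following is an added example of what a user-facing DAST job would look like once authentication is driven by the browser-based engine; it is not taken from this issue or from the GitLab project's own templates. The job name, the `dast` template include, and the variable and artifact names (`DAST_BROWSER_SCAN`, `DAST_AUTH_URL`, `DAST_USERNAME`, `DAST_PASSWORD`, `DAST_USERNAME_FIELD`, `DAST_PASSWORD_FIELD`, `DAST_AUTH_REPORT`, `gl-dast-debug-auth-report.html`) are assumptions about the DAST configuration at the time of writing and should be checked against the current DAST documentation before use.

```yaml
# Added example: a browser-based DAST scan with authentication.
# Variable and artifact names are assumptions; verify them against
# the DAST documentation for the version of the analyzer in use.
include:
  - template: DAST.gitlab-ci.yml

dast:
  variables:
    DAST_WEBSITE: "https://staging.example.com"      # target to crawl and scan
    DAST_BROWSER_SCAN: "true"                        # use the browser-based (Browserker) engine
    DAST_AUTH_URL: "https://staging.example.com/login"
    DAST_USERNAME: "dast-scanner"
    DAST_PASSWORD: "$DAST_PASSWORD"                  # masked CI/CD variable, never a literal
    DAST_USERNAME_FIELD: "css:input[name=user]"      # selectors, not free text, so the
    DAST_PASSWORD_FIELD: "css:input[name=password]"  # login form is filled deterministically
    DAST_AUTH_REPORT: "true"                         # always produce the authentication report
  artifacts:
    when: always                                     # keep the report even if login fails
    paths:
      - gl-dast-debug-auth-report.html
    reports:
      dast: gl-dast-report.json
```

Two points worth noting from the checklist above. `artifacts.when: always` is what makes the authentication report downloadable on a failed login, which is the case where it is most useful. And because the browser-based engine authenticates and crawls in the same browser, the session (including session storage, which the ZAP path cannot carry) is reused by the scan rather than being re-exported as cookies to a second tool.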
References
This Slack thread shows some of the challenges of supporting multiple authentication mechanisms.
Summary:
If you’re not doing a browser-based scan:
[instructions]
If you are doing a browser-based scan:
[instructions]