Use DAST 2.0 when running on-demand scans
Problem to solve
DAST 2.0 replaced the old Selenium WebDriver authentication with Browserker authentication (#331751, closed). One breaking change related to this is that if any of DAST_USERNAME_FIELD, DAST_PASSWORD_FIELD or DAST_SUBMIT_FIELD is set, then all three are required. Previously, DAST would search for each field in isolation from the others.
This breaking change doesn't work for on-demand scans, because the user cannot set DAST_SUBMIT_FIELD from the on-demand scan UI.
Proposal
- Browserker should attempt to figure out what the DAST_SUBMIT_FIELD is even if it is not set.
  - The logic to find the field should be compatible with the DAST 1.x.x implementation.
  - This is a faster solution than attempting to retrofit the on-demand scan UI.
- DAST should configure Browserker to use the xpath selector xpath://*[@type='submit' or @type='button']
- The on-demand scan CI job configuration should be updated to use DAST 2.0.
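To make the proposal concrete, here is an added example (not DAST or Browserker code) that contrasts the strict DAST 2.0 all-or-nothing rule with the proposed fallback, where a missing DAST_SUBMIT_FIELD defaults to the xpath selector above. The AuthFields type, function names and the sample selector values are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// DefaultSubmitSelector is the selector the issue proposes Browserker should
// fall back to when DAST_SUBMIT_FIELD is not set.
const DefaultSubmitSelector = "xpath://*[@type='submit' or @type='button']"

// AuthFields mirrors the three DAST_*_FIELD variables (hypothetical type).
type AuthFields struct {
	Username string // DAST_USERNAME_FIELD
	Password string // DAST_PASSWORD_FIELD
	Submit   string // DAST_SUBMIT_FIELD
}

var ErrIncompleteAuthFields = errors.New(
	"DAST_USERNAME_FIELD, DAST_PASSWORD_FIELD and DAST_SUBMIT_FIELD must all be set when any is set")

// validateStrict models the DAST 2.0 breaking change: if any of the three
// fields is set, all three are required. An on-demand scan can only supply the
// first two, so it is always rejected here.
func validateStrict(f AuthFields) error {
	anySet := f.Username != "" || f.Password != "" || f.Submit != ""
	allSet := f.Username != "" && f.Password != "" && f.Submit != ""
	if anySet && !allSet {
		return ErrIncompleteAuthFields
	}
	return nil
}

// resolveWithFallback models the proposal: username and password must still be
// set together, but a missing submit field is filled with the generic selector
// instead of failing the scan.
func resolveWithFallback(f AuthFields) (AuthFields, error) {
	if (f.Username == "") != (f.Password == "") {
		return f, errors.New("DAST_USERNAME_FIELD and DAST_PASSWORD_FIELD must be set together")
	}
	if f.Username != "" && f.Submit == "" {
		f.Submit = DefaultSubmitSelector
	}
	return f, nil
}

func main() {
	// Constructed on-demand scan configuration: no submit field available.
	onDemand := AuthFields{Username: "css:#username", Password: "css:#password"}
	fmt.Println("strict:", validateStrict(onDemand))
	resolved, err := resolveWithFallback(onDemand)
	fmt.Println("fallback:", resolved.Submit, err)
}
```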
Intended users
User experience goal
When users run an on-demand scan it should run using DAST 2.0.
What is the type of buyer?
Edited by Cameron Swords