Use DAST 2.0 when running on-demand scans
Problem to solve
DAST 2.0 replaced the old Selenium WebDriver authentication with Browserker authentication (#331751, closed). One breaking change related to this is that if any of DAST_USERNAME_FIELD, DAST_PASSWORD_FIELD or DAST_SUBMIT_FIELD is set, then all three are required. Previously, DAST would search for each field in isolation from the others.
This breaking change does not work for on-demand scans, because the on-demand scan UI gives the user no way to set DAST_SUBMIT_FIELD.
Proposal
- Browserker should attempt to figure out what the DAST_SUBMIT_FIELD is even if it is not set.
  - The logic to find the field should be compatible with the DAST 1.x.x implementation.
  - This is a faster solution than attempting to retrofit the on-demand scan UI.
- DAST should configure Browserker to use the xpath selector xpath://*[@type='submit' or @type='button']
- The on-demand scan CI job configuration should be updated to use DAST 2.0.
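The following is an added example, not Browserker or GitLab DAST code, that models the two behaviours this issue contrasts with nothing but Python's standard-library HTML parser: the strict DAST 2.0 rule (any of the three auth variables set means all three are required) and the proposed fallback, where an unset DAST_SUBMIT_FIELD is derived from the first element matching xpath://*[@type='submit' or @type='button']. The id:/name: selector prefixes, the minimal selector matcher and the sample login page are assumptions made for this example.

```python
"""Added example (not Browserker/DAST code): strict vs fallback handling
of DAST_SUBMIT_FIELD. The id:/name: selector prefixes, the tiny matcher
and the sample page are assumptions of this example."""
from html.parser import HTMLParser

AUTH_VARS = ("DAST_USERNAME_FIELD", "DAST_PASSWORD_FIELD", "DAST_SUBMIT_FIELD")
FALLBACK_SUBMIT_SELECTOR = "xpath://*[@type='submit' or @type='button']"

# Constructed login page (not from the issue). The "Show password" button
# deliberately precedes the real submit control, so the generic fallback
# selector has more than one candidate.
SAMPLE_LOGIN_HTML = """
<form id="login" action="/session" method="post">
  <input type="text" name="user[login]" id="user_login">
  <input type="password" name="user[password]" id="user_password">
  <button type="button" id="toggle-password">Show password</button>
  <input type="submit" name="commit" value="Sign in" id="sign-in">
</form>
"""


class _Collector(HTMLParser):
    """Records every start tag with its attributes, in document order."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append({"tag": tag, **dict(attrs)})


def parse_elements(html):
    collector = _Collector()
    collector.feed(html)
    return collector.elements


def match(selector, elements):
    """First element matching an id:/name: selector or the one fallback
    xpath this issue proposes; None if nothing matches. A general xpath
    engine is out of scope, so any other selector raises."""
    if selector.startswith("id:"):
        return next((e for e in elements if e.get("id") == selector[3:]), None)
    if selector.startswith("name:"):
        return next((e for e in elements if e.get("name") == selector[5:]), None)
    if selector == FALLBACK_SUBMIT_SELECTOR:
        return next((e for e in elements
                     if e.get("type") in ("submit", "button")), None)
    raise ValueError(f"unsupported selector: {selector}")


def resolve_auth_fields(env, html, fallback_submit=True):
    """Map each configured auth variable to the element it selects.

    fallback_submit=False reproduces the all-or-nothing rule that breaks
    on-demand scans; True derives DAST_SUBMIT_FIELD when it is unset.
    Raises ValueError on partial configuration or on a selector that
    matches nothing, so a misconfigured scan fails instead of silently
    running unauthenticated.
    """
    configured = {v: env[v] for v in AUTH_VARS if env.get(v)}
    if not configured:
        return {}  # no authentication requested at all
    missing = [v for v in AUTH_VARS if v not in configured]
    if missing and not (fallback_submit and missing == ["DAST_SUBMIT_FIELD"]):
        raise ValueError(f"partial authentication config, missing {missing}")
    selectors = dict(configured)
    selectors.setdefault("DAST_SUBMIT_FIELD", FALLBACK_SUBMIT_SELECTOR)
    elements = parse_elements(html)
    resolved = {}
    for var, selector in selectors.items():
        element = match(selector, elements)
        if element is None:
            raise ValueError(f"{var}={selector} matched nothing")
        resolved[var] = element
    return resolved


def strict_error(env, html):
    """The error message the strict (DAST 2.0) rule produces, or None."""
    try:
        resolve_auth_fields(env, html, fallback_submit=False)
    except ValueError as exc:
        return str(exc)
    return None


# What an on-demand scan can set today: username and password, no submit.
ON_DEMAND_ENV = {
    "DAST_USERNAME_FIELD": "id:user_login",
    "DAST_PASSWORD_FIELD": "id:user_password",
}

if __name__ == "__main__":
    print("strict:  ", strict_error(ON_DEMAND_ENV, SAMPLE_LOGIN_HTML))
    print("fallback:", resolve_auth_fields(ON_DEMAND_ENV, SAMPLE_LOGIN_HTML)["DAST_SUBMIT_FIELD"])
```

On the constructed page the strict rule rejects the on-demand configuration outright, while the fallback selects the "Show password" button rather than the "Sign in" control, because the proposed xpath also matches type='button' and takes the first hit in document order. That is the caveat to keep in mind with a generic selector: it unblocks on-demand scans, but an explicitly configured DAST_SUBMIT_FIELD (id:sign-in here) remains the reliable option whenever the UI can offer it.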
Intended users
User experience goal
When users run an on-demand scan it should run using DAST 2.0.
What is the type of buyer?
Edited by Cameron Swords