Implement the X-Content-Type-Header Missing vulnerability check in DAST browser-based engine
Proposal
Implement the first DAST CWE check to be included in Browserker.
The CWE-693 Configuration (X-Content-Type-Header Missing) passive check has been identified as the first to be included as it is relatively simple to implement.
Implementation details
- Cam: Create `VulnerabilityCheck` type
- Cam: Hard code a new instance of the X-Content-Type-Header Missing vulnerability check with details populated from the YAML definition
  - This allows some of the following steps to be developed in parallel
  - Remove this when parsing is complete
  - Cam: Copy the YAML definition of the vulnerability check and commit it into the Browserker code
- Cam: Parse YAML definitions from a known location to create instances of `VulnerabilityCheck`
- Craig: Register new instances of `VulnerabilityCheck` as a plugin - https://gitlab.com/gitlab-org/security-products/analyzers/browserker/-/merge_requests/275
- Cam/Craig: Ensure that the content type is checked in response headers (i.e. the check should run!)
  - For now, ignore `execution_mode`, `in` (assume response headers), `report_uniqueness`, `aggregate`
  - This will likely be done in the `VulnerabilityCheck.test(request, response)` method (or something similar)
- Craig: Test to ensure that the vulnerability check creates new vulnerabilities in the Secure report
  - `id`, `title`, `description`, `remediation` (solution), `links`, `cwe`, `severity` should all be present in the resulting vulnerability
  - Depends on #325237 (closed)
- Craig: Disable the ZAP check in DAST 10021 X-Content-Type-Options Header Missing
  - Only do this once we're ready to release the feature in its entirety!
- Craig: Configure Browserker to run in passive scan mode when DAST is set up with `DAST_BROWSER_SCAN: true`
  - Ensure that the only vulnerability check run is `693.1`
- Craig: Test to ensure that the vulnerability is produced in the resulting DAST output
  - Depends on #331186 (closed)
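The plan above describes a passive check that inspects response headers inside a `VulnerabilityCheck.test(request, response)` hook and emits a finding carrying `id`, `title`, `description`, `remediation`, `links`, `cwe` and `severity`. The following Go program is an added illustration of that shape, written for this page; it is not Browserker's code, and the `Vulnerability`, `VulnerabilityCheck`, `EvaluateResponse` names, the check's description and remediation text, and the `Low` severity are assumptions made for the example rather than values taken from the project's YAML definition.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Vulnerability is one entry a passive check contributes to the scan report.
// The fields are the ones the issue lists as mandatory in the Secure report.
// This is a hypothetical type written for the example, not Browserker's own.
type Vulnerability struct {
	ID, Title, Description, Remediation, CWE, Severity string
	Links                                               []string
	URL                                                 string // where the finding was observed
}

// VulnerabilityCheck carries a check's static metadata (what the YAML
// definition would supply) plus the predicate that decides whether a given
// response exhibits the weakness. Also a hypothetical type.
type VulnerabilityCheck struct {
	ID, Title, Description, Remediation, CWE, Severity string
	Links                                               []string
	Vulnerable                                          func(resp *http.Response) bool
}

// Test plays the role of the VulnerabilityCheck.test(request, response) hook
// from the plan: run the predicate and, on a hit, copy the metadata into a finding.
func (c VulnerabilityCheck) Test(req *http.Request, resp *http.Response) []Vulnerability {
	if req == nil || resp == nil || !c.Vulnerable(resp) {
		return nil
	}
	return []Vulnerability{{
		ID: c.ID, Title: c.Title, Description: c.Description,
		Remediation: c.Remediation, Links: c.Links, CWE: c.CWE,
		Severity: c.Severity, URL: req.URL.String(),
	}}
}

// missingNoSniff is the predicate for check 693.1. Browsers honour the header
// only when its value is a case-insensitive match for "nosniff", so any other
// value (or no header at all) leaves MIME sniffing enabled and is reported.
func missingNoSniff(resp *http.Response) bool {
	v := strings.TrimSpace(resp.Header.Get("X-Content-Type-Options"))
	return !strings.EqualFold(v, "nosniff")
}

// XContentTypeOptionsMissing is a constructed definition for check 693.1; the
// text fields and severity are assumed for this example, not copied from the
// project's YAML definition.
var XContentTypeOptionsMissing = VulnerabilityCheck{
	ID:          "693.1",
	Title:       "X-Content-Type-Options Header Missing",
	Description: "The response does not set X-Content-Type-Options: nosniff, so a browser may sniff the body and render it as a content type other than the declared one.",
	Remediation: "Send X-Content-Type-Options: nosniff on every response.",
	Links:       []string{"https://cwe.mitre.org/data/definitions/693.html"},
	CWE:         "CWE-693",
	Severity:    "Low",
	Vulnerable:  missingNoSniff,
}

// EvaluateResponse builds an in-memory request/response pair from plain values
// (constructed input, no network involved) and runs the check over it.
func EvaluateResponse(check VulnerabilityCheck, url string, headers map[string]string) []Vulnerability {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return nil
	}
	resp := &http.Response{StatusCode: http.StatusOK, Header: http.Header{}}
	for k, v := range headers {
		resp.Header.Set(k, v)
	}
	return check.Test(req, resp)
}

func main() {
	// Constructed sample responses: header absent, present with different case, correct.
	samples := []map[string]string{
		{"Content-Type": "text/html"},
		{"Content-Type": "text/html", "X-Content-Type-Options": "NoSniff"},
		{"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"},
	}
	for _, h := range samples {
		findings := EvaluateResponse(XContentTypeOptionsMissing, "https://example.test/", h)
		fmt.Printf("%v -> %d finding(s)\n", h, len(findings))
	}
}
```

Keeping the predicate separate from the metadata is what lets the later plan steps proceed independently: the hard-coded instance can be swapped for one parsed from YAML without touching `Test`, and the report fields the plan requires are filled from the definition rather than from the predicate.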