DAST crawl report
Problem to solve
Debugging DAST issues on customer websites can be challenging. Often the website under test is not accessible outside the customer's local network, making it difficult to see what problems might be encountered during the scan.
Proposal
The browser-based DAST scanner currently offers engineers two aids for debugging: logging and the authentication report.
To assist engineers in debugging, add `DAST_CRAWL_REPORT`. Setting `DAST_CRAWL_REPORT` to `true` would take a snapshot of each screen and the complete DOM after each navigation completes, so that engineers have more information when debugging customer issues.
Example usage
```yaml
dast:
  variables:
    DAST_WEBSITE: "https://example.com"
    ...
    DAST_CRAWL_REPORT: "true"
    DAST_BROWSER_SCAN: "true"
  artifacts:
    paths: [gl-dast-debug-crawl-report.html]
    when: always
```
The report would only be available for customers using the browser-based DAST scanner.
This report has the potential to be huge, so the number of pages to report on should be restricted. A possible iteration could be to only report on certain sections of the site by URL.
Implementation Plan
- Add report functionality to the browser-based DAST scanner, capturing for each navigation:
  - Screenshot
  - DOM
  - Path
  - Headers
  - Session info
- Enable the configuration in DAST and pass it to the browser-based DAST scanner (throw an error when `DAST_CRAWL_REPORT` is `true` but `DAST_BROWSER_SCAN` is `false`).
- Document the functionality. This is an undocumented feature at this stage.
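As an added example (not code from this issue or from GitLab's scanner), a Go sketch of the two behaviours the plan calls for: the `DAST_CRAWL_REPORT`/`DAST_BROWSER_SCAN` consistency check, and a per-navigation collector that enforces the page cap mentioned above and redacts credential-bearing headers before they land in a shareable artifact. The `MaxPages` field and the redaction list are assumptions, not part of the proposal.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)

// ValidateCrawlReport enforces the plan's rule: the crawl report only exists
// in the browser-based scanner, so DAST_CRAWL_REPORT=true without
// DAST_BROWSER_SCAN=true is a configuration error.
func ValidateCrawlReport(env map[string]string) error {
	if strings.EqualFold(env["DAST_CRAWL_REPORT"], "true") &&
		!strings.EqualFold(env["DAST_BROWSER_SCAN"], "true") {
		return errors.New("DAST_CRAWL_REPORT=true requires DAST_BROWSER_SCAN=true")
	}
	return nil
}

// PageRecord holds the debugging data captured after one navigation
// (screenshot omitted here; it needs a live browser).
type PageRecord struct {
	Path    string
	Headers http.Header
	DOM     string
}

// CrawlReport collects records up to MaxPages (assumed cap, see the issue's
// note that the report could otherwise be huge).
type CrawlReport struct {
	MaxPages int
	Pages    []PageRecord
}

// Headers that commonly carry session credentials; the report is meant to be
// handed to engineers, so these are masked rather than copied verbatim.
var sensitiveHeaders = []string{"Authorization", "Cookie", "Set-Cookie"}

// Record stores one navigation; it returns false once the cap is reached.
// The caller's header map is cloned so redaction never alters the scan itself.
func (r *CrawlReport) Record(path string, hdr http.Header, dom string) bool {
	if len(r.Pages) >= r.MaxPages {
		return false
	}
	clean := hdr.Clone()
	for _, h := range sensitiveHeaders {
		if clean.Get(h) != "" {
			clean.Set(h, "[REDACTED]")
		}
	}
	r.Pages = append(r.Pages, PageRecord{Path: path, Headers: clean, DOM: dom})
	return true
}
```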