E2E testing https checks
Problem to solve
Some browser-based scanner vulnerability checks only trigger when the URL under test is https; check 614.1 is one example.
Currently, our e2e fixtures all run over http, so checks like 614.1 are never triggered and therefore never fully tested.
Proposal
We have two options:
- Our e2e test manually inserts the cert into the cert database
- Browserker gains a feature allowing users to import a cert into the cert database used by Chromium
e2e manually insert cert
When running /analyzer run ... in an e2e test, that command could look something like:
docker run --rm \
[normal container setup in test/volumes/envs/etc...] \
-v "${PWD}/[cert-file]":/browserker/server-cert.pfx \
"${BUILT_IMAGE}" timeout -s ABRT 10m bash -c "apt-get update &&
apt-get install --assume-yes --no-install-recommends libnss3-tools &&
mkdir -p /home/gitlab/.pki/nssdb &&
certutil -d sql:/home/gitlab/.pki/nssdb -N --empty-password &&
/usr/bin/pk12util -d sql:/home/gitlab/.pki/nssdb -i /browserker/server-cert.pfx -W '' &&
./analyzer run ..."
[cert-file] in this case would need to be a PKCS#12 (.p12/.pfx) certificate bundle. It can be generated with openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt (use no password). The resulting server.pfx file is what gets imported into the nssdb database. Note the suggested openssl command works for the server.[key,crt] files in the dast/test/end-to-end/fixtures/mutual-tls/certs directory.
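The steps above as a small shell helper, added here as an example rather than code from the issue or the dast project. It builds the password-less bundle, imports it into the sql-format NSS database and verifies each step; the cert/key paths, the database location and the nickname "fixture" are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the project's own code): package the fixture server cert
# as a password-less PKCS#12 bundle, import it into the NSS DB Chromium reads,
# and verify each step. Paths, DB location and the nickname are assumptions.
set -eu

# Chromium matches the host against subjectAltName, not CN: an imported cert
# without a matching DNS SAN is still rejected. Usage: cert_covers_host <crt> <host>
cert_covers_host() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$2"
}

# Build the bundle the issue describes (no password), with a fixed friendly
# name so the NSS nickname is predictable. Usage: make_pfx <key> <crt> <out> <nick>
make_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -name "$4" -passout pass:
}

# Check the bundle opens with an empty password and carries the expected
# nickname before it goes near the browser profile. Usage: pfx_nickname <pfx>
pfx_nickname() {
  openssl pkcs12 -in "$1" -passin pass: -nokeys -clcerts 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Create the sql-format NSS DB if missing and import the bundle (the
# certutil/pk12util lines from the issue). Usage: import_pfx <nssdb> <pfx>
import_pfx() {
  local db="$1"
  mkdir -p "$db"
  [ -e "$db/cert9.db" ] || certutil -d "sql:$db" -N --empty-password
  pk12util -d "sql:$db" -i "$2" -W ''
}

# pk12util stores the cert with user trust ("u,u,u"). If Chromium must trust
# the self-signed fixture server cert, mark it as a trusted peer.
# Usage: trust_as_peer <nssdb> <nick>
trust_as_peer() {
  certutil -d "sql:$1" -M -n "$2" -t "P,,"
}

# Verify the import: certutil -L -n fails when the nickname is not in the DB.
# Usage: db_has_cert <nssdb> <nick>
db_has_cert() {
  certutil -d "sql:$1" -L -n "$2" >/dev/null 2>&1
}
```

Call make_pfx on the host, then import_pfx and db_has_cert inside the analyzer container; add trust_as_peer only when the scan must accept the fixture's certificate rather than present it as a client cert.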
Browserker import cert feature
Adding a feature to allow users to add an authorised certificate would be an extension of #352709. The Dockerfile would install libnss3-tools and, if the Config has a certificate, we would need to run the certutil/pk12util commands to add it to the nssdb prior to starting the scan.