DAST Browser-based checks should have separate aggregated findings for different hosts
Problem
Aggregation is used in DAST browser-based scans to group findings that are related. This typically means that the fix would be in a single or few spots in the application, but may affect many pages of content served by the server.
When a scan detects many findings, these are aggregated based on the request path. Findings are sorted by request path, and the first on the list is added as the host and request/response evidence in the vulnerability finding to show the user.
If a finding contains aggregated findings from multiple hosts, then it is reasonable to assume that the fix will not take place in the same place, or even by the same team or project.
Proposal
DAST browser-based scans should create separate aggregated findings when there are multiple hosts.
Example
The following snippet of a single aggregated finding created by DAST browser-based scans shows the problem. `details` shows the multiple places where the finding was found. These are different hosts. The location chosen for the aggregated vulnerability is the first host, code.jquery.com. This hides the finding in the scan target dast-cwe-checks.
Ideally, these should be represented as two separate checks on the vulnerability dashboard.
```json
{
  "id": "f9853b61-b41c-11ec-8f32-0242c0a81003",
  "category": "dast",
  "confidence": "Medium",
  "cve": "16.7",
  "description": "The `Strict-Transport-Security` header...",
  "discovered_at": "2022-04-04T13:41:47.998",
  "evidence": {
    "request": {
      "headers": [(omitted)],
      "method": "GET",
      "url": "https://code.jquery.com/jquery-3.6.0.min.js"
    },
    "response": {
      "headers": [(omitted)],
      "reason_phrase": "OK",
      "status_code": 200
    },
    "summary": "https://code.jquery.com/jquery-3.6.0.min.js"
  },
  "scanner": {
    "id": "browserker",
    "name": "Browserker"
  },
  "identifiers": [
    {
      "name": "Strict-Transport-Security header missing or invalid",
      "type": "browserker",
      "url": "https://docs.gitlab.com/ee/user/application_security/dast/checks/16.7.html",
      "value": "16.7"
    },
    {
      "name": "CWE-16",
      "type": "CWE",
      "url": "https://cwe.mitre.org/data/definitions/16.html",
      "value": "16"
    }
  ],
  "location": {
    "hostname": "https://code.jquery.com",
    "method": "",
    "param": "",
    "path": ""
  },
  "details": {
    "urls": {
      "name": "URLs",
      "type": "list",
      "items": [
        {
          "type": "url",
          "href": "https://code.jquery.com/jquery-3.6.0.min.js"
        },
        {
          "type": "url",
          "href": "https://dast-cwe-checks:8090/"
        }
      ]
    }
  }
}
```
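To make the difference between the current and the proposed aggregation concrete, here is an added example (not code from the DAST browser-based scanner or from this issue) that models both behaviours over a small constructed set of raw detections. The `aggregate_by_check` function reproduces the behaviour described in the Problem section (one aggregate per check, ordered, first URL supplies the host and evidence), while `aggregate_by_check_and_host` applies the Proposal by adding the origin to the grouping key. The function names, the `check_id` field and the `/login` URL are assumptions; only the two URLs from the snippet above are taken from the issue. The current behaviour is simulated by sorting on the full URL, which is an assumption that reproduces the ordering shown in the snippet (code.jquery.com ahead of dast-cwe-checks).

```python
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed input: three raw detections of check 16.7 (Strict-Transport-Security
# missing), two on the scan target and one on a third-party host. Only the two
# URLs that appear in the issue's snippet are real; "/login" is made up.
RAW_FINDINGS = [
    {"check_id": "16.7", "url": "https://dast-cwe-checks:8090/login"},
    {"check_id": "16.7", "url": "https://code.jquery.com/jquery-3.6.0.min.js"},
    {"check_id": "16.7", "url": "https://dast-cwe-checks:8090/"},
]


def hostname(url: str) -> str:
    """Scheme + host[:port], the same form as `location.hostname` in the report."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def build_aggregate(check_id: str, urls: list) -> dict:
    """Emit one aggregated finding shaped like the report snippet.

    The first URL after ordering supplies `location` and `evidence`; every URL
    is listed under `details.urls` so the reader can see all affected places.
    """
    first = urls[0]
    return {
        "check_id": check_id,
        "location": {"hostname": hostname(first)},
        "evidence": {"summary": first},
        "details": {
            "urls": {
                "name": "URLs",
                "type": "list",
                "items": [{"type": "url", "href": u} for u in urls],
            }
        },
    }


def aggregate_by_check(findings: list) -> list:
    """Current behaviour as described in the issue: one aggregate per check id.

    Assumption: ordering on the full URL, which puts code.jquery.com ahead of
    dast-cwe-checks and therefore reports the third-party host as the location.
    """
    groups = OrderedDict()
    for f in findings:
        groups.setdefault(f["check_id"], []).append(f["url"])
    return [build_aggregate(cid, sorted(set(urls))) for cid, urls in groups.items()]


def aggregate_by_check_and_host(findings: list) -> list:
    """Proposed behaviour: the grouping key also contains the origin, so
    detections on different hosts never share an aggregate and the scan
    target keeps its own finding on the dashboard."""
    groups = OrderedDict()
    for f in findings:
        key = (f["check_id"], hostname(f["url"]))
        groups.setdefault(key, []).append(f["url"])
    return [build_aggregate(cid, sorted(set(urls))) for (cid, _host), urls in groups.items()]


if __name__ == "__main__":
    import json
    print("current:", json.dumps(aggregate_by_check(RAW_FINDINGS), indent=2))
    print("proposed:", json.dumps(aggregate_by_check_and_host(RAW_FINDINGS), indent=2))
```

With the current grouping the single aggregate reports `https://code.jquery.com` as its hostname and lists all three URLs under `details`; with the proposed grouping the scan target `https://dast-cwe-checks:8090` gets its own aggregate holding its two URLs, and the third-party host gets a separate one.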