Remove support for DAST_ variables in worker-entry

Problem

The DAST analyzer has been handling both website/webapp and web API testing. Existing users configure API scans using a subset of the DAST configuration variables. During our development of DAST API, backwards support for the API-related DAST_ variables was wanted, and support was added for some of them. This was to enable a transparent migration of users and also on-demand scans. However, as development proceeded it became clear that we should have separation between the two variable sets, CI templates, etc. DAST API configuration now occurs through DAST_API_ prefixed variables, different CI templates, etc.

With the work done on the on-demand scans to allow using DAST API instead of DAST for API-related scans, the code doesn't cleanly set only DAST_ or only DAST_API_ variables. It is expected that the resulting configuration will contain both DAST_ and DAST_API_ prefixed variables. This wouldn't be a problem, except that the API Security code still contains support for some of the DAST_ variables. This could pose a problem at some point.

The more pressing concern as we head towards a general release is users who use both analyzers. Consider this case: A user who has DAST configured with active scans with variables set globally (very common), adds in DAST API in passive mode to give it a shot. By supporting DAST_FULL_SCAN_ENABLED we might run an active scan instead of passive.

Proposal

Remove the three DAST_ variables from worker-entry. The variables have never been documented and pose a risk for users who use both DAST and DAST API, or on-demand scans. While on-demand scans will work in their current form, future changes could cause problems.

The most dangerous variable to keep is DAST_FULL_SCAN_ENABLED. A user who has both DAST and DAST API configured could set this variable globally, inadvertently affecting DAST API scans.

Variables to be removed:

  • DAST_HOST_OVERRIDE (will continue to be available as DAST_API_HOST_OVERRIDE)
  • DAST_REQUEST_HEADERS (will continue to be available as DAST_API_REQUEST_HEADERS)
  • DAST_FULL_SCAN_ENABLED
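The migration risk above, as a constructed example (not the analyzer's worker-entry code): a resolver that still honours the DAST_ names beside one that reads only DAST_API_ names, run against the environment of a user who has DAST active scanning set globally and adds DAST API. The resolver functions, the passive default and the sample values are assumptions; only the variable names come from this issue.

```python
from typing import Mapping

# Constructed example. The DAST_ names are the three the proposal removes; the
# DAST_API_ names are the replacements it lists. The resolver functions and the
# passive default are assumptions, not the analyzer's real worker-entry code.

# Legacy name that each DAST_API_ variable used to fall back to.
LEGACY_ALIASES = {
    "DAST_API_HOST_OVERRIDE": "DAST_HOST_OVERRIDE",
    "DAST_API_REQUEST_HEADERS": "DAST_REQUEST_HEADERS",
}
# DAST_FULL_SCAN_ENABLED has no DAST_API_ counterpart in the proposal.
REMOVED_VARS = sorted(LEGACY_ALIASES.values()) + ["DAST_FULL_SCAN_ENABLED"]


def resolve_with_legacy_fallback(env: Mapping[str, str]) -> dict:
    """Before the change: DAST_API_ wins, but the DAST_ alias is honoured when
    it is absent, and a global DAST_FULL_SCAN_ENABLED switches on active scanning."""
    cfg = {new: env.get(new, env.get(old)) for new, old in LEGACY_ALIASES.items()}
    cfg["active_scan"] = env.get("DAST_FULL_SCAN_ENABLED", "false").strip().lower() == "true"
    return cfg


def resolve_api_only(env: Mapping[str, str]) -> dict:
    """After the change: only DAST_API_ prefixed names are read. Active scanning
    defaults to off here (assumption); no DAST_* variable can change it."""
    cfg = {new: env.get(new) for new in LEGACY_ALIASES}
    cfg["active_scan"] = False
    return cfg


def stale_legacy_vars(env: Mapping[str, str]) -> list:
    """Migration check: removed DAST_ names still set in a DAST API job's
    environment. Worth a pipeline warning, since they are now silently ignored."""
    return [name for name in REMOVED_VARS if name in env]


# Constructed environment for the case in the issue: DAST active scanning set
# globally, DAST API added alongside it with only its own headers variable.
SHARED_ENV = {
    "DAST_FULL_SCAN_ENABLED": "true",
    "DAST_HOST_OVERRIDE": "api.internal.example",
    "DAST_API_REQUEST_HEADERS": "Authorization: Bearer <token>",
}

if __name__ == "__main__":
    print("before:", resolve_with_legacy_fallback(SHARED_ENV))  # active_scan True
    print("after: ", resolve_api_only(SHARED_ENV))              # active_scan False
    print("stale: ", stale_legacy_vars(SHARED_ENV))
```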
Edited by Michael Eddington