Turn on browser-based active checks

Problem

Browser-based active checks are not turned on by default. When these have been tested and marked as ready, they should be enabled by default for all users.

Proposal

Set the feature flag DAST_FF_ENABLE_BROWSER_BASED_ATTACKS to true by default. Setting it to false should disable browser-based attacks.

  • Enable the Browser-based 22.1 check and disable the ZAP 6 path traversal attack.
  • Verify the 22.1 check works by testing DVWA and the OWASP Benchmark path traversal vulnerable pages.

Implementation plan

  • Release Browserker 1.0.11, which contains https://gitlab.com/gitlab-org/security-products/analyzers/browserker/-/merge_requests/1194.
  • Set DAST_FF_ENABLE_BROWSER_BASED_ATTACKS to true by default.
  • Write a test to make sure that if DAST_FF_ENABLE_BROWSER_BASED_ATTACKS is false, browser-based checks do not run.
  • Remove --env DAST_FF_ENABLE_BROWSER_BASED_ATTACKS="true" from test_browserker_active_check_22_1; it should be enabled by default.
  • Review the documentation to see what support we could provide our clients related to this update.
  • Write a blog post.

Testing

OWASP Benchmark DAST configuration to test 22.1

```yaml
stages:
  - dast

include:
  - template: DAST.gitlab-ci.yml

dast:
  variables:
    DAST_WEBSITE: "https://host/benchmark"
    DAST_BROWSER_SCAN: "true"
    DAST_FULL_SCAN_ENABLED: "true"
    DAST_BROWSER_NUMBER_OF_BROWSERS: "3"
    DAST_BROWSER_CRAWL_GRAPH: "true"
    DAST_BROWSER_LOG: "loglevel:info"
    DAST_BROWSER_FILE_LOG: "loglevel:debug,activ:trace,webgw:trace"
    DAST_BROWSER_FILE_LOG_PATH: "$CI_PROJECT_DIR/dast-scan.log"
    # Exclude the other Benchmark test categories so only the path traversal pages are scanned.
    DAST_EXCLUDE_URLS: "https://host/benchmark/cmdi-Index.html,https://host/benchmark/securecookie-Index.html,https://host/benchmark/ldapi-Index.html,https://host/benchmark/sqli-Index.html,https://host/benchmark/trustbound-Index.html,https://host/benchmark/crypto-Index.html,https://host/benchmark/hash-Index.html,https://host/benchmark/weakrand-Index.html,https://host/benchmark/xpathi-Index.html,https://host/benchmark/xss-Index.html"
  artifacts:
    paths: [dast-scan.log]
    when: always
```
Example browserker debug TOML configuration for OWASP path traversal example

```toml
PluginResourcePath = "$PWD/browserker/test/integration/checks"
SecureReport = "$PWD/browserker/output/gl-dast-report.json"
FileLogPath = "$PWD/browserker/output/debug.log"
AllowedHosts = []
ExcludedElements = []
ExcludedHosts = []
ExcludedURIs = []
IgnoredHosts = []
MaxActions = 10000
MaxDepth = 10
NumBrowsers = 1
ScanMode = "active"
ShowBrowser = true
BrowserWidth = 1300
BrowserHeight = 700
CustomHashAttributes = []
DataPath = "$PWD/browserker/output/data"
URL = "https://localhost:8443/benchmark/pathtraver-00/BenchmarkTest00001"
NavigationTimeout = "15s"
ActionTimeout = "7s"
StabilityTimeout = "7s"
WaitAfterNavigation = "6s"
WaitAfterAction = "800ms"
SearchElementTimeout = "3s"
ExtractElementTimeout = "5s"
ElementTimeout = "300ms"
ActiveScanTimeout = "3h"
DOMReadyAfterTimeout = "500ms"
# Run only the browser-based path traversal check.
OnlyIncludeChecks = ["22.1"]
DisableCache = false
LogChromiumProcessOutput = false

[FileLogLevels]
LogLevel = "debug"

[ConsoleLogLevels]
LogLevel = "info"
ACTIV = "trace"
WEBGW = "trace"
```
Example bash test for OWASP path traversal example

```bash
#!/bin/bash
# Testing framework: https://github.com/pgrange/bash_unit

BUILT_IMAGE=${BUILT_IMAGE:-dast}

# shellcheck disable=SC1091
source "./end-to-end-test-helpers.sh"

setup_suite() {
  setup_test_dependencies
  docker network create test >/dev/null

  true
}

teardown_suite() {
  docker network rm test >/dev/null 2>&1
  true
}

test_owasp_benchmark() {
  # Scan a single Benchmark path traversal page with only check 22.1 enabled.
  docker run --rm \
    -v "${PWD}":/output \
    --network test \
    --env DAST_BROWSER_INCLUDE_ONLY_RULES="22.1" \
    --env DAST_BROWSER_SCAN="true" \
    --env DAST_FULL_SCAN_ENABLED="true" \
    --env DAST_BROWSER_NUMBER_OF_BROWSERS=1 \
    --env DAST_BROWSER_CRAWL_GRAPH="true" \
    --env DAST_BROWSER_LOG="loglevel:info,activ:trace,webgw:trace" \
    "${BUILT_IMAGE}" /analyze -t "https://${IP_ADDRESS}:8443/benchmark/pathtraver-00/BenchmarkTest00001" >output/test_owasp_benchmark.log 2>&1
  assert_equals "0" "$?" "Expected to exit without errors"

  # The container writes gl-dast-report.json to /output, which is mounted from ${PWD}.
  jq . <gl-dast-report.json >output/test_owasp_benchmark.json
}
```
Example browserker debug configuration to test DVWA path traversal

```toml
PluginResourcePath = "$PWD/browserker/test/integration/checks"
SecureReport = "$PWD/browserker/output/gl-dast-report.json"
FileLogPath = "$PWD/browserker/output/debug.log"
AllowedHosts = []
ExcludedElements = []
ExcludedHosts = []
ExcludedURIs = []
IgnoredHosts = []
MaxActions = 1
MaxDepth = 1
NumBrowsers = 1
ScanMode = "active"
ShowBrowser = true
BrowserWidth = 1300
BrowserHeight = 700
CustomHashAttributes = []
DataPath = "$PWD/browserker/output/data"
URL = "http://localhost:8080/vulnerabilities/fi/?page=include.php"
NavigationTimeout = "15s"
ActionTimeout = "7s"
StabilityTimeout = "7s"
WaitAfterNavigation = "6s"
WaitAfterAction = "800ms"
SearchElementTimeout = "3s"
ExtractElementTimeout = "5s"
ElementTimeout = "300ms"
ActiveScanTimeout = "3h"
DOMReadyAfterTimeout = "500ms"
OnlyIncludeChecks = ["22.1"]
DisableCache = false
LogChromiumProcessOutput = false

[FileLogLevels]
LogLevel = "debug"

[ConsoleLogLevels]
LogLevel = "info"
ACTIV = "info"
WEBGW = "info"

# DVWA requires a login before the vulnerable page is reachable.
[AuthDetails]
LoginURL = "http://localhost:8080/login.php"
UserName = "admin"
Password = "password"
UserNameField = "name:username"
PasswordField = "name:password"
SubmitButtonField = "name:Login"
```
Example bash test for DVWA path traversal example

```bash
#!/bin/bash
# Testing framework: https://github.com/pgrange/bash_unit

BUILT_IMAGE=${BUILT_IMAGE:-dast}

# shellcheck disable=SC1091
source "./end-to-end-test-helpers.sh"

setup_suite() {
  setup_test_dependencies
  docker network create test >/dev/null

  true
}

teardown_suite() {
  docker network rm test >/dev/null 2>&1
  true
}

test_dvwa() {
  # Authenticated browser-based scan of the DVWA file inclusion page, limited to one action.
  docker run --rm \
    -v "${PWD}":/output \
    --network test \
    --env DAST_BROWSER_SCAN="true" \
    --env DAST_FULL_SCAN_ENABLED="true" \
    --env DAST_BROWSER_NUMBER_OF_BROWSERS=1 \
    --env DAST_BROWSER_LOG="loglevel:info,activ:trace,webgw:trace" \
    --env DAST_WEBSITE="http://${IP_ADDRESS}:8080/vulnerabilities/fi/?page=include.php" \
    --env DAST_AUTH_URL="http://${IP_ADDRESS}:8080/login.php" \
    --env DAST_USERNAME="admin" \
    --env DAST_PASSWORD="password" \
    --env DAST_USERNAME_FIELD="name:username" \
    --env DAST_PASSWORD_FIELD="name:password" \
    --env DAST_SUBMIT_FIELD="name:Login" \
    --env DAST_BROWSER_MAX_ACTIONS=1 \
    "${BUILT_IMAGE}" /analyze >output/test_dvwa.log 2>&1
  assert_equals "0" "$?" "Expected to exit without errors"

  jq . <gl-dast-report.json >output/test_dvwa.json
}
```
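The tests above only check the scanner's exit code and pretty-print gl-dast-report.json; the implementation plan also calls for verifying that check 22.1 fires on the vulnerable pages and that nothing browser-based runs when DAST_FF_ENABLE_BROWSER_BASED_ATTACKS is false. The following added example (not code from the issue or the DAST project) parses the report for both assertions. It assumes the GitLab security report layout (a top-level `vulnerabilities` list with `identifiers` and `location`) and that a browser-based check is identified by an identifier whose `value` is the check id, such as "22.1"; the sample reports are constructed, not scanner output.

```python
import json

CHECK_PATH_TRAVERSAL = "22.1"


def findings_for_check(report: dict, check_id: str) -> list:
    """Return the vulnerabilities attributed to the given check id.

    Assumption: the check id appears as the "value" of one of the
    vulnerability's identifiers.
    """
    return [
        v for v in report.get("vulnerabilities", [])
        if any(i.get("value") == check_id for i in v.get("identifiers", []))
    ]


def check_fired(report_json: str, check_id: str, expected_path: str) -> bool:
    """Positive case: the check reported a finding on the known-vulnerable path."""
    report = json.loads(report_json)
    return any(
        v.get("location", {}).get("path") == expected_path
        for v in findings_for_check(report, check_id)
    )


def no_browser_findings(report_json: str, check_ids=(CHECK_PATH_TRAVERSAL,)) -> bool:
    """Negative case for the feature flag set to false: no browser-based check fired."""
    report = json.loads(report_json)
    return not any(findings_for_check(report, c) for c in check_ids)


# Constructed sample of what the Benchmark run is expected to produce.
REPORT_WITH_FINDING = json.dumps({
    "version": "14.0.0",
    "vulnerabilities": [{
        "category": "dast",
        "name": "Path traversal",
        "severity": "High",
        # identifier "type" is an assumption; only "value" is matched above
        "identifiers": [{"type": "gitlab_check_id", "name": "Path traversal (22.1)", "value": "22.1"}],
        "location": {"hostname": "https://host", "method": "GET",
                     "path": "/benchmark/pathtraver-00/BenchmarkTest00001"},
    }],
})

# Constructed sample of a run with browser-based attacks disabled.
REPORT_EMPTY = json.dumps({"version": "14.0.0", "vulnerabilities": []})
```

Calling `check_fired` from the Benchmark and DVWA tests (with their respective paths) and `no_browser_findings` from a run with the flag set to false turns the scans into pass/fail tests rather than log dumps.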
Edited by Cameron Swords