Enable Breach Attack Simulation attacks in Browser-based DAST
Problem
The Breach Attack Simulation (BAS) team would like to enable DAST callback attacks in browser-based scans, even though DAST attacks are not yet generally available.
Proposal
A feature flag, DAST_FF_ENABLE_BAS, should be implemented. When set to "true", callback attacks that have been implemented and tested in DAST should run as part of a browser-based scan. Users are expected to also set DAST_BROWSER_SCAN: "true", since the attacks are only run by the browser-based scanner.
Browser-based attacks typically replace a ZAP check. When the BAS feature flag is "true", the ZAP checks that those attacks would replace will still run in the scan, as will all of the passive checks. Other attacks that belong to the same check as the enabled callback attack will not run.
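As an added illustration (not part of the original proposal), the following .gitlab-ci.yml fragment shows how a project would opt in to the proposed flag. It assumes the standard DAST template is included and that DAST_FF_ENABLE_BAS is read from the job's CI/CD variables in the same way as the existing DAST_* variables; the target URL is a placeholder.

```yaml
include:
  - template: Security/DAST.gitlab-ci.yml

dast:
  variables:
    # Placeholder target; replace with the application under test.
    DAST_WEBSITE: "https://app.example.test"
    # Required: BAS callback attacks only run in the browser-based scanner.
    DAST_BROWSER_SCAN: "true"
    # Proposed feature flag from this page (assumed to be a job variable).
    DAST_FF_ENABLE_BAS: "true"
```

With both variables set, the browser-based scan runs the implemented callback attacks alongside the ZAP checks they would otherwise replace and all passive checks, while the remaining attacks of those same checks are skipped, as described above.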
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.