Release active check CWE-943 NoSQL injection
Problem
The browser-based active check https://gitlab.com/gitlab-org/gitlab/-/issues/330698+ has a vulnerability definition file and has been implemented and tested by the DAST team. The check has not been released for use by customers.
Proposal
The check should be removed from the alpha checks and released.

Attacks: 1 (timing).
Reference
Implementation plan
- Active check documentation should describe the vulnerability. If it does not, run the [regenerate-docs](https://gitlab.com/gitlab-org/security-products/dast-cwe-checks/-/blob/main/scripts/regenerate_docs.sh) script and update the docs.
- In the DAST Python code, ensure the check is listed as a non-alpha browserker check.
  - Do not specify any callback attacks (BAS can do this if they please).
  - Ensure all replaced ZAP checks are listed in `replaced_zap_check`.
- Verify that an end-to-end test exists for the check in the browserker code repository. You may also want to write an end-to-end test in the DAST code; this is not necessary for all active checks.
- Verify the check detects a finding in a real, intentionally vulnerable web app.
  - OWASP Benchmark or DVWA are good candidates for this. You can see how we run them in the browserker tests `test_owasp_benchmark()` and `test_dvwa()`.
  - When you run your test, look at the log file to ensure that a finding is created. Make sure what was injected is what you expected and that it was injected into the correct part of the HTTP request.
  - Also check the generated `gl-dast-report.json` (at `test/end-to-end/output/<test-name>`) for the expected `scanned_resources` and vulnerability `identifiers`.
  - For example, the test case below was run against a locally running OWASP Benchmark to verify the correct working behaviour of check `22.1`.
Example bash_unit test case (don't check this in; it is only for running manually):

```bash
#!/bin/bash
# Testing framework: https://github.com/pgrange/bash_unit

# Image under test; override with BUILT_IMAGE=<image> when running locally.
BUILT_IMAGE=${BUILT_IMAGE:-dast}

# shellcheck disable=SC1091
source "./end-to-end-test-helpers.sh"

setup_suite() {
  setup_test_dependencies
  # Shared network so the scanner container can reach the target app.
  docker network create test >/dev/null
  true
}

teardown_suite() {
  docker network rm test >/dev/null 2>&1
  true
}

test_owasp_benchmark() {
  # Restrict the scan to check 22.1 so the log and report only contain
  # output from the check being released.
  docker run --rm \
    -v "${PWD}":/output \
    --network test \
    --env DAST_BROWSER_INCLUDE_ONLY_RULES="22.1" \
    --env DAST_BROWSER_SCAN="true" \
    --env DAST_FULL_SCAN_ENABLED="true" \
    --env DAST_BROWSER_NUMBER_OF_BROWSERS=1 \
    --env DAST_BROWSER_CRAWL_GRAPH="true" \
    --env DAST_BROWSER_LOG="loglevel:info,activ:trace,webgw:trace" \
    "${BUILT_IMAGE}" /analyze -t "https://${IP_ADDRESS}:8443/benchmark/pathtraver-00/BenchmarkTest00001" >output/test_owasp_benchmark.log 2>&1
  assert_equals "0" "$?" "Expected to exit without errors"
  # Pretty-print the report so scanned_resources and identifiers are easy to inspect.
  jq . < gl-dast-report.json > output/test_owasp_benchmark.json
}
```
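The checklist above says to inspect `gl-dast-report.json` for the expected `scanned_resources` and vulnerability `identifiers`. The following script is an added example for doing that inspection programmatically; it is not part of the DAST project code. It assumes the report follows the GitLab security report schema (`scan.scanned_resources[]` entries with `method`, `type` and `url`; `vulnerabilities[]` entries with a `location` carrying `method`, `path` and `param`, and an `identifiers[]` list with `type`, `name` and `value`). The sample report, hostnames, paths and parameter names are constructed for the example.

```python
"""Check a gl-dast-report.json for an expected active-check finding.

Added example for this release checklist, not DAST project code. It assumes
the report follows the GitLab security report schema, where
`scan.scanned_resources[]` entries carry `method`, `type` and `url`, and
each `vulnerabilities[]` entry carries `location` (`method`, `path`,
`param`) and an `identifiers[]` list with `type`, `name` and `value`.
The hostnames, paths and parameter names below are constructed.
"""
from __future__ import annotations

import json
import sys

# Constructed, abbreviated sample report: not real scanner output.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "scan": {
        "status": "success",
        "scanned_resources": [
            {"method": "GET", "type": "url",
             "url": "https://target.example:8443/app/search?q=test"},
            {"method": "POST", "type": "url",
             "url": "https://target.example:8443/app/login"},
        ],
    },
    "vulnerabilities": [
        {
            "name": "NoSQL injection",
            "severity": "High",
            "location": {
                "hostname": "https://target.example:8443",
                "method": "POST",
                "path": "/app/login",
                "param": "username",
            },
            "identifiers": [
                {"type": "cwe", "name": "CWE-943", "value": "943",
                 "url": "https://cwe.mitre.org/data/definitions/943.html"},
            ],
        },
    ],
})


def load_report(text: str) -> dict:
    """Parse report JSON text into a dict."""
    return json.loads(text)


def scanned_urls(report: dict) -> set[str]:
    """All URLs the scanner reports having crawled or attacked."""
    return {r["url"] for r in report.get("scan", {}).get("scanned_resources", [])}


def findings_with_cwe(report: dict, cwe_value: str) -> list[dict]:
    """Vulnerabilities carrying a CWE identifier with the given numeric value."""
    return [
        v for v in report.get("vulnerabilities", [])
        if any(i.get("type") == "cwe" and str(i.get("value")) == cwe_value
               for i in v.get("identifiers", []))
    ]


def verify_finding(report: dict, expected_url: str, cwe_value: str,
                   expected_param: str | None = None) -> list[str]:
    """Return a list of problems; an empty list means the report matches.

    Checks that the target URL was actually scanned, that at least one finding
    carries the expected CWE, and (optionally) that the finding was raised
    against the expected request parameter rather than somewhere else.
    """
    problems: list[str] = []
    if expected_url not in scanned_urls(report):
        problems.append(f"{expected_url} missing from scan.scanned_resources")
    findings = findings_with_cwe(report, cwe_value)
    if not findings:
        problems.append(f"no vulnerability with identifier CWE-{cwe_value}")
    elif expected_param is not None:
        params = {f.get("location", {}).get("param") for f in findings}
        if expected_param not in params:
            got = sorted(p for p in params if p)
            problems.append(f"CWE-{cwe_value} finding not on param {expected_param!r} (got {got})")
    return problems


if __name__ == "__main__":
    # Usage: python check_report.py gl-dast-report.json <url> [cwe] [param]
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = load_report(fh.read())
        url = sys.argv[2]
        cwe = sys.argv[3] if len(sys.argv) > 3 else "943"
        param = sys.argv[4] if len(sys.argv) > 4 else None
    else:
        data, url, cwe, param = (load_report(SAMPLE_REPORT),
                                 "https://target.example:8443/app/login", "943", "username")
    issues = verify_finding(data, url, cwe, param)
    print("OK" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Pointing this at the report produced by the bash_unit run (for example `test/end-to-end/output/test_owasp_benchmark/gl-dast-report.json`) with the target URL and the parameter the check should have injected into turns the manual "look at the JSON" step into a pass/fail check; it deliberately reports a finding raised on the wrong parameter as a failure, since that is the case the checklist warns about.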