Release active check CWE-74 XSLT Injection
Problem
The browser-based active check https://gitlab.com/gitlab-org/gitlab/-/issues/365426+ has a vulnerability definition file and has been implemented and tested by the DAST team. The check has not been released for use by customers.
Proposal
The check should be added as a non-alpha check and released.
Attacks: 3 match response.
Reference
Implementation plan
- Active check documentation should describe the vulnerability. If it does not, run the regenerate-docs script and update the docs.
- In the DAST Python code, ensure the check is listed as a non-alpha browserker check.
  - Do not specify any callback attacks (BAS can do this if they please).
  - Ensure all replaced zap checks are listed in `replaced_zap_check`.
- Verify that an end-to-end test exists for the check in the browserker code repository. You may want to write an end-to-end test in the DAST code; this may not be necessary for all active checks.
- Verify the check detects a finding in a real intentionally-vulnerable web app.
  - OWASP benchmark or DVWA are good candidates for this. You can see how we run them in the browserker tests `test_owasp_benchmark()` and `test_dvwa()`.
  - When you run your test, make sure you look at the log file to ensure that a finding is created. Make sure what was injected is what you expected and that it was injected into the correct part of the HTTP request.
  - Also check the generated `gl-dast-report.json` (at `test/end-to-end/output/<test-name>`) for the expected `scanned_resources` and vulnerability `identifiers`.
  - For example, this test case was run against a locally running OWASP benchmark to verify the correct working behaviour of check 22.1.
Example bash_unit test case (don't check this in, just for manually running):

```bash
#!/bin/bash
# Testing framework: https://github.com/pgrange/bash_unit

# Image under test; override with BUILT_IMAGE=<name> when running the suite.
BUILT_IMAGE=${BUILT_IMAGE:-dast}

# shellcheck disable=SC1091
source "./end-to-end-test-helpers.sh"

setup_suite() {
  setup_test_dependencies
  # Trailing "true" keeps the suite going if the network already exists.
  docker network create test >/dev/null
  true
}

teardown_suite() {
  docker network rm test >/dev/null 2>&1
  true
}

# Runs only check 22.1 against a single OWASP Benchmark test case.
# IP_ADDRESS is the address of the locally running Benchmark and is
# expected to be set in the environment before the suite is started.
test_owasp_benchmark() {
  docker run --rm \
    -v "${PWD}":/output \
    --network test \
    --env DAST_BROWSER_INCLUDE_ONLY_RULES="22.1" \
    --env DAST_BROWSER_SCAN="true" \
    --env DAST_FULL_SCAN_ENABLED="true" \
    --env DAST_BROWSER_NUMBER_OF_BROWSERS=1 \
    --env DAST_BROWSER_CRAWL_GRAPH="true" \
    --env DAST_BROWSER_LOG="loglevel:info,activ:trace,webgw:trace" \
    "${BUILT_IMAGE}" /analyze -t "https://${IP_ADDRESS}:8443/benchmark/pathtraver-00/BenchmarkTest00001" \
    >output/test_owasp_benchmark.log 2>&1
  assert_equals "0" "$?" "Expected to exit without errors"
  # Pretty-print the report next to the log so findings can be inspected by hand.
  jq . < gl-dast-report.json > output/test_owasp_benchmark.json
}
```
- https://github.com/stamparm/DSVW might be a good application to verify the vulnerability works as intended.
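As an added example (not the project's own code) of automating the report check in the verification step above: a small Python checker reads a `gl-dast-report.json`, confirms the target URL appears in `scanned_resources`, and confirms a finding carries the expected identifier and was injected into the expected parameter. The field layout (`scan.scanned_resources`, `vulnerabilities[].identifiers`, `vulnerabilities[].location`) is assumed to follow the GitLab security report schema, and the embedded report is constructed, not captured from a real scan.

```python
import json
from dataclasses import dataclass, field

# Constructed sample of a gl-dast-report.json, cut down to the fields read
# below. The layout (scan.scanned_resources, vulnerabilities[].identifiers,
# vulnerabilities[].location) is assumed to follow the GitLab security report
# schema; none of it comes from a real scan.
TARGET = "https://127.0.0.1:8443/benchmark/pathtraver-00/BenchmarkTest00001"
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "scan": {"scanned_resources": [{"method": "GET", "type": "url", "url": TARGET}]},
    "vulnerabilities": [{
        "id": "constructed-finding-1",
        "name": "XSLT Injection",
        "location": {"hostname": "https://127.0.0.1:8443", "method": "GET",
                     "param": "BenchmarkTest00001",
                     "path": "/benchmark/pathtraver-00/BenchmarkTest00001"},
        "identifiers": [{"type": "cwe", "name": "CWE-74", "value": "74",
                         "url": "https://cwe.mitre.org/data/definitions/74.html"}],
    }],
})


@dataclass
class ReportCheck:
    target_scanned: bool                                   # target URL is in scan.scanned_resources
    matching: list = field(default_factory=list)           # findings carrying the expected identifier
    in_expected_param: list = field(default_factory=list)  # ...and injected into the expected parameter

    def ok(self) -> bool:
        return self.target_scanned and bool(self.in_expected_param)


def check_report(report_json: str, target: str, id_type: str, id_value: str,
                 param: str) -> ReportCheck:
    """Evaluate the three things the manual step looks for, and report them
    separately so a failing run shows which expectation was missed."""
    report = json.loads(report_json)
    resources = report.get("scan", {}).get("scanned_resources", [])
    result = ReportCheck(target_scanned=any(r.get("url") == target for r in resources))
    for vuln in report.get("vulnerabilities", []):
        if not any(i.get("type") == id_type and i.get("value") == id_value
                   for i in vuln.get("identifiers", [])):
            continue
        result.matching.append(vuln)
        if vuln.get("location", {}).get("param") == param:
            result.in_expected_param.append(vuln)
    return result
```

Call `check_report(open(path).read(), target, "cwe", "74", param)` on the report written by the bash_unit run; a finding that matches the identifier but lands in `matching` only (not `in_expected_param`) is the "injected into the wrong part of the request" case the step warns about.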