Advertise browser-based scans using a request header
Problem
DAST exposes a CI/CD variable to the user, `DAST_ADVERTISE_SCAN`, which when set to `true` sends a series of `Via` and `Via-scanner` headers on requests made by DAST.
This is important for customers who configure firewalls to allow incoming traffic, as they will need to create a rule that allows DAST traffic based on the `Via` header.
Proposal
The advertise scanner feature should be added to browser-based DAST.
Implementation plan
- If `DAST_ADVERTISE_SCAN` or `DAST_REQUEST_ADVERTISE_SCAN` is `true`, save in the configuration that DAST should advertise the scan.
- Version information can be obtained using `browserk.Version()`.
- When advertising the scan:
  - Browserker already adds a `Via: GitLab DAST/Crawler x.x.x` header on requests intercepted from Chromium, where `x.x.x` is the version of browserker (see `gcdtab.go#buildCustomHeaders`). This should be changed to `Via: GitLab DAST x.x.x`.
  - If a `Via` header already exists when intercepting an HTTP request from Chromium, the header should be changed to `Via: [original value],GitLab DAST x.x.x`.
  - The target probe should send the `Via: GitLab DAST x.x.x` header when making HTTP requests (see `TargetAvailabilityService`).
  - Attacks should send the `Via: GitLab DAST x.x.x` header when making HTTP requests (see `HTTPClientWebServerGateway`).
  - There is no need to add a `Via-scanner` header like DAST does, as this is not documented.
- When not advertising the scan:
  - DAST should not send any `Via` or `Via-scanner` headers.
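The following is an added example of the header rules above, not browserker or DAST code; it is in Go because browserker is a Go codebase. `ShouldAdvertise`, `AdvertiseVia` and the version value are assumed names, the variables are read from a map standing in for the CI environment, and the real version would come from `browserk.Version()`.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// ShouldAdvertise reports whether either advertise variable is set to "true".
// The env map is a stand-in for the CI/CD environment (assumption).
func ShouldAdvertise(env map[string]string) bool {
	for _, key := range []string{"DAST_ADVERTISE_SCAN", "DAST_REQUEST_ADVERTISE_SCAN"} {
		if strings.EqualFold(strings.TrimSpace(env[key]), "true") {
			return true
		}
	}
	return false
}

// AdvertiseVia returns a copy of h with the Via header DAST should send.
// Not advertising: headers are returned unchanged and no Via-scanner header is ever added.
// Advertising: Via becomes "GitLab DAST x.x.x", or "[original value],GitLab DAST x.x.x"
// when the intercepted request already carried a Via header (for example from an upstream proxy).
func AdvertiseVia(h http.Header, advertise bool, version string) http.Header {
	out := h.Clone()
	if out == nil {
		out = http.Header{}
	}
	if !advertise {
		return out
	}
	tag := "GitLab DAST " + version
	if existing := out.Get("Via"); existing != "" {
		out.Set("Via", existing+","+tag)
	} else {
		out.Set("Via", tag)
	}
	return out
}

func main() {
	env := map[string]string{"DAST_REQUEST_ADVERTISE_SCAN": "true"} // constructed sample
	h := http.Header{}
	h.Set("Via", "1.1 proxy.example") // constructed upstream proxy value
	out := AdvertiseVia(h, ShouldAdvertise(env), "1.2.3") // "1.2.3" is a placeholder version
	fmt.Println(out.Get("Via"))
}
```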
Edited by Arpit Gogia