Send custom request headers on the target availability check
Problem
Request headers defined by the user with DAST_REQUEST_HEADERS are not sent in the target availability check.
Proposal
Add the request headers to the availability check. This is only safe when the host of the request is in scope. However, the target check only runs against the target host, so this is known to be safe without an explicit scope check.
It was originally thought that attacks would also need to add the custom headers. However, as attacks are generated off crawled requests, it follows that attack requests will already have the custom headers added.
Implementation plan
- TargetAvailabilityService.pingTarget should add the custom headers using request.Header.Set. Custom headers can be found in cfg.CustomHeaders.
- Update unit tests.
- Add a changelog entry.
Edited by Cameron Swords
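A sketch of the first step of the plan, added here as an illustration and not taken from the analyzer's code base. The Config type, its TargetHost field, the free-standing pingTarget signature and the X-Dast-Token header are assumptions; the host comparison goes slightly beyond the proposal to make the scope condition it relies on visible.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type Config struct {
	TargetHost    string            // hypothetical field: host:port of the scan target
	CustomHeaders map[string]string // named in the issue as cfg.CustomHeaders
}

// pingTarget sends the availability check, adding custom headers only for the target host.
func pingTarget(client *http.Client, cfg Config, rawURL string) (int, error) {
	request, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return 0, err
	}
	if strings.EqualFold(request.URL.Host, cfg.TargetHost) { // scope condition from the proposal
		for name, value := range cfg.CustomHeaders {
			request.Header.Set(name, value)
		}
	}
	resp, err := client.Do(request)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// demo runs the check against a constructed local server that returns 401 without the header.
func demo() (inScope, noHeaders, offHost int) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Dast-Token") != "constructed-token" {
			w.WriteHeader(http.StatusUnauthorized)
		}
	}))
	defer srv.Close()
	hdr := map[string]string{"X-Dast-Token": "constructed-token"}
	host := strings.TrimPrefix(srv.URL, "http://")
	inScope, _ = pingTarget(srv.Client(), Config{TargetHost: host, CustomHeaders: hdr}, srv.URL)
	noHeaders, _ = pingTarget(srv.Client(), Config{TargetHost: host}, srv.URL)
	offHost, _ = pingTarget(srv.Client(), Config{TargetHost: "other.example", CustomHeaders: hdr}, srv.URL)
	return
}

func main() { fmt.Println(demo()) }
```

Go's http.Client follows redirects and carries non-sensitive custom headers onto the redirected request, so a unit test for the real check is a good place to pin down what happens when the target redirects to another host.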