
DAST should automatically allow network requests essential for the page to load completely


DAST uses an internal scope service to allow/block certain network requests based on user configuration.

This scope service is intentionally disabled during the authorisation phase of the scan, so that third-party authorisation-related requests go through successfully. The target domain is automatically considered part of the scope.

However, over multiple previous RFHs I have observed that pages don't necessarily make all requests to the target domain. Instead, requests are made to a variety of domains, e.g. API calls, authorisation verification requests, etc.

Since the scope service is enabled during the crawl phase, customers often do not add all necessary domains to the allowlist. As a result, the target site loads successfully during the authorisation phase but fails to load during the crawl phase.

Proposal

Modify the scope service so that any request necessary to load the page is automatically allowed.
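The following is an added illustration of the behaviour described in this issue, not code from GitLab DAST. It models the scope service as a small allowlist filter that is bypassed during the authorisation phase and enforced during the crawl phase, and compares the current rule with the proposed one. The model makes one assumption that the issue does not spell out: a request "necessary to load the page" is identified as a request the browser issues while rendering a page (subresource or XHR), as opposed to the crawler navigating to a discovered link. All hosts, URLs and the request log are constructed for the example.

```python
"""Model of a DAST scope service: allowlist-based request filtering, plus the
proposed rule that requests a page makes while loading are always allowed.
Added example; the class and enum names are not GitLab's."""
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit


class Phase(Enum):
    AUTH = "auth"    # scope checks disabled so third-party auth redirects succeed
    CRAWL = "crawl"  # scope checks enforced


class Trigger(Enum):
    PAGE_LOAD = "page-load"    # subresource/XHR issued by the browser to render a page
    NAVIGATION = "navigation"  # crawler following a link it discovered


@dataclass
class ScopeService:
    target_url: str
    allowlist: set = field(default_factory=set)
    # Proposed behaviour (assumption: "necessary to load the page" == PAGE_LOAD trigger)
    allow_page_load_requests: bool = False
    phase: Phase = Phase.AUTH

    @property
    def target_host(self) -> str:
        return urlsplit(self.target_url).hostname

    def is_allowed(self, url: str, trigger: Trigger) -> bool:
        """Decide whether a request may leave the scanner in the current phase."""
        if self.phase is Phase.AUTH:
            return True  # scope service is off during authorisation
        host = urlsplit(url).hostname
        if host == self.target_host or host in self.allowlist:
            return True  # target domain is always in scope; allowlist is user config
        if self.allow_page_load_requests and trigger is Trigger.PAGE_LOAD:
            return True  # proposal: never block what the page itself needs to load
        return False


# Constructed request log for a target whose login page calls a separate API host.
CONSTRUCTED_REQUESTS = [
    ("https://app.example.test/login", Trigger.NAVIGATION),
    ("https://app.example.test/static/app.js", Trigger.PAGE_LOAD),
    ("https://api.example.test/session", Trigger.PAGE_LOAD),          # needed, not allowlisted
    ("https://idp.example.test/oauth/authorize", Trigger.NAVIGATION),  # third-party auth, allowlisted
    ("https://partner.example.test/docs", Trigger.NAVIGATION),         # out-of-scope link
]


def _scope(allow_page_load: bool, phase: Phase) -> ScopeService:
    return ScopeService(
        target_url="https://app.example.test/",
        allowlist={"idp.example.test"},  # customer allowlisted the IdP but forgot the API host
        allow_page_load_requests=allow_page_load,
        phase=phase,
    )


def auth_decisions() -> dict:
    """Authorisation phase: every request passes, so the page loads fully."""
    scope = _scope(allow_page_load=False, phase=Phase.AUTH)
    return {url: scope.is_allowed(url, trig) for url, trig in CONSTRUCTED_REQUESTS}


def crawl_decisions(allow_page_load: bool) -> dict:
    """Crawl phase, with the current rule (False) or the proposed rule (True)."""
    scope = _scope(allow_page_load, phase=Phase.CRAWL)
    return {url: scope.is_allowed(url, trig) for url, trig in CONSTRUCTED_REQUESTS}


def blocked_page_dependencies(allow_page_load: bool) -> list:
    """Page-load requests the crawl phase would block: the reason a site that
    loaded during authorisation fails to load during the crawl."""
    decisions = crawl_decisions(allow_page_load)
    return [url for url, trig in CONSTRUCTED_REQUESTS
            if trig is Trigger.PAGE_LOAD and not decisions[url]]


if __name__ == "__main__":
    print("current rule blocks:", blocked_page_dependencies(False))
    print("proposed rule blocks:", blocked_page_dependencies(True))
```

With the current rule the API call the page depends on is blocked in the crawl phase even though it passed during authorisation; with the proposed rule it is allowed, while the crawler's navigation to the unrelated partner host stays blocked by the allowlist as before.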
