
Update DAST in ci jobs to version 2

Nikhil George requested to merge dastv2-update into master

What does this MR do?

  1. Update the existing DAST scan CI jobs in gitlab-org/gitlab to use the latest DAST version.
  2. Enable all relevant ZAP scan rules in the DAST CI jobs.
  3. Remove the sed command hacks from DAST CI job #240907 (closed)
List of scan rules and whether each is enabled:

| Rule ID | Rule Name | Enabled |
| --- | --- | --- |
| 10029 | Cookie Poisoning | YES |
| 20012 | Anti-CSRF Tokens Check | YES |
| 20014 | HTTP Parameter Pollution | YES |
| 40013 | Session Fixation | YES |
| 40026 | Cross Site Scripting (DOM Based) | NO (not running even if enabled) |
| 90019 | Server Side Code Injection | YES |
| 90023 | XML External Entity Attack | YES |
| 90034 | Cloud Metadata Potentially Exposed | YES |
| 0 | Directory Browsing | YES |
| 2 | Private IP Disclosure | YES |
| 3 | Session ID in URL Rewrite | YES |
| 7 | Remote File Inclusion | YES |
| 10010 | Cookie No HttpOnly Flag | YES |
| 10011 | Cookie Without Secure Flag | YES |
| 10017 | Cross-Domain JavaScript Source File Inclusion | YES |
| 10019 | Content-Type Header Missing | YES |
| 10021 | X-Content-Type-Options Header Missing | YES |
| 10023 | Information Disclosure - Debug Error Messages | YES |
| 10024 | Information Disclosure - Sensitive Information in URL | YES |
| 10025 | Information Disclosure - Sensitive Information in HTTP Referrer Header | YES |
| 10037 | Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s) | YES |
| 10040 | Secure Pages Include Mixed Content | YES |
| 10054 | Cookie Without SameSite Attribute | YES |
| 10055 | CSP | YES |
| 10056 | X-Debug-Token Information Leak | YES |
| 10098 | Cross-Domain Misconfiguration | YES |
| 10105 | Weak Authentication Method | YES |
| 10202 | Absence of Anti-CSRF Tokens | YES |
| 20019 | External Redirect | YES |
| 40003 | CRLF Injection | YES |
| 40008 | Parameter Tampering | YES |
| 40012 | Cross Site Scripting (Reflected) | YES |
| 40014 | Cross Site Scripting (Persistent) | YES |
| 40022 | SQL Injection - PostgreSQL | YES |
| 40018 | SQL Injection | NO |
| 90020 | Remote OS Command Injection | YES |
| 90022 | Application Error Disclosure | YES |
| 90033 | Loosely Scoped Cookie | YES |
| 90018 | Advanced SQL Injection | NO (time-out) |
| 6 | Path Traversal | NO (time-out) |
| 40016 | Cross Site Scripting (Persistent) - Prime | NO (informational) |
| 40017 | Cross Site Scripting (Persistent) - Spider | NO (informational) |
| 41 | Source Code Disclosure - Git | NO |
| 42 | Source Code Disclosure - SVN | NO |
| 43 | Source Code Disclosure - File Inclusion | NO |
| 10003 | Vulnerable JS Library | NO |
| 10015 | Incomplete or No Cache-control and Pragma HTTP Header Set | NO |
| 10020 | X-Frame-Options Header | NO |
| 10020-1 | X-Frame-Options Header Not Set | NO |
| 10020-2 | Multiple X-Frame-Options Header Entries | NO |
| 10020-3 | X-Frame-Options Defined via META (Non-compliant with Spec) | NO |
| 10020-4 | X-Frame-Options Setting Malformed | NO |
| 10026 | HTTP Parameter Override | NO |
| 10027 | Information Disclosure - Suspicious Comments | NO |
| 10028 | Open Redirect | NO |
| 10030 | User Controllable Charset | NO |
| 10031 | User Controllable HTML Element Attribute (Potential XSS) | NO |
| 10032 | Viewstate | NO |
| 10032-1 | Potential IP Addresses Found in the Viewstate | NO |
| 10032-2 | Emails Found in the Viewstate | NO |
| 10032-3 | Old Asp.Net Version in Use | NO |
| 10032-4 | Viewstate without MAC Signature (Unsure) | NO |
| 10032-5 | Viewstate without MAC Signature (Sure) | NO |
| 10032-6 | Split Viewstate in Use | NO |
| 10033 | Directory Browsing | NO |
| 10034 | Heartbleed OpenSSL Vulnerability (Indicative) | NO |
| 10035 | Strict-Transport-Security Header | NO |
| 10036 | HTTP Server Response Header | NO |
| 10038 | Content Security Policy (CSP) Header Not Set | NO |
| 10039 | X-Backend-Server Header Information Leak | NO |
| 10041 | HTTP to HTTPS Insecure Transition in Form Post | NO |
| 10042 | HTTPS to HTTP Insecure Transition in Form Post | NO |
| 10043 | User Controllable JavaScript Event (XSS) | NO |
| 10044 | Big Redirect Detected (Potential Sensitive Information Leak) | NO |
| 10045 | Source Code Disclosure - /WEB-INF folder | NO |
| 10047 | HTTPS Content Available via HTTP | NO |
| 10048 | Remote Code Execution - Shell Shock | NO |
| 10050 | Retrieved from Cache | NO |
| 10051 | Relative Path Confusion | NO |
| 10052 | X-ChromeLogger-Data (XCOLD) Header Information Leak | NO |
| 10053 | Apache Range Header DoS (CVE-2011-3192) | NO |
| 10057 | Username Hash Found | NO |
| 10058 | GET for POST | NO |
| 10061 | X-AspNet-Version Response Header | NO |
| 10062 | PII Disclosure | NO |
| 10095 | Backup File Disclosure | NO |
| 10096 | Timestamp Disclosure | NO |
| 10097 | Hash Disclosure | NO |
| 10103 | Image Location and Privacy Scanner | NO |
| 10104 | User Agent Fuzzer | NO |
| 10106 | HTTP Only Site | NO |
| 10107 | Httpoxy - Proxy Header Misuse | NO |
| 10108 | Reverse Tabnabbing | NO |
| 10109 | Modern Web Application | NO |
| 20015 | Heartbleed OpenSSL Vulnerability | NO |
| 20016 | Cross-Domain Misconfiguration | NO |
| 20017 | Source Code Disclosure - CVE-2012-1823 | NO |
| 20018 | Remote Code Execution - CVE-2012-1823 | NO |
| 30001 | Buffer Overflow | NO |
| 30002 | Format String Error | NO |
| 30003 | Integer Overflow Error | NO |
| 40009 | Server Side Include | NO |
| 40019 | SQL Injection - MySQL | NO |
| 40020 | SQL Injection - Hypersonic SQL | NO |
| 40021 | SQL Injection - Oracle | NO |
| 40023 | Possible Username Enumeration | NO |
| 40024 | SQL Injection - SQLite | NO |
| 40025 | Proxy Disclosure | NO |
| 40027 | SQL Injection - MsSQL | NO |
| 40028 | ELMAH Information Leak | NO |
| 40029 | Trace.axd Information Leak | NO |
| 40032 | .htaccess Information Leak | NO |
| 40034 | .env Information Leak | NO |
| 40035 | Hidden File Finder | NO |
| 90001 | Insecure JSF ViewState | NO |
| 90011 | Charset Mismatch | NO |
| 90017 | XSLT Injection | NO |
| 90021 | XPath Injection | NO |
| 90024 | Generic Padding Oracle | NO |
| 90025 | Expression Language Injection | NO |
| 90027 | Cookie Slack Detector | NO |
| 90028 | Insecure HTTP Method | NO |
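For readers who want to see what pinning the DAST analyzer version and carrying the rule decisions from the table above looks like in a scheduled CI job, here is an added illustrative `.gitlab-ci.yml` fragment. It is not the configuration from this MR or from gitlab-org/gitlab: the job name, the include of the `Security/DAST.gitlab-ci.yml` template, and the `DAST_VERSION`, `DAST_WEBSITE`, `DAST_FULL_SCAN_ENABLED` and `DAST_EXCLUDE_RULES` variables follow the GitLab DAST documentation, the target URL is a constructed placeholder, and the excluded IDs are the rules the table marks as disabled for time-outs or as informational. `DAST_EXCLUDE_RULES` only turns rules off; the mechanism this MR uses to enable the additional ZAP rules is not shown on the page and is not reproduced here.

```yaml
# Added example (not the MR's own job definition); assumes the standard GitLab DAST template.
include:
  - template: Security/DAST.gitlab-ci.yml

dast:
  variables:
    # Pin the DAST analyzer major version, as the MR title describes.
    DAST_VERSION: 2
    # Constructed placeholder target; a real job points at the review/staging environment.
    DAST_WEBSITE: "https://dast-target.example.invalid"
    # Active scanning is required for the injection and XSS rules listed as enabled.
    DAST_FULL_SCAN_ENABLED: "true"
    # Rules from the table that stay disabled: 90018 and 6 (time-out), 40016 and 40017 (informational).
    DAST_EXCLUDE_RULES: "90018,6,40016,40017"
  rules:
    # Matches the MR note that these jobs run only on scheduled pipelines.
    - if: $CI_PIPELINE_SOURCE == "schedule"
```

Because the job runs only on schedule, a pipeline for the MR itself will not exercise it; validating a change like this means triggering a scheduled pipeline (or temporarily adjusting the `rules`, as the MR author did) and checking the resulting DAST report for the expected rule coverage.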

Screenshots or Screencasts (strongly suggested)

How to setup and validate locally (strongly suggested)

As the DAST CI jobs are scheduled jobs, they won't be triggered in this MR pipeline. Please refer to https://gitlab.com/gitlab-org/gitlab/-/pipelines/367700301 to see the DAST scan jobs in action (the DAST jobs were triggered there by modifying the rules).

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Nikhil George
