Turn on browser-based active checks
## Problem
Browser-based active checks are not enabled by default. Once a check has been tested and marked as ready, it should be enabled by default for all users.
## Proposal
Change the default of the feature flag `DAST_FF_ENABLE_BROWSER_BASED_ATTACKS` to `true`. Explicitly setting it to `false` must still disable browser-based attacks, so the flag keeps working as an opt-out.
- Enable the browser-based 22.1 check and disable the corresponding ZAP path traversal attack (rule 6).
- Verify the 22.1 check works by testing DVWA and the OWASP Benchmark path traversal vulnerable pages.
## Implementation plan
- Release Browserker `1.0.11`, which contains https://gitlab.com/gitlab-org/security-products/analyzers/browserker/-/merge_requests/1194.
- Set `DAST_FF_ENABLE_BROWSER_BASED_ATTACKS` to `true` by default.
- Write a test that asserts browser-based checks do not run when `DAST_FF_ENABLE_BROWSER_BASED_ATTACKS` is explicitly set to `false`, so the opt-out keeps working after the default changes.
- Remove `--env DAST_FF_ENABLE_BROWSER_BASED_ATTACKS="true"` from `test_browserker_active_check_22_1`, since the flag is now enabled by default.
- Review the documentation and update it to describe the new default and how users can opt out by setting the flag to `false`.
- Write a blog post.
## Testing
<details>
<summary>OWASP Benchmark DAST configuration to test 22.1</summary>
```yaml
stages:
- dast
include:
- template: DAST.gitlab-ci.yml
dast:
variables:
DAST_WEBSITE: "https://host/benchmark"
DAST_BROWSER_SCAN: "true"
DAST_FULL_SCAN_ENABLED: "true"
DAST_BROWSER_NUMBER_OF_BROWSERS: 3
DAST_BROWSER_CRAWL_GRAPH: "true"
DAST_BROWSER_LOG: "loglevel:info"
DAST_BROWSER_FILE_LOG: "loglevel:debug,activ:trace,webgw:trace"
DAST_BROWSER_FILE_LOG_PATH: "$CI_PROJECT_DIR/dast-scan.log"
DAST_EXCLUDE_URLS: "https://host/benchmark/cmdi-Index.html,https://host/benchmark/securecookie-Index.html,https://host/benchmark/ldapi-Index.html,https://host/benchmark/sqli-Index.html,https://host/benchmark/trustbound-Index.html,https://host/benchmark/crypto-Index.html,https://host/benchmark/hash-Index.html,https://host/benchmark/weakrand-Index.html,https://host/benchmark/xpathi-Index.html,https://host/benchmark/xss-Index.html"
artifacts:
paths: [dast-scan.log]
when: always
```
</details>
<details>
<summary>Example browserker debug TOML configuration for the OWASP Benchmark path traversal test</summary>
```toml
PluginResourcePath = "$PWD/browserker/test/integration/checks"
SecureReport = "$PWD/browserker/output/gl-dast-report.json"
FileLogPath = "$PWD/browserker/output/debug.log"
AllowedHosts = []
ExcludedElements = []
ExcludedHosts = []
ExcludedURIs = []
IgnoredHosts = []
MaxActions = 10000
MaxDepth = 10
NumBrowsers = 1
ScanMode = "active"
ShowBrowser = true
BrowserWidth = 1300
BrowserHeight = 700
CustomHashAttributes = []
DataPath = "$PWD/browserker/output/data"
URL = "https://localhost:8443/benchmark/pathtraver-00/BenchmarkTest00001"
NavigationTimeout = "15s"
ActionTimeout = "7s"
StabilityTimeout = "7s"
WaitAfterNavigation = "6s"
WaitAfterAction = "800ms"
SearchElementTimeout = "3s"
ExtractElementTimeout = "5s"
ElementTimeout = "300ms"
ActiveScanTimeout = "3h"
DOMReadyAfterTimeout = "500ms"
OnlyIncludeChecks = ["22.1"]
DisableCache = false
LogChromiumProcessOutput = false
[FileLogLevels]
LogLevel = "debug"
[ConsoleLogLevels]
LogLevel = "info"
ACTIV = "trace"
WEBGW = "trace"
```
</details>
<details>
<summary>Example bash_unit test against the OWASP Benchmark path traversal page</summary>
```sh
#!/bin/bash
# Testing framework: https://github.com/pgrange/bash_unit
# Scanner image under test; override with BUILT_IMAGE=<image> in the environment.
: "${BUILT_IMAGE:=dast}"
# Shared end-to-end helpers (setup_test_dependencies and, presumably, IP_ADDRESS)
# live next to this file, so ShellCheck cannot follow the source.
# shellcheck disable=SC1091
source "./end-to-end-test-helpers.sh"
setup_suite() {
  # Prepare the suite: run the shared helper setup, then create the bridge
  # network that the scanner and target containers share. stdout (the network
  # id) is silenced; stderr is kept so a leftover network from an aborted run
  # still shows up in the log. The function always reports success to bash_unit.
  setup_test_dependencies
  docker network create test >/dev/null || true
}
teardown_suite() {
  # Best-effort cleanup: the network may already be gone, so all output is
  # discarded and the function always returns 0.
  docker network rm test >/dev/null 2>&1 || true
}
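test_owasp_benchmark() {
  # Active-scan a single OWASP Benchmark path traversal page with only the
  # browser-based check 22.1 enabled, then pretty-print the report for review.
  # No DAST_FF_ENABLE_BROWSER_BASED_ATTACKS override is passed: this test relies
  # on browser-based attacks being enabled by default.
  #
  # IP_ADDRESS is expected from the sourced helpers (the Benchmark container on
  # the "test" network); abort with a clear message instead of scanning
  # "https://:8443/..." when it is unset or empty.
  : "${IP_ADDRESS:?IP_ADDRESS (OWASP Benchmark container address) must be set}"
  local target="https://${IP_ADDRESS}:8443/benchmark/pathtraver-00/BenchmarkTest00001"

  # The working directory is mounted as /output, so gl-dast-report.json is
  # written into ${PWD}; scanner stdout/stderr go to output/ for debugging.
  docker run --rm \
    -v "${PWD}":/output \
    --network test \
    --env DAST_BROWSER_INCLUDE_ONLY_RULES="22.1" \
    --env DAST_BROWSER_SCAN="true" \
    --env DAST_FULL_SCAN_ENABLED="true" \
    --env DAST_BROWSER_NUMBER_OF_BROWSERS=1 \
    --env DAST_BROWSER_CRAWL_GRAPH="true" \
    --env DAST_BROWSER_LOG="loglevel:info,activ:trace,webgw:trace" \
    "${BUILT_IMAGE}" /analyze -t "${target}" >output/test_owasp_benchmark.log 2>&1
  # $? is docker run's status; the redirections above are part of that command.
  assert_equals "0" "$?" "Expected to exit without errors"

  jq . <gl-dast-report.json >output/test_owasp_benchmark.json
}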
```
</details>
<details>
<summary>Example browserker debug TOML configuration for the DVWA path traversal test</summary>
```toml
PluginResourcePath = "$PWD/browserker/test/integration/checks"
SecureReport = "$PWD/browserker/output/gl-dast-report.json"
FileLogPath = "$PWD/browserker/output/debug.log"
AllowedHosts = []
ExcludedElements = []
ExcludedHosts = []
ExcludedURIs = []
IgnoredHosts = []
MaxActions = 1
MaxDepth = 1
NumBrowsers = 1
ScanMode = "active"
ShowBrowser = true
BrowserWidth = 1300
BrowserHeight = 700
CustomHashAttributes = []
DataPath = "$PWD/browserker/output/data"
URL = "http://localhost:8080/vulnerabilities/fi/?page=include.php"
NavigationTimeout = "15s"
ActionTimeout = "7s"
StabilityTimeout = "7s"
WaitAfterNavigation = "6s"
WaitAfterAction = "800ms"
SearchElementTimeout = "3s"
ExtractElementTimeout = "5s"
ElementTimeout = "300ms"
ActiveScanTimeout = "3h"
DOMReadyAfterTimeout = "500ms"
OnlyIncludeChecks = ["22.1"]
DisableCache = false
LogChromiumProcessOutput = false
[FileLogLevels]
LogLevel = "debug"
[ConsoleLogLevels]
LogLevel = "info"
ACTIV = "info"
WEBGW = "info"
[AuthDetails]
LoginURL = "http://localhost:8080/login.php"
UserName = "admin"
Password = "password"
UserNameField = "name:username"
PasswordField = "name:password"
SubmitButtonField = "name:Login"
```
</details>
<details>
<summary>Example bash_unit test against the DVWA path traversal page</summary>
```shell
#!/bin/bash
# Testing framework: https://github.com/pgrange/bash_unit
# Image to scan with; defaults to the locally built "dast" image unless
# BUILT_IMAGE is already set and non-empty.
: "${BUILT_IMAGE:=dast}"
# Suite helpers are sourced from the current directory (not resolvable by ShellCheck).
# shellcheck disable=SC1091
source "./end-to-end-test-helpers.sh"
setup_suite() {
  # Suite fixture: helper setup first, then the shared docker network.
  # The network id printed on stdout is dropped; errors stay visible on
  # stderr. Always return 0 so bash_unit proceeds to the tests.
  setup_test_dependencies
  docker network create test >/dev/null
  true
}
teardown_suite() {
  # Remove the shared network; ignore any failure (e.g. already removed).
  docker network rm test >/dev/null 2>&1
  true
}
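test_dvwa() {
  # Authenticated active scan of the DVWA file-inclusion page. Unlike the
  # Benchmark test no check filter is set, so every check may run, bounded by
  # DAST_BROWSER_MAX_ACTIONS=1. The browser-based 22.1 check is expected to run
  # only because DAST_FF_ENABLE_BROWSER_BASED_ATTACKS now defaults to true.
  #
  # IP_ADDRESS is expected from the sourced helpers (the DVWA container on the
  # "test" network); fail early rather than scanning "http://:8080/...".
  : "${IP_ADDRESS:?IP_ADDRESS (DVWA container address) must be set}"
  local base="http://${IP_ADDRESS}:8080"

  # admin/password are throwaway credentials for the local DVWA fixture only.
  # Do not copy this pattern for real targets: pass secrets via masked CI/CD
  # variables, and note that activ/webgw trace logging may record the login
  # exchange in the log file.
  docker run --rm \
    -v "${PWD}":/output \
    --network test \
    --env DAST_BROWSER_SCAN="true" \
    --env DAST_FULL_SCAN_ENABLED="true" \
    --env DAST_BROWSER_NUMBER_OF_BROWSERS=1 \
    --env DAST_BROWSER_LOG="loglevel:info,activ:trace,webgw:trace" \
    --env DAST_WEBSITE="${base}/vulnerabilities/fi/?page=include.php" \
    --env DAST_AUTH_URL="${base}/login.php" \
    --env DAST_USERNAME="admin" \
    --env DAST_PASSWORD="password" \
    --env DAST_USERNAME_FIELD="name:username" \
    --env DAST_PASSWORD_FIELD="name:password" \
    --env DAST_SUBMIT_FIELD="name:Login" \
    --env DAST_BROWSER_MAX_ACTIONS=1 \
    "${BUILT_IMAGE}" /analyze >output/test_dvwa.log 2>&1
  # $? is docker run's status; the redirections are part of that command.
  assert_equals "0" "$?" "Expected to exit without errors"

  # The report is written to the mounted /output (= ${PWD}); keep a readable copy.
  jq . <gl-dast-report.json >output/test_dvwa.json
}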
```
</details>