Abort running authenticated DAST scan on authentication error (follow-up)
Problem to solve
Currently, an authenticated DAST scan proceeds to scan the target website even when the authentication attempt has failed: the error is only logged and the scan carries on. As a result, DAST scans only the public part of the target, and every protected page shows up as a 401, 403, or 404 HTTP response, which is far from what the user intended.
Intended users
Further details
Our wrapper around the DAST tool already raises an error on fatal conditions where it makes no sense to proceed further. The same error handling can be reused here for consistency.
Proposal
- Retry authentication against the target website several times when an attempt fails, with an exponential back-off between attempts
- When all authentication attempts have failed, raise an error with a descriptive error message so that the scan aborts instead of continuing unauthenticated
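The retry-then-abort behaviour proposed above, sketched in Python as an added example. This is not GitLab's DAST wrapper code; the `attempt` callable (which would wrap the wrapper's real login step, whether a form POST or a browser-driven login), the `AuthResult` type, the `scripted_login` helper and the target URL are all assumptions made for the illustration, and `sleep`/`jitter` are injectable so the back-off can be tested without waiting.

```python
import logging
import random
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Union

log = logging.getLogger("dast.auth")


class AuthenticationError(RuntimeError):
    """Raised when every authentication attempt against the target has failed."""


@dataclass
class AuthResult:
    ok: bool          # True when the login step produced an authenticated session
    status: int       # HTTP status observed on the final login response (0 = no response)
    detail: str = ""  # human-readable reason, used in logs and the abort message


def authenticate_with_retry(
    attempt: Callable[[], AuthResult],
    url: str,
    max_attempts: int = 3,
    base_delay: float = 1.0,
    max_delay: float = 30.0,
    sleep: Callable[[float], None] = time.sleep,
    jitter: Callable[[], float] = random.random,
) -> AuthResult:
    """Run `attempt` up to `max_attempts` times with exponential back-off.

    Returns the first successful AuthResult. If all attempts fail, raises
    AuthenticationError with a message naming the target and the last observed
    failure, so the caller aborts the scan instead of crawling only public pages.
    """
    if max_attempts < 1:
        raise ValueError("max_attempts must be >= 1")

    last: Optional[AuthResult] = None
    for n in range(1, max_attempts + 1):
        try:
            result = attempt()
        except Exception as exc:  # e.g. connection reset, timeout, browser driver crash
            result = AuthResult(ok=False, status=0, detail=f"{type(exc).__name__}: {exc}")

        if result.ok:
            log.info("authenticated against %s on attempt %d/%d", url, n, max_attempts)
            return result

        last = result
        log.warning("authentication attempt %d/%d against %s failed: HTTP %s %s",
                    n, max_attempts, url, result.status, result.detail)

        if n < max_attempts:
            # 1, 2, 4, ... seconds, capped at max_delay; jitter in [0, 1) spreads
            # retries so a flaky login endpoint is not hammered in lock-step.
            delay = min(max_delay, base_delay * 2 ** (n - 1)) * (1 + jitter())
            sleep(delay)

    raise AuthenticationError(
        f"Authenticated scan aborted: all {max_attempts} authentication attempts "
        f"against {url} failed (last failure: HTTP {last.status} {last.detail}). "
        "Check the login URL, the credentials and the login form field names."
    )


def scripted_login(outcomes: List[Union[AuthResult, Exception]]) -> Callable[[], AuthResult]:
    """Constructed stand-in for a real login step: yields the given outcomes in order."""
    queue = list(outcomes)

    def attempt() -> AuthResult:
        outcome = queue.pop(0)
        if isinstance(outcome, Exception):
            raise outcome
        return outcome

    return attempt


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    target = "https://app.example.test/login"  # hypothetical target

    # Constructed scenario 1: transient failures, then success on the third try.
    flaky = scripted_login([
        AuthResult(False, 302, "redirected back to login form"),
        ConnectionError("connection reset by peer"),
        AuthResult(True, 200, "session cookie set"),
    ])
    print(authenticate_with_retry(flaky, target, sleep=lambda s: None))

    # Constructed scenario 2: credentials are simply wrong; the scan must abort.
    broken = scripted_login([AuthResult(False, 401, "Unauthorized")] * 3)
    try:
        authenticate_with_retry(broken, target, sleep=lambda s: None)
    except AuthenticationError as err:
        print(err)
```

The important design point is that the abort is an exception, not a log line: whatever drives the scan has to catch `AuthenticationError` and exit non-zero, which is what makes the failure visible in the pipeline rather than buried under a report full of 401s.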
Permissions and Security
N/A
Documentation
The Authenticated Scan section in DAST documentation should be updated to reflect this behavior change.
What does success look like, and how can we measure that?
DAST authenticated scans stop if all authentication attempts have failed.
What is the type of buyer?
Links / references
This is a follow-up from the review process of https://gitlab.com/gitlab-org/gitlab-ee/issues/9873