# Browser-based scanner for DAST
## Problem
GitLab DAST currently uses OWASP ZAP as our DAST scanner. As ZAP is a proxy-based tool, it is impossible for it to fully scan modern, single-page web applications. Many applications (including GitLab) utilize DOM changes without a network request to enable forms and authentication. To fully scan modern web apps, we need to use a browser-based scanner that is able to read and make changes to the DOM directly, without needing a proxy.
## Proposal
Browserker is an MIT licensed browser-based scanner that shows a huge amount of promise in being able to scan SPAs. It is still very minimal and requires work to get it to a viable maturity, but, if that work can be done, it will significantly improve the results that our DAST offering will report. It will also allow for more options for authentication, allowing us to scan applications that use more complicated authentication methods.
The first step of Browserker development is getting it to run as a reliable spider. Crawl coverage is a major part of any DAST solution. Being able to accurately find the pages within a site is just as important as having accurate vulnerability checks: a test that discovers only 10% of a site deserves no more confidence than one that discovers 100% of the site but whose vulnerability checks are only 10% accurate. After the reliability and accuracy of the spider has been proven, we will move on to implementing vulnerability checks in Browserker. Regardless of whether we keep a proxy-based scanner and use the Browserker spider to feed it, the need for a true browser-based scanner is evident, since proxy-based tools cannot test an app that relies on DOM events and changes that happen without any change in the URL. Implementing vulnerability checks in Browserker allows for finding vulnerabilities that are only exposed after DOM changes.
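To make the coverage argument above concrete, here is an added illustration (not code from Browserker, GitLab DAST or ZAP): a toy model of a single-page application whose states are reached either by navigations that cause an HTTP request, which a proxy-based spider can observe, or by DOM event handlers that change the page client-side with no request at all. Two crawl strategies are run over the same model and their coverage compared. The state names, selectors and application layout are constructed for the example.

```javascript
// Constructed sample application. Each state lists two kinds of transitions:
//  - links:    navigations that issue an HTTP request (visible to a proxy-based scanner)
//  - handlers: DOM event handlers that switch state client-side with no request
//              (only a scanner driving a real browser can trigger and observe these)
const sampleApp = {
  "/":              { links: ["/about"],     handlers: { "click #open-login": "login-modal" } },
  "/about":         { links: ["/"],          handlers: {} },
  "login-modal":    { links: [],             handlers: { "click #next": "mfa-prompt" } },
  "mfa-prompt":     { links: ["/dashboard"], handlers: {} },
  "/dashboard":     { links: ["/"],          handlers: { "click #settings-tab": "settings-panel" } },
  "settings-panel": { links: [],             handlers: {} },
};

// Breadth-first crawl from `start`. With followDomEvents=false the crawler behaves like a
// proxy-fed spider: it only learns about states that are reached through a request.
// With followDomEvents=true it also fires every DOM handler it finds, like a browser-based spider.
function crawl(app, start, followDomEvents) {
  const seen = new Set([start]);
  const queue = [start];
  while (queue.length > 0) {
    const state = queue.shift();
    const node = app[state];
    const next = [...node.links];
    if (followDomEvents) {
      next.push(...Object.values(node.handlers));
    }
    for (const target of next) {
      if (!seen.has(target)) {
        seen.add(target);
        queue.push(target);
      }
    }
  }
  return seen;
}

// Summarise what a crawl found against the full set of states in the model.
function coverage(found, app) {
  const all = Object.keys(app);
  return {
    found: [...found].sort(),
    missed: all.filter((s) => !found.has(s)).sort(),
    ratio: found.size / all.length,
  };
}

const proxyStyle = coverage(crawl(sampleApp, "/", false), sampleApp);
const browserStyle = coverage(crawl(sampleApp, "/", true), sampleApp);

console.log("proxy-style crawl:  ", proxyStyle);
console.log("browser-style crawl:", browserStyle);
```

In this model the proxy-style crawl never leaves the two states reachable by plain navigation, so the login flow, the dashboard and the settings panel are never seen and nothing behind them can be tested; the browser-style crawl reaches every state because it fires the client-side handlers. That gap is the crawl-coverage problem the spider work is meant to close.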
## Project Priorities (Updated Dec 2022)
To complete the Browser-based scanner for DAST we have prioritized the work in https://gitlab.com/groups/gitlab-org/-/epics/8035+ as follows:
### Work Track 1 - Completing Browser-based DAST
| Priority | Epic |
| ------ | ------ |
| :white_check_mark: | https://gitlab.com/groups/gitlab-org/-/epics/5779+ |
| :white_check_mark: | https://gitlab.com/groups/gitlab-org/-/epics/8034+ |
| :white_check_mark: | https://gitlab.com/groups/gitlab-org/-/epics/9023+ |
| ~"priority::1" | https://gitlab.com/groups/gitlab-org/-/epics/5780+ |
| ~"priority::2" | https://gitlab.com/groups/gitlab-org/-/epics/8098+ |
| ~"priority::3" | https://gitlab.com/groups/gitlab-org/-/epics/5648+ |
| ~"priority::4" | https://gitlab.com/groups/gitlab-org/-/epics/9392+ |
### Work Track 2 - Support and Engine Improvements
While browser-based DAST work is ongoing, we expect other work will need to be completed. In that case, engineers will work on a separate track and prioritize their work as follows:
| Priority | Work item |
| ------ | ------ |
| ~"priority::1" | Customer Support |
| ~"priority::2" | https://gitlab.com/groups/gitlab-org/-/epics/9376+ |
| ~"priority::3" | Engineering Productivity |
| ~"priority::4" | Browser-based DAST Engine Improvements |
*This page may contain information related to upcoming products, features and functionality.
It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes.
Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.*