Browser-based DAST - Active Attack Parity
### Problem to solve
Browser-based DAST should have feature parity, in terms of active attacks, with ZAP as it is implemented today by GitLab, so that Browser-based DAST alone can be used for both passive and active scans.
### Implementation
To make active checks work, we have to add support for several keywords that are used to describe the checks. Those keywords are:
| Type | Issues Needing Functionality | Implementation |
|------|------------------------------|----------------|
| `match_response` | [required by 8 issues](https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=weight&state=opened&label_name%5B%5D=check%3A%3Aactive&label_name%5B%5D=dast-cwe-check-match-response) | https://gitlab.com/gitlab-org/gitlab/-/issues/333748+ |
| `timing` | [required by 5 issues](https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=weight&state=opened&label_name%5B%5D=check%3A%3Aactive&label_name%5B%5D=dast-cwe-check-timing) | https://gitlab.com/gitlab-org/gitlab/-/issues/333750+ |
| `callback` | [required by 5 issues](https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=weight&state=opened&label_name%5B%5D=check%3A%3Aactive&label_name%5B%5D=dast-cwe-check-callback) | https://gitlab.com/gitlab-org/gitlab/-/issues/333751+ |
There are a total of [11 active checks](https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=weight&state=opened&label_name%5B%5D=check%3A%3Aactive) that are part of this epic.
### Status
To see the research status of each rule, view this board: https://gitlab.com/groups/gitlab-org/-/boards/2838631?scope=all&label_name%5B%5D=check%3A%3Apassive
#### Prioritization
`match_response` and `timing` checks should be developed before `callback` checks.
#### Callback Server
A number of active checks require a callback server: the check injects a payload that, if the weakness is present, causes the application under test to connect back to that server, so the finding is confirmed out of band rather than from the response content. The server therefore needs to be accessible from both the DAST engine and the application under test. The callback server has to be developed and a method of deploying it needs to be created. https://gitlab.com/gitlab-org/gitlab/-/issues/333630
How the callback server is deployed may vary based on customer requirements, since it must be reachable from wherever the application under test runs.
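The three keywords in the table above and the callback server described here are detection strategies, not payloads. The Go block below is an added example written for this page, not the DAST engine's or the project's own code: it sketches one plausible evaluator per keyword. The function names, the thresholds (`timing` requiring two distinct requested delays, each honoured net of baseline latency), the random-token correlation scheme for callbacks, and the sample responses are all assumptions constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
	"sync"
	"time"
)

// Added example, not the DAST engine's code: one plausible evaluator for each
// of the three check keywords. Names and thresholds are assumptions.

// MatchResponse implements a `match_response` decision: the pattern must appear
// in the probe response and must NOT already appear in the unmodified baseline,
// otherwise a page that always contains the pattern would be reported.
func MatchResponse(pattern *regexp.Regexp, baseline, probe string) bool {
	return pattern.MatchString(probe) && !pattern.MatchString(baseline)
}

// TimingSample pairs the delay a probe asked the target to sleep for with the
// response time that was actually observed.
type TimingSample struct {
	Requested time.Duration
	Observed  time.Duration
}

// TimingConfirmed implements a `timing` decision. A single slow response is not
// evidence (the target may just be slow), so it requires at least two probes
// with different requested delays, and each observed delay, net of the
// baseline latency, must be at least what was requested.
func TimingConfirmed(baseline time.Duration, samples []TimingSample) bool {
	if len(samples) < 2 {
		return false
	}
	distinct := map[time.Duration]bool{}
	for _, s := range samples {
		if s.Observed-baseline < s.Requested {
			return false
		}
		distinct[s.Requested] = true
	}
	return len(distinct) >= 2
}

// CallbackServer is the bookkeeping half of a callback server: the engine
// registers a random token per injection point before sending the payload,
// the listener calls Record when the target connects with that token, and
// Confirmed maps the hit back to the check and location that caused it.
type CallbackServer struct {
	mu       sync.Mutex
	expected map[string]expectation
	hit      map[string]bool
}

type expectation struct{ CheckID, Location string }

func NewCallbackServer() *CallbackServer {
	return &CallbackServer{expected: map[string]expectation{}, hit: map[string]bool{}}
}

// Expect returns an unguessable token, so that unrelated traffic or a third
// party cannot fake a finding by hitting the listener.
func (c *CallbackServer) Expect(checkID, location string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	c.mu.Lock()
	c.expected[tok] = expectation{CheckID: checkID, Location: location}
	c.mu.Unlock()
	return tok, nil
}

// Record is called by the listener when the application under test connects.
// Tokens that were never registered are ignored.
func (c *CallbackServer) Record(token string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if _, ok := c.expected[token]; ok {
		c.hit[token] = true
	}
}

// Confirmed reports whether the token was hit and which check/location it belongs to.
func (c *CallbackServer) Confirmed(token string) (checkID, location string, ok bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if !c.hit[token] {
		return "", "", false
	}
	e := c.expected[token]
	return e.CheckID, e.Location, true
}

func main() {
	// Constructed responses standing in for what the browser would observe.
	marker := regexp.MustCompile(`dast-marker-[0-9a-f]{8}`)
	fmt.Println("match_response:", MatchResponse(marker, "<p>hello</p>", "<p>dast-marker-7f3a91c2</p>"))

	fmt.Println("timing:", TimingConfirmed(200*time.Millisecond, []TimingSample{
		{Requested: 3 * time.Second, Observed: 3250 * time.Millisecond},
		{Requested: 6 * time.Second, Observed: 6300 * time.Millisecond},
	}))

	cb := NewCallbackServer()
	tok, _ := cb.Expect("example-callback-check", "GET /fetch?url=")
	cb.Record(tok) // the listener would do this when the target connects
	id, loc, ok := cb.Confirmed(tok)
	fmt.Println("callback:", ok, id, loc)
}
```

The baseline comparison in `MatchResponse` and the two-delay rule in `TimingConfirmed` are the parts worth keeping whatever the real implementation looks like: both exist only to keep a check from firing on a page that already looks "vulnerable" or on a server that is merely slow.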
### Links and References
- [List of Rules and Status](https://docs.google.com/spreadsheets/d/1cQd0gtBltSpK7gyubLgBSQnGRQZ6YbjH6yiGVhgGEmc/edit#gid=1550798966)
- [Internal Planning Document](https://docs.google.com/document/d/1bzGXFsFXcK8kV2aBMJDv1SgyDzhd_1tff8OOPpgjNSg/edit#heading=h.316ctyeg44fh)
- [Browser-based DAST - Passive Attack Parity](https://gitlab.com/groups/gitlab-org/-/epics/5779 "Browser-based DAST - Passive Attack Parity") epic