Dynamic Application Security Testing

Dynamic Application Security Testing (DAST) runs penetration-test-like scans against a running instance of your application.

The test uses OWASP ZAProxy (https://github.com/zaproxy/zaproxy) to scan a running instance of your web application. It runs a passive scan, which means it only tries to discover your application by following links; it will not find links that are created dynamically, and it will not actively attack your application.

Before GitLab 12.0, this scan also used the Docker-in-Docker mechanism, but now it simply pulls a container image and runs the test inside it. This means the image is cached on the GitLab runners, so after it has been pulled for the first time, the security test will run faster.

As with SAST, you control how scanning happens through the .gitlab-ci.yml file, as follows:

dast:
  image: registry.gitlab.com/gitlab-org/security-products/zaproxy
  variables:
    website: "https://blog.joustie.nl"
  allow_failure: true
  script:
    - mkdir /zap/wrk/
    - /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
    - cp /zap/wrk/gl-dast-report.json .
  artifacts:
    reports:
      dast: gl-dast-report.json

When you push code to the repository, the DAST scan will start preparing, as shown in the following snippet. First, it will try to find the ZAProxy Docker container and pull it.

Running with gitlab-runner 11.7.0 (8bb608ff)
on host gGEycKK-
Using Docker executor with image registry.gitlab.com/gitlab-org/security-products/zaproxy ...
Pulling docker image registry.gitlab.com/gitlab-org/security-products/zaproxy ...
Using docker image sha256:cd12d3ce5fc66ef0c6b2cf0e6b745876b666aed7f9e859451eaef884b92cefa7 for registry.gitlab.com/gitlab-org/security-products/zaproxy ...

The scan will start as follows:

Running on runner-gGEycKK--project-2-concurrent-0 via Joosts-MBP.fritz.box...
Fetching changes...
Removing zap.out
HEAD is now at 6024894 Update .gitlab-ci.yml
From http://192.168.178.82/root/unsecure
6024894..e6b26fe master -> origin/master
Checking out e6b26fe5 as master...
Skipping Git submodules setup
$ mkdir /zap/wrk/
$ /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
2019-02-22 15:50:26,650 Params: ['zap-x.sh', '-daemon', '-port', '40096', '-host', '0.0.0.0', '-config', 'api.disablekey=true', '-config', 'api.addrs.addr.name=.*', '-config', 'api.addrs.addr.regex=true', '-config', 'spider.maxDuration=1', '-addonupdate', '-addoninstall', 'pscanrulesBeta']
Feb 22, 2019 3:50:34 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.

It will try to scan the whole website, as shown in the following example:

Total of 251 URLs
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Incomplete or No Cache-control and Pragma HTTP Header Set [10015]
PASS: Content-Type Header Missing [10019]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Information in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Viewstate Scanner [10032]
PASS: Secure Pages Include Mixed Content [10040]
PASS: CSP Scanner [10055]
PASS: Weak Authentication Method [10105]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Insecure JSF ViewState [90001]
PASS: Charset Mismatch [90011]
PASS: WSDL File Passive Scanner [90030]
PASS: Loosely Scoped Cookie [90033]

It will then report vulnerabilities immediately, as shown in the following snippet:

WARN-NEW: Web Browser XSS Protection Not Enabled [10016] x 112
http://blog.joustie.nl/
http://blog.joustie.nl/robots.txt
http://blog.joustie.nl/sitemap.xml
http://blog.joustie.nl
http://blog.joustie.nl/atom.xml
WARN-NEW: Cross-Domain JavaScript Source File Inclusion [10017] x 108
http://blog.joustie.nl/
http://blog.joustie.nl
http://blog.joustie.nl/tags/personal/
http://blog.joustie.nl/2019/01/12/2018-05-29-personalblog/
http://blog.joustie.nl/2018/05/29/2018-05-20-met-zn-allen-1-wereld/
.....
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 7 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 19
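The `|| true` in the job above keeps the job green whatever the baseline scan finds, so the decision of when a scan should block a pipeline has to be made somewhere else. As an added example (not code from the book or from the ZAP project), the following Python parses the console output format shown above and applies such a gate; the sample lines are constructed, and the hostname `blog.example.test`, the FAIL-NEW entry and the choice of thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample of zap-baseline.py console output in the format of the job log
# above; the hostname and the FAIL-NEW entry are made up for this example.
SAMPLE_OUTPUT = """\
Total of 251 URLs
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
WARN-NEW: Web Browser XSS Protection Not Enabled [10016] x 112
\thttp://blog.example.test/
WARN-NEW: Cross-Domain JavaScript Source File Inclusion [10017] x 108
\thttp://blog.example.test/
FAIL-NEW: X-Frame-Options Header Not Set [10020] x 3
\thttp://blog.example.test/
FAIL-NEW: 1 FAIL-INPROG: 0 WARN-NEW: 2 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 2
"""

STATUSES = ["FAIL-NEW", "FAIL-INPROG", "WARN-NEW", "WARN-INPROG", "INFO", "IGNORE", "PASS"]
# Per-rule line: "<STATUS>: <rule name> [<plugin id>] x <instances>" (PASS lines have no " x N")
RESULT_LINE = re.compile(r"^(%s): (.+?) \[(\d+)\](?: x (\d+))?$" % "|".join(STATUSES))
# Final summary line, keys in the fixed order ZAP prints them
SUMMARY_LINE = re.compile("^" + " ".join(r"%s: (\d+)" % k for k in STATUSES) + "$")

def parse_baseline_output(text):
    """Return (findings, summary): one dict per rule line, plus ZAP's own totals."""
    findings, summary = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SUMMARY_LINE.match(line):
            summary = dict(zip(STATUSES, map(int, m.groups())))
        elif m := RESULT_LINE.match(line):
            status, name, plugin_id, count = m.groups()
            findings.append({"status": status, "name": name,
                             "plugin_id": int(plugin_id), "instances": int(count or 0)})
    # Cross-check: the rule lines must add up to the summary line (catches a truncated log)
    per_status = Counter(f["status"] for f in findings)
    if summary and any(per_status[k] != v for k, v in summary.items()):
        raise ValueError("rule lines do not match the summary line; truncated output?")
    return findings, summary

def gate(findings, fail_on_warn=False, ignore_ids=()):
    """Return (passed, reasons). FAIL results always block, WARN-NEW only on request;
    plugin ids in ignore_ids are documented accepted risks and are skipped."""
    blocking = {"FAIL-NEW", "FAIL-INPROG"} | ({"WARN-NEW"} if fail_on_warn else set())
    reasons = [f"{f['status']}: {f['name']} [{f['plugin_id']}] x {f['instances']}"
               for f in findings
               if f["status"] in blocking and f["plugin_id"] not in set(ignore_ids)]
    return not reasons, reasons
```

In the job, save the scan's console output to a file and call `parse_baseline_output` and `gate` on it from a short script that exits non-zero when `reasons` is not empty; with `allow_failure: true` still set, GitLab will then mark the job as failed but let the pipeline continue.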

After scanning, the report is created and uploaded as an artifact, as follows:

$ cp /zap/wrk/gl-dast-report.json .
Uploading artifacts...
gl-dast-report.json: found 1 matching files
Uploading artifacts to coordinator... ok id=6 responseStatus=201 Created token=LbTRyRU-
Job succeeded

As you can see from the preceding examples, by utilizing GitLab Runners with Docker, it is very easy to start a dynamic security scan.
