Show the list of resources scanned by DAST
Problem to solve
DAST runs against a target application and scans many resources. The list of scanned resources is valuable to customers for judging whether coverage is sufficient, or whether some section of the application has been skipped.
We should provide this list in the DAST report.
Intended users
- Sam, Security Analyst
Further details
This information depends on the underlying tool that we use (currently, ZAProxy). We need to abstract away the tool-specific output and provide a report format that we control.
Proposal
List the resources scanned by DAST and report them along with the DAST vulnerability list. This information can be available for download in the UI.
MVC Design:
| In the MR |
|---|
| Shows scanned URL count in the UI with a link to the DAST job log |
- "View more details" will take the user to the DAST job log, where the URL scanning information is present.
Edge cases:
- If DAST doesn't run: the DAST section will not appear.
- If DAST runs and does not return any vulnerability findings: the URL count and the link to the job log will still appear.
Permissions and Security
Users with permissions to see DAST results are also allowed to see the list of scanned resources.
Customers
Backend Implementation plan
- Define a schema that DAST will use to describe the requests and responses that were scanned. The request method, URL and response status code are the minimum required. Please document the schema in this issue description (example).
- Update DAST to output requests and their responses in the JSON output. Requests/responses for a spider scan (passive scan), AJAX scan and active scan should be returned (see https://github.com/zaproxy/zap-api-python).
- Print the URLs scanned to the DAST job log. Print the method and the URL.
- Add a field called `urls_scanned` to the `dast_reports` endpoint that is called by the MR widget. The field should contain the count of URLs scanned by DAST.
- Add a field called `link_to_urls_scanned`. The field should contain a URL that links to the line number in the job log where the URLs are printed to the screen (this could be considered not part of the MVC).
- Understand what happens when there is more than one DAST job in a pipeline.
- This should not break other Secure product MR widgets.
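The steps above hang together as one small pipeline: a schema for scanned resources, a loader for the JSON output, the job-log lines, and the two fields the MR widget reads. The following is an added example, not GitLab or ZAP code; the report layout (a `scanned` object keyed by scan phase), the phase names `spider`/`ajax_spider`/`active`, the `#L<n>` job-log anchor format, and the choice to count distinct URLs rather than distinct requests are all assumptions made here. The sample report is constructed.

```python
"""Added example (not GitLab/ZAP code): a minimal schema for the scanned
resources a DAST job reports, a loader for the assumed JSON layout, and
the two derived values the MR widget needs."""
import json
from dataclasses import dataclass

# Minimum fields the issue asks for per scanned request.
REQUIRED_FIELDS = ("method", "url", "status_code")
# Assumed phase names; ZAP's own output may name these differently.
SCAN_PHASES = ("spider", "ajax_spider", "active")


@dataclass(frozen=True)
class ScannedResource:
    method: str
    url: str
    status_code: int
    phase: str


def parse_scanned_resources(report: dict) -> list:
    """Flatten the per-phase lists of the assumed report layout into
    ScannedResource records, rejecting any entry that lacks a required field
    so a malformed report fails loudly instead of under-counting."""
    resources = []
    for phase in SCAN_PHASES:
        for entry in report.get("scanned", {}).get(phase, []):
            missing = [f for f in REQUIRED_FIELDS if f not in entry]
            if missing:
                raise ValueError(f"{phase} entry missing {missing}: {entry}")
            resources.append(ScannedResource(
                method=str(entry["method"]).upper(),
                url=entry["url"],
                status_code=int(entry["status_code"]),
                phase=phase,
            ))
    return resources


def urls_scanned(resources) -> int:
    """Count of distinct URLs: a URL hit by both the spider and the active
    scan counts once (a design choice, not something the issue specifies)."""
    return len({r.url for r in resources})


def job_log_lines(resources) -> list:
    """Lines to print to the DAST job log: method and URL, one per request,
    in scan order. Independent of whether any vulnerabilities were found."""
    return [f"{r.method} {r.url}" for r in resources]


def dast_reports_fields(resources, job_log_url: str, first_line: int) -> dict:
    """The two fields proposed for the dast_reports endpoint. The '#L<n>'
    anchor format is an assumption about how job-log line links are built."""
    return {
        "urls_scanned": urls_scanned(resources),
        "link_to_urls_scanned": f"{job_log_url}#L{first_line}",
    }


# Constructed sample report in the assumed layout; no findings, which is
# exactly the edge case where the URL count must still be reported.
SAMPLE_REPORT = json.loads("""
{
  "scanned": {
    "spider": [
      {"method": "GET", "url": "https://app.example/", "status_code": 200},
      {"method": "GET", "url": "https://app.example/login", "status_code": 200}
    ],
    "ajax_spider": [
      {"method": "GET", "url": "https://app.example/api/items", "status_code": 200}
    ],
    "active": [
      {"method": "POST", "url": "https://app.example/login", "status_code": 302},
      {"method": "GET", "url": "https://app.example/admin", "status_code": 403}
    ]
  },
  "vulnerabilities": []
}
""")

if __name__ == "__main__":
    found = parse_scanned_resources(SAMPLE_REPORT)
    for line in job_log_lines(found):
        print(line)
    print(dast_reports_fields(found, "https://gitlab.example/job/1", 1))
```

With the sample report this yields five scanned requests but an `urls_scanned` value of 4, because `/login` was reached by both the spider and the active scan; whether the widget should show requests or distinct URLs is one of the points the schema discussion needs to settle.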
Edited by Cameron Swords