DAST scan `DAST_REQUEST_HEADERS` doesn't always send headers
Summary
The DAST variable documentation says of a few variables that their headers "are added to every request". This does not appear to be the case while the scanner is running its target check.
Steps to reproduce
- Create a website that blocks all requests that lack a specific header.
- Set up the DAST scanner with that custom header in `DAST_REQUEST_HEADERS`.
- Notice that the header isn't sent in the initial target check.
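As an added reproduction harness (not code from this issue or from GitLab DAST): a local site that, like the one in the first step, rejects any request without a specific header and records which requests lacked it, so a scan against it can be checked for unheadered requests. The header name `X-Scanner-Token` and its value are assumed placeholders, and `probe` stands in for the scanner's own requests.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
# Added example, not DAST project code. The header name and value are assumed
# placeholders standing in for whatever is configured in DAST_REQUEST_HEADERS.
REQUIRED_HEADER = "X-Scanner-Token"
REQUIRED_VALUE = "constructed-secret"

class GatedHandler(BaseHTTPRequestHandler):
    """Allow only requests carrying the expected header; record every request."""
    seen = []  # (path, header_present) per request, shared across handler instances

    def do_GET(self):
        present = self.headers.get(REQUIRED_HEADER) == REQUIRED_VALUE
        GatedHandler.seen.append((self.path, present))
        self.send_response(200 if present else 403)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok" if present else b"blocked: missing scanner header")

    def log_message(self, *args):  # silence the default stderr access log
        pass

def start_server():
    """Bind an ephemeral localhost port and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), GatedHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(port, path="/", with_header=True):
    """Send one request, mimicking a scanner request with or without the custom header."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}{path}")
    if with_header:
        req.add_header(REQUIRED_HEADER, REQUIRED_VALUE)
    try:
        return urllib.request.urlopen(req, timeout=5).status
    except urllib.error.HTTPError as e:
        return e.code  # 403 is the WAF-style block the issue describes

def unheadered_requests():
    """Paths that arrived without the header: candidates for an unheadered target check."""
    return [path for path, present in GatedHandler.seen if not present]

if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print(probe(port, "/", True), probe(port, "/", False))  # 200 403
    print(unheadered_requests())  # ['/']
    srv.shutdown()
```

Point a DAST job at the printed port instead of `probe` and `unheadered_requests()` lists exactly the requests that would trip a WAF rule keyed on the custom header.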
What is the current bug behavior?
I was running into this issue when I was debugging why my WAF kept blocking my GitLab scanner because it detected it as a bot. I tried adding rules for a custom header I was sending in `DAST_REQUEST_HEADERS` and still got blocked. In addition, I attempted to see if the `Via` header (from `DAST_ADVERTISE_SCAN`) would work. After further digging into it, I noticed that there are requests coming from the DAST scanner's IP that aren't sending the `DAST_REQUEST_HEADERS` or the `Via` header when configured.
The documentation says (under the `DAST_BROWSER_ALLOWED_HOSTS` description):

> Headers set using `DAST_REQUEST_HEADERS` are added to every request made to these hostnames.
What is the expected correct behavior?
I would expect the headers to be sent during the target checks, OR that the documentation called out that the target check doesn't send the custom headers (and that, if these headers are needed, `DAST_SKIP_TARGET_CHECK` must be set to `true`).
Possible fixes
I recommend doing one of these things:
- Update the DAST code so the target check also sends the custom headers.
- Update the documentation to call out that if `DAST_SKIP_TARGET_CHECK` is not `true`, then `DAST_REQUEST_HEADERS` and/or the advertising `Via` header won't be sent.