Diffstat (limited to 'doc/user/application_security/dast/browser_based.md')
-rw-r--r-- doc/user/application_security/dast/browser_based.md 11
1 files changed, 9 insertions, 2 deletions
diff --git a/doc/user/application_security/dast/browser_based.md b/doc/user/application_security/dast/browser_based.md
index c0d71a95f91..70c331f8840 100644
--- a/doc/user/application_security/dast/browser_based.md
+++ b/doc/user/application_security/dast/browser_based.md
@@ -302,8 +302,14 @@ The browser-based analyzer does not have an equivalent for proxy-based checks th
## Managing scan time
-It is expected that running the browser-based crawler results in better coverage for many web applications, when compared to the standard GitLab DAST solution.
-This can come at a cost of increased scan time.
+Running the browser-based crawler results in better coverage for many web applications when compared to the proxy-based scanner, and this increased coverage can come at a cost of increased scan time.
+
+Scan time is affected by:
+
+- The response time of the target site
+- The number of browsers concurrently running scans
+- The number and complexity of pages that are crawled
+- The number and complexity of security checks that are run
You can manage the trade-off between coverage and scan time with the following measures:
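Review bot: the new bullet list runs straight into the unchanged paragraph "You can manage the trade-off between coverage and scan time with the following measures:" with no blank line between them, so in Markdown that sentence becomes a lazy continuation of the last list item ("The number and complexity of security checks that are run") instead of its own paragraph; add a blank line after the last `-` item. Two of the listed factors (the number of concurrently running browsers, the number of checks run) are tunable through CI/CD variables covered elsewhere in this file, while the response time of the target site is not, and the list would be more useful if it said which factors the user controls and linked each to its variable in `#available-cicd-variables`, as the later bullets already do.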
@@ -315,6 +321,7 @@ You can manage the trade-off between coverage and scan time with the following m
- Prevent pages from being crawled using the [variable](#available-cicd-variables) `DAST_EXCLUDE_URLS`.
- Prevent elements being selected using the [variable](#available-cicd-variables) `DAST_BROWSER_EXCLUDED_ELEMENTS`. Use with caution, as defining this variable causes an extra lookup for each page crawled.
- If the target application has minimal or fast rendering, consider reducing the [variable](#available-cicd-variables) `DAST_BROWSER_DOM_READY_AFTER_TIMEOUT` to a smaller value. The default is `500ms`.
+- Selectively include only specific security checks. Use this, for example, to target a vulnerability type, such as cross-site scripting. Consider using the [variable](#available-cicd-variables) `DAST_EXCLUDE_RULES` to exclude security checks your team is not concerned about or `DAST_BROWSER_INCLUDE_ONLY_RULES` to run only security checks your team is concerned about.
## Timeouts
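Review bot: the added bullet opens with "Selectively include only specific security checks" but then recommends both `DAST_EXCLUDE_RULES` and `DAST_BROWSER_INCLUDE_ONLY_RULES`, and it does not say what the variables take as values (rule identifiers, a list separator) or which one wins when both are set; a reader tuning scan time needs both facts, so state them here or link to the variable's row in the table. The phrasing "checks your team is not concerned about or ... checks your team is concerned about" repeats itself; a tighter version that leads with the choice would be, for example: "- Run only the security checks you need. Set `DAST_BROWSER_INCLUDE_ONLY_RULES` to run a specific set of checks (for example, only cross-site scripting checks), or `DAST_EXCLUDE_RULES` to skip checks that are not relevant to your application." For consistency with the preceding bullets, which each begin with a single imperative and the linked `[variable](#available-cicd-variables)` reference, keep that pattern rather than three loosely joined sentences.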