Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/doc/user/application_security/dast
diff options
context:
space:
mode:
Diffstat (limited to 'doc/user/application_security/dast')
-rw-r--r--doc/user/application_security/dast/browser_based.md2
-rw-r--r--doc/user/application_security/dast/checks/1004.1.md41
-rw-r--r--doc/user/application_security/dast/checks/16.1.md33
-rw-r--r--doc/user/application_security/dast/checks/16.2.md44
-rw-r--r--doc/user/application_security/dast/checks/16.3.md35
-rw-r--r--doc/user/application_security/dast/checks/16.4.md28
-rw-r--r--doc/user/application_security/dast/checks/16.5.md30
-rw-r--r--doc/user/application_security/dast/checks/614.1.md40
-rw-r--r--doc/user/application_security/dast/checks/693.1.md36
-rw-r--r--doc/user/application_security/dast/checks/index.md20
-rw-r--r--doc/user/application_security/dast/index.md22
-rw-r--r--doc/user/application_security/dast/run_dast_offline.md2
12 files changed, 321 insertions, 12 deletions
diff --git a/doc/user/application_security/dast/browser_based.md b/doc/user/application_security/dast/browser_based.md
index 9c5b84f4f36..10ca3430b48 100644
--- a/doc/user/application_security/dast/browser_based.md
+++ b/doc/user/application_security/dast/browser_based.md
@@ -54,6 +54,7 @@ The browser-based crawler can be configured using CI/CD variables.
| `DAST_BROWSER_SCAN` | boolean | `true` | Configures DAST to use the browser-based crawler engine. |
| `DAST_BROWSER_ALLOWED_HOSTS` | List of strings | `site.com,another.com` | Hostnames included in this variable are considered in scope when crawled. By default the `DAST_WEBSITE` hostname is included in the allowed hosts list. |
| `DAST_BROWSER_EXCLUDED_HOSTS` | List of strings | `site.com,another.com` | Hostnames included in this variable are considered excluded and connections are forcibly dropped. |
+| `DAST_BROWSER_EXCLUDED_ELEMENTS` | selector | `a[href='2.html'],css:.no-follow` | Comma-separated list of selectors that are ignored when scanning. |
| `DAST_BROWSER_IGNORED_HOSTS` | List of strings | `site.com,another.com` | Hostnames included in this variable are accessed but not reported against. |
| `DAST_BROWSER_MAX_ACTIONS` | number | `10000` | The maximum number of actions that the crawler performs. For example, clicking a link, or filling a form. |
| `DAST_BROWSER_MAX_DEPTH` | number | `10` | The maximum number of chained actions that the crawler takes. For example, `Click -> Form Fill -> Click` is a depth of three. |
@@ -127,7 +128,6 @@ dast:
DAST_BROWSER_ACTION_TIMEOUT: "10s"
DAST_BROWSER_STABILITY_TIMEOUT: "15s"
DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT: "15s"
- DAST_BROWSER_ACTION_TIMEOUT: "10s"
DAST_BROWSER_ACTION_STABILITY_TIMEOUT: "3s"
```
diff --git a/doc/user/application_security/dast/checks/1004.1.md b/doc/user/application_security/dast/checks/1004.1.md
new file mode 100644
index 00000000000..cbbcea1d34d
--- /dev/null
+++ b/doc/user/application_security/dast/checks/1004.1.md
@@ -0,0 +1,41 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Sensitive cookie without `HttpOnly` attribute
+
+## Description
+
+The {cookie_name} cookie was transmitted in a `Set-Cookie` header without the `HttpOnly` attribute set.
+To prevent JavaScript being able to access the cookie value - usually via `document.cookies` - all
+cookies that are used for authorization or contain sensitive information should have the `HttpOnly` attribute
+set.
+
+## Remediation
+
+Most web application frameworks allow configuring how cookies are sent to user-agents. Consult your framework's
+documentation for more information on how to enable various security directives when assigning cookies to clients.
+
+If the application is assigning cookies via writing to the response headers directly, ensure all responses include
+the `HttpOnly` attribute. By enabling this protection, the application is able to mitigate the impact of
+certain Cross-Site Scripting (XSS) attacks.
+
+Example:
+
+```http
+Set-Cookie: {cookie_name}=<random secure value>; HttpOnly
+```
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 1004.1 | false | 1004 | Passive | Low |
+
+## Links
+
+- [owasp](https://owasp.org/www-community/HttpOnly)
+- [cwe](https://cwe.mitre.org/data/definitions/1004.html)
+- [Mozilla MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)
diff --git a/doc/user/application_security/dast/checks/16.1.md b/doc/user/application_security/dast/checks/16.1.md
new file mode 100644
index 00000000000..bb030d2f9c4
--- /dev/null
+++ b/doc/user/application_security/dast/checks/16.1.md
@@ -0,0 +1,33 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Missing Content-Type header
+
+## Description
+
+The `Content-Type` header ensures that user agents correctly interpret the data being received. Without this header
+being sent, the browser may misinterpret the data, leading to MIME confusion attacks. If an attacker were able
+to upload files that are accessible by using a browser, they could upload files that may be interpreted as
+HTML and so execute Cross-Site Scripting (XSS) attacks.
+
+## Remediation
+
+Ensure all resources return a proper `Content-Type` header that matches their format. As an example,
+when returning JavaScript files, the response header should be: `Content-Type: application/javascript`
+
+For added protection, we recommend that all resources return the `X-Content-Type-Options: nosniff`
+header to disable user agents from mis-interpreting resources.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 16.1 | true | 16 | Passive | Low |
+
+## Links
+
+- [cwe](https://cwe.mitre.org/data/definitions/16.html)
+- [Mozilla Blog on MIME Confusion attacks](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/)
diff --git a/doc/user/application_security/dast/checks/16.2.md b/doc/user/application_security/dast/checks/16.2.md
new file mode 100644
index 00000000000..95461e8677d
--- /dev/null
+++ b/doc/user/application_security/dast/checks/16.2.md
@@ -0,0 +1,44 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Server header exposes version information
+
+## Description
+
+The target website returns the `Server` header and version information of this website. By
+exposing these values, attackers may attempt to identify if the target software is vulnerable to known
+vulnerabilities, or catalog known sites running particular versions to exploit in the future when a
+vulnerability is identified in the particular version.
+
+## Remediation
+
+We recommend that the version information be removed from the `Server` header.
+
+Apache:
+For Apache based web sites, set the `ServerTokens` to `Prod` in the `httpd.conf` configuration file.
+
+NGINX:
+For NGINX based websites, set the `server_tokens` configuration value to `off` in the `nginx.conf` file.
+
+IIS:
+For IIS based websites version 10 and above you can use the `removeServerHeader` element to the `requestFiltering`
+section of the `Web.config` file.
+
+For all other server types, please consult your product's documentation on how to redact the version information from
+the `Server` header.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 16.2 | true | 16 | Passive | Low |
+
+## Links
+
+- [cwe](https://cwe.mitre.org/data/definitions/16.html)
+- [Apache ServerTokens](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/)
+- [NGINX server_tokens](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens)
+- [IIS 10 Remove Server Header](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/#attributes)
diff --git a/doc/user/application_security/dast/checks/16.3.md b/doc/user/application_security/dast/checks/16.3.md
new file mode 100644
index 00000000000..e4dcf3ece4b
--- /dev/null
+++ b/doc/user/application_security/dast/checks/16.3.md
@@ -0,0 +1,35 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# X-Powered-By header exposes version information
+
+## Description
+
+The target website returns the `X-Powered-By` header and version information of this website. By
+exposing these values, attackers may attempt to identify if the target software is vulnerable to known
+vulnerabilities, or catalog known sites running particular versions to exploit in the future when a
+vulnerability is identified in the particular version.
+
+## Remediation
+
+We recommend that the version information be removed from the `X-Powered-By` header.
+
+PHP:
+For PHP based web sites, set the `expose_php` option to `off` in the `php.ini` configuration file.
+
+For all other server types, please consult your product's documentation on how to redact the version
+information from the `X-Powered-By` header.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 16.3 | true | 16 | Passive | Low |
+
+## Links
+
+- [cwe](https://cwe.mitre.org/data/definitions/16.html)
+- [PHP expose_php](https://www.php.net/manual/en/ini.core.php#ini.expose-php)
diff --git a/doc/user/application_security/dast/checks/16.4.md b/doc/user/application_security/dast/checks/16.4.md
new file mode 100644
index 00000000000..c0161c910b0
--- /dev/null
+++ b/doc/user/application_security/dast/checks/16.4.md
@@ -0,0 +1,28 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# X-Backend-Server header exposes server information
+
+## Description
+
+The target website returns the `X-Backend-Server` header which includes potentially internal/hidden IP addresses
+or hostnames. By exposing these values, attackers may attempt to circumvent security proxies and access these
+hosts directly.
+
+## Remediation
+
+Consult your proxy/load balancer documentation or provider on how to disable revealing the
+`X-Backend-Server` header value.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 16.4 | true | 16 | Passive | Info |
+
+## Links
+
+- [cwe](https://cwe.mitre.org/data/definitions/16.html)
diff --git a/doc/user/application_security/dast/checks/16.5.md b/doc/user/application_security/dast/checks/16.5.md
new file mode 100644
index 00000000000..8a6f3cd8b6a
--- /dev/null
+++ b/doc/user/application_security/dast/checks/16.5.md
@@ -0,0 +1,30 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# AspNet Header(s) exposes version information
+
+## Description
+
+The target website returns AspNet header(s) and version information of this website. By
+exposing these values attackers may attempt to identify if the target software is vulnerable to known
+vulnerabilities, or catalog known sites running particular versions to exploit in the future when a
+vulnerability is identified in the particular version.
+
+## Remediation
+
+To remove the `X-AspNet-Version` header set `<httpRuntime enableVersionHeader="false" />` in the `<system.Web>`
+section of the `Web.config` file.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 16.5 | true | 16 | Passive | Low |
+
+## Links
+
+- [cwe](https://cwe.mitre.org/data/definitions/16.html)
+- [IIS Remove Unwanted Headers](https://techcommunity.microsoft.com/t5/iis-support-blog/remove-unwanted-http-response-headers/ba-p/369710)
diff --git a/doc/user/application_security/dast/checks/614.1.md b/doc/user/application_security/dast/checks/614.1.md
new file mode 100644
index 00000000000..74ac73935f1
--- /dev/null
+++ b/doc/user/application_security/dast/checks/614.1.md
@@ -0,0 +1,40 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Sensitive cookie without `Secure` attribute
+
+## Description
+
+The {cookie_name} cookie was transmitted in a `Set-Cookie` response without the `Secure` attribute set.
+To prevent sensitive cookie values being accidentally transmitted over clear-text HTTP we
+recommended that cookies are declared with the `Secure` attribute.
+
+## Remediation
+
+Most web application frameworks allow configuring how cookies are sent to user agents. Consult your framework's
+documentation for more information on how to enable various security attributes when assigning cookies to clients.
+
+If the application is assigning cookies via writing to the response headers directly, ensure all responses include
+the `Secure` attribute. By enabling this protection, the application will no longer send sensitive cookies over
+HTTP.
+
+Example:
+
+```http
+Set-Cookie: {cookie_name}=<random secure value>; Secure
+```
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 614.1 | false | 614 | Passive | Low |
+
+## Links
+
+- [owasp](https://owasp.org/www-community/controls/SecureCookieAttribute)
+- [cwe](https://cwe.mitre.org/data/definitions/614.html)
+- [Mozilla MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)
diff --git a/doc/user/application_security/dast/checks/693.1.md b/doc/user/application_security/dast/checks/693.1.md
new file mode 100644
index 00000000000..07cb368b39a
--- /dev/null
+++ b/doc/user/application_security/dast/checks/693.1.md
@@ -0,0 +1,36 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Missing X-Content-Type-Options: nosniff
+
+## Description
+
+The `X-Content-Type-Options` header with the value `nosniff` ensures that user agents do not attempt to
+guess the format of the data being received. User Agents such as browsers, commonly attempt to guess
+what the resource type being requested is, through a process called MIME type sniffing.
+
+Without this header being sent, the browser may misinterpret the data, leading to MIME confusion attacks.
+If an attacker were able to upload files that are accessible by using a browser, they could upload files
+that could be interpreted as HTML and execute Cross-Site Scripting (XSS) attacks.
+
+## Remediation
+
+We recommend that the header and value of `X-Content-Type-Options: nosniff` be set server wide.
+This ensures any resources that are mistakenly missing a `Content-Type` value are not
+misinterpreted.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 693.1 | true | 693 | Passive | Low |
+
+## Links
+
+- [owasp](https://owasp.org/www-project-secure-headers/#x-content-type-options)
+- [cwe](https://cwe.mitre.org/data/definitions/693.html)
+- [Mozilla Blog on MIME Confusion attacks](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/)
+- [Mozilla MDN on X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options)
diff --git a/doc/user/application_security/dast/checks/index.md b/doc/user/application_security/dast/checks/index.md
new file mode 100644
index 00000000000..f1a68387eb1
--- /dev/null
+++ b/doc/user/application_security/dast/checks/index.md
@@ -0,0 +1,20 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# DAST browser-based crawler vulnerability checks **(ULTIMATE)**
+
+The [DAST browser-based crawler](../browser_based.md) provides a number of vulnerability checks that are used to scan for vulnerabilities in the site under test.
+
+| ID | Check | Severity | Type |
+|:---|:------|:---------|:-----|
+| [1004.1](1004.1.md) | Sensitive cookie without `HttpOnly` attribute | Low | Passive |
+| [16.1](16.1.md) | Missing Content-Type header | Low | Passive |
+| [16.2](16.2.md) | Server header exposes version information | Low | Passive |
+| [16.3](16.3.md) | X-Powered-By header exposes version information | Low | Passive |
+| [16.4](16.4.md) | X-Backend-Server header exposes server information | Info | Passive |
+| [16.5](16.5.md) | AspNet Header(s) exposes version information | Low | Passive |
+| [614.1](614.1.md) | Sensitive cookie without `Secure` attribute | Low | Passive |
+| [693.1](693.1.md) | Missing X-Content-Type-Options: nosniff | Low | Passive |
diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md
index 09b55e7b395..0d8b55a92a9 100644
--- a/doc/user/application_security/dast/index.md
+++ b/doc/user/application_security/dast/index.md
@@ -320,8 +320,8 @@ tips for optimizing DAST scans in a [blog post](https://about.gitlab.com/blog/20
### API scan
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10928) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.10.
-> - A new DAST API scanning engine was introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.10.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10928) in GitLab 12.10.
+> - A new DAST API scanning engine was introduced in GitLab 13.10.
Using an API specification as a scan's target is a useful way to seed URLs for scanning an API.
Vulnerability rules in an API scan are different than those in a normal website scan.
@@ -416,7 +416,7 @@ variables:
### URL scan
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214120) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.4.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214120) in GitLab 13.4.
> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/273141) in GitLab 13.11.
A URL scan allows you to specify which parts of a website are scanned by DAST.
@@ -492,7 +492,7 @@ Click **View details** to view the web console output which includes the list of
### View details of a vulnerability detected by DAST
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/36332) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.1.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/36332) in GitLab 13.1.
Vulnerabilities detected by DAST occur in the live web application. Addressing these types of
vulnerabilities requires specific information. DAST provides the information required to
@@ -954,6 +954,11 @@ An on-demand scan can be run in active or passive mode:
minimize the risk of accidental damage, running an active scan requires a [validated site
profile](#site-profile-validation).
+### View on-demand DAST scans
+
+To view running and completed on-demand DAST scans for a project, go to
+**Security & Compliance > On-demand Scans** in the left sidebar.
+
### Run an on-demand DAST scan
Prerequisites:
@@ -987,6 +992,7 @@ To run an on-demand scan either at a scheduled date or frequency, read
1. From your project's home page, go to **Security & Compliance > On-demand Scans** in the left
sidebar.
+1. Select **New DAST scan**.
1. Complete the **Scan name** and **Description** fields.
1. In GitLab 13.10 and later, select the desired branch from the **Branch** dropdown.
1. In **Scanner profile**, select a scanner profile from the dropdown.
@@ -1017,17 +1023,13 @@ The on-demand DAST scan runs, and the project's dashboard shows the results.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328749) in GitLab 14.3. [Deployed behind the `dast_on_demand_scans_scheduler` flag](../../../administration/feature_flags.md), disabled by default.
> - [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/328749) in GitLab 14.4.
> - [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/328749) in GitLab 14.4.
-
-FLAG:
-On self-managed GitLab, by default this feature is available. To hide the feature, ask an
-administrator to [disable the feature flag](../../../administration/feature_flags.md) named
-`dast_on_demand_scans_scheduler`.
-On GitLab.com, this feature is available.
+> - [Feature flag dast_on_demand_scans_scheduler removed](https://gitlab.com/gitlab-org/gitlab/-/issues/328749) in GitLab 14.5.
To schedule a scan:
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance > On-demand Scans**.
+1. Select **New DAST scan**.
1. Complete the **Scan name** and **Description** text boxes.
1. In GitLab 13.10 and later, from the **Branch** dropdown list, select the desired branch.
1. In the **Scanner profile** section, from the dropdown list, select a scanner profile.
diff --git a/doc/user/application_security/dast/run_dast_offline.md b/doc/user/application_security/dast/run_dast_offline.md
index 39747a5cbe5..86621d73524 100644
--- a/doc/user/application_security/dast/run_dast_offline.md
+++ b/doc/user/application_security/dast/run_dast_offline.md
@@ -5,7 +5,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
type: reference, howto
---
-# Run DAST in an offline environment
+# Run DAST in an offline environment **(ULTIMATE)**
For self-managed GitLab instances in an environment with limited, restricted, or intermittent access
to external resources through the internet, some adjustments are required for the DAST job to
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-11 03:05:06 +0300