---
stage: Secure
group: Incubation
info: Breach and Attack Simulation is a GitLab Incubation Engineering program. No technical writer assigned to this group.
type: reference, howto
---

# Breach and Attack Simulation **(ULTIMATE)**

> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/402784) in GitLab 15.11 as an Incubating feature.
> - [Included](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119981) in the `Security/BAS.latest.gitlab-ci.yml` in GitLab 16.0.

DISCLAIMER:
Breach and Attack Simulation is a set of incubating features being developed by the Incubation Engineering Department and is subject to significant changes over time.

Breach and Attack Simulation (BAS) uses additional security testing techniques to assess the risk of detected vulnerabilities and prioritize the remediation of exploitable vulnerabilities.

For feedback, bug reports, and feature requests, see the [feedback issue](https://gitlab.com/gitlab-org/gitlab/-/issues/404809).

WARNING:
Only run BAS scans against test servers. Testing attacker behavior can lead to modification or loss of data.

## Extend Dynamic Application Security Testing (DAST)

You can simulate attacks with [DAST](../dast/index.md) to detect vulnerabilities.
By default, DAST active checks match an expected response, or determine by response
time whether a vulnerability was exploited.

To enable BAS extended DAST scanning for your application, use the `dast_with_bas` job defined
in the GitLab BAS CI/CD template file. Updates to the template are provided with GitLab
upgrades, allowing you to benefit from any improvements and additions.

1. Include the appropriate CI/CD template:

   - [`BAS.latest.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/BAS.latest.gitlab-ci.yml):
     Latest version of the BAS template. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119981)
     in GitLab 16.0).

   WARNING:
   The latest version of the template may include breaking changes. Use the
   stable template unless you need a feature provided only in the latest template.

   For more information about template versioning, see the [CI/CD documentation](../../../development/cicd/templates.md#latest-version).

1. Choose one of the following options for running BAS extended DAST scans:

   - [Enable a separate BAS extended DAST job](#enable-a-separate-bas-extended-dast-job)

     - You're not using the latest DAST template yet.
     - You want to continue using a stable version of the DAST security analyzer image for DAST scans.
     - You create a duplicate `dast_with_bas` job which extends your existing DAST job configuration.

   - [Extend an existing DAST job](#extend-an-existing-dast-job)

     - You're already using the latest DAST template rather than the stable template.
     - You extend your existing DAST job to include the latest DAST security analyzer image tag from the Breach and Attack Simulation SEG.

1. Setup a callback server to [enable callback attacks](#enable-callback-attacks).

### Enable a separate BAS extended DAST job

To maintain a separate DAST job while testing the BAS extended DAST image:

1. Add a `dast` stage to your GitLab CI/CD stages configuration.

   ```yaml
   stages:
     - build
     - test
     - deploy
     - dast
   ```

1. Set the `DAST_WEBSITE` [CI/CD variable](../../../ci/yaml/index.md#variables).

   ```yaml
   dast_with_bas:
     variables:
       DAST_WEBSITE: http://yourapp
   ```

### Extend an existing DAST job

To enable Breach and Attack Simulation features inside of an existing DAST job:

1. Follow the steps in [Create a DAST CI/CD job](../dast/browser_based.md#create-a-dast-cicd-job).

1. Add the [extends](../../../ci/yaml/yaml_optimization.md#use-extends-to-reuse-configuration-sections) keyword to your DAST job's configuration so that it extends the `.dast_with_bas` job:

   ```yaml
   dast:
     extends: .dast_with_bas
   ```

1. Disable the separate `dast_with_bas` job included in the BAS template by setting `DAST_BAS_DISABLED`:

   ```yaml
   variables:
     DAST_BAS_DISABLED: "true"
   ```

### Enable callback attacks

DISCLAIMER:
This page contains information related to upcoming products, features, and functionality.
It is important to note that the information presented is for informational purposes only.
Please do not rely on this information for purchasing or planning purposes.
As with all projects, the items mentioned on this page are subject to change or delay.
The development, release, and timing of any products, features, or functionality remain at the
sole discretion of GitLab Inc.

Perform Out-of-Band Application Security Testing (OAST) for certain [active checks](../dast/checks/index.md#active-checks).

1. Extend the `.dast_with_bas_using_services` job configuration using the [extends](../../../ci/yaml/yaml_optimization.md#use-extends-to-reuse-configuration-sections) keyword:

   ```yaml
   dast:
     extends: .dast_with_bas_using_services

   dast_with_bas:
     extends:
       # NOTE: extends overwrites rather than merges so dast must be included in this list.
       - dast
       - .dast_with_bas_using_services
   ```

1. Use a [!reference tag](../../../ci/yaml/yaml_optimization.md#reference-tags) to pull in the default `callback` service container in your `services`.

   ```yaml
     services:
       # NOTE: services overwrites rather than merges so it must be referenced to merge.
       - !reference [.dast_with_bas_using_services, services]
       - name: $CI_REGISTRY_IMAGE
         alias: yourapp
   ```
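The following complete `.gitlab-ci.yml` is an added example, not part of the GitLab documentation or the BAS template: it combines the separate `dast_with_bas` job from the earlier section with the callback service configuration from this one. It assumes the latest DAST template lives at `Security/DAST.latest.gitlab-ci.yml` and that the application image is tagged `$CI_REGISTRY_IMAGE`; `http://yourapp` is the placeholder target used elsewhere on this page.

```yaml
include:
  # Assumed path of the latest DAST template; the BAS template path is the one
  # named in this document.
  - template: Security/DAST.latest.gitlab-ci.yml
  - template: Security/BAS.latest.gitlab-ci.yml

stages:
  - build
  - test
  - deploy
  - dast

# Existing DAST job: scans the application container, which is started as a
# service alongside the callback service pulled in from the BAS template.
dast:
  extends: .dast_with_bas_using_services
  variables:
    # Placeholder target; the alias below makes the app reachable at this host.
    DAST_WEBSITE: http://yourapp
  services:
    # services overwrites rather than merges, so the callback service must be
    # referenced explicitly and the application container listed beside it.
    - !reference [.dast_with_bas_using_services, services]
    - name: $CI_REGISTRY_IMAGE
      alias: yourapp

# Duplicate job that runs the BAS extended DAST image against the same target.
# It inherits variables and services from dast through extends.
dast_with_bas:
  extends:
    # extends overwrites rather than merges, so dast must be listed here too.
    - dast
    - .dast_with_bas_using_services
```

Both jobs run in the `dast` stage; `dast` keeps the stable analyzer image while `dast_with_bas` adds the BAS extended checks, so the two result sets can be compared for the same deployment.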

You can also enable callback attacks manually by completing the following steps:

1. Set the `DAST_FF_ENABLE_BAS` [CI/CD variable](../dast/browser_based.md#available-cicd-variables) to `true`.
1. Run both the application being tested and the callback service as containers using [services](../../../ci/services/index.md).
1. Enable container-to-container networking so that the [callback service is accessible](../../../ci/services/index.md#connecting-services) in the job.
1. Set `DAST_BROWSER_CALLBACK` to include the `Address:$YOUR_CALLBACK_URL` key/value pair, where `$YOUR_CALLBACK_URL` is the address at which the callback service is accessible to the Runner/DAST container.