# Dynamic Application Security Testing (DAST) **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/4348)
> in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.4.

Running [static checks](../sast/index.md) on your code is the first step to detect
vulnerabilities that can put the security of your code at risk. Yet, once
deployed, your application is exposed to a new category of possible attacks,
such as cross-site scripting or broken authentication flaws. This is where
Dynamic Application Security Testing (DAST) comes into play.

## Overview
If you are using [GitLab CI/CD](../../../ci/README.md), you can analyze your running web application(s)
for known vulnerabilities using Dynamic Application Security Testing (DAST).

You can take advantage of DAST by either [including the CI job](#configuration) in
your existing `.gitlab-ci.yml` file or by implicitly using
[Auto DAST](../../../topics/autodevops/index.md#auto-dast-ultimate)
that is provided by [Auto DevOps](../../../topics/autodevops/index.md).

GitLab checks the DAST report, compares the found vulnerabilities between the source and target
branches, and shows the information right on the merge request.

![DAST Widget](img/dast_all.png)

By clicking on one of the detected linked vulnerabilities, you will be able to
see the details and the URL(s) affected.

![DAST Widget Clicked](img/dast_single.png)

[Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_Application_Security_Testing)
uses the popular open source tool [OWASP ZAProxy](https://github.com/zaproxy/zaproxy)
to perform an analysis on your running web application.

By default, DAST executes [ZAP Baseline Scan](https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan) and will perform passive scanning only. It will not actively attack your application.

However, DAST can be [configured](#full-scan)
to also perform a so-called "active scan". That is, attack your application and produce a more extensive security report.
It can be very useful combined with [Review Apps](../../../ci/review_apps/index.md).

The [`dast`](https://gitlab.com/gitlab-org/security-products/dast/container_registry) Docker image in GitLab container registry is updated on a weekly basis to have all [`zap2docker-weekly`](https://hub.docker.com/r/owasp/zap2docker-weekly/) updates in it.

## Use cases
DAST helps you automatically find security vulnerabilities in your running web
applications while you are developing and testing your applications.

## Requirements
To run a DAST job, you need GitLab Runner with the
[`docker` executor](https://docs.gitlab.com/runner/executors/docker.html).

## Configuration

For GitLab 11.9 and later, to enable DAST, you must
[include](../../../ci/yaml/README.md#includetemplate) the
[`DAST.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml)
that's provided as a part of your GitLab installation.
For GitLab versions earlier than 11.9, you can copy and use the job as defined
in that template.

Add the following to your `.gitlab-ci.yml` file:

```yaml
include:
  template: DAST.gitlab-ci.yml

variables:
  DAST_WEBSITE: https://example.com
```

There are two ways to define the URL to be scanned by DAST:

- Set the `DAST_WEBSITE` [variable](../../../ci/yaml/README.md#variables).
- Add it in an `environment_url.txt` file at the root of your project.

The included template will create a `dast` job in your CI/CD pipeline and scan
the running application at the specified URL for possible vulnerabilities.

The results will be saved as a
[DAST report artifact](../../../ci/yaml/README.md#artifactsreportsdast-ultimate)
that you can later download and analyze. Due to implementation limitations we
always take the latest DAST artifact available. Behind the scenes, the
[GitLab DAST Docker image](https://gitlab.com/gitlab-org/security-products/dast)
is used to run the tests on the specified URL and scan it for possible vulnerabilities.

### Authenticated scan

It's also possible to authenticate the user before performing the DAST checks:

```yaml
include:
  template: DAST.gitlab-ci.yml

variables:
  DAST_WEBSITE: https://example.com
  DAST_AUTH_URL: https://example.com/sign-in
  DAST_USERNAME: john.doe@example.com
  DAST_PASSWORD: john-doe-password
  DAST_USERNAME_FIELD: session[user] # the name of username field at the sign-in HTML form
  DAST_PASSWORD_FIELD: session[password] # the name of password field at the sign-in HTML form
  DAST_AUTH_EXCLUDE_URLS: http://example.com/sign-out,http://example.com/sign-out-2 # optional, URLs to skip during the authenticated scan; comma-separated, no spaces in between
```

The results will be saved as a
[DAST report artifact](../../../ci/yaml/README.md#artifactsreportsdast-ultimate)
that you can later download and analyze.
Due to implementation limitations, we always take the latest DAST artifact available.

### Full scan

DAST can be configured to perform [ZAP Full Scan](https://github.com/zaproxy/zaproxy/wiki/ZAP-Full-Scan), which
includes both passive and active scanning against the same target website:

```yaml
include:
  template: DAST.gitlab-ci.yml

variables:
  DAST_FULL_SCAN_ENABLED: "true"
```

### Customizing the DAST settings

The DAST settings can be changed through environment variables by using the
[`variables`](../../../ci/yaml/README.md#variables) parameter in `.gitlab-ci.yml`.
These variables are documented in the [DAST README](https://gitlab.com/gitlab-org/security-products/dast#settings).

For example:

```yaml
include:
  template: DAST.gitlab-ci.yml

variables:
  DAST_WEBSITE: https://example.com
  DAST_TARGET_AVAILABILITY_TIMEOUT: 120
```

Because the template is [evaluated before](../../../ci/yaml/README.md#include) the pipeline
configuration, the last mention of the variable will take precedence.

### Overriding the DAST template

If you want to override the job definition (for example, change properties like
`variables` or `dependencies`), you need to declare a `dast` job after the
template inclusion and specify any additional keys under it. For example:

```yaml
include:
  template: DAST.gitlab-ci.yml

dast:
  stage: dast # IMPORTANT: don't forget to add this
  variables:
    DAST_WEBSITE: https://example.com
    CI_DEBUG_TRACE: "true"
```

As the DAST job belongs to a separate `dast` stage that runs after all
[default stages](../../../ci/yaml/README.md#stages),
don't forget to add `stage: dast` when you override the template job definition.

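To show how the pieces above fit together, here is an added example pipeline (it is not part of the GitLab template or of this page) that deploys a review app, hands its URL to DAST through `environment_url.txt`, and overrides the `dast` job for an authenticated full scan without committing the password. The `deploy-review-app.sh` script, the `review.example.com` host names, the `dast-user@example.com` account, and the use of `$CI_COMMIT_REF_SLUG` inside variable values are assumptions made for the illustration.

```yaml
# Added example, not from the GitLab DAST template.
# Assumptions: deploy-review-app.sh, the review.example.com host names and the
# dast-user@example.com account are illustrative placeholders.
include:
  template: DAST.gitlab-ci.yml

stages:
  - build
  - test
  - deploy
  - dast          # the template's job runs here, after the default stages

deploy_review:
  stage: deploy
  only:
    - merge_requests
  script:
    - ./deploy-review-app.sh "$CI_COMMIT_REF_SLUG"   # assumed deploy script
    # The dast job falls back to this file when DAST_WEBSITE is not set.
    - echo "https://$CI_COMMIT_REF_SLUG.review.example.com" > environment_url.txt
  artifacts:
    paths:
      - environment_url.txt

dast:
  stage: dast          # must be restated when overriding the template job
  dependencies:
    - deploy_review    # fetch environment_url.txt produced by the deploy job
  variables:
    DAST_FULL_SCAN_ENABLED: "true"   # passive + active scan of the review app
    DAST_AUTH_URL: https://$CI_COMMIT_REF_SLUG.review.example.com/sign-in
    DAST_USERNAME: dast-user@example.com
    # DAST_PASSWORD is deliberately absent: define it as a masked, protected
    # CI/CD variable in the project settings so it never lands in the repository.
    DAST_USERNAME_FIELD: session[user]
    DAST_PASSWORD_FIELD: session[password]
    # Keep the scanner from logging itself out mid-scan.
    DAST_AUTH_EXCLUDE_URLS: https://$CI_COMMIT_REF_SLUG.review.example.com/sign-out
```

Because the job is redeclared after the `include`, the keys given here are merged over the template's definition, which is why `stage: dast` has to be repeated; leaving `DAST_PASSWORD` out of the file and supplying it as a masked CI/CD variable keeps the scan account's credential out of the repository history and out of job logs.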
## Security Dashboard

The Security Dashboard is a good place to get an overview of all the security
vulnerabilities in your groups and projects. Read more about the
[Security Dashboard](../security_dashboard/index.md).

## Interacting with the vulnerabilities

Once a vulnerability is found, you can interact with it. Read more on how to
[interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).

## Vulnerabilities database update

For more information about the vulnerabilities database update, check the
[maintenance table](../index.md#maintenance-and-update-of-the-vulnerabilities-database).