Run a Web Application Scanner (DAST)

Description

Web application scanners, also known as DAST (Dynamic Application Security Testing) tools, are security tools that scan a running web application to detect vulnerabilities such as SQL injection, cross-site scripting, clickjacking, path traversal, and others. Many of these issues depend on the deployed configuration (the web server, response headers, middleware, and how components are wired together) and are not visible from the source code alone, hence the importance of running these tools against your deployed web application.

For web application scanning, Jit uses OWASP Zed Attack Proxy (ZAP), the world's most popular open-source web security tool. Jit runs ZAP on a daily basis and, depending on the user's preferences, can run it with no authentication at all (often referred to as black-box testing) or with one of several authentication methods (grey-box testing).

ZAP detects an extensive list of weaknesses, misconfigurations, and security vulnerabilities in web applications. For the full list of ZAP alerts, refer to the ZAP alerts reference page.


Scan types

Jit implements both passive and active scans for web application scanning:

  • Passive scans inspect every HTTP message (request and response) exchanged with the web application being tested, but never modify those messages or send requests of their own, so they are safe against any environment.
  • In contrast, active scans send additional, crafted requests carrying known attack payloads against the selected targets. These requests can change application state (submit forms, create or delete records), so run them only against environments you own or are authorized to test, and prefer a staging copy over production.

Configuration

To run ZAP against your web application, begin by navigating to the My Plan page.

Select the Run a web application scanner security requirement from the list, and then select Configure in the bottom right corner of the Item Details panel to open the configuration dialog.


Authentication

We highly recommend that you configure ZAP to authenticate to your application, because it lets the scanner reach pages and API endpoints behind the login and so enables deeper scanning, potentially uncovering more security risks. Because an active scan performs actions as the authenticated user, use a dedicated test account created for scanning rather than a personal or production user's credentials.

Configuring web application scanning without authentication

To configure a target without authentication—

  1. From the configuration dialog, enter a Target URL to direct the web application scanner to the application you wish to scan.
  2. If required, enter any URLs to exclude from the scan in Exclude URLs. This accepts a comma-separated list of full URLs or regular expressions. At minimum, exclude the logout URL (otherwise the scanner will end its own session partway through an authenticated scan) and any endpoint with destructive side effects, such as account deletion or payment submission, since an active scan will call them.
  3. Select Apply.

Configuring web application scanning with authentication

The following authentication methods require information from either HTTP request headers or form selectors. If you do not know how to obtain this information, see Retrieving Authentication Information With Browser Developer Tools for instructions.

Configuring web application scanning with form-based authentication

Form-based authentication enables the scanner to log in to your application via a username and password.

To configure a target with form-based authentication—

  1. From the configuration dialog, enter a Target URL to direct the web application scanner to the application you wish to scan.
  2. If required, enter any URLs to exclude from the scan in Exclude URLs. This accepts a comma-separated list of full URLs or regular expressions; be sure to exclude the logout URL so the scanner does not terminate its own session.
  3. Select the Enable Authentication checkbox.
  4. Select Form-based authentication from the Authentication method dropdown.
  5. Enter an API Domain. This is the domain component of the API URL.
  6. Enter a Login URL. This is the URL of the sign-in page.
  7. Enter the Username and Password used for authentication.
  8. Enter the CSS selectors that identify the username and password fields in the Username Field Selector and Password Field Selector (for example #username and input[name="password"]). The selectors must match exactly one element each on the login page.
  9. Select Apply.
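The CSS selectors in step 8 can be read out of the login page's HTML. The script below is an added example, not Jit's code: it parses a sign-in page with the standard library and returns the username and password field selectors in the form the Username Field Selector and Password Field Selector boxes expect, preferring an id (unique by definition) over a name attribute. The LOGIN_PAGE markup is a constructed sample standing in for your application's sign-in page; fetch your real page and feed its HTML to find_login_form instead.

```python
"""Derive CSS selectors for Jit's form-based authentication from a login page.
Added example, not Jit's code. LOGIN_PAGE is a constructed sample."""
from html.parser import HTMLParser

# Constructed sample login page (not from any real application).
LOGIN_PAGE = """<html><body>
<form id="login" action="/api/session" method="post">
  <input type="email" name="email" id="user_email" placeholder="Email">
  <input type="password" name="password" id="user_password">
  <input type="hidden" name="csrf_token" value="constructed">
  <button type="submit">Sign in</button>
</form>
</body></html>"""

# Input types that plausibly hold a username; "text" is the default when the
# type attribute is missing.
USERNAME_TYPES = {"text", "email", "tel"}


def css_selector(attrs):
    """Build a selector for one <input>: prefer its id, then its name."""
    if attrs.get("id"):
        return f"#{attrs['id']}"
    if attrs.get("name"):
        return f'input[name="{attrs["name"]}"]'
    return None


class _FormScanner(HTMLParser):
    """Collect, per <form>, the first username-like and first password input."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.forms = []  # each: {"action", "username", "password"}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            self.forms.append({"action": a.get("action"), "username": None, "password": None})
        elif tag == "input" and self.in_form:
            kind = (a.get("type") or "text").lower()  # missing type means text
            form = self.forms[-1]
            if kind == "password" and form["password"] is None:
                form["password"] = css_selector(a)
            elif kind in USERNAME_TYPES and form["username"] is None:
                form["username"] = css_selector(a)
            # hidden, checkbox, submit etc. are ignored on purpose

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def find_login_form(html):
    """Return the first form with both a username-like and a password field,
    as {"action", "username", "password"}, or None if there is no such form
    (a search box or a password-only form does not qualify)."""
    scanner = _FormScanner()
    scanner.feed(html)
    for form in scanner.forms:
        if form["username"] and form["password"]:
            return form
    return None


if __name__ == "__main__":
    found = find_login_form(LOGIN_PAGE)
    print("Username Field Selector:", found["username"])  # #user_email
    print("Password Field Selector:", found["password"])  # #user_password
    print("credentials are posted to:", found["action"])
```

The Login URL you enter in step 6 is still the address of the sign-in page itself, not the form's action; the action is only reported so you can confirm where the browser will submit the credentials and, if it is an endpoint you do not want the active scan hammering, add it to Exclude URLs.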

Configuring web application scanning with authentication via a bearer token

To configure a target with authentication via a bearer token—

  1. From the configuration dialog, enter a Target URL to direct the web application scanner to the application you wish to scan.
  2. If required, enter any URLs to exclude from the scan in Exclude URLs. This accepts a comma-separated list of full URLs or regular expressions.
  3. Select the Enable Authentication checkbox.
  4. Select Bearer token header from the Authentication method dropdown.
  5. Enter an API Domain. This is the domain component of the API URL.
  6. Enter your JWT (generated from your application) in the Value field. Tokens must be valid and not expired. Because Jit runs the scan daily, a token that expires sooner than that will stop authenticating on later runs, so issue the scanner a token whose lifetime covers the schedule, or rotate it before it expires. Note that the information entered into this field is encrypted once you apply your configuration. Jit provides a preview of the header after you have entered this information.
  7. Select Apply.

Configuring web application scanning with authentication via a cookie

To configure a target with authentication via a cookie—

  1. From the configuration dialog, enter a Target URL to direct the web application scanner to the application you wish to scan.
  2. If required, enter any URLs to exclude from the scan in Exclude URLs. This accepts a comma-separated list of full URLs or regular expressions; exclude the logout URL so the scanner does not invalidate the cookie it is scanning with.
  3. Select the Enable Authentication checkbox.
  4. Select Cookie header from the Authentication method dropdown.
  5. Enter an API Domain. This is the domain component of the API URL.
  6. Enter your cookie token in the Value field. Tokens must be valid and not expired, and the same daily-schedule caveat applies as for bearer tokens: a session that the application expires or that is invalidated by a logout will leave later scans unauthenticated. Note that the information entered into this field is encrypted once you apply your configuration. Jit provides a preview of the header after you have entered this information; compare it with the Cookie header your browser sends to confirm the value is complete.
  7. Select Apply.

Configuring web application scanning with authentication via a custom header

The custom header you configure is added to every request made by the web application scanner.

To configure a target with authentication via a custom header—

  1. From the configuration dialog, enter a Target URL.
  2. If required, enter any URLs to exclude from the scan in Exclude URLs. This accepts a comma-separated list of full URLs or regular expressions.
  3. Select the Enable Authentication checkbox.
  4. Select Custom header from the Authentication method dropdown.
  5. Enter an API Domain. This is the domain component of the API URL.
  6. Enter a Key to use in the header. This field accepts free text.
  7. Enter your token in the Value field. Tokens must be valid and not expired for as long as the daily scans are expected to run. Note that the information entered into this field is encrypted once you apply your configuration. Jit provides a preview of the header after you have entered this information.
  8. Select Apply.
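Before handing a bearer token, cookie, or custom header to a daily scan, it is worth checking two things the dialog cannot check for you: that the credential actually authenticates against the target, and that it will still be valid when the next scheduled run starts. The script below is an added example covering the three header-based methods above; it is not Jit's or ZAP's code. It builds the header each method injects, reads a JWT's exp claim (without verifying the signature, since only the expiry matters here), and probes a protected URL with and without the header. The stand-in application, its token, and the sample JWT are constructed for the example; point preflight() at your real target and your real token instead.

```python
"""Preflight for header-based DAST authentication. Added example, not Jit or
ZAP code. The stand-in app, STAND_IN_TOKEN and make_sample_jwt are constructed
for demonstration only."""
import base64
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_auth_header(method, value, key=None):
    """Return the (name, value) header the scanner adds to every request.
    method is 'bearer', 'cookie' or 'custom'; custom requires key."""
    if method == "bearer":
        return ("Authorization", f"Bearer {value}")
    if method == "cookie":
        return ("Cookie", value)
    if method == "custom":
        if not key:
            raise ValueError("custom header requires a key")
        return (key, value)
    raise ValueError(f"unknown authentication method: {method!r}")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_exp(token):
    """Return the exp claim (Unix seconds) of a compact JWT, or None if absent.
    The signature is deliberately not verified: this only reads the expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    return json.loads(_b64url_decode(parts[1])).get("exp")


def token_outlives_schedule(token, now, interval_seconds=86400):
    """True if the token is still valid when the next scheduled scan starts.
    Jit runs ZAP daily, hence the one-day default interval."""
    exp = jwt_exp(token)
    return exp is None or exp > now + interval_seconds


def make_sample_jwt(claims):
    """Constructed, UNSIGNED (alg none) token for this example only; real
    tokens come from your application's login flow."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def preflight(url, header, timeout=5):
    """Fetch url anonymously and with the header; return (anon, authenticated)
    HTTP status codes. A working credential typically gives (401, 200) or
    (403, 200); (200, 200) means the page is public and proves nothing."""
    def status(headers):
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return status({}), status({header[0]: header[1]})


# Constructed stand-in for the target application: /account requires the
# bearer token, everything else is public.
STAND_IN_TOKEN = "example-token-not-real"


class _StandInApp(BaseHTTPRequestHandler):
    def do_GET(self):
        authorized = self.headers.get("Authorization") == f"Bearer {STAND_IN_TOKEN}"
        protected = self.path.startswith("/account")
        self.send_response(401 if protected and not authorized else 200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep request logging quiet
        pass


def start_stand_in_app():
    """Serve the stand-in app on a random loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _StandInApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    import time
    server, base = start_stand_in_app()
    header = build_auth_header("bearer", STAND_IN_TOKEN)
    print("preflight /account:", preflight(base + "/account", header))  # (401, 200)
    short = make_sample_jwt({"sub": "scanner", "exp": int(time.time()) + 3600})
    print("1h token survives next daily run:", token_outlives_schedule(short, time.time()))  # False
    server.shutdown()
```

Run the preflight against a URL that you know requires login; if both probes return 200 you have either picked a public page or the application ignores the header, and the scan would silently run with no more access than a black-box scan. The same preflight works for cookie and custom headers by changing the first argument to build_auth_header.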

Jit Workflow Details

See below for descriptions of the processes Jit executes to implement this security requirement.

Non-authenticated

  1. When you activate the security requirement, ZAP runs scans on the target URL.
  2. Jit generates security findings.

Form-based authentication

  1. When you activate the security requirement, Jit creates a Selenium script that opens the target login page, fills the fields matched by your username and password selectors, and submits the form.
  2. After a successful login, the application's response carries the session token or cookie in its response headers (for example in a Set-Cookie header).
  3. Jit provides this authentication information to ZAP, which attaches it to its requests to authenticate into each page included in the scan.
  4. Jit generates security findings.


Selenium

Selenium is an open source tool used to automate web browsers. For further information, see selenium.dev.

Token/cookie/custom header-based authentication

  1. When you activate the security requirement, Jit creates the HTTP header (Authorization, Cookie, or your custom key) from the user configuration.
  2. Jit provides this header to ZAP, which adds it to every request and uses it to authenticate into each page included in the scan.
  3. Jit generates security findings.