Scan Your Web Application for Vulnerabilities (DAST)
Description
Web application scanners, also known as DAST (Dynamic Application Security Testing) tools, are security tools that scan a running web application to detect security vulnerabilities such as SQL injection, cross-site scripting, clickjacking, path traversal, and others. These kinds of vulnerabilities may not be visible in the source code, which is why it is important to run these tools against your deployed web application.
For web application scanning, Jit uses OWASP Zed Attack Proxy (ZAP), the world's most popular open-source web security tool. Jit runs ZAP on a daily basis and, depending on the user's preferences, can run it with no authentication at all (often referred to as black-box testing) or using various authentication methods (a.k.a. grey-box testing).
ZAP detects an extensive list of weaknesses, misconfigurations, and security vulnerabilities in web applications. For the full list of ZAP alerts, refer to this page.
Scan types
Jit implements both passive and active scans for web application scanning:
- Passive scans inspect all HTTP messages (requests and responses) exchanged with the web application being tested, but do not modify these messages or send any additional traffic.
- In contrast, active scans attempt to find potential vulnerabilities by sending known attack patterns to the selected targets.
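The difference between the two scan types is easiest to see in code. The block below is an added example, not Jit's or ZAP's own code: it implements a small passive check in the sense described above, inspecting two constructed HTTP responses (a weak one and a hardened one) and raising alerts for common ZAP-style findings such as missing security headers, a version-disclosing Server header, and cookies without the HttpOnly or Secure flag. Nothing is sent or modified, which is exactly what a passive scan promises; an active scan would instead generate extra requests against the target. The alert names are this example's own and only approximate ZAP's wording.

```python
import re
from dataclasses import dataclass


@dataclass
class HttpResponse:
    """A captured response, constructed inline for this example (no network I/O)."""
    url: str
    status: int
    headers: list          # list of (name, value) pairs; repeats allowed (Set-Cookie)
    body: str = ""

    def get(self, name):
        """Return every value of a header, matched case-insensitively."""
        return [v for n, v in self.headers if n.lower() == name.lower()]


def passive_scan(resp):
    """Inspect one response and return a list of alert strings.

    The function only reads the message: it sends nothing and changes nothing,
    which is what distinguishes a passive check from an active one.
    """
    alerts = []
    ctype = " ".join(resp.get("Content-Type")).lower()
    is_html = "text/html" in ctype
    csp = " ".join(resp.get("Content-Security-Policy")).lower()

    # Header-presence checks (MIME sniffing, CSP, clickjacking protection)
    if not resp.get("X-Content-Type-Options"):
        alerts.append("X-Content-Type-Options header missing")
    if is_html and not csp:
        alerts.append("Content-Security-Policy header not set")
    if is_html and not resp.get("X-Frame-Options") and "frame-ancestors" not in csp:
        alerts.append("Missing anti-clickjacking header")

    # Information disclosure: a Server header that carries a version number
    for server in resp.get("Server"):
        if re.search(r"/\d", server):
            alerts.append(f"Server version disclosed: {server}")

    # Cookie attribute checks; Secure only matters for cookies set over HTTPS
    for cookie in resp.get("Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        flags = {p.strip().lower() for p in cookie.split(";")[1:]}
        if "httponly" not in flags:
            alerts.append(f"Cookie without HttpOnly flag: {name}")
        if resp.url.lower().startswith("https://") and "secure" not in flags:
            alerts.append(f"Cookie without Secure flag: {name}")
    return alerts


# Constructed sample responses for a hypothetical login page.
WEAK = HttpResponse(
    url="https://app.example.test/login",
    status=200,
    headers=[
        ("Content-Type", "text/html; charset=utf-8"),
        ("Server", "Apache/2.4.1"),
        ("Set-Cookie", "session=abc123; Path=/"),
    ],
    body="<html><form><input type=password></form></html>",
)

HARDENED = HttpResponse(
    url="https://app.example.test/login",
    status=200,
    headers=[
        ("Content-Type", "text/html; charset=utf-8"),
        ("Server", "Apache"),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ],
)


if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {len(passive_scan(resp))} alert(s)")
        for alert in passive_scan(resp):
            print("  -", alert)
```

Because the checks read headers only, this is the kind of finding a passive scan can report from traffic it merely observes; findings that require probing the application's behaviour (injection, path traversal) are what the active scan is for.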
Configuration
To run ZAP against your web application, begin by navigating to the My Plan page.
Authentication
We highly recommend configuring ZAP to authenticate to your application, because this enables deeper security scanning and can uncover more security risks.
Additional prerequisites
The features below require additional configuration steps to be used with this security control—
Configuring web application scanning without authentication
To configure a target without authentication—
- From the My Plan page, select the Scan your web application for vulnerabilities security control and select Activate Security Control from the Item Details panel.
- Enter the following in the Target Application tab:
- The name of your application.
- If required, enter any URLs to exclude from the scan in Exclude URLs. This can be a comma-separated list of full URLs or regular expressions.
- The API Domain. This is the domain component of the API URL.
- Select the Triggers tab.
- For daily scans, select Scan Daily.
- For deployment-based scanning, select Scan on deployment. Add the name of your environment and the specific accounts you want to scan. Note that additional configuration steps are required to enable deployment-based scanning.
- Select the Notifications tab. If you want to receive Slack notifications each time this security control reveals a security finding, select that option here. Note that additional configuration steps are required to enable Slack integration.
- Select Finish.
Configuring web application scanning with authentication
Some authentication methods require information from either HTTP request headers or form selectors. If you do not know how to obtain this information, see Retrieving Authentication Information With Browser Developer Tools for instructions.
To configure scanning for a web app with authentication—
- From the My Plan page, select the Scan your web application for vulnerabilities security control and select Activate Security Control from the Item Details panel.
- Enter the following in the Target Application tab:
- The name of your application.
- If required, enter any URLs to exclude from the scan in Exclude URLs. This can be a comma-separated list of full URLs or regular expressions.
- The API Domain. This is the domain component of the API URL.
- Select the Enable Authentication checkbox and enter the details of your preferred authentication method. Custom headers are added to every request made by the web application scanner. Tokens must be valid and not expired. Token information is encrypted once you apply your configuration.
- Select the Triggers tab.
- For daily scans, select Scan Daily.
- For deployment-based scanning, select Scan on deployment. Add the name of your environment and the specific accounts you want to scan. Note that additional configuration steps are required to enable deployment-based scanning.
- Select the Notifications tab. If you want to receive Slack notifications each time this security control reveals a security finding, select that option here. Note that additional configuration steps are required to enable Slack integration.
- Select Finish.
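Two of the fields in the procedures above (with and without authentication) are worth checking before you select Finish: the Exclude URLs list, and the token used in a custom authentication header, which the page says must be valid and not expired. The block below is an added example and not Jit's code; it models how a scanner could apply that configuration. It assumes that an Exclude URLs entry is either an exact URL or a regular expression that must match the whole URL (Jit's actual matching rules are not stated on this page), that the scan is scoped to the API Domain, and that the token is a JWT whose `exp` claim can be read locally (an opaque token cannot be checked this way). The domain, URLs and token are constructed for the example.

```python
import base64
import json
import re
import time
from urllib.parse import urlparse

# Constructed values in the shape of the Target Application tab fields.
API_DOMAIN = "api.example.test"
EXCLUDE_URLS = "https://api.example.test/logout, https://api\\.example\\.test/admin/.*"
AUTH_HEADER = "Authorization"


def parse_exclude_list(raw):
    """Split the comma-separated Exclude URLs value into (entry, regex) pairs.

    Assumed semantics: an entry is an exact URL or a regex matched against the
    whole URL; an entry that is not a valid regex is kept as a literal.
    """
    matchers = []
    for entry in (e.strip() for e in raw.split(",")):
        if not entry:
            continue
        try:
            matchers.append((entry, re.compile(entry)))
        except re.error:
            matchers.append((entry, re.compile(re.escape(entry))))
    return matchers


def is_excluded(url, matchers):
    """Exact match first, then full-string regex match (no prefix matching)."""
    return any(url == entry or rx.fullmatch(url) for entry, rx in matchers)


def jwt_seconds_to_expiry(token, now=None):
    """Seconds until the JWT's exp claim, or None if the token is not a JWT or
    carries no exp. The signature is deliberately not verified: this is a local
    sanity check that the configured token is not already expired, not a trust
    decision."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:                                # covers binascii and JSON errors
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)):
        return None
    return exp - (time.time() if now is None else now)


def build_auth_headers(header_name, token, now=None):
    """Build the custom header the scanner adds to every request; refuse a JWT
    that has already expired so the scan does not run unauthenticated by mistake."""
    remaining = jwt_seconds_to_expiry(token, now)
    if remaining is not None and remaining <= 0:
        raise ValueError("configured token has expired; refresh it before scanning")
    return {header_name: token}


def plan_requests(urls, api_domain, exclude_raw, header_name, token, now=None):
    """Decide per URL: skip (out of scope or excluded) or request with the header.
    Returns a list of (url, action) pairs; no requests are actually sent."""
    matchers = parse_exclude_list(exclude_raw)
    headers = build_auth_headers(header_name, token, now)
    plan = []
    for url in urls:
        host = urlparse(url).hostname or ""
        if host != api_domain:
            plan.append((url, "skip: outside API Domain"))
        elif is_excluded(url, matchers):
            plan.append((url, "skip: matches Exclude URLs"))
        else:
            plan.append((url, f"request with header {next(iter(headers))}"))
    return plan


def make_example_jwt(claims):
    """Construct a JWT-shaped token for the example (dummy signature).
    Real tokens come from your identity provider."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'HS256', 'typ': 'JWT'})}.{b64(claims)}.dummysig"


if __name__ == "__main__":
    token = make_example_jwt({"sub": "scanner", "exp": int(time.time()) + 3600})
    candidates = [
        "https://api.example.test/users",
        "https://api.example.test/logout",
        "https://api.example.test/admin/users",
        "https://other.example.test/users",
        "https://api.example.test/logout?next=1",   # not excluded: the entry is anchored
    ]
    for url, action in plan_requests(candidates, API_DOMAIN, EXCLUDE_URLS, AUTH_HEADER, token):
        print(f"{action:32} {url}")
```

The last candidate shows why the matching rule matters: with whole-URL matching, the literal `/logout` entry does not cover `/logout?next=1`, so a query-string variant of an excluded endpoint would still be scanned unless you write the entry as a regex.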
Jit Workflow Details
See below for descriptions of the processes Jit executes to implement this security control.
Non-authenticated
- When you activate the security control, ZAP runs scans on the target URL.
- Jit generates security findings.
Form-based authentication
- When you activate the security control, Jit creates a Selenium script that runs on the target login page.
- After successful login, the login page returns the token or cookie in its response header.
- Jit provides this authentication information to ZAP, which uses it to authenticate into each page included in the scan.
- Jit generates security findings.
Selenium
Selenium is an open source tool used to automate web browsers. For further information, see selenium.dev.
Token/cookie/custom header-based authentication
- When you activate the security control, Jit creates a header based on the user configuration.
- Jit provides this authentication information to ZAP, which uses it to authenticate into each page included in the scan.
- Jit generates security findings.