Commit cbfcc4a3 authored by Niklas's avatar Niklas Committed by Russell Dickenson

Doc Consistency: user/application_security - dynamic analysis

parent b5ba302e
...@@ -111,12 +111,9 @@ To generate an API Fuzzing configuration snippet: ...@@ -111,12 +111,9 @@ To generate an API Fuzzing configuration snippet:
### OpenAPI Specification ### OpenAPI Specification
> Support for OpenAPI Specification v3.1 was > - Support for OpenAPI Specification v3.0 was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/228652) in GitLab 13.9.
> [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327268) in GitLab 14.2. > - Support for OpenAPI Specification using YAML format was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/330583) in GitLab 14.0.
> Support for OpenAPI Specification using YAML format was > - Support for OpenAPI Specification v3.1 was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327268) in GitLab 14.2.
> [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/330583) in GitLab 14.0.
> Support for OpenAPI Specification v3.0 was
> [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/228652) in GitLab 13.9.
The [OpenAPI Specification](https://www.openapis.org/) (formerly the Swagger Specification) is an API description format for REST APIs. The [OpenAPI Specification](https://www.openapis.org/) (formerly the Swagger Specification) is an API description format for REST APIs.
This section shows you how to configure API fuzzing using an OpenAPI Specification to provide information about the target API to test. This section shows you how to configure API fuzzing using an OpenAPI Specification to provide information about the target API to test.
...@@ -214,7 +211,7 @@ To configure API fuzzing to use a HAR file: ...@@ -214,7 +211,7 @@ To configure API fuzzing to use a HAR file:
``` ```
1. Provide the location of the HAR specification. You can provide the specification as a file 1. Provide the location of the HAR specification. You can provide the specification as a file
or URL. [URL support was introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/285020) or URL. URL support was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/285020)
in GitLab 13.10 and later. Specify the location by adding the `FUZZAPI_HAR` variable. in GitLab 13.10 and later. Specify the location by adding the `FUZZAPI_HAR` variable.
1. The target API instance's base URL is also required. Provide it by using the `FUZZAPI_TARGET_URL` 1. The target API instance's base URL is also required. Provide it by using the `FUZZAPI_TARGET_URL`
...@@ -285,7 +282,7 @@ To configure API fuzzing to use a Postman Collection file: ...@@ -285,7 +282,7 @@ To configure API fuzzing to use a Postman Collection file:
``` ```
1. Provide the location of the Postman Collection specification. You can provide the specification 1. Provide the location of the Postman Collection specification. You can provide the specification
as a file or URL. [URL support was introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/285020) as a file or URL. URL support was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/285020)
in GitLab 13.10 and later. Specify the location by adding the `FUZZAPI_POSTMAN_COLLECTION` in GitLab 13.10 and later. Specify the location by adding the `FUZZAPI_POSTMAN_COLLECTION`
variable. variable.
...@@ -613,15 +610,15 @@ Overrides use a JSON document, where each type of override is represented by a J ...@@ -613,15 +610,15 @@ Overrides use a JSON document, where each type of override is represented by a J
}, },
"body-form": { "body-form": {
"form-param1": "value", "form-param1": "value",
"form-param1": "value", "form-param2": "value"
}, },
"body-json": { "body-json": {
"json-path1": "value", "json-path1": "value",
"json-path2": "value", "json-path2": "value"
}, },
"body-xml" : { "body-xml" : {
"xpath1": "value", "xpath1": "value",
"xpath2": "value", "xpath2": "value"
} }
} }
``` ```
...@@ -975,7 +972,7 @@ reported. ...@@ -975,7 +972,7 @@ reported.
### View details of an API Fuzzing vulnerability ### View details of an API Fuzzing vulnerability
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.7. > Introduced in GitLab 13.7.
Faults detected by API Fuzzing occur in the live web application, and require manual investigation Faults detected by API Fuzzing occur in the live web application, and require manual investigation
to determine if they are vulnerabilities. Fuzzing faults are included as vulnerabilities with a to determine if they are vulnerabilities. Fuzzing faults are included as vulnerabilities with a
......
...@@ -146,7 +146,7 @@ corpus. ...@@ -146,7 +146,7 @@ corpus.
### Reports JSON format ### Reports JSON format
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/220062) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.3 as an [Alpha feature](https://about.gitlab.com/handbook/product/gitlab-the-product/#alpha). > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/220062) in GitLab 13.3 as an [Alpha feature](https://about.gitlab.com/handbook/product/gitlab-the-product/#alpha).
The `gitlab-cov-fuzz` tool emits a JSON report file. For more information, see the The `gitlab-cov-fuzz` tool emits a JSON report file. For more information, see the
[schema for this report](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/coverage-fuzzing-report-format.json). [schema for this report](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/coverage-fuzzing-report-format.json).
......
...@@ -127,7 +127,6 @@ dast: ...@@ -127,7 +127,6 @@ dast:
DAST_BROWSER_ACTION_TIMEOUT: "10s" DAST_BROWSER_ACTION_TIMEOUT: "10s"
DAST_BROWSER_STABILITY_TIMEOUT: "15s" DAST_BROWSER_STABILITY_TIMEOUT: "15s"
DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT: "15s" DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT: "15s"
DAST_BROWSER_ACTION_TIMEOUT: "10s"
DAST_BROWSER_ACTION_STABILITY_TIMEOUT: "3s" DAST_BROWSER_ACTION_STABILITY_TIMEOUT: "3s"
``` ```
......
...@@ -320,8 +320,8 @@ tips for optimizing DAST scans in a [blog post](https://about.gitlab.com/blog/20 ...@@ -320,8 +320,8 @@ tips for optimizing DAST scans in a [blog post](https://about.gitlab.com/blog/20
### API scan ### API scan
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10928) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.10. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10928) in GitLab 12.10.
> - A new DAST API scanning engine was introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.10. > - A new DAST API scanning engine was introduced in GitLab 13.10.
Using an API specification as a scan's target is a useful way to seed URLs for scanning an API. Using an API specification as a scan's target is a useful way to seed URLs for scanning an API.
Vulnerability rules in an API scan are different than those in a normal website scan. Vulnerability rules in an API scan are different than those in a normal website scan.
...@@ -416,7 +416,7 @@ variables: ...@@ -416,7 +416,7 @@ variables:
### URL scan ### URL scan
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214120) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.4. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214120) in GitLab 13.4.
> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/273141) in GitLab 13.11. > - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/273141) in GitLab 13.11.
A URL scan allows you to specify which parts of a website are scanned by DAST. A URL scan allows you to specify which parts of a website are scanned by DAST.
...@@ -492,7 +492,7 @@ Click **View details** to view the web console output which includes the list of ...@@ -492,7 +492,7 @@ Click **View details** to view the web console output which includes the list of
### View details of a vulnerability detected by DAST ### View details of a vulnerability detected by DAST
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/36332) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.1. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/36332) in GitLab 13.1.
Vulnerabilities detected by DAST occur in the live web application. Addressing these types of Vulnerabilities detected by DAST occur in the live web application. Addressing these types of
vulnerabilities requires specific information. DAST provides the information required to vulnerabilities requires specific information. DAST provides the information required to
......
...@@ -5,7 +5,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w ...@@ -5,7 +5,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
type: reference, howto type: reference, howto
--- ---
# Run DAST in an offline environment # Run DAST in an offline environment **(ULTIMATE)**
For self-managed GitLab instances in an environment with limited, restricted, or intermittent access For self-managed GitLab instances in an environment with limited, restricted, or intermittent access
to external resources through the internet, some adjustments are required for the DAST job to to external resources through the internet, some adjustments are required for the DAST job to
......
...@@ -681,15 +681,15 @@ Overrides use a JSON document, where each type of override is represented by a J ...@@ -681,15 +681,15 @@ Overrides use a JSON document, where each type of override is represented by a J
}, },
"body-form": { "body-form": {
"form-param1": "value", "form-param1": "value",
"form-param1": "value", "form-param2": "value"
}, },
"body-json": { "body-json": {
"json-path1": "value", "json-path1": "value",
"json-path2": "value", "json-path2": "value"
}, },
"body-xml" : { "body-xml" : {
"xpath1": "value", "xpath1": "value",
"xpath2": "value", "xpath2": "value"
} }
} }
``` ```
...@@ -968,16 +968,16 @@ Follow these steps to view details of a vulnerability: ...@@ -968,16 +968,16 @@ Follow these steps to view details of a vulnerability:
| Field | Description | | Field | Description |
|:--------------------|:----------------------------------------------------------------------------------------| |:--------------------|:----------------------------------------------------------------------------------------|
| Description | Description of the vulnerability including what was modified. | | Description | Description of the vulnerability including what was modified. |
| Project | Namespace and project in which the vulnerability was detected. | | Project | Namespace and project in which the vulnerability was detected. |
| Method | HTTP method used to detect the vulnerability. | | Method | HTTP method used to detect the vulnerability. |
| URL | URL at which the vulnerability was detected. | | URL | URL at which the vulnerability was detected. |
| Request | The HTTP request that caused the vulnerability. | | Request | The HTTP request that caused the vulnerability. |
| Unmodified Response | Response from an unmodified request. This is what a normal working response looks like. | | Unmodified Response | Response from an unmodified request. This is what a normal working response looks like. |
| Actual Response | Response received from test request. | | Actual Response | Response received from test request. |
| Evidence | How we determined a vulnerability occurred. | | Evidence | How we determined a vulnerability occurred. |
| Identifiers | The DAST API check used to find this vulnerability. | | Identifiers | The DAST API check used to find this vulnerability. |
| Severity | Severity of the vulnerability. | | Severity | Severity of the vulnerability. |
| Scanner Type | Scanner used to perform testing. | | Scanner Type | Scanner used to perform testing. |
### Security Dashboard ### Security Dashboard
...@@ -1139,7 +1139,7 @@ The DAST API engine outputs an error message when it cannot establish a connecti ...@@ -1139,7 +1139,7 @@ The DAST API engine outputs an error message when it cannot establish a connecti
**Error message** **Error message**
- In [GitLab 13.11 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/323939), `Failed to start scanner session (version header not found).` - In [GitLab 13.11 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/323939), `Failed to start scanner session (version header not found).`
- In GitLab 13.10 and earlier, `API Security version header not found. Are you sure that you are connecting to the API Security server?`. - In GitLab 13.10 and earlier, `API Security version header not found. Are you sure that you are connecting to the API Security server?`.
**Solution** **Solution**
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment