diff options
Diffstat (limited to 'doc/user/application_security/dast')
| -rw-r--r-- | doc/user/application_security/dast/checks/16.3.md | 2 | ||||
| -rw-r--r-- | doc/user/application_security/dast/checks/16.5.md | 2 | ||||
| -rw-r--r-- | doc/user/application_security/dast/checks/16.6.md | 2 | ||||
| -rw-r--r-- | doc/user/application_security/dast/checks/359.1.md | 34 | ||||
| -rw-r--r-- | doc/user/application_security/dast/checks/359.2.md | 34 | ||||
| -rw-r--r-- | doc/user/application_security/dast/checks/index.md | 2 | ||||
| -rw-r--r-- | doc/user/application_security/dast/index.md | 94 |
7 files changed, 124 insertions, 46 deletions
diff --git a/doc/user/application_security/dast/checks/16.3.md b/doc/user/application_security/dast/checks/16.3.md index e4fc2468dae..6f80a2a32c6 100644 --- a/doc/user/application_security/dast/checks/16.3.md +++ b/doc/user/application_security/dast/checks/16.3.md @@ -32,4 +32,4 @@ information from the `X-Powered-By` header. ## Links - [CWE](https://cwe.mitre.org/data/definitions/16.html) -- [PHP expose_php](https://www.php.net/manual/en/ini.core.php#ini.expose-php) +- [PHP `expose_php`](https://www.php.net/manual/en/ini.core.php#ini.expose-php) diff --git a/doc/user/application_security/dast/checks/16.5.md b/doc/user/application_security/dast/checks/16.5.md index 28bb9f7ee4b..e03da3043ef 100644 --- a/doc/user/application_security/dast/checks/16.5.md +++ b/doc/user/application_security/dast/checks/16.5.md @@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w ## Description -The target website returns AspNet header(s) and version information of this website. By +The target website returns AspNet headers and version information of this website. By exposing these values attackers may attempt to identify if the target software is vulnerable to known vulnerabilities, or catalog known sites running particular versions to exploit in the future when a vulnerability is identified in the particular version. diff --git a/doc/user/application_security/dast/checks/16.6.md b/doc/user/application_security/dast/checks/16.6.md index ddd3a10c5f8..9cbcde669a0 100644 --- a/doc/user/application_security/dast/checks/16.6.md +++ b/doc/user/application_security/dast/checks/16.6.md @@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w ## Description -The target website returns AspNet header(s) along with version information of this website. By +The target website returns AspNet headers along with version information of this website. By exposing these values attackers may attempt to identify if the target software is vulnerable to known vulnerabilities. Or catalog known sites running particular versions to exploit in the future when a vulnerability is identified in the particular version. diff --git a/doc/user/application_security/dast/checks/359.1.md b/doc/user/application_security/dast/checks/359.1.md new file mode 100644 index 00000000000..af1fdf8a596 --- /dev/null +++ b/doc/user/application_security/dast/checks/359.1.md @@ -0,0 +1,34 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Exposure of Private Personal Information (PII) to an unauthorized actor (credit card) + +## Description + +The target application was found to return credit card information in the response. Organizations +found returning such information may be in violation of industry regulations and could face fines. + +## Remediation + +PII such as credit cards should never be directly returned to the user. The majority of the information should masked except +the last few digits or characters of the identifier. For example, credit card numbers should +only return the last four digits: `****-****-****-1234`. Ensure this masking is done on the server +and only then send the masked data back to the client. Do not rely on client side JavaScript or other methods +to mask these values as the data could still be intercepted or unmasked. + +Additionally, credit card information should never be stored un-encrypted in files or databases. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 359.1 | true | 359 | Passive | Medium | + +## Links + +- [OWASP Top 10 A3 2017 - Sensitive Data Exposure](https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure) +- [CWE](https://cwe.mitre.org/data/definitions/359.html) +- [PCI-DSS](https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf) diff --git a/doc/user/application_security/dast/checks/359.2.md b/doc/user/application_security/dast/checks/359.2.md new file mode 100644 index 00000000000..beb99e26097 --- /dev/null +++ b/doc/user/application_security/dast/checks/359.2.md @@ -0,0 +1,34 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Exposure of Private Personal Information (PII) to an unauthorized actor (United States social security number) + +## Description + +The target application was found to return social security number (SSN) information in the response. Organizations +found returning such information may be in violation of (United States) state or federal laws and may face stiff penalties. + +## Remediation + +PII such as social security numbers should never be directly returned to the user. The majority of the information +should masked except the last few digits or characters of the identifier. For example, social security numbers +only be displayed with the last four digits: `***-**-1234`. Ensure this masking is done on the server +and only then send the masked data back to the client. Do not rely on client side JavaScript or other methods +to mask these values as the data could still be intercepted or unmasked. + +Additionally, social security numbers should never be stored un-encrypted in files or databases. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 359.2 | true | 359 | Passive | Medium | + +## Links + +- [OWASP Top 10 A3 2017 - Sensitive Data Exposure](https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure) +- [CWE](https://cwe.mitre.org/data/definitions/359.html) +- [Privacy Act (CMPPA)](https://www.ssa.gov/dataexchange/privacyinfo.html) diff --git a/doc/user/application_security/dast/checks/index.md b/doc/user/application_security/dast/checks/index.md index 764e3c4a839..629ff1c3a8d 100644 --- a/doc/user/application_security/dast/checks/index.md +++ b/doc/user/application_security/dast/checks/index.md @@ -18,6 +18,8 @@ The [DAST browser-based crawler](../browser_based.md) provides a number of vulne | [16.5](16.5.md) | AspNet header exposes version information | Low | Passive | | [16.6](16.6.md) | AspNetMvc header exposes version information | Low | Passive | | [200.1](200.1.md) | Exposure of sensitive information to an unauthorized actor (private IP address) | Low | Passive | +| [359.1](359.1.md) | Exposure of Private Personal Information (PII) to an unauthorized actor (credit card) | Medium | Passive | +| [359.2](359.2.md) | Exposure of Private Personal Information (PII) to an unauthorized actor (United States social security number) | Medium | Passive | | [548.1](548.1.md) | Exposure of information through directory listing | Low | Passive | | [598.1](598.1.md) | Use of GET request method with sensitive query strings (session ID) | Medium | Passive | | [598.2](598.2.md) | Use of GET request method with sensitive query strings (password) | Medium | Passive | diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md index ee57803dfc7..1389db65713 100644 --- a/doc/user/application_security/dast/index.md +++ b/doc/user/application_security/dast/index.md @@ -627,7 +627,7 @@ These CI/CD variables are specific to DAST. They can be used to customize the be | `DAST_AGGREGATE_VULNERABILITIES` | boolean | Vulnerability aggregation is set to `true` by default. To disable this feature and see each vulnerability individually set to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/254043) in GitLab 14.0. | | `DAST_API_HOST_OVERRIDE` <sup>1</sup> | string | Used to override domains defined in API specification files. Only supported when importing the API specification from a URL. Example: `example.com:8080`. | | `DAST_API_OPENAPI` | URL or string | The API specification to import. The specification can be hosted at a URL, or the name of a file present in the `/zap/wrk` directory. The variable `DAST_WEBSITE` must be specified if this is omitted. | -| `DAST_API_SPECIFICATION` <sup>1</sup> | URL or string | [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/290241) in GitLab 13.12 and replaced by `DAST_API_OPENAPI`. To be removed in GitLab 15.0. The API specification to import. The specification can be hosted at a URL, or the name of a file present in the `/zap/wrk` directory. The variable `DAST_WEBSITE` must be specified if this is omitted. | +| `DAST_API_SPECIFICATION` <sup>1</sup> | URL or string | **{warning}** **[Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/290241)** in GitLab 15.0. Replaced by `DAST_API_OPENAPI`. The API specification to import. The specification can be hosted at a URL, or the name of a file present in the `/zap/wrk` directory. The variable `DAST_WEBSITE` must be specified if this is omitted. | | `DAST_AUTH_REPORT` <sup>2</sup> | boolean | Used in combination with exporting the `gl-dast-debug-auth-report.html` artifact to aid in debugging authentication issues. | | `DAST_AUTH_EXCLUDE_URLS` <sup>2</sup> | URLs | **{warning}** **[Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/289959)** in GitLab 14.0. Replaced by `DAST_EXCLUDE_URLS`. The URLs to skip during the authenticated scan; comma-separated. Regular expression syntax can be used to match multiple URLs. For example, `.*` matches an arbitrary character sequence. Not supported for API scans. | | `DAST_AUTH_URL` <sup>1,2</sup> | URL | The URL of the page containing the sign-in HTML form on the target website. `DAST_USERNAME` and `DAST_PASSWORD` are submitted with the login form to create an authenticated scan. Not supported for API scans. Example: `https://login.example.com`. | @@ -1156,6 +1156,7 @@ A site profile contains the following: - **Password**: The password used to authenticate to the website. - **Username form field**: The name of username field at the sign-in HTML form. - **Password form field**: The name of password field at the sign-in HTML form. + - **Submit form field**: The `id` or `name` of the element that when clicked submits the sign-in HTML form. When an API site type is selected, a [host override](#host-override) is used to ensure the API being scanned is on the same host as the target. This is done to reduce the risk of running an active scan against the wrong API. @@ -1199,7 +1200,14 @@ The site profile is created. #### Edit a site profile -To edit an existing site profile: +If a site profile is linked to a security policy, a user cannot edit the profile from this page. See +[Scan execution policies](../policies/scan-execution-policies.md) +for more information. + +When a validated site profile's file, header, or meta tag is edited, the site's +[validation status](#site-profile-validation) is revoked. + +To edit a site profile: 1. From your project's home page, go to **Security & Compliance > Configuration**. 1. In the **DAST Profiles** row select **Manage**. @@ -1207,42 +1215,37 @@ To edit an existing site profile: 1. In the profile's row select the **More actions** (**{ellipsis_v}**) menu, then select **Edit**. 1. Edit the fields then select **Save profile**. -If a site profile is linked to a security policy, a user cannot edit the profile from this page. See -[Scan execution policies](../policies/scan-execution-policies.md) -for more information. - #### Delete a site profile -To delete an existing site profile: +If a site profile is linked to a security policy, a user cannot delete the profile from this page. +See [Scan execution policies](../policies/scan-execution-policies.md) +for more information. + +To delete a site profile: 1. From your project's home page, go to **Security & Compliance > Configuration**. 1. In the **DAST Profiles** row select **Manage**. 1. Select the **Site Profiles** tab. -1. In the profile's row select the **More actions** (**{ellipsis_v}**) menu, then select **Delete**. +1. In the profile's row, select the **More actions** (**{ellipsis_v}**) menu, then select **Delete**. 1. Select **Delete** to confirm the deletion. -If a site profile is linked to a security policy, a user cannot delete the profile from this page. -See [Scan execution policies](../policies/scan-execution-policies.md) -for more information. - #### Validate a site profile -Prerequisites: - -- A site profile. +Validating a site is required to run an active scan. To validate a site profile: 1. On the top bar, select **Menu > Projects** and find your project. 1. On the left sidebar, select **Security & Compliance > Configuration**. -1. In the **Dynamic Application Security Testing (DAST)** section, select **Manage scans**. +1. In the **Dynamic Application Security Testing (DAST)** section, select **Manage profiles**. 1. Select the **Site Profiles** tab. -1. In the profile's row select **Validate** or **Retry validation**. +1. In the profile's row, select **Validate**. 1. Select the validation method. 1. For **Text file validation**: 1. Download the validation file listed in **Step 2**. - 1. Upload the validation file to the host. Upload the file to the location in - **Step 3** or any location you prefer. + 1. Upload the validation file to the host, to the location in **Step 3** or any location you + prefer. + 1. If required, edit the file location in **Step 3**. 1. Select **Validate**. 1. For **Header validation**: 1. Select the clipboard icon in **Step 2**. @@ -1255,9 +1258,8 @@ To validate a site profile: 1. Select the input field in **Step 3** and enter the location of the meta tag. 1. Select **Validate**. -The site is validated and an active scan can run against it. - -If a validated site profile's target URL is edited, the site's validation status is revoked. +The site is validated and an active scan can run against it. A site profile's validation status is +revoked only when it's revoked manually, or its file, header, or meta tag is edited. #### Retry a failed validation @@ -1265,22 +1267,28 @@ If a validated site profile's target URL is edited, the site's validation status > - [Deployed behind the `dast_failed_site_validations` flag](../../../administration/feature_flags.md), enabled by default. > - [Feature flag `dast_failed_site_validations` removed](https://gitlab.com/gitlab-org/gitlab/-/issues/323961) in GitLab 14.4. -If a site profile's validation fails, you can retry it by selecting the **Retry validation** button -in the profiles list. +Failed site validation attempts are listed on the **Site profiles** tab of the **Manage profiles** +page. + +To retry a site profile's failed validation: -When loading the DAST profiles library, past failed validations are listed above the profiles -list. You can also retry the validation from there by selecting the **Retry validation** link in -the alert. You can also dismiss the alert to revoke failed validations. +1. On the top bar, select **Menu > Projects** and find your project. +1. On the left sidebar, select **Security & Compliance > Configuration**. +1. In the **Dynamic Application Security Testing (DAST)** section, select **Manage profiles**. +1. Select the **Site Profiles** tab. +1. In the profile's row, select **Retry validation**. #### Revoke a site profile's validation status -Note that all site profiles with the same URL have their validation status revoked. +WARNING: +When a site profile's validation status is revoked, all site profiles that share the same URL also +have their validation status revoked. To revoke a site profile's validation status: 1. From your project's home page, go to **Security & Compliance > Configuration**. 1. In the **DAST Profiles** row select **Manage**. -1. Select **Revoke validation** beside the validated profile. +1. Beside the validated profile, select **Revoke validation**. The site profile's validation status is revoked. @@ -1348,40 +1356,40 @@ A scanner profile defines the scanner settings used to run an on-demand scan: To create a scanner profile: 1. From your project's home page, go to **Security & Compliance > Configuration**. -1. In the **DAST Profiles** row select **Manage**. +1. In the **DAST Profiles** row, select **Manage**. 1. Select **New > Scanner Profile**. 1. Complete the form. For details of each field, see [Scanner profile](#scanner-profile). -1. Click **Save profile**. +1. Select **Save profile**. #### Edit a scanner profile +If a scanner profile is linked to a security policy, a user cannot edit the profile from this page. +See [Scan execution policies](../policies/scan-execution-policies.md) +for more information. + To edit a scanner profile: 1. From your project's home page, go to **Security & Compliance > Configuration**. -1. Click **Manage** in the **DAST Profiles** row. +1. In the **DAST Profiles** row, select **Manage**. 1. Select the **Scanner Profiles** tab. -1. In the scanner's row select the **More actions** (**{ellipsis_v}**) menu, then select **Edit**. +1. In the scanner's row, select the **More actions** (**{ellipsis_v}**) menu, then select **Edit**. 1. Edit the form. 1. Select **Save profile**. -If a scanner profile is linked to a security policy, a user cannot edit the profile from this page. -See [Scan execution policies](../policies/scan-execution-policies.md) -for more information. - #### Delete a scanner profile +If a scanner profile is linked to a security policy, a user cannot delete the profile from this +page. See [Scan execution policies](../policies/scan-execution-policies.md) +for more information. + To delete a scanner profile: 1. From your project's home page, go to **Security & Compliance > Configuration**. -1. Click **Manage** in the **DAST Profiles** row. +1. In the **DAST Profiles** row, select **Manage**. 1. Select the **Scanner Profiles** tab. -1. In the scanner's row select the **More actions** (**{ellipsis_v}**) menu, then select **Delete**. +1. In the scanner's row, select the **More actions** (**{ellipsis_v}**) menu, then select **Delete**. 1. Select **Delete**. -If a scanner profile is linked to a security policy, a user cannot delete the profile from this -page. See [Scan execution policies](../policies/scan-execution-policies.md) -for more information. - ## Auditing > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/217872) in GitLab 14.1. |