DAST Proxy is a life cycle management tool for dynamic application security scans, with workflows that help users record browser actions and submit those to the backend scan engine like AppScan. It updates the user with the scan status and publishes the scan results. It supports automation integration and has a set of RESTful web services which can be seamlessly integrated into any existing Selenium (or any other automation framework) functional test cases for security testing. DAST Proxy also works with all the browser-based test cases for both web and mobile applications.
This section will explain how to conduct a manual dynamic security scan using the DAST Proxy. To start, the user will be required to have two browsers installed. On Browser 1, the user would obtain a proxy host and port generated by the DAST server on DAST Proxy’s homepage. The user would then insert this host and port into Browser 2’s proxy settings. Once the proxy is setup, DAST Proxy will record all the web traffic between Browser 2 and the QA server and will store them in a HAR file. The same file is then submitted to the backend scan engine for thorough dynamic security testing. DAST Proxy polls the backend engine for the status and resultant vulnerabilities and will store them in the DB which is accessible to the user via the DAST Proxy dashboard.
DAST Proxy works pretty much the same way as manual scan except that the automation framework uses the RESTFul APIs to start the proxy server, submit and cancels the scan. Here are some of the REST APIs which are used for automation framework.
/rest/v1/proxy - Start listening on proxy port and return the proxy details - POST method - This needs data to be sent. Please find the details in the document.
/rest/v1/selenium/datascan - Setup or submit scan - This is created for Breeze integration. We can modify or create a new one if needed.
/rest/v1/proxy/cancel – Cancel scan cancels the scan recording and frees the proxy port
/rest/v1/user - Gets the logged in user
Record the scan and submit to backend scan engine
Dashboard with list of scans, vulnerabilities with payload
Integration with JIRA system
Ability to re-run the scans from the dashboard.
Supports manual API end point testing using Postman
ZAP integration
Selenium Integration
NT Objectives integration
Admin features
DAST Dashboard lists all the scans, displays statuses, vulnerabilities with a means to publish the vulnerabilities to JIRA. It has feature to re-run the scans as a whole suite or a subset.
Java SDK 1.8.0 Update 31
Spring Framework 4.1.5
Spring Security 3.2.5
Spring LDAP 2.0.2
Jackson 2.5.0
Hibernate 4.3.8
Browsermob Proxy 2.0.0
Log4j 2.2
ESAPI 2.1.0
OWASP Dependency Check 1.2.9
Web Technologies
Tomcat 8.0.20
jQuery 1.11.2
Bootstrap 3.2.0
Maven 3.2.5
.NET 4.5.2
Python 2.7.8
MySQL 5.6.21
DASTProxy is licensed under the MIT License, a copy of which is included below. DAST Proxy contains subcompoents in the source code with separate notices and license terms.
Hibernate is licensed under the GNU Lesser General Public License, Version 2.1, a copy of which can be found at https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html.
Junit is licensed under the Eclipse Public License - v 1.0, a copy of which can be found at https://www.eclipse.org/legal/epl-v10.html
MIT License
Copyright (c) 2016 eBay Software Foundation
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.