Detect application vulnerabilities with GitLab’s browser-based DAST
- Introduction
- GitLab has replaced its proxy-based dynamic application security testing (DAST) analyzer with a browser-based one for finding vulnerabilities in running web applications.
- DAST tests a deployed application from the outside, as an attacker would, by sending requests and inspecting responses; it needs no access to source code, so it is language- and framework-agnostic.
- DAST scans can run automatically in CI/CD pipelines, on a schedule, or on demand.
- Migration from Proxy-Based DAST
- GitLab 17.0 made browser-based DAST the default analyzer and deprecated proxy-based DAST, encouraging users to migrate to the new tool.
- Proxy-based DAST remains available until its removal in GitLab 18.0, but it no longer receives bug fixes.
- GitLab's Vulnerability Research team maintains the DAST detection checks and vulnerability definitions, so detection coverage is preserved after migration.
- Migrating to GitLab DAST
- Users who are not yet running DAST can enable automated scans in their pipelines (for example on every merge request) or run manual on-demand scans from the GitLab UI.
- A scan needs at least the target URL; to cover pages behind a login it also needs authentication settings (login URL, credentials stored as masked CI/CD variables, and the form fields to fill).
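The configuration step above, as an added example that is not taken from the GitLab post or from GitLab's own templates: a minimal `.gitlab-ci.yml` that enables browser-based DAST against a staging deployment with a form-based login. The `DAST_*` variable names are GitLab's documented DAST settings as I know them and should be checked against the docs for your GitLab version; the target URLs, the `DAST_USER`/`DAST_PASSWORD` CI/CD variables and the CSS selectors are assumptions for this illustration.

```yaml
# Added example (not from the GitLab post or GitLab's templates).
# Assumes a staging deployment at staging.example.com with a username/password
# login form, and masked CI/CD variables DAST_USER and DAST_PASSWORD.

stages:
  - build
  - test
  - deploy
  - dast          # the DAST template places its job in a stage named "dast"

include:
  - template: Security/DAST.gitlab-ci.yml   # browser-based analyzer as of GitLab 17.0

variables:
  # Target. Point DAST at staging, never production: the crawler submits forms
  # and follows links, which changes application state.
  DAST_WEBSITE: "https://staging.example.com"

  # Form-based authentication so the crawler can reach pages behind the login.
  DAST_AUTH_URL: "https://staging.example.com/login"
  DAST_AUTH_USERNAME: "$DAST_USER"          # masked CI/CD variables, not literals
  DAST_AUTH_PASSWORD: "$DAST_PASSWORD"
  DAST_AUTH_USERNAME_FIELD: "css:#username"         # selectors are assumptions
  DAST_AUTH_PASSWORD_FIELD: "css:#password"
  DAST_AUTH_SUBMIT_FIELD: "css:button[type=submit]"

  # Treat login as successful only if the browser lands on this URL; otherwise
  # the scan fails instead of silently crawling only the unauthenticated surface.
  DAST_AUTH_SUCCESS_IF_AT_URL: "https://staging.example.com/dashboard"
  # Produce an authentication report (screenshots, DOM) for debugging login failures.
  DAST_AUTH_REPORT: "true"

  # Keep the crawler away from endpoints that would end the session or destroy data.
  DAST_EXCLUDE_URLS: "https://staging.example.com/logout,https://staging.example.com/account/delete"

  # Passive checks only (the default); set to "true" to also run active checks.
  DAST_FULL_SCAN: "false"

dast:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
```

Two points worth checking on first run: confirm in the job log that authentication succeeded (the `DAST_AUTH_SUCCESS_IF_AT_URL` check turns a silent login failure into a hard error), and review the exclusion list before enabling active checks, because active checks send payloads to every crawled form.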
- Functionality of DAST
- A browser-based DAST scan first authenticates to the target, then crawls it in a headless browser to discover its attack surface (pages, links, forms and the requests they trigger), and finally runs passive vulnerability checks over the observed requests and responses.
- Benefits of DAST
- Tests the running application the way an attacker would, so findings are confirmed against the application's actual behaviour and carry a low false-positive rate.
- Covers most of the OWASP Top 10 categories, maps each finding to a CWE, and provides remediation guidance.
- Does not analyze source code, so scans are not limited by programming language or framework.
- Supports complex sign-in workflows and crawls with a headless browser, so JavaScript-heavy, single-page applications are covered rather than only the server-rendered HTML.
- Getting Started with GitLab DAST
- GitLab DAST is recommended for security testing programs, providing excellent coverage for modern web applications.