DeepFactor has closely integrated OWASP ZAP to enable you to run DAST scans on your application's components. Moreover, DeepFactor has enhanced the standard ZAP scan to provide complete observability of your application as follows:
- DeepFactor enhances the insights obtained from the standard OWASP ZAP scans by gathering additional application behavior telemetry from "inside the app" while the scanner is exercising the URIs used by the app "from the outside."
- You can initiate a scan on any of your web services, even if they are running in a private network, as long as there is connectivity from your application to the DeepFactor portal. This gives you the powerful capability to scan all your web services without having to expose them to the public Internet. You can also scan any of your web service components individually (Load Balancer, API Web Service, etc.), which gives you insight into each layer's security profile rather than just that of the exposed host.
- DeepFactor also provides APIs to start scans and get results so you can easily run scans as part of your CI/CD pipeline. Please follow the API link at the top of your DeepFactor portal for details and OpenAPI documentation.
DeepFactor observes incoming HTTP traffic on all ports of your component and detects any web services present in the component. Note that a web service shows up in the DeepFactor portal only after the first incoming HTTP connection hits your component. These web services are listed on the portal under the "Web Services" tab. Click on "Start Web Scan" to visit the start scan page.
DAST Scan Form Fields are as follows:
DeepFactor sets the Host header of every URI requested by the scanner to the value entered in this field. The default is the value of the Host header in the first incoming HTTP request observed by DeepFactor. If your HTTP web service only responds to requests sent with Host: localhost, 127.0.0.1, or some other specific host:port, enter that value in this field.
If your web service issues 3XX redirects, e.g. 302, the DeepFactor scan will only follow them if the redirect Location values match the exact same Host: hostname[:port] specified when starting the scan. For example, a server responding with 302 and "Location: http://localhost/login" will work for a scan started with "Host: localhost", but not with "Host: localhost:80" or "Host: myserver:port".
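The following pre-flight checker is an added example and not DeepFactor's own code. It encodes the redirect rule above (a 3XX Location is only followed when its hostname[:port] is exactly the Host value the scan was started with) and runs it over a constructed list of responses, so you can see which redirects would take the scanner off the scanned host before you start a scan. The response list, the function names, and the handling of relative Location values are assumptions of this example.

```python
"""Pre-flight check for the Host header / 3XX redirect rule.

Added example, not DeepFactor code. A redirect Location is only followed
by the scan when its hostname[:port] exactly equals the Host value the
scan was started with. The responses below are constructed sample data.
"""
from urllib.parse import urlsplit

# Constructed sample responses: (request path, status code, Location header or None)
SAMPLE_RESPONSES = [
    ("/",        302, "http://localhost/login"),
    ("/api",     200, None),
    ("/old",     301, "http://myserver:8080/new"),
    ("/account", 302, "/login"),                      # relative redirect, no host
    ("/secure",  307, "https://localhost:443/secure"),
]


def redirect_compatible(scan_host: str, location: str) -> bool:
    """True if a redirect to `location` stays on the scan's Host value.

    Exact string comparison of hostname[:port], as the documentation states:
    "localhost" and "localhost:80" are different values.
    Assumption (not stated on the page): a relative Location carries no host,
    resolves against the request URL and is therefore treated as compatible.
    """
    parts = urlsplit(location)
    if not parts.netloc:
        return True
    return parts.netloc == scan_host


def find_breaking_redirects(scan_host: str, responses):
    """Return (path, status, location) for each redirect that leaves scan_host."""
    return [
        (path, status, loc)
        for path, status, loc in responses
        if 300 <= status < 400
        and loc is not None
        and not redirect_compatible(scan_host, loc)
    ]


if __name__ == "__main__":
    # Compare how the same service behaves for two candidate Host values.
    for host in ("localhost", "localhost:80"):
        bad = find_breaking_redirects(host, SAMPLE_RESPONSES)
        print(f"Host: {host!r}: {len(bad)} redirect(s) leave the scanned host")
        for path, status, loc in bad:
            print(f"  {path} -> {status} Location: {loc}")
```

Run against your own service by replacing SAMPLE_RESPONSES with the status codes and Location headers you capture while exercising the application; any entry reported here will be skipped by the scan unless you adjust the Host value or the service's redirect targets.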
DeepFactor supports two types of scans:
- Web Scans
With a Web Scan, the ZAP crawler crawls all the URIs it can discover and runs the scan on them. This type of scan is better suited for frontend/UI web services.
- API Scan
This type of scan is better suited for REST API services. You provide the URL of your OpenAPI / Swagger API specification document, and all the URIs in the document will be scanned. A relative path may be specified if the document is hosted on your web service.
You can use this setting to fine-tune the time taken by the scan and its thoroughness. The following three levels are available:
This scan will complete in moderate time and most vulnerabilities will be discovered using this mode.
Fewer attacks are performed to optimize scan time. Although the scan completes in less time, a few potential issues might be missed.
A very large number of attacks is performed. This scan may take a long time to complete. Standard mode should suffice for most applications.
With this field you can specify the relative URIs you would like the scanner to skip. Enter URIs such as /logout, which would invalidate the scanner's authenticated session.
Include DeepFactor Observed URIs
DeepFactor actively observes all HTTP requests received by your component and records their URIs. If you pick yes for this field, all the URIs observed by DeepFactor up to that time are added to the scan. This helps ZAP scan URIs that may not be found by ZAP spidering or may not be present in your Swagger document.
If some of the URIs of your web service require that the client (the scanner, in this case) be authenticated, then you can use this field to specify the authentication method as follows:
- DeepFactor Intercepted Token: DeepFactor not only observes HTTP URIs but also observes Authorization headers and keeps track of tokens. You can use one of these authentication tokens, or values, for the scan.
You can use this option if you would like to specify your own custom value, or token, which will be sent in the Authorization header by the scanner. This mode is useful if you have an external authentication service.
If you select this mode, then no token will be sent in the requests made by the scanner.
You can view all the scans and their status under the "Web Scans" tab. Once a scan is complete, you can view the results by clicking on the "Report" link. If the scan fails for some reason, you can download the error log by clicking on the "Download Logs" link.