This topic explains the various options that DeepFactor portal provides for DAST Scan.
DeepFactor sets the Host header to the value for all the URIs requested by the scanner. The default value is set to the value of the Host Header in the first incoming HTTP request observed by DeepFactor. If your HTTP web service only responds to requests sent with Host: localhost, 127.0.0.1, or some other specific host:port, please enter that value in this field.
If your web service issues 3XX redirects, e.g. 302, then the DeepFactor scan will only work if those redirect Location values match the exact same Host: hostname[:port] specified when starting the scan. This includes scenarios such as a server responding with 302 + "Location: http://localhost/login" and would work for a scan started with "Host: localhost" but not "Host: localhost:80" or "Host: myserver:port".
DeepFactor supports two types of scans:
- Web Scans
With a Web Scan, the ZAP crawler will crawl all the URIs and run the scan on the discovered URIs. This type of scan is more suited for frontend/UI web services.
- API Scan
This type of scan is more suited for REST API services. You can provide your OpenAPI / Swagger API specification document URL and the all the URIs in the document will be scanned. A relative path URI may be specified if the document is hosted on your web service.
You can use this setting to fine tune the time taken by the scan and the thoroughness of the scan. The following three levels are available:
This scan will complete in moderate time and most vulnerabilities will be discovered using this mode.
Fewer attacks are performed to optimize scan time. Although the scan will complete in less time, a few potential issues might be missed.
A very large number of attacks will be performed. This scan may take a long time to complete. Standard mode should suffice for most applications.
With this field you can specify the relative URIs you would like the scanner to skip. Please enter URLs such as /logout which may unauthenticate the session.
Include DeepFactor Observed URIs
DeepFactor actively observes all HTTP requests received by your component and takes note of them. If you pick yes for this field, then all the URIs observed by DeepFactor up until that time will be added to the scan. This helps ZAP scan URIs that may not be found by ZAP spidering, or may not be present in your Swagger doc.
If some of the URIs of your web service require that the client (the scanner, in this case) be authenticated, then you can use this field to specify the authentication method as follows:
- DeepFactor Intercepted Token DeepFactor not only observes HTTP URIs but also observes Authorization headers and keeps track of tokens. You can use one of these authentication tokens, or values, for the scan.
You can use this option if you would like to specify your own custom value, or token, which will be sent in the Authorization header by the scanner. This mode is useful if you have an external authentication service.
If you select this mode, then no token will be sent in the requests made by the scanner.
You can view all the scans and their status under the Web Scans tab. Once the scan is complete, you can view the results by clicking the Report link. In case the scan fails for some reason, you can download the error log by clicking the Download Logs link.