Coding Practices in Engineering

eBay Releases Dynamic Application Security Testing Proxy as Open Source

By: Srinivasa Rao Chirathanagandla

In an effort to contribute to the open-source community for security, Global Information Security (GIS) at eBay released its DAST Proxy as open-source software. DAST Proxy is a life-cycle management tool for dynamic application security scans that has a unique feature set. It is available for download and contribution under the MIT License at https://github.com/eBay/DASTProxy.

What is DAST Proxy?

DAST Proxy has work flows that help users record browser actions and submit them to a backend scan engine, such as AppScan. It updates the user with the scan status and publishes the scan results. It supports automation integration and has a set of RESTful web services that can be seamlessly integrated into any existing Selenium (or any other automation framework) functional test cases for security testing. DAST Proxy also works with all the browser-based test cases for both web and mobile applications.

DAST Architecture

dast-architecture

How Does DAST Proxy work?

This section explains how to conduct a manual dynamic security scan using DAST Proxy.

To start, the user is required to have two browsers installed. On Browser 1, the user obtains a proxy host and port generated by the DAST server on DAST Proxy’s home page. The user then inserts this host and port into Browser 2’s proxy settings. Once the proxy is set up, DAST Proxy records all the web traffic between Browser 2 and the QA server and stores it in a HAR file. The same file is then submitted to the back-end scan engine for thorough dynamic security testing. DAST Proxy polls the back-end engine for the status and resultant vulnerabilities and stores them in the database, which is accessible to the user via the DAST Proxy dashboard.

dast-manual-flow-latest

DAST Proxy features

  • Recording the scan and submitting it to a back-end scan engine, such as AppScan
  • Dashboard with list of scans, vulnerabilities, and payloads
  • Integration with JIRA system
  • Ability to rerun the scans from the dashboard
  • Support for manual API-end point testing with browser plug-ins, such as Postman

Features in the pipeline

  • ZAP (OWASP Zed Attack Proxy project) integration
  • Selenium integration
  • NT OBJECTives integration

Tags: Coding Practices, OSS, Testing