Fine-tune a DAST profile

The default DAST profile is suitable for most use cases. If necessary, you can fine-tune your DAST profile in a scan-settings.json file and upload it to the Polaris web UI. Configuration options are available for the scan engine (for example, excluded URLs, attack depth, and crawl settings) and the supported authentication methods (Forms, SAML, and Selenium).

After you Create a DAST project, follow these steps to customize the project's DAST profile:

  1. After you open the DAST project, go to DAST Profiles and select the project's profile.
  2. Select Import scan-settings.json file.
  3. Select DOWNLOAD TEMPLATE to download a template scan-settings.json file.
  4. Open the scan-settings.json file in a text editor and modify it, as required.
    The template file contains all the available configuration options and their default values.
    Note: See Advanced DAST settings for descriptions of the most common settings. We recommend that you remove the configuration options that you don't want to modify.
  5. Save the modified scan-settings.json file, then upload it to the Polaris web UI. You can drag and drop the file to the Upload .json file box or browse for it on your computer.
  6. Click Save.

Advanced DAST settings

Table 1. Advanced DAST configuration reference
Setting Description
useSmartSetting When Smart Settings is enabled, fAST Dynamic crawls a limited section of the target web application to automatically detect several characteristics important to dynamic application security testing. These include (but are not limited to):
  • The framework used in the web application, such as Angular, React, or Ember.js
  • Whether the site is a Single Page Application (SPA) or a traditional, non-JavaScript website
  • Whether pages must be fully loaded in the browser in order to navigate the site
  • Whether the page structure is duplicated across the site, to determine the extent of page de-duplication the scan engine can perform

Based on this data, the scan engine defines a set of optimal scan settings and applies them to the scan-settings.json file.

Default: true

Note: Be aware that enabling Smart Settings will override some pre-existing scan settings, if you have modified these in the scan-settings.json file.
pageReadyConfig Configuration for "page readiness" heuristics; that is, how the scan engine determines if a page has finished loading in a browser and is ready for interaction.

pageReadyConfig supports a single mode, SPA (Single Page Application). This mode is designed to help the scanner recognize when pages have finished loading in JavaScript-intensive web apps.

Default: "mode": "SPA"

The pages and regexes options are not supported in the initial release of fAST Dynamic.

authSettings Configuration for authentication.

Default: "loginType": "none"

Note: See Authentication settings (authSettings) for more information.
scanTimeout Maximum length of time before an incomplete scan times out. At the end of this period, the scanner will publish the partial results of the scan.

Default: 72h

includedPaths Configuration for URL paths to include in scans of the target web application.

If set, only URL paths matching the specified values are included in scans. Enter an array of regular expressions, for example:

"includedUrls": ["app", "about", "contact", "reports"],

Default: N/A

excludedUrls Configuration for URL paths to exclude from scans of the target web application.

Any URL whose path matches one of the given regular expressions is excluded from scans, including active attacks. Enter an array of regular expressions, for example:

"excludedUrls": ["logout", "signout"],

Default: "logout", "signout", "log-out", "sign-out"

excludedAttackUrls Configuration for URL paths to exclude from active attacks of the target web application.

Only applies if Perform Active Attacks is selected on the DAST project page.

Default: null

excludedParameters An array of values where any matching parameter names (for example, query parameters, form fields, or headers) will not be attacked.

Only applies if Perform Active Attacks is selected on the DAST project page.

Default: "jsessionid", "__EVENTARGUMENT", "__EVENTTARGET", "__EVENTVALIDATION", "__VIEWSTATE", "X-WHS"

excludedStatusCodes A response with a matching status code will not be attacked.

Only applies if Perform Active Attacks is selected on the DAST project page.

Default: 401, 404

excludedHosts List of hosts to exclude from crawling and attacking. The scan engine will never send a request to any URL on these hosts, even through the browser.

A list of regular expressions.

Note: You might want to add internal services to the default list of excluded hosts, for example, application performance monitoring (APM) tools, ad servers, etc.

Default: See scan-settings.json

customHeaders Extra headers to add to all requests from the scan engine.

Default: Cache-Control, Accept-Language

customCookies Extra cookies to add to all requests from the scan engine.

Default: null

activeCheckers List of active checkers to enable in scans of the target web application. Active checkers change the values of parameters in requests to detect vulnerabilities.

Reducing the number of active checkers speeds up scans but reduces the depth and breadth of intrusive testing.

Only applies if Perform Active Attacks is selected on the DAST project page.

Default: See scan-settings.json

passiveCheckers List of passive checkers to enable in scans of the target web application. Passive checkers are non-intrusive. They detect vulnerabilities by passively observing web traffic.

Default: See scan-settings.json

crawler.formValues Default values used by the scan engine when crawling pages that contain forms. You can customize these form values with specific names and types of form fields used in the target web application.

Default: See scan-settings.json
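Before uploading a modified scan-settings.json, it helps to lint it for the mistakes the table above makes easy: a regular expression that does not compile, an excludedUrls list that no longer covers the logout paths, or an authSettings block missing its required URL. The following Python script is an added example, not part of Polaris or fAST Dynamic; the settings fragment it checks is constructed, and it assumes that a key present in the file replaces the template default and that URL patterns are searched for anywhere in the path.

```python
import json
import re

# Constructed scan-settings.json fragment (not the vendor template): the user
# replaced excludedUrls, so the default logout patterns are gone, and one
# excludedHosts pattern has an unbalanced parenthesis.
SAMPLE_SETTINGS = json.loads(r'''{
  "excludedUrls": ["/admin/.*"],
  "excludedHosts": ["apm\\.example\\.com", "ads\\.example\\.(com"],
  "excludedStatusCodes": [401, 404],
  "authSettings": {"loginType": "simple", "settings": {"loginURL": "https://example.com/login"}}
}''')

REGEX_LISTS = ("includedUrls", "excludedUrls", "excludedAttackUrls", "excludedHosts")
LOGIN_TYPES = ("none", "simple", "SAML", "selenium")
REQUIRED_BY_TYPE = {"simple": "loginURL", "SAML": "ssoLoginURL"}
# Constructed paths the crawler must never request while authenticated.
LOGOUT_PATHS = ("/logout", "/account/signout", "/auth/log-out")

def path_is_excluded(path, patterns):
    """A URL is excluded when a pattern is found on its path (the table's
    wording), so this assumes re.search rather than a full match."""
    return any(re.search(p, path) for p in patterns)

def lint_scan_settings(settings):
    """Return a list of findings for a scan-settings dict; empty means clean."""
    findings = []
    for key in REGEX_LISTS:
        for pattern in settings.get(key) or []:
            try:
                re.compile(pattern)
            except re.error as exc:
                findings.append(f"{key}: invalid regex {pattern!r} ({exc})")
    # Assumption: a key present in the file replaces the template default, so a
    # custom excludedUrls must re-add the logout patterns or the crawler logs itself out.
    if "excludedUrls" in settings:
        for path in LOGOUT_PATHS:
            if not path_is_excluded(path, settings["excludedUrls"]):
                findings.append(f"excludedUrls: {path} is not excluded")
                break
    auth = settings.get("authSettings")
    if auth is not None:
        login_type = auth.get("loginType")
        if login_type not in LOGIN_TYPES:
            findings.append(f"authSettings: unsupported loginType {login_type!r}")
        required = REQUIRED_BY_TYPE.get(login_type)
        if required and required not in auth.get("settings", {}):
            findings.append(f"authSettings: {login_type} requires settings.{required}")
    return findings
```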

Authentication settings (authSettings)

When you create a DAST project, you select an authentication method — either None, Forms, SAML, or Selenium — and configure basic settings through the Polaris web UI. Alternatively, you can configure authentication in the authSettings section of the scan-settings.json file. Here, you can configure the same options as in the UI and some additional advanced settings for each authentication method.

By default, no authentication method is set:

"authSettings": {
  "loginType": "none",
  "settings": {}
},

The loginType field supports the following values: none, simple, SAML, and selenium. The structure of the settings object depends on this value, as described below.

Simple

Simple authentication is most appropriate for simple username/password login forms where both username and password fields are on a single page.

Note: If your application uses multiple pages for authentication (like Polaris), use Selenium.
Table 2. scan-settings.json, simple authentication reference
Setting Optional/Required Description
loginURL Required URL of the target login page.
formCSSSelector Optional A CSS selector for the login form if there is more than one form on the login page. A CSS selector can be generated using your browser's developer tools by highlighting the <form> HTML element and choosing Copy Selector from the context menu. For example:
#my-page-form, body > div:nth-child(5) > form
formValues Optional Specifies the input field names and values for interacting with the target login form. You can specify one or more of the following:
  • nameValues: select for exact matches on the name attribute of an <input> HTML element.
    Note: The rendered label used to identify an <input> element may not match its name attribute.

    For example:

    <form>
      <input name="username">
      <input name="password" type="password">
    </form>
    "formValues": {
        "nameValues": {
            "username": "myuser",
            "password": "mypassword"
        }
    }
  • typeValues: select for an exact match on the type attribute of an <input> HTML element. For example:
    <form>
      <input name="email-1234" type="email">
      <input name="username-5678" type="text">
      <input name="password-9999" type="password">
    </form>
    "formValues": {
        "typeValues": {
            "text": "myuser",
            "password": "mypassword",
            "email": "myuser@example.com"
        }
    }
  • nameRegexValues: select for a regular expression match using the name attribute of an <input> HTML element. Because JSON has no \d escape, the backslash in the regular expression must itself be escaped (\\d). For example:
    <form>
      <input name="username-1234">
      <input name="password-5678" type="password">
    </form>
    "formValues": {
        "nameRegexValues": {
            "username-\\d+": "myuser",
            "password-\\d+": "mypassword"
        }
    }

In this example, all three formValues settings are used:

"formValues": {
    "nameValues": {
        "username": "myuser",
        "password": "mypassword"
    },
    "typeValues": {
        "text": "myuser",
        "password": "mypassword",
        "email": "myuser@example.com"
    },
    "nameRegexValues": {
        "username-\\d+": "myuser",
        "password-\\d+": "mypassword"
    }
}
headers Optional An array of Name,Value pairs (note the capitalization). For example:
"headers": [
    {"Name": "foo", "Value": "bar"}
]
cookies Optional An array of Cookie objects as Name,Value pairs. Other cookie properties, such as Path or Expires, are supported too. For example:
"cookies": [
    {"Name": "session", "Value": "123"}
]

For example:

"authSettings": {
  "loginType": "simple",
  "settings": {
    "loginURL": "https://example.com/login",
    "formValues": {
      "nameValues": {
        "username": "myuser",
        "password": "mypassword"
      }
    }
  }
}

SAML

Authenticate via a SAML Identity Provider (IdP) to perform SSO to a target.

Table 3. scan-settings.json, SAML authentication reference
Setting Optional/Required Description
ssoLoginURL Required The URL of the SAML SSO login page.
formValues Optional Specifies the input field names and values for interacting with the target login form. You can specify one or more of the following:
  • nameValues: select for exact matches on the name attribute of an <input> HTML element.
    Note: The rendered label used to identify an <input> element may not match its name attribute.

    For example:

    <form>
      <input name="username">
      <input name="password" type="password">
    </form>
    "formValues": {
        "nameValues": {
            "username": "myuser",
            "password": "mypassword"
        }
    }
  • typeValues: select for an exact match on the type attribute of an <input> HTML element. For example:
    <form>
      <input name="email-1234" type="email">
      <input name="username-5678" type="text">
      <input name="password-9999" type="password">
    </form>
    "formValues": {
        "typeValues": {
            "text": "myuser",
            "password": "mypassword",
            "email": "myuser@example.com"
        }
    }
  • nameRegexValues: select for a regular expression match using the name attribute of an <input> HTML element. Because JSON has no \d escape, the backslash in the regular expression must itself be escaped (\\d). For example:
    <form>
      <input name="username-1234">
      <input name="password-5678" type="password">
    </form>
    "formValues": {
        "nameRegexValues": {
            "username-\\d+": "myuser",
            "password-\\d+": "mypassword"
        }
    }
headers Optional An array of Name,Value pairs (note the capitalization). For example:
"headers": [
    {"Name": "foo", "Value": "bar"}
]
cookies Optional An array of Cookie objects as Name,Value pairs. Other cookie properties, such as Path or Expires, are supported too. For example:
"cookies": [
    {"Name": "session", "Value": "123"}
]

For example:

"authSettings": {
  "loginType": "SAML",
  "settings": {
    "ssoLoginURL": "https://mycompany.okta.com/app/12345",
    "formValues": {
      "nameValues": {
        "username": "admin",
        "password": "password123"
      }
    }
  }
}
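The three formValues selectors in the simple and SAML tables above resolve the same way. The following Python script is an added example (not fAST Dynamic code) that replays that resolution against a constructed login form, including the case where an exact nameValues entry silently fails because the field name carries a numeric suffix. It assumes that a name regex must match the whole name attribute and that exact name beats name regex beats type when more than one selector applies; the page does not state either rule.

```python
import json
import re
from html.parser import HTMLParser

# Constructed login form (not from the page) whose field names carry a
# per-request numeric suffix, the situation nameRegexValues is meant for.
LOGIN_FORM_HTML = """
<form id="login">
  <input name="email-1234" type="email">
  <input name="username-5678" type="text">
  <input name="password-9999" type="password">
  <input name="csrf" type="hidden" value="constructed-token">
</form>
"""

# The formValues block as written in scan-settings.json. JSON has no \d
# escape, so the regex backslash must itself be escaped as \\d.
FORM_VALUES = json.loads(r'''{
  "nameValues": {"username": "myuser"},
  "typeValues": {"email": "myuser@example.com"},
  "nameRegexValues": {"username-\\d+": "myuser", "password-\\d+": "mypassword"}
}''')

class InputCollector(HTMLParser):
    """Collect the (name, type) of every <input> element in a document."""
    def __init__(self):
        super().__init__()
        self.inputs = []
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            attr = dict(attrs)
            self.inputs.append((attr.get("name", ""), attr.get("type", "text")))

def resolve_form_values(html, form_values):
    """Map each <input> name to the value the selectors would fill in.
    Assumed precedence: exact name, then name regex (full match), then type."""
    parser = InputCollector()
    parser.feed(html)
    filled = {}
    for name, input_type in parser.inputs:
        if name in form_values.get("nameValues", {}):
            filled[name] = form_values["nameValues"][name]
            continue
        for pattern, value in form_values.get("nameRegexValues", {}).items():
            if re.fullmatch(pattern, name):
                filled[name] = value
                break
        else:
            if input_type in form_values.get("typeValues", {}):
                filled[name] = form_values["typeValues"][input_type]
    return filled
```

Fields left out of the returned mapping (here the hidden csrf input, and the "username" entry in nameValues that matches nothing) are the ones the scanner would leave untouched, which is usually why a login attempt fails.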

Selenium

Authenticate using a Selenium .side file, generated from the Selenium IDE browser extension.

Table 4. scan-settings.json, Selenium authentication reference
Setting Optional/Required Description
sideFileContents Optional The contents of the .side file, in JSON format.

For example:

"authSettings": {
  "loginType": "selenium",
  "settings": {
    "sideFileContents": {
      "id": "629c40d4-ea61-42c3-9ce5-80e59da8a988",
      "version": "2.0",
      "name": "selenium-example",
      "url": "https://example.com",
      "tests": [...],
      "suites": [...],
      "urls": [
        "https://example.com/"
      ],
      "plugins": []
    }
  }
}