stage: Secure
group: Dynamic Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
type: reference, howto

Troubleshooting

The following troubleshooting scenarios have been collected from customer support cases. If you experience a problem not addressed here, or the information here does not fix your problem, create a support ticket. For more details, see the GitLab Support page.

When something goes wrong

When something goes wrong with a DAST scan and you have a particular error message, check the known problems first.

Otherwise, try to discover the problem by answering the following questions:

What is the expected outcome?

Many users who encounter issues with a DAST scan have a good high-level idea of what they think the scanner should be doing. For example, it's not scanning particular pages, or it's not selecting a button on the page.

As much as possible, try to isolate the problem to help narrow the search for a solution. For example, take the situation where DAST isn't scanning a particular page. From where should DAST have found the page? What path did it take to navigate there? Were there elements on the referring page that DAST should have selected, but did not?

Is the outcome achievable by a human?

DAST cannot scan an application if a human cannot manually traverse the application.

Knowing the outcome you expect, try to replicate it manually using a browser on your machine. For example:

  • Open a new incognito/private browser window.
  • Open Developer Tools. Keep an eye on the console for error messages.
    • In Chrome: View -> Developer -> Developer Tools.
    • In Firefox: Tools -> Browser Tools -> Web Developer Tools.
  • If authenticating:
    • Navigate to the DAST_AUTH_URL.
    • Type in the DAST_USERNAME in the DAST_USERNAME_FIELD.
    • Type in the DAST_PASSWORD in the DAST_PASSWORD_FIELD.
    • Select the DAST_SUBMIT_FIELD.
  • Select links and fill in forms. Navigate to the pages that aren't scanning correctly.
  • Observe how your application behaves. Notice if there is anything that might cause problems for an automated scanner.

Any reason why DAST would not work?

DAST cannot scan correctly when:

  • There is a CAPTCHA. Turn these off in the testing environment for the application being scanned.
  • It does not have access to the target application. Ensure the GitLab Runner can access the application using the URLs used in the DAST configuration.

How does your application work?

Understanding how your application works is vital to figuring out why a DAST scan isn't working. For example, the following situations may require additional configuration settings.

  • Is there a popup modal that hides elements?
  • Does a loaded page change dramatically after a certain period of time?
  • Is the application especially slow or fast to load?
  • Is the target application jerky while loading?
  • Does the application work differently based on the client's location?
  • Is the application a single-page application?
  • Does the application submit HTML forms, or does it use JavaScript and AJAX?
  • Does the application use websockets?
  • Does the application use a specific web framework?
  • Does selecting buttons run JavaScript before continuing the form submit? Is it fast or slow?
  • Is it possible DAST could be selecting or searching for elements before either the element or page is ready?

What is DAST doing?

Logging remains the best way to understand what DAST is doing:

Browser-based analyzer logging

The analyzer log is one of the most useful tools to help diagnose problems with a scan. Different parts of the analyzer can be logged at different levels.

Log message format

Log messages have the format [time] [log level] [log module] [message] [additional properties].

For example, the following log entry has level INFO, is part of the CRAWL log module, has the message Crawled path and the additional properties nav_id and path.

2021-04-21T00:34:04.000 INF CRAWL Crawled path nav_id=0cc7fd path="LoadURL [https://my.site.com:8090]"
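As an added example (not part of the GitLab documentation or the analyzer itself), the following Python parses lines in this format into their five parts and pulls out the crawled paths, which helps answer "from where should DAST have found the page?" when reading a long log. The mapping of the three-letter level abbreviations other than INF, and the two extra sample lines, are assumptions constructed for the example.

```python
import re
import shlex
from typing import NamedTuple

# Abbreviated level -> full name. "INF" is INFO per the page; the other
# abbreviations are an assumption, not taken from the documentation.
LEVELS = {"TRC": "TRACE", "DBG": "DEBUG", "INF": "INFO", "WRN": "WARN", "ERR": "ERROR"}
PROP_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

class LogEntry(NamedTuple):
    time: str
    level: str
    module: str
    message: str
    props: dict

def parse_dast_log_line(line: str) -> LogEntry:
    """Split one '[time] [level] [module] [message] [key=value ...]' line.

    shlex honours the quoting, so path="LoadURL [https://my.site.com:8090]"
    stays one token even though the value holds spaces and brackets.
    """
    tokens = shlex.split(line.strip())
    if len(tokens) < 3:
        raise ValueError(f"not a DAST log line: {line!r}")
    time, level, module, *rest = tokens
    words, props = [], {}
    for tok in rest:
        m = PROP_RE.match(tok)
        if m:
            props[m.group(1)] = m.group(2)
        elif props:  # a bare word after the first key=value: quoting was lost
            raise ValueError(f"malformed property {tok!r} in {line!r}")
        else:
            words.append(tok)  # still inside the free-text message
    return LogEntry(time, LEVELS.get(level, level), module, " ".join(words), props)

def crawled_paths(log_text: str) -> list:
    """The 'path' property of every CRAWL 'Crawled path' entry, in order."""
    entries = map(parse_dast_log_line, log_text.splitlines())
    return [e.props["path"] for e in entries
            if e.module == "CRAWL" and e.message == "Crawled path" and "path" in e.props]

# Constructed sample: line 1 is the page's example; lines 2 and 3 are made up.
SAMPLE_LOG = """\
2021-04-21T00:34:04.000 INF CRAWL Crawled path nav_id=0cc7fd path="LoadURL [https://my.site.com:8090]"
2021-04-21T00:34:05.000 DBG AUTH Submitting login form url=https://my.site.com:8090/login
2021-04-21T00:34:06.000 WRN CRAWL Element not ready nav_id=1a2b3c selector="button#submit"
"""
```

Feed it the analyzer log captured from a job and filter on `module` or `level` to isolate the crawl or authentication phase you are troubleshooting.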

Log destination