Ability to sanitize static API archives such as HAR for API Fuzzing

Problem to solve

Users provide static archives of HTTP messages that API Fuzzing uses to test a web API. The archives may contain sensitive information such as authentication tokens or session cookies. This becomes a security issue if the archive is checked into the repository or the information shows up in application logs.

Capturing an issue raised here: !35926 (comment 401939139)

Intended users

The following users could be asked to provide a HAR file, or assist in analyzer configuration.

User experience goal

Proposal

Provide functionality to sanitize the archive. Some information can be sanitized automatically, but it should be expected the user will need to provide additional information in many cases.

This issue affects multiple formats: HAR, Postman Collection, BURP Projects.

Automatic removal of...

  1. Authorization header
  2. Well known session cookie names

Further details

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited by Michael Eddington