Callback service integration for API Security


Problem

For some checks (such as XXE in DAST API), the target API is given a URL that, when accessed, confirms the existence of a vulnerability or is otherwise used during a vulnerability check.

This presents a problem when the target API runs outside of the runner (on an external IP address), since it is then unable to connect back to the analyzer.

Proposal

Option 1: External helper service

Host an external helper service in GCP. The analyzer would request a callback URL from the service, provide that callback URL to the target API during testing, and then verify with the service whether it was accessed.

While this option would work well for gitlab.com users, it might not work well for offline installs. Would offline installs need to configure their own service?
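The issue/record/verify cycle described above, as an added illustration (not GitLab's or the DAST API analyzer's code): a minimal in-memory callback service with a WSGI endpoint, where the class name, the `callback.example.invalid` base URL, the `/cb/<token>` path layout and the TTL are assumptions. Tokens are unguessable and expire, and the endpoint answers 204 regardless of token validity so the response itself reveals nothing to a caller.

```python
import secrets
import time
from urllib.parse import urlparse


class CallbackService:
    """Illustrative out-of-band callback registry (assumed design, not GitLab's).

    The analyzer asks for a fresh callback URL, hands it to the target API
    during a check, and later asks whether that URL was ever requested.
    """

    def __init__(self, base_url="https://callback.example.invalid", ttl_seconds=600):
        self.base_url = base_url.rstrip("/")
        self.ttl = ttl_seconds
        self._issued = {}   # token -> expiry timestamp
        self._hits = {}     # token -> list of (timestamp, source_ip)

    def issue(self, now=None):
        """Return a unique, unguessable callback URL for one check."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        self._issued[token] = now + self.ttl
        self._hits[token] = []
        return f"{self.base_url}/cb/{token}"

    def record(self, path, source_ip, now=None):
        """Record an inbound request; unknown or expired tokens are ignored."""
        now = time.time() if now is None else now
        parts = path.strip("/").split("/")
        if len(parts) != 2 or parts[0] != "cb":
            return False
        token = parts[1]
        expiry = self._issued.get(token)
        if expiry is None or now > expiry:
            return False
        self._hits[token].append((now, source_ip))
        return True

    def was_accessed(self, callback_url):
        """True if anything fetched the callback URL issued for this check."""
        token = urlparse(callback_url).path.rsplit("/", 1)[-1]
        return bool(self._hits.get(token))


def wsgi_app(service):
    """Tiny WSGI endpoint; always 204 so the reply leaks nothing about tokens."""
    def app(environ, start_response):
        service.record(environ.get("PATH_INFO", ""), environ.get("REMOTE_ADDR", "?"))
        start_response("204 No Content", [])
        return [b""]
    return app
```

A self-managed (offline) install would host this same service on infrastructure the target API can reach and point the analyzer at its base URL.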
