Browser-based check 16.1 should ignore responses that don't have a body
Problem
The Browser-based DAST check 16.1 checks whether a response has a Content-Type header. The check currently registers a finding for redirects and other responses without bodies. These are almost certainly false positives.
Proposal
The check currently requires only that a response is present, expressed by the requirement "has_response". This should be converted to a requirement "has_response_body". The has_response_body requirement should also verify that a response is present.
Implementation
- Requirement has_response_body can be parsed in Browserker
- Requirement has_response_body verifies that there is a response and it has a response body of length > 0
- Requirement has_response_body is understood by the schema
- Check 16.1 is updated to use the new requirement
- 16.1 test is updated to verify it doesn't create a finding when there is no body
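The following is an added illustration of the proposal and implementation list above; it is not Browserker's code and does not use its types. It models a check as a predicate gated by a declared requirement, implements has_response_body so that it folds in has_response (a nil response fails it) and demands a body of length > 0, and runs the check over three constructed responses: a body-less 302 redirect, a 200 with a body but no Content-Type, and a 200 with both. The Response, Finding and Requirement types and the CheckMissingContentType function are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Response is a minimal constructed stand-in for a recorded HTTP response.
// It is an assumption for this example, not a Browserker type.
type Response struct {
	StatusCode int
	Headers    map[string]string
	Body       []byte
}

// Finding is one reported issue from a check.
type Finding struct {
	CheckID string
	Reason  string
}

// Requirement is a precondition a check declares before it evaluates.
type Requirement func(r *Response) bool

// HasResponse models the existing "has_response" requirement: satisfied when
// any response was recorded at all, body or not.
func HasResponse(r *Response) bool {
	return r != nil
}

// HasResponseBody models the proposed "has_response_body" requirement. It
// checks for a present response itself (so callers need not declare both)
// and then requires a body of length > 0.
func HasResponseBody(r *Response) bool {
	return HasResponse(r) && len(r.Body) > 0
}

// headerPresent looks a header up case-insensitively, since HTTP header
// names are not case-sensitive.
func headerPresent(h map[string]string, name string) bool {
	for k := range h {
		if strings.EqualFold(k, name) {
			return true
		}
	}
	return false
}

// CheckMissingContentType models check 16.1: it evaluates its requirement
// first and returns nil (no finding) when the requirement is not met, then
// reports a finding only when the Content-Type header is absent.
func CheckMissingContentType(r *Response, req Requirement) *Finding {
	if !req(r) {
		return nil
	}
	if headerPresent(r.Headers, "Content-Type") {
		return nil
	}
	return &Finding{CheckID: "16.1", Reason: "response has a body but no Content-Type header"}
}

// Constructed sample responses; not captured from any real target.
var (
	Redirect = &Response{StatusCode: 302, Headers: map[string]string{"Location": "/login"}}
	NoCT     = &Response{StatusCode: 200, Headers: map[string]string{}, Body: []byte("<html>hello</html>")}
	WithCT   = &Response{StatusCode: 200, Headers: map[string]string{"content-type": "text/html"}, Body: []byte("<html>hello</html>")}
)

func main() {
	cases := []struct {
		name string
		r    *Response
	}{
		{"302 redirect, no body", Redirect},
		{"200, body, no Content-Type", NoCT},
		{"200, body, Content-Type", WithCT},
	}
	for _, c := range cases {
		before := CheckMissingContentType(c.r, HasResponse)
		after := CheckMissingContentType(c.r, HasResponseBody)
		fmt.Printf("%-28s finding with has_response: %-5v with has_response_body: %v\n",
			c.name, before != nil, after != nil)
	}
}
```

Running it shows the behaviour change the issue asks for: with has_response the redirect produces a finding, with has_response_body it does not, while the 200 response that genuinely lacks a Content-Type header still fires under both requirements.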
Edited by Aditya Tiwari