DAST API scanner includes Authorization header value in vulnerabilities
Summary
Vulnerabilities created by the DAST API scanner do not mask or remove Authorization header values. This header carries the credential that authenticates the scanner to the target application, so the authentication token is readable by anyone who has access to the vulnerability.
Even though it is recommended to run scans against non-production environments, authentication credentials are sensitive information and should be masked or removed from the vulnerability to prevent unintended leaks. There are also cases where scans are run against production environments because of compliance or certification requirements, in which case this issue leads to production credential leaks.
Steps to reproduce
Run an authenticated API scan and check the vulnerability report.
Example Project
What is the current bug behavior?
Authentication credentials are included in the vulnerability.
What is the expected correct behavior?
Authentication credentials are not included in the vulnerability.
Relevant logs and/or screenshots
Proposal
- Replace the Authorization header value with XXXXXXXXXX (10 X characters)
  - Replace in report vulnerability details
  - Replace in Postman file generation
  - Replace in Raw message zip file
- Extend the method used to reconstruct messages to support hiding secrets.
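The proposal above, worked as an added example that is not part of this issue or of the scanner's code base: one redaction routine for raw HTTP messages (used for report vulnerability details and for the raw message zip) plus a walker for a Postman v2.1 collection. The finding field names `request`/`response`, the extra sensitive header names beyond Authorization, and all sample data are assumptions constructed for the example.

```python
import json
from typing import Iterable

# Header names whose values carry credentials (compared case-insensitively).
# The issue names only Authorization; the other entries are an assumption here.
SENSITIVE_HEADERS = frozenset({
    "authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key",
})
MASK = "X" * 10  # fixed-length placeholder proposed in the issue: ten X characters


def redact_raw_message(raw: str, sensitive: Iterable[str] = SENSITIVE_HEADERS) -> str:
    """Mask sensitive header values in a raw HTTP request or response.

    Only the header block is touched; the body stays intact so the finding stays
    reproducible. Header names and line endings are preserved, and obs-fold
    continuation lines of a masked header are dropped so no fragment survives.
    """
    names = {n.lower() for n in sensitive}
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # bare-LF message
        head, sep, body = raw.partition("\n\n")
    out = []
    masking = False  # True while inside a masked header's continuation lines
    for line in head.split("\n"):
        eol = "\r" if line.endswith("\r") else ""
        text = line[:-1] if eol else line
        if masking and text[:1] in (" ", "\t"):
            continue
        masking = False
        name, colon, _ = text.partition(":")
        if colon and name.strip().lower() in names:
            out.append(f"{name}: {MASK}{eol}")
            masking = True
        else:
            out.append(line)
    return "\n".join(out) + sep + body


def redact_finding(finding: dict) -> dict:
    """Mask credentials in a finding's raw request/response strings.
    The 'request'/'response' field names are assumed, not the real report schema."""
    out = dict(finding)
    for key in ("request", "response"):
        if isinstance(out.get(key), str):
            out[key] = redact_raw_message(out[key])
    return out


def redact_postman_collection(collection: dict,
                              sensitive: Iterable[str] = SENSITIVE_HEADERS) -> dict:
    """Return a deep copy of a Postman v2.1 collection with credentials masked:
    recurses into folders, masks sensitive request.header[] entries, and masks
    every parameter value of a request.auth block regardless of auth type."""
    names = {n.lower() for n in sensitive}

    def walk(items):
        for item in items:
            if isinstance(item.get("item"), list):
                walk(item["item"])
            req = item.get("request")
            if not isinstance(req, dict):
                continue  # v2.1 allows a bare URL string here
            for hdr in req.get("header", []):
                if isinstance(hdr, dict) and hdr.get("key", "").lower() in names:
                    hdr["value"] = MASK
            auth = req.get("auth")
            if isinstance(auth, dict):
                for params in auth.values():
                    for p in (params if isinstance(params, list) else []):
                        if isinstance(p, dict) and "value" in p:
                            p["value"] = MASK

    copy = json.loads(json.dumps(collection))  # deep copy; caller's data untouched
    walk(copy.get("item", []))
    return copy


# Constructed sample data for this example; not captured from a real scan.
SAMPLE_FINDING = {
    "name": "example finding",
    "request": ("GET /api/v4/projects HTTP/1.1\r\nHost: target.example\r\n"
                "Authorization: Bearer s3cr3t-example-token\r\n"
                "Cookie: session=abc123\r\nAccept: application/json\r\n\r\n"),
    "response": ("HTTP/1.1 200 OK\r\nSet-Cookie: session=abc123; HttpOnly\r\n"
                 "Content-Type: application/json\r\n\r\n{\"ok\": true}"),
}
SAMPLE_COLLECTION = {
    "info": {"name": "dast-api-repro"},
    "item": [{"name": "list projects", "request": {
        "method": "GET", "url": "https://target.example/api/v4/projects",
        "header": [{"key": "Authorization", "value": "Bearer s3cr3t-example-token"},
                   {"key": "Accept", "value": "application/json"}],
        "auth": {"type": "bearer",
                 "bearer": [{"key": "token", "value": "s3cr3t-example-token"}]},
    }}],
}

if __name__ == "__main__":
    print(redact_finding(SAMPLE_FINDING)["request"])
    print(json.dumps(redact_postman_collection(SAMPLE_COLLECTION), indent=2))
```

The design point matches the last bullet of the proposal: redaction belongs in the single place where messages are reconstructed, so the report details, the Postman file and the raw message zip are all serialized from the same already-masked copy rather than each output applying (or forgetting) its own filter.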