
DAST API scanner includes Authorization header value in vulnerabilities

Summary

Vulnerability records created by the DAST API scanner do not mask or remove the value of the Authorization header. This header carries the credential used to authenticate the scanner to the target application, so the authentication token is readable by anyone who can view the vulnerability.

Example: https://gitlab.com/gitlab-com/gl-security/appsec/dast-scan-4-fedramp/-/security/vulnerabilities/62832546

Even though it is recommended to run scans against non-production environments, authentication credentials are sensitive information and should be masked or removed from the vulnerability record to prevent unintended leaks. There are also cases where scans are run against production environments because of compliance or certification requirements, and in those cases this issue leaks production credentials.

Steps to reproduce

Run an authenticated API scan and inspect the resulting vulnerability report.

Example Project

https://gitlab.com/gitlab-com/gl-security/appsec/dast-scan-4-fedramp/-/security/vulnerabilities/62832546

What is the current bug behavior?

Authentication credentials are included in the vulnerability.

What is the expected correct behavior?

Authentication credentials are not included in the vulnerability.

Relevant logs and/or screenshots

Screenshot_2022-11-17_at_15.12.58 (screenshot attachment, not reproduced here)

Proposal

  1. Replace the Authorization header value with XXXXXXXXXX (10 X characters)
  2. Apply the replacement in the vulnerability details in the report
  3. Apply the replacement in Postman file generation
  4. Apply the replacement in the raw message zip file

Extend the method used to reconstruct messages to support hiding secrets.
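The following is an added example of the masking the proposal describes; it is not the scanner's own code. It replaces the Authorization header value with ten X characters in the three places a request is written out (the raw message used for vulnerability details, the generated Postman collection, and the raw message zip). The function names, the sample request, collection and archive are assumptions constructed for this illustration; the token in them is a placeholder.

```python
"""Mask Authorization header values in DAST API scanner artifacts.

Added example, not the scanner's own code. Function names and the sample
data below are assumptions made for this illustration.
"""
import copy
import io
import json
import re
import zipfile

MASK = "X" * 10  # ten X characters, as proposed

# Authorization header line in an HTTP/1.x header block: case-insensitive
# name anchored at line start (so "Proxy-Authorization" is not touched),
# value runs to end of line, the line ending itself is left in place.
_AUTH_HEADER_RE = re.compile(
    r"^(authorization:[ \t]*)([^\r\n]*)", re.IGNORECASE | re.MULTILINE
)


def redact_raw_message(raw: str) -> str:
    """Mask the Authorization value in the header block of a raw HTTP message.

    Only the part before the first blank line is rewritten, so a body that
    happens to contain the text "Authorization:" is left untouched.
    """
    sep = re.search(r"\r?\n\r?\n", raw)
    if sep is None:
        head, tail = raw, ""
    else:
        head, tail = raw[: sep.start()], raw[sep.start():]
    return _AUTH_HEADER_RE.sub(lambda m: m.group(1) + MASK, head) + tail


def redact_postman_collection(collection: dict) -> dict:
    """Return a copy of a Postman v2.x collection with every request's
    Authorization header masked; nested item folders are walked too."""
    masked = copy.deepcopy(collection)

    def walk(items):
        for item in items:
            if isinstance(item.get("item"), list):  # folder
                walk(item["item"])
            request = item.get("request")
            if isinstance(request, dict):
                for header in request.get("header", []):
                    if str(header.get("key", "")).lower() == "authorization":
                        header["value"] = MASK

    walk(masked.get("item", []))
    return masked


def redact_raw_message_zip(zip_bytes: bytes) -> bytes:
    """Rewrite every entry of an in-memory raw message zip with masked headers."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src:
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                text = src.read(info).decode("utf-8", errors="replace")
                dst.writestr(info.filename, redact_raw_message(text))
    return out.getvalue()


def read_zip_entries(zip_bytes: bytes) -> dict:
    """Helper: map entry name -> text, used to inspect the rewritten archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: zf.read(n).decode("utf-8", errors="replace") for n in zf.namelist()}


# Constructed sample request; the token is a placeholder, not a real credential.
SAMPLE_REQUEST = (
    "GET /api/v4/projects HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Authorization: Bearer s3cr3t-sample-token\r\n"
    "Accept: application/json\r\n"
    "\r\n"
    '{"note": "Authorization: inside the body, must stay as-is"}'
)

# Constructed Postman collection with one folder containing one request.
SAMPLE_COLLECTION = {
    "info": {"name": "constructed sample"},
    "item": [{"name": "projects", "item": [{
        "name": "list",
        "request": {
            "method": "GET",
            "url": "https://target.example/api/v4/projects",
            "header": [
                {"key": "Authorization", "value": "Bearer s3cr3t-sample-token"},
                {"key": "Accept", "value": "application/json"},
            ],
        },
    }]}],
}


def build_sample_zip() -> bytes:
    """Constructed raw-message archive with a single captured request."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("request-1.txt", SAMPLE_REQUEST)
    return buf.getvalue()


if __name__ == "__main__":
    print(redact_raw_message(SAMPLE_REQUEST))
    print(json.dumps(redact_postman_collection(SAMPLE_COLLECTION), indent=2))
    print(read_zip_entries(redact_raw_message_zip(build_sample_zip()))["request-1.txt"])
```

The header regex is anchored to the start of a line and applied only to the header block, so the body of the message is never rewritten and a header such as Proxy-Authorization is left alone; if the scanner also sends credentials in other headers or in the body, the same approach would need to be extended to those locations.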

Edited by Michael Eddington