DAST API scanner includes Authorization header value in vulnerabilities
Vulnerabilities created by the DAST API scanner do not mask or remove Authorization header values. This header is used to authenticate the scanner to the target application, so the authentication tokens are accessible to anyone who can view the vulnerability.
Even though it is recommended to run scans on non-production environments, authentication credentials are sensitive information and should be masked or removed from the vulnerability to prevent unintended leaks. There could also be cases where scans are run on production environments because of compliance or certification requirements, in which case this issue leads to production credential leaks.
Steps to reproduce
Run an authenticated API scan and check the vulnerability report.
What is the current bug behavior?
Authentication credentials are included in the vulnerability.
What is the expected correct behavior?
Authentication credentials are not included in the vulnerability.
Relevant logs and/or screenshots
Authorization header value with
Replace in report vulnerability details
Replace in Postman file generation
Replace in Raw message zip file
Extend method used to reconstruct messages to support hiding secrets.
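The tasks above all come down to one operation: before a reconstructed HTTP message is written into a vulnerability's details, a Postman collection or the raw-message zip, credential-carrying header values must be replaced. The following is an added illustration of that operation, not code from the DAST API scanner or from this issue; the header set, the `[REDACTED]` placeholder and the sample request/response are constructed for the example. It keeps the auth scheme (Bearer, Basic) so a reader can still see how the scanner authenticated, replaces the credential itself, and leaves the start line and body untouched, which is what a report consumer needs to reproduce a finding without receiving the token.

```python
import re

# Header names whose values carry credentials (compared case-insensitively,
# as HTTP header names are). Constructed for this example; extend the set for
# application-specific headers.
SENSITIVE_HEADERS = frozenset({
    "authorization",
    "proxy-authorization",
    "cookie",
    "set-cookie",
    "x-api-key",
})

REDACTED = "[REDACTED]"

# "<scheme> <credentials>" as in "Bearer eyJ..." or "Basic dXNlcjpwYXNz".
_SCHEME_AND_CREDENTIALS = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*)\s+\S")


def redact_header_value(name, value):
    """Return the value that may safely appear in a report for header `name`.

    Non-sensitive headers pass through unchanged. For Authorization-style
    headers the scheme (Bearer, Basic, ...) is kept so the report still shows
    how the scanner authenticated; the credential itself is replaced.
    """
    lowered = name.lower()
    if lowered not in SENSITIVE_HEADERS:
        return value
    if lowered in ("authorization", "proxy-authorization"):
        m = _SCHEME_AND_CREDENTIALS.match(value.strip())
        if m:
            return f"{m.group(1)} {REDACTED}"
    return REDACTED


def redact_raw_message(raw):
    """Redact sensitive header values in a raw HTTP request or response.

    Only the header section (up to the first empty line) is rewritten; the
    start line and body are returned unchanged and the original line-ending
    style (CRLF or LF) is preserved.
    """
    # Split off the body at the first blank line, whichever line ending is used.
    for sep in ("\r\n\r\n", "\n\n"):
        if sep in raw:
            head, body = raw.split(sep, 1)
            break
    else:
        head, sep, body = raw, "", ""

    nl = "\r\n" if "\r\n" in head else "\n"
    lines = head.split(nl)
    out = lines[:1]  # request-line / status-line is kept verbatim
    previous_sensitive = False
    for line in lines[1:]:
        # Obsolete line folding: a line starting with whitespace continues the
        # previous header, so it must be hidden if that header was.
        if line[:1] in (" ", "\t"):
            out.append(" " + REDACTED if previous_sensitive else line)
            continue
        name, colon, value = line.partition(":")
        if not colon:
            out.append(line)
            previous_sensitive = False
            continue
        previous_sensitive = name.strip().lower() in SENSITIVE_HEADERS
        if previous_sensitive:
            leading_ws = value[: len(value) - len(value.lstrip())]
            value = leading_ws + redact_header_value(name.strip(), value.strip())
        out.append(name + colon + value)
    return nl.join(out) + sep + body


# Constructed samples of what the scanner would otherwise store with a finding.
SAMPLE_REQUEST = (
    "GET /api/v1/users HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Authorization: Bearer constructed-secret-token\r\n"
    "Cookie: session=constructed-cookie\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"q": 1}'
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\n"
    "Set-Cookie: session=constructed-cookie; HttpOnly\n"
    "Content-Length: 2\n"
    "\n"
    "{}"
)

if __name__ == "__main__":
    print(redact_raw_message(SAMPLE_REQUEST))
    print(redact_raw_message(SAMPLE_RESPONSE))
```

Applying `redact_raw_message` at the point where messages are reconstructed covers all three outputs at once, since the report details, the Postman file and the raw-message zip are each derived from the same reconstructed text; redacting in each writer separately risks one path being missed.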