Closed
Issue created Nov 17, 2022 by Nikhil George (@ngeorge1)

DAST API scanner includes Authorization header value in vulnerabilities

Summary

Vulnerabilities created by DAST API scanner do not mask or remove the Authorization header values. This header is used for authenticating the scanner to the target application. The authentication tokens will be accessible to anyone who has access to the vulnerability.

Example https://gitlab.com/gitlab-com/gl-security/appsec/dast-scan-4-fedramp/-/security/vulnerabilities/62832546

Even though it is recommended to run scans on non-production environments, authentication credentials are sensitive information and should be masked or removed from the vulnerability to prevent unintended leaks. There could also be cases where scans are run on production environments because of various compliance/certification requirements, in which case this issue will lead to production credential leaks.

Steps to reproduce

Run authenticated API scan and check the vulnerability report.

Example Project

https://gitlab.com/gitlab-com/gl-security/appsec/dast-scan-4-fedramp/-/security/vulnerabilities/62832546

What is the current bug behavior?

Authentication credentials are included in the vulnerability.

What is the expected correct behavior?

Authentication credentials are not included in the vulnerability.

Relevant logs and/or screenshots

Screenshot: Screenshot_2022-11-17_at_15.12.58 (image not reproduced here)

Proposal

  1. Replace Authorization header value with XXXXXXXXXX (10 X characters)
  2. Replace in report vulnerability details
  3. Replace in Postman file generation
  4. Replace in Raw message zip file

Extend method used to reconstruct messages to support hiding secrets.
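The masking the proposal describes, as an added example (not GitLab's DAST API scanner code): one helper rewrites the header block of a raw HTTP message (the raw message zip case) and another walks JSON-like data (vulnerability details, Postman collection) and masks any header object whose name is Authorization. It assumes headers in the structured data are objects with a "name" or "key" field plus a "value" field; the token in the sample is constructed.

```python
import json
from typing import Any

MASK = "X" * 10                  # replacement value proposed in the issue (10 X characters)
SENSITIVE = {"authorization"}    # header named by the issue; extending this set is an assumption

def mask_raw_message(raw: str) -> str:
    """Mask sensitive header values in a raw HTTP request or response.
    Only the header block before the first blank line is rewritten; the body is kept."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition("\n\n")
    out = []
    for line in head.splitlines(keepends=True):
        name, colon, rest = line.partition(":")
        if colon and name.strip().lower() in SENSITIVE:
            eol = rest[len(rest.rstrip("\r\n")):]    # keep the original line ending
            line = f"{name}: {MASK}{eol}"
        out.append(line)
    return "".join(out) + sep + body

def mask_structured(node: Any) -> Any:
    """Recursively mask header objects in JSON-like data such as report vulnerability
    details or a generated Postman collection. Assumed header shape (hypothetical):
    {"name" | "key": <header name>, "value": <header value>}."""
    if isinstance(node, dict):
        hname = node.get("name", node.get("key"))
        if isinstance(hname, str) and hname.lower() in SENSITIVE and "value" in node:
            return {**node, "value": MASK}
        return {k: mask_structured(v) for k, v in node.items()}
    if isinstance(node, list):
        return [mask_structured(v) for v in node]
    return node

# Constructed sample request as the scanner might record it (token is fake)
SAMPLE_RAW = ("GET /api/v1/users HTTP/1.1\r\nHost: example.test\r\n"
              "Authorization: Bearer fake-token-123\r\nAccept: application/json\r\n\r\n{}")

if __name__ == "__main__":
    print(mask_raw_message(SAMPLE_RAW))
    collection = {"item": [{"request": {"header": [
        {"key": "Authorization", "value": "Bearer fake-token-123"}]}}]}
    print(json.dumps(mask_structured(collection)))
```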

Edited Nov 17, 2022 by Michael Eddington