DAST API should recognize the security attribute of the OpenAPI schema and not check authentication on such endpoints


Proposal

At the moment, DAST API does not recognize the security attribute of the OpenAPI schema, so authentication is applied to all operations. This results in customers getting many false positives from a DAST scan, because DAST API checks Authorization tokens on endpoints that the OpenAPI spec marks as public.

DAST API should not check Authorization tokens on endpoints that are marked as public in OpenAPI spec.

This proposal is a follow up to a customer request.

The current workaround is to modify the DAST API configuration file to remove the recognized auth tokens from the public routes. This is not optimal, as it requires customers to maintain a list of routes in both the DAST configuration file and the OpenAPI spec.

Here is an example configuration file with the auth tokens removed from the /admins/meta route. Compare to the default config file to see the differences.
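For reference, the following Python is an added example (not GitLab's DAST API code) of how a scanner could derive the per-operation authentication requirement from the OpenAPI document itself, following the OpenAPI 3 rules: a top-level `security` list applies to every operation, an operation-level `security` list overrides it, `security: []` means the operation is public, and an empty `{}` requirement means authentication is optional. The spec embedded below is constructed for the example.

```python
# Which OpenAPI 3 operations actually require authentication?
# Assumed semantics (from the OpenAPI 3 spec, not from GitLab's implementation):
#   - top-level "security" is the default for every operation
#   - an operation-level "security" key replaces that default
#   - "security": []   -> no auth at all (public)
#   - "security": [{}] -> anonymous access allowed (auth optional)

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample document; /admins/meta GET is the public route from the issue.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "constructed example", "version": "1.0"},
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}
    },
    "security": [{"bearerAuth": []}],  # default: every operation needs a token
    "paths": {
        "/admins/meta": {
            "get": {"security": [], "responses": {"200": {"description": "public"}}},
            "post": {"responses": {"200": {"description": "inherits global auth"}}},
        },
        "/users/me": {
            "parameters": [],  # non-operation key that must be skipped
            "get": {"responses": {"200": {"description": "inherits global auth"}}},
        },
        "/health": {
            "get": {"security": [{}], "responses": {"200": {"description": "optional"}}},
        },
    },
}


def effective_security(spec, path, method):
    """Security requirement list that applies to one operation."""
    op = spec["paths"][path][method]
    return op["security"] if "security" in op else spec.get("security", [])


def classify(spec):
    """Map 'METHOD /path' -> 'public' | 'optional' | 'required'."""
    result = {}
    for path, item in spec["paths"].items():
        for method in item:
            if method not in HTTP_METHODS:
                continue  # skip 'parameters', 'summary', etc.
            reqs = effective_security(spec, path, method)
            if not reqs:
                level = "public"
            elif any(not req for req in reqs):
                level = "optional"
            else:
                level = "required"
            result[f"{method.upper()} {path}"] = level
    return result


def public_operations(spec):
    """Operations on which an auth-token check would only produce false positives."""
    return sorted(k for k, v in classify(spec).items() if v == "public")
```

A scanner that consults `classify()` would skip its Authorization-token checks for the "public" entries instead of relying on a hand-maintained route list in its own configuration file.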
