DAST reports do not split out parameter, parameter location, and values
Problem
Our DAST reports do not extract the vulnerability location data into its atomic fields; instead they pack the parameter type, parameter name, and injected value into the `param` field as a free-text description:
```json
"location": {
  "hostname": "http://vulnapp:3000",
  "method": "POST",
  "param": "application/x-www-form-urlencoded form field search with injection '\"",
  "path": "/sql-injection"
},
```
Instead we should add new fields to separate this information:
```json
"location": {
  "hostname": "http://vulnapp:3000",
  "method": "POST",
  "param_type": "application/x-www-form-urlencoded",
  "param": "search",
  "value": "'\"",
  "path": "/sql-injection"
}
```
This will make it easier for external tooling (such as benchmarking) to identify where the vulnerability exists without having to resort to parsing text based descriptions.
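As an illustration of what the external tooling side gains from the split, here is an added example (not part of this issue or of GitLab's own code) that normalizes a report `location` into the proposed atomic fields, falling back to a best-effort parse of the legacy description. The legacy text layout (`<content-type> form field <name> with injection <value>`) is an assumption generalized from the single example above.

```python
import re

# Pattern for the legacy free-text "param" description. The layout is an
# assumption generalised from the one example in this issue:
#   "<content-type> form field <name> with injection <value>"
LEGACY_PARAM_RE = re.compile(
    r"^(?P<param_type>\S+) form field (?P<param>\S+?) with injection (?P<value>.*)$",
    re.DOTALL,
)

def normalize_location(loc: dict) -> dict:
    """Return the location with atomic param_type / param / value fields.

    Reports already in the proposed layout pass through unchanged; legacy
    reports that pack everything into "param" are split on a best-effort
    basis, and an unrecognised description is left as-is rather than guessed.
    """
    out = {k: loc.get(k) for k in ("hostname", "method", "path")}
    out["param_type"] = loc.get("param_type")
    out["param"] = loc.get("param")
    out["value"] = loc.get("value")
    if out["param_type"] is None and out["value"] is None and isinstance(out["param"], str):
        m = LEGACY_PARAM_RE.match(out["param"])
        if m:
            out.update(m.groupdict())
    return out

# Constructed sample: the legacy location quoted in this issue.
LEGACY = {
    "hostname": "http://vulnapp:3000",
    "method": "POST",
    "param": "application/x-www-form-urlencoded form field search with injection '\"",
    "path": "/sql-injection",
}

# Constructed sample: the same finding in the proposed layout.
PROPOSED = {
    "hostname": "http://vulnapp:3000",
    "method": "POST",
    "param_type": "application/x-www-form-urlencoded",
    "param": "search",
    "value": "'\"",
    "path": "/sql-injection",
}

def same_location(a: dict, b: dict) -> bool:
    """Benchmark-style check: do two reports point at the same injection point?"""
    return normalize_location(a) == normalize_location(b)

if __name__ == "__main__":
    print(normalize_location(LEGACY))
    print(same_location(LEGACY, PROPOSED))
```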