2.6 KiB
2.6 KiB
| stage | group | info |
|---|---|---|
| Secure | Dynamic Analysis | To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments |
DAST browser-based crawler vulnerability checks (ULTIMATE)
The DAST browser-based crawler provides a number of vulnerability checks that are used to scan for vulnerabilities in the site under test.
| ID | Check | Severity | Type |
|---|---|---|---|
| 1004.1 | Sensitive cookie without HttpOnly attribute | Low | Passive |
| 16.1 | Missing Content-Type header | Low | Passive |
| 16.2 | Server header exposes version information | Low | Passive |
| 16.3 | X-Powered-By header exposes version information | Low | Passive |
| 16.4 | X-Backend-Server header exposes server information | Info | Passive |
| 16.5 | AspNet header exposes version information | Low | Passive |
| 16.6 | AspNetMvc header exposes version information | Low | Passive |
| 16.7 | Strict-Transport-Security header missing or invalid | Low | Passive |
| 200.1 | Exposure of sensitive information to an unauthorized actor (private IP address) | Low | Passive |
| 209.1 | Generation of error message containing sensitive information | Low | Passive |
| 319.1 | Mixed Content | Info | Passive |
| 352.1 | Absence of anti-CSRF tokens | Medium | Passive |
| 359.1 | Exposure of Private Personal Information (PII) to an unauthorized actor (credit card) | Medium | Passive |
| 359.2 | Exposure of Private Personal Information (PII) to an unauthorized actor (United States social security number) | Medium | Passive |
| 548.1 | Exposure of information through directory listing | Low | Passive |
| 598.1 | Use of GET request method with sensitive query strings (session ID) | Medium | Passive |
| 598.2 | Use of GET request method with sensitive query strings (password) | Medium | Passive |
| 598.3 | Use of GET request method with sensitive query strings (Authorization header details) | Medium | Passive |
| 601.1 | URL redirection to untrusted site ('open redirect') | Low | Passive |
| 614.1 | Sensitive cookie without Secure attribute | Low | Passive |
| 693.1 | Missing X-Content-Type-Options: nosniff | Low | Passive |
| 829.1 | Inclusion of Functionality from Untrusted Control Sphere | Low | Passive |
| 829.2 | Invalid Sub-Resource Integrity values detected | Medium | Passive |