DAST browser-based crawler vulnerability checks
DETAILS: Tier: Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated
The DAST browser-based crawler provides vulnerability checks that are used to scan for vulnerabilities in the site under test.
Passive Checks
| ID | Check | Severity | Type |
|---|---|---|---|
| 1004.1 | Sensitive cookie without HttpOnly attribute | Low | Passive |
| 16.1 | Missing Content-Type header | Low | Passive |
| 16.10 | Content-Security-Policy violations | Info | Passive |
| 16.2 | Server header exposes version information | Low | Passive |
| 16.3 | X-Powered-By header exposes version information | Low | Passive |
| 16.4 | X-Backend-Server header exposes server information | Info | Passive |
| 16.5 | AspNet header exposes version information | Low | Passive |
| 16.6 | AspNetMvc header exposes version information | Low | Passive |
| 16.7 | Strict-Transport-Security header missing or invalid | Low | Passive |
| 16.8 | Content-Security-Policy analysis | Info | Passive |
| 16.9 | Content-Security-Policy-Report-Only analysis | Info | Passive |
| 200.1 | Exposure of sensitive information to an unauthorized actor (private IP address) | Low | Passive |
| 209.1 | Generation of error message containing sensitive information | Low | Passive |
| 209.2 | Generation of database error message containing sensitive information | Low | Passive |
| 287.1 | Insecure authentication over HTTP (Basic Authentication) | Medium | Passive |
| 287.2 | Insecure authentication over HTTP (Digest Authentication) | Low | Passive |
| 319.1 | Mixed Content | Info | Passive |
| 352.1 | Absence of anti-CSRF tokens | Medium | Passive |
| 359.1 | Exposure of Private Personal Information (PII) to an unauthorized actor (credit card) | Medium | Passive |
| 359.2 | Exposure of Private Personal Information (PII) to an unauthorized actor (United States social security number) | Medium | Passive |
| 548.1 | Exposure of information through directory listing | Low | Passive |
| 598.1 | Use of GET request method with sensitive query strings (session ID) | Medium | Passive |
| 598.2 | Use of GET request method with sensitive query strings (password) | Medium | Passive |
| 598.3 | Use of GET request method with sensitive query strings (Authorization header details) | Medium | Passive |
| 601.1 | URL redirection to untrusted site ('open redirect') | Low | Passive |
| 614.1 | Sensitive cookie without Secure attribute | Low | Passive |
| 693.1 | Missing X-Content-Type-Options: nosniff | Low | Passive |
| 798.1 | Exposure of confidential secret or token Adafruit API Key | High | Passive |
| 798.2 | Exposure of confidential secret or token Adobe Client ID (OAuth Web) | High | Passive |
| 798.3 | Exposure of confidential secret or token Adobe Client Secret | High | Passive |
| 798.4 | Exposure of confidential secret or token Age secret key | High | Passive |
| 798.5 | Exposure of confidential secret or token Airtable API Key | High | Passive |
| 798.6 | Exposure of confidential secret or token Algolia API Key | High | Passive |
| 798.7 | Exposure of confidential secret or token Alibaba AccessKey ID | High | Passive |
| 798.8 | Exposure of confidential secret or token Alibaba Secret Key | High | Passive |
| 798.9 | Exposure of confidential secret or token Asana Client ID | High | Passive |
| 798.10 | Exposure of confidential secret or token Asana Client Secret | High | Passive |
| 798.11 | Exposure of confidential secret or token Atlassian API token | High | Passive |
| 798.12 | Exposure of confidential secret or token AWS | High | Passive |
| 798.13 | Exposure of confidential secret or token Bitbucket Client ID | High | Passive |
| 798.14 | Exposure of confidential secret or token Bitbucket Client Secret | High | Passive |
| 798.15 | Exposure of confidential secret or token Bittrex Access Key | High | Passive |
| 798.16 | Exposure of confidential secret or token Bittrex Secret Key | High | Passive |
| 798.17 | Exposure of confidential secret or token Beamer API token | High | Passive |
| 798.18 | Exposure of confidential secret or token Codecov Access Token | High | Passive |
| 798.19 | Exposure of confidential secret or token Coinbase Access Token | High | Passive |
| 798.20 | Exposure of confidential secret or token Clojars API token | High | Passive |
| 798.21 | Exposure of confidential secret or token Confluent Access Token | High | Passive |
| 798.22 | Exposure of confidential secret or token Confluent Secret Key | High | Passive |
| 798.23 | Exposure of confidential secret or token Contentful delivery API token | High | Passive |
| 798.24 | Exposure of confidential secret or token Databricks API token | High | Passive |
| 798.25 | Exposure of confidential secret or token Datadog Access Token | High | Passive |
| 798.26 | Exposure of confidential secret or token Discord API key | High | Passive |
| 798.27 | Exposure of confidential secret or token Discord client ID | High | Passive |
| 798.28 | Exposure of confidential secret or token Discord client secret | High | Passive |
| 798.29 | Exposure of confidential secret or token Doppler API token | High | Passive |
| 798.30 | Exposure of confidential secret or token Dropbox API secret | High | Passive |
| 798.31 | Exposure of confidential secret or token Dropbox long lived API token | High | Passive |
| 798.32 | Exposure of confidential secret or token Dropbox short lived API token | High | Passive |
| 798.33 | Exposure of confidential secret or token Drone CI Access Token | High | Passive |
| 798.34 | Exposure of confidential secret or token Duffel API token | High | Passive |
| 798.35 | Exposure of confidential secret or token Dynatrace API token | High | Passive |
| 798.36 | Exposure of confidential secret or token EasyPost API token | High | Passive |
| 798.37 | Exposure of confidential secret or token EasyPost test API token | High | Passive |
| 798.38 | Exposure of confidential secret or token Etsy Access Token | High | Passive |
| 798.39 | Exposure of confidential secret or token Facebook | High | Passive |
| 798.40 | Exposure of confidential secret or token Fastly API key | High | Passive |
| 798.41 | Exposure of confidential secret or token Finicity Client Secret | High | Passive |
| 798.42 | Exposure of confidential secret or token Finicity API token | High | Passive |
| 798.43 | Exposure of confidential secret or token Flickr Access Token | High | Passive |
| 798.44 | Exposure of confidential secret or token Finnhub Access Token | High | Passive |
| 798.46 | Exposure of confidential secret or token Flutterwave Secret Key | High | Passive |
| 798.47 | Exposure of confidential secret or token Flutterwave Encryption Key | High | Passive |
| 798.48 | Exposure of confidential secret or token Frame.io API token | High | Passive |
| 798.49 | Exposure of confidential secret or token FreshBooks Access Token | High | Passive |
| 798.50 | Exposure of confidential secret or token GoCardless API token | High | Passive |
| 798.52 | Exposure of confidential secret or token GitHub personal access token | High | Passive |
| 798.53 | Exposure of confidential secret or token GitHub OAuth Access Token | High | Passive |
| 798.54 | Exposure of confidential secret or token GitHub App Token | High | Passive |
| 798.55 | Exposure of confidential secret or token GitHub Refresh Token | High | Passive |
| 798.56 | Exposure of confidential secret or token GitLab personal access token | High | Passive |
| 798.57 | Exposure of confidential secret or token Gitter Access Token | High | Passive |
| 798.58 | Exposure of confidential secret or token HashiCorp Terraform user/org API token | High | Passive |
| 798.59 | Exposure of confidential secret or token Heroku API Key | High | Passive |
| 798.60 | Exposure of confidential secret or token HubSpot API Token | High | Passive |
| 798.61 | Exposure of confidential secret or token Intercom API Token | High | Passive |
| 798.62 | Exposure of confidential secret or token Kraken Access Token | High | Passive |
| 798.63 | Exposure of confidential secret or token Kucoin Access Token | High | Passive |
| 798.64 | Exposure of confidential secret or token Kucoin Secret Key | High | Passive |
| 798.65 | Exposure of confidential secret or token LaunchDarkly Access Token | High | Passive |
| 798.66 | Exposure of confidential secret or token Linear API Token | High | Passive |
| 798.67 | Exposure of confidential secret or token Linear Client Secret | High | Passive |
| 798.68 | Exposure of confidential secret or token LinkedIn Client ID | High | Passive |
| 798.69 | Exposure of confidential secret or token LinkedIn Client secret | High | Passive |
| 798.70 | Exposure of confidential secret or token Lob API Key | High | Passive |
| 798.72 | Exposure of confidential secret or token Mailchimp API key | High | Passive |
| 798.74 | Exposure of confidential secret or token Mailgun private API token | High | Passive |
| 798.75 | Exposure of confidential secret or token Mailgun webhook signing key | High | Passive |
| 798.77 | Exposure of confidential secret or token Mattermost Access Token | High | Passive |
| 798.78 | Exposure of confidential secret or token MessageBird API token | High | Passive |
| 798.80 | Exposure of confidential secret or token Netlify Access Token | High | Passive |
| 798.81 | Exposure of confidential secret or token New Relic user API Key | High | Passive |
| 798.82 | Exposure of confidential secret or token New Relic user API ID | High | Passive |
| 798.83 | Exposure of confidential secret or token New Relic ingest browser API token | High | Passive |
| 798.84 | Exposure of confidential secret or token npm access token | High | Passive |
| 798.86 | Exposure of confidential secret or token Okta Access Token | High | Passive |
| 798.87 | Exposure of confidential secret or token Plaid Client ID | High | Passive |
| 798.88 | Exposure of confidential secret or token Plaid Secret key | High | Passive |
| 798.89 | Exposure of confidential secret or token Plaid API Token | High | Passive |
| 798.90 | Exposure of confidential secret or token PlanetScale password | High | Passive |
| 798.91 | Exposure of confidential secret or token PlanetScale API token | High | Passive |
| 798.92 | Exposure of confidential secret or token PlanetScale OAuth token | High | Passive |
| 798.93 | Exposure of confidential secret or token Postman API token | High | Passive |
| 798.94 | Exposure of confidential secret or token Private Key | High | Passive |
| 798.95 | Exposure of confidential secret or token Pulumi API token | High | Passive |
| 798.96 | Exposure of confidential secret or token PyPI upload token | High | Passive |
| 798.97 | Exposure of confidential secret or token RubyGems API token | High | Passive |
| 798.98 | Exposure of confidential secret or token RapidAPI Access Token | High | Passive |
| 798.99 | Exposure of confidential secret or token Sendbird Access ID | High | Passive |
| 798.100 | Exposure of confidential secret or token Sendbird Access Token | High | Passive |
| 798.101 | Exposure of confidential secret or token SendGrid API token | High | Passive |
| 798.102 | Exposure of confidential secret or token Sendinblue API token | High | Passive |
| 798.103 | Exposure of confidential secret or token Sentry Access Token | High | Passive |
| 798.104 | Exposure of confidential secret or token Shippo API token | High | Passive |
| 798.105 | Exposure of confidential secret or token Shopify access token | High | Passive |
| 798.106 | Exposure of confidential secret or token Shopify custom access token | High | Passive |
| 798.107 | Exposure of confidential secret or token Shopify private app access token | High | Passive |
| 798.108 | Exposure of confidential secret or token Shopify shared secret | High | Passive |
| 798.109 | Exposure of confidential secret or token Slack token | High | Passive |
| 798.110 | Exposure of confidential secret or token Slack Webhook | High | Passive |
| 798.111 | Exposure of confidential secret or token Stripe | High | Passive |
| 798.112 | Exposure of confidential secret or token Square Access Token | High | Passive |
| 798.113 | Exposure of confidential secret or token Squarespace Access Token | High | Passive |
| 798.114 | Exposure of confidential secret or token SumoLogic Access ID | High | Passive |
| 798.115 | Exposure of confidential secret or token SumoLogic Access Token | High | Passive |
| 798.116 | Exposure of confidential secret or token Travis CI Access Token | High | Passive |
| 798.117 | Exposure of confidential secret or token Twilio API Key | High | Passive |
| 798.118 | Exposure of confidential secret or token Twitch API token | High | Passive |
| 798.119 | Exposure of confidential secret or token Twitter API Key | High | Passive |
| 798.120 | Exposure of confidential secret or token Twitter API Secret | High | Passive |
| 798.121 | Exposure of confidential secret or token Twitter Access Token | High | Passive |
| 798.122 | Exposure of confidential secret or token Twitter Access Secret | High | Passive |
| 798.123 | Exposure of confidential secret or token Twitter Bearer Token | High | Passive |
| 798.124 | Exposure of confidential secret or token Typeform API token | High | Passive |
| 798.125 | Exposure of confidential secret or token Yandex API Key | High | Passive |
| 798.126 | Exposure of confidential secret or token Yandex AWS Access Token | High | Passive |
| 798.127 | Exposure of confidential secret or token Yandex Access Token | High | Passive |
| 798.128 | Exposure of confidential secret or token Zendesk Secret Key | High | Passive |
| 829.1 | Inclusion of Functionality from Untrusted Control Sphere | Low | Passive |
| 829.2 | Invalid Sub-Resource Integrity values detected | Medium | Passive |
Active Checks
| ID | Check | Severity | Type |
|---|---|---|---|
| 113.1 | Improper Neutralization of CRLF Sequences in HTTP Headers | High | Active |
| 1336.1 | Server-Side Template Injection | High | Active |
| 16.11 | TRACE HTTP method enabled | High | Active |
| 22.1 | Improper limitation of a pathname to a restricted directory (Path traversal) | High | Active |
| 611.1 | External XML Entity Injection (XXE) | High | Active |
| 74.1 | XSLT Injection | High | Active |
| 78.1 | OS Command Injection | High | Active |
| 89.1 | SQL Injection | High | Active |
| 917.1 | Expression Language Injection | High | Active |
| 918.1 | Server-Side Request Forgery | High | Active |
| 94.1 | Server-side code injection (PHP) | High | Active |
| 94.2 | Server-side code injection (Ruby) | High | Active |
| 94.3 | Server-side code injection (Python) | High | Active |
| 94.4 | Server-side code injection (NodeJS) | High | Active |
| 943.1 | Improper neutralization of special elements in data query logic | High | Active |
| 98.1 | PHP Remote File Inclusion | High | Active |