API security testing vulnerability checks

Tier: Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated
History
  • Renamed from DAST API vulnerability checks to API security testing vulnerability checks in GitLab 17.0.

API security testing provides vulnerability checks that are used to scan for vulnerabilities in the API under test.

Passive checks

Check Severity Type Profiles
Application information check Medium Passive Passive, Passive-Quick, Active-Quick, Active-Full, Quick, Full
Cleartext authentication check High Passive Passive, Passive-Quick, Active-Quick, Active-Full, Quick, Full
JSON hijacking Medium Passive Passive, Passive-Quick, Active-Quick, Active-Full, Quick, Full
Sensitive information High Passive Passive, Passive-Quick, Active-Quick, Active-Full, Quick, Full
Session cookie Medium Passive Passive, Passive-Quick, Active-Quick, Active-Full, Quick, Full

Active checks

Check Severity Type Profiles
CORS Medium Active Active-Full, Full
DNS rebinding Medium Active Active-Full, Full
Framework debug mode High Active Active-Quick, Active-Full, Quick, Full
Heartbleed OpenSSL vulnerability High Active Active-Full, Full
HTML injection check Medium Active Active-Quick, Active-Full, Quick, Full
Insecure HTTP methods Medium Active Active-Quick, Active-Full, Quick, Full
JSON injection Medium Active Active-Quick, Active-Full, Quick, Full
Open redirect Medium Active Active-Full, Full
OS command injection High Active Active-Quick, Active-Full, Quick, Full
Path traversal High Active Active-Full, Full
Sensitive file Medium Active Active-Full, Full
Shellshock High Active Active-Full, Full
SQL injection High Active Active-Quick, Active-Full, Quick, Full
TLS configuration High Active Active-Full, Full
Authentication token High Active Active-Quick, Active-Full, Quick, Full
XML external entity High Active Active-Full, Full
XML injection Medium Active Active-Quick, Active-Full, Quick, Full

API security testing checks by profile

Passive-Quick

Active-Quick

Active-Full

Quick

Full