API security testing vulnerability checks

  • Tier: Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

API security testing runs the vulnerability checks listed below against the API under test. Each check is either passive or active, carries a severity, and belongs to one or more scan profiles; the profile you select determines which checks run.

Passive checks

| Check | Severity | Type | Profiles |
|-------|----------|------|----------|
| Application information check | Medium | Passive | Passive, Passive-Quick, Active-Quick, Active-Full, Quick, Full |
| Cleartext authentication check | High | Passive | Passive, Passive-Quick, Active-Quick, Active-Full, Quick, Full |
| JSON hijacking | Medium | Passive | Passive, Passive-Quick, Active-Quick, Active-Full, Quick, Full |
| Sensitive information | High | Passive | Passive, Passive-Quick, Active-Quick, Active-Full, Quick, Full |
| Session cookie | Medium | Passive | Passive, Passive-Quick, Active-Quick, Active-Full, Quick, Full |
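To make the passive/active distinction concrete, the following is an added illustrative example, not GitLab's scanner code: two passive checks of the kind named in the table above (cleartext authentication and session cookie) run over recorded request/response pairs without sending any traffic of their own. The page does not specify what GitLab's own checks inspect, so the exact conditions (an `Authorization` header over `http://`; a session cookie set without `Secure`, `HttpOnly` or `SameSite`), the `Exchange`/`Finding` types and the sample traffic are all assumptions constructed for the example.

```python
# Added illustrative example (not GitLab's own scanner code): two passive
# checks run over recorded request/response pairs. Passive checks never send
# traffic; they only inspect what the test already exchanged. The conditions
# below are assumptions about the usual meaning of the check names, not a
# description of GitLab's implementation.
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Exchange:
    """One recorded HTTP request/response pair (constructed test data)."""
    method: str
    url: str
    request_headers: dict = field(default_factory=dict)
    status: int = 200
    response_headers: list = field(default_factory=list)  # list of (name, value)


@dataclass
class Finding:
    check: str
    severity: str
    url: str
    detail: str


def _is_cleartext(url: str) -> bool:
    return urlsplit(url).scheme.lower() == "http"


def cleartext_authentication_check(ex: Exchange) -> list:
    """Flag credentials sent over plain HTTP (High severity, passive)."""
    findings = []
    if not _is_cleartext(ex.url):
        return findings
    for name, value in ex.request_headers.items():
        if name.lower() == "authorization":
            scheme = value.split(" ", 1)[0]
            findings.append(Finding("Cleartext authentication check", "High", ex.url,
                                    f"{scheme} credentials sent over http://"))
    return findings


def _parse_set_cookie(value: str):
    """Return (cookie name, {lower-cased attribute: value}) for a Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def session_cookie_check(ex: Exchange,
                         session_names=("session", "sessionid", "jsessionid", "phpsessid")) -> list:
    """Flag session cookies set without Secure/HttpOnly/SameSite (Medium, passive)."""
    findings = []
    for hname, hvalue in ex.response_headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = _parse_set_cookie(hvalue)
        if name.lower() not in session_names:
            continue
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            findings.append(Finding("Session cookie", "Medium", ex.url,
                                    f"cookie {name!r} missing {', '.join(missing)}"))
    return findings


PASSIVE_CHECKS = [cleartext_authentication_check, session_cookie_check]


def run_passive_checks(exchanges: list) -> list:
    """Run every passive check over each recorded exchange; no requests are made."""
    return [f for ex in exchanges for check in PASSIVE_CHECKS for f in check(ex)]


# Constructed sample traffic, in the shape a scanner would have recorded it.
SAMPLE_TRAFFIC = [
    Exchange("GET", "http://api.example.test/v1/me",
             {"Authorization": "Basic dXNlcjpwYXNz"}, 200,
             [("Content-Type", "application/json")]),
    Exchange("POST", "https://api.example.test/v1/login", {}, 200,
             [("Set-Cookie", "sessionid=abc123; Path=/"),
              ("Set-Cookie", "theme=dark; Path=/")]),
    Exchange("POST", "https://api.example.test/v1/login", {}, 200,
             [("Set-Cookie", "sessionid=def456; Path=/; Secure; HttpOnly; SameSite=Lax")]),
]

if __name__ == "__main__":
    for f in run_passive_checks(SAMPLE_TRAFFIC):
        print(f"[{f.severity}] {f.check}: {f.url} - {f.detail}")
```

Running the block reports one High finding for the Basic credentials sent over `http://` and one Medium finding for the first `sessionid` cookie; the hardened third exchange produces nothing. An active check, by contrast, would have to send its own crafted requests (for example, probing extra HTTP methods or injecting payloads), which is why the active checks above only appear in the Active-* and Quick/Full profiles.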

Active checks

| Check | Severity | Type | Profiles |
|-------|----------|------|----------|
| CORS | Medium | Active | Active-Full, Full |
| DNS rebinding | Medium | Active | Active-Full, Full |
| Framework debug mode | High | Active | Active-Quick, Active-Full, Quick, Full |
| Heartbleed OpenSSL vulnerability | High | Active | Active-Full, Full |
| HTML injection check | Medium | Active | Active-Quick, Active-Full, Quick, Full |
| Insecure HTTP methods | Medium | Active | Active-Quick, Active-Full, Quick, Full |
| JSON injection | Medium | Active | Active-Quick, Active-Full, Quick, Full |
| Open redirect | Medium | Active | Active-Full, Full |
| OS command injection | High | Active | Active-Quick, Active-Full, Quick, Full |
| Path traversal | High | Active | Active-Full, Full |
| Sensitive file | Medium | Active | Active-Full, Full |
| Shellshock | High | Active | Active-Full, Full |
| SQL injection | High | Active | Active-Quick, Active-Full, Quick, Full |
| TLS configuration | High | Active | Active-Full, Full |
| Authentication token | High | Active | Active-Quick, Active-Full, Quick, Full |
| XML external entity | High | Active | Active-Full, Full |
| XML injection | Medium | Active | Active-Quick, Active-Full, Quick, Full |

API security testing checks by profile

The checks each profile runs, as given in the Profiles column of the tables above:

Passive-Quick

  • Application information check
  • Cleartext authentication check
  • JSON hijacking
  • Sensitive information
  • Session cookie

Active-Quick

  • Application information check
  • Cleartext authentication check
  • JSON hijacking
  • Sensitive information
  • Session cookie
  • Framework debug mode
  • HTML injection check
  • Insecure HTTP methods
  • JSON injection
  • OS command injection
  • SQL injection
  • Authentication token
  • XML injection

Active-Full

  • Application information check
  • Cleartext authentication check
  • JSON hijacking
  • Sensitive information
  • Session cookie
  • CORS
  • DNS rebinding
  • Framework debug mode
  • Heartbleed OpenSSL vulnerability
  • HTML injection check
  • Insecure HTTP methods
  • JSON injection
  • Open redirect
  • OS command injection
  • Path traversal
  • Sensitive file
  • Shellshock
  • SQL injection
  • TLS configuration
  • Authentication token
  • XML external entity
  • XML injection

Quick

Runs the same checks as Active-Quick: the five passive checks plus Framework debug mode, HTML injection check, Insecure HTTP methods, JSON injection, OS command injection, SQL injection, Authentication token, and XML injection.

Full

Runs the same checks as Active-Full: every passive check and every active check listed above.