API security testing vulnerability checks
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
History
API security testing provides vulnerability checks that are used to scan for vulnerabilities in the API under test.
Passive checks
| Check | Severity | Type | Profiles |
|---|---|---|---|
| Application information check | Medium | Passive | Passive, Passive-Quick, Active-Quick, Active-Full, Quick, Full |
| Cleartext authentication check | High | Passive | Passive, Passive-Quick, Active-Quick, Active-Full, Quick, Full |
| JSON hijacking | Medium | Passive | Passive, Passive-Quick, Active-Quick, Active-Full, Quick, Full |
| Sensitive information | High | Passive | Passive, Passive-Quick, Active-Quick, Active-Full, Quick, Full |
| Session cookie | Medium | Passive | Passive, Passive-Quick, Active-Quick, Active-Full, Quick, Full |
Active checks
| Check | Severity | Type | Profiles |
|---|---|---|---|
| CORS | Medium | Active | Active-Full, Full |
| DNS rebinding | Medium | Active | Active-Full, Full |
| Framework debug mode | High | Active | Active-Quick, Active-Full, Quick, Full |
| Heartbleed OpenSSL vulnerability | High | Active | Active-Full, Full |
| HTML injection check | Medium | Active | Active-Quick, Active-Full, Quick, Full |
| Insecure HTTP methods | Medium | Active | Active-Quick, Active-Full, Quick, Full |
| JSON injection | Medium | Active | Active-Quick, Active-Full, Quick, Full |
| Open redirect | Medium | Active | Active-Full, Full |
| OS command injection | High | Active | Active-Quick, Active-Full, Quick, Full |
| Path traversal | High | Active | Active-Full, Full |
| Sensitive file | Medium | Active | Active-Full, Full |
| Shellshock | High | Active | Active-Full, Full |
| SQL injection | High | Active | Active-Quick, Active-Full, Quick, Full |
| TLS configuration | High | Active | Active-Full, Full |
| Authentication token | High | Active | Active-Quick, Active-Full, Quick, Full |
| XML external entity | High | Active | Active-Full, Full |
| XML injection | Medium | Active | Active-Quick, Active-Full, Quick, Full |
API security testing checks by profile
Passive-Quick
- Application information check
- Cleartext authentication check
- JSON hijacking
- Sensitive information
- Session cookie
Active-Quick
- Application information check
- Cleartext authentication check
- Framework debug mode
- HTML injection check
- Insecure HTTP methods
- JSON hijacking
- JSON injection
- OS command injection
- Sensitive information
- Session cookie
- SQL injection
- Authentication token
- XML injection
Active-Full
- Application information check
- Cleartext authentication check
- CORS
- DNS rebinding
- Framework debug mode
- Heartbleed OpenSSL vulnerability
- HTML injection check
- Insecure HTTP methods
- JSON hijacking
- JSON injection
- Open redirect
- OS command injection
- Path traversal
- Sensitive file
- Sensitive information
- Session cookie
- Shellshock
- SQL injection
- TLS configuration
- Authentication token
- XML injection
- XML external entity
Quick
- Application information check
- Cleartext authentication check
- Framework debug mode
- HTML injection check
- Insecure HTTP methods
- JSON hijacking
- JSON injection
- OS command injection
- Sensitive information
- Session cookie
- SQL injection
- Authentication token
- XML injection
Full
- Application information check
- Cleartext authentication check
- CORS
- DNS rebinding
- Framework debug mode
- Heartbleed OpenSSL vulnerability
- HTML injection check
- Insecure HTTP methods
- JSON hijacking
- JSON injection
- Open redirect
- OS command injection
- Path traversal
- Sensitive file
- Sensitive information
- Session cookie
- Shellshock
- SQL injection
- TLS configuration
- Authentication token
- XML injection
- XML external entity
Docs
Edit this page to fix an error or add an improvement in a merge request.
Create an issue to suggest an improvement to this page.
Product
Create an issue if there's something you don't like about this feature.
Propose functionality by submitting a feature request.
Feature availability and product trials
View pricing to see all GitLab tiers and features, or to upgrade.
Try GitLab for free with access to all features for 30 days.
Get help
If you didn't find what you were looking for, search the docs.
If you want help with something specific and could use community support, post on the GitLab forum.
For problems setting up or using this feature (depending on your GitLab subscription).
Request support