DAST browser-based crawler vulnerability checks

  • Tier: Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

The DAST browser-based crawler ships with the vulnerability checks listed below, which it runs against the site under test. Passive checks inspect the requests and responses the crawler already observes (headers, cookies, page content, query strings) and send no additional traffic; active checks send crafted requests to the site to confirm an injectable or otherwise exploitable behaviour. The numeric prefix of each check ID is the CWE identifier the check maps to (for example, 79.1 is CWE-79, cross-site scripting, and the 798.x checks are CWE-798, use of hard-coded credentials); the suffix distinguishes checks that share a CWE.

Passive Checks

| ID | Check | Severity | Type |
|---|---|---|---|
| 1004.1 | Sensitive cookie without HttpOnly attribute | Low | Passive |
| 16.1 | Missing Content-Type header | Low | Passive |
| 16.10 | Content-Security-Policy violations | Info | Passive |
| 16.2 | Server header exposes version information | Low | Passive |
| 16.3 | X-Powered-By header exposes version information | Low | Passive |
| 16.4 | X-Backend-Server header exposes server information | Info | Passive |
| 16.5 | AspNet header exposes version information | Low | Passive |
| 16.6 | AspNetMvc header exposes version information | Low | Passive |
| 16.7 | Strict-Transport-Security header missing or invalid | Low | Passive |
| 16.8 | Content-Security-Policy analysis | Info | Passive |
| 16.9 | Content-Security-Policy-Report-Only analysis | Info | Passive |
| 200.1 | Exposure of sensitive information to an unauthorized actor (private IP address) | Low | Passive |
| 209.1 | Generation of error message containing sensitive information | Low | Passive |
| 209.2 | Generation of database error message containing sensitive information | Low | Passive |
| 287.1 | Insecure authentication over HTTP (Basic Authentication) | Medium | Passive |
| 287.2 | Insecure authentication over HTTP (Digest Authentication) | Low | Passive |
| 319.1 | Mixed Content | Info | Passive |
| 352.1 | Absence of anti-CSRF tokens | Medium | Passive |
| 359.1 | Exposure of Private Personal Information (PII) to an unauthorized actor (credit card) | Medium | Passive |
| 359.2 | Exposure of Private Personal Information (PII) to an unauthorized actor (United States social security number) | Medium | Passive |
| 548.1 | Exposure of information through directory listing | Low | Passive |
| 598.1 | Use of GET request method with sensitive query strings (session ID) | Medium | Passive |
| 598.2 | Use of GET request method with sensitive query strings (password) | Medium | Passive |
| 598.3 | Use of GET request method with sensitive query strings (Authorization header details) | Medium | Passive |
| 601.1 | URL redirection to untrusted site ('open redirect') | Low | Passive |
| 614.1 | Sensitive cookie without Secure attribute | Low | Passive |
| 693.1 | Missing X-Content-Type-Options: nosniff | Low | Passive |
| 798.2 | Exposure of confidential secret or token Adobe Client ID (OAuth Web) | High | Passive |
| 798.3 | Exposure of confidential secret or token Adobe client secret | High | Passive |
| 798.4 | Exposure of confidential secret or token Age secret key | High | Passive |
| 798.7 | Exposure of confidential secret or token Alibaba AccessKey ID | High | Passive |
| 798.8 | Exposure of confidential secret or token Alibaba Secret Key | High | Passive |
| 798.9 | Exposure of confidential secret or token Asana client ID | High | Passive |
| 798.10 | Exposure of confidential secret or token Asana client secret | High | Passive |
| 798.11 | Exposure of confidential secret or token Atlassian API token | High | Passive |
| 798.12 | Exposure of confidential secret or token AWS access token | High | Passive |
| 798.13 | Exposure of confidential secret or token Bitbucket client ID | High | Passive |
| 798.14 | Exposure of confidential secret or token Bitbucket client secret | High | Passive |
| 798.17 | Exposure of confidential secret or token Beamer API token | High | Passive |
| 798.20 | Exposure of confidential secret or token Clojars deploy token | High | Passive |
| 798.23 | Exposure of confidential secret or token Contentful delivery API token | High | Passive |
| 798.24 | Exposure of confidential secret or token Databricks API token | High | Passive |
| 798.26 | Exposure of confidential secret or token Discord API key | High | Passive |
| 798.27 | Exposure of confidential secret or token Discord client ID | High | Passive |
| 798.28 | Exposure of confidential secret or token Discord client secret | High | Passive |
| 798.29 | Exposure of confidential secret or token Doppler API token | High | Passive |
| 798.30 | Exposure of confidential secret or token Dropbox API secret/key | High | Passive |
| 798.31 | Exposure of confidential secret or token Dropbox long lived API token | High | Passive |
| 798.32 | Exposure of confidential secret or token Dropbox short lived API token | High | Passive |
| 798.34 | Exposure of confidential secret or token Duffel API token | High | Passive |
| 798.35 | Exposure of confidential secret or token Dynatrace API token | High | Passive |
| 798.36 | Exposure of confidential secret or token EasyPost production API key | High | Passive |
| 798.37 | Exposure of confidential secret or token EasyPost test API key | High | Passive |
| 798.39 | Exposure of confidential secret or token Facebook token | High | Passive |
| 798.40 | Exposure of confidential secret or token Fastly API user or automation token | High | Passive |
| 798.41 | Exposure of confidential secret or token Finicity client secret | High | Passive |
| 798.42 | Exposure of confidential secret or token Finicity API token | High | Passive |
| 798.46 | Exposure of confidential secret or token Flutterwave test secret key | High | Passive |
| 798.47 | Exposure of confidential secret or token Flutterwave test encrypted key | High | Passive |
| 798.48 | Exposure of confidential secret or token Frame.io API token | High | Passive |
| 798.50 | Exposure of confidential secret or token GoCardless API token | High | Passive |
| 798.52 | Exposure of confidential secret or token GitHub personal access token (classic) | High | Passive |
| 798.53 | Exposure of confidential secret or token GitHub OAuth Access Token | High | Passive |
| 798.54 | Exposure of confidential secret or token GitHub app token | High | Passive |
| 798.55 | Exposure of confidential secret or token GitHub refresh token | High | Passive |
| 798.56 | Exposure of confidential secret or token GitLab personal access token | High | Passive |
| 798.58 | Exposure of confidential secret or token HashiCorp Terraform API token | High | Passive |
| 798.59 | Exposure of confidential secret or token Heroku API key or application authorization token | High | Passive |
| 798.60 | Exposure of confidential secret or token HubSpot private app API token | High | Passive |
| 798.61 | Exposure of confidential secret or token Intercom API token | High | Passive |
| 798.66 | Exposure of confidential secret or token Linear API token | High | Passive |
| 798.67 | Exposure of confidential secret or token Linear client secret or ID (OAuth 2.0) | High | Passive |
| 798.68 | Exposure of confidential secret or token LinkedIn client ID | High | Passive |
| 798.69 | Exposure of confidential secret or token LinkedIn client secret | High | Passive |
| 798.70 | Exposure of confidential secret or token Lob API key | High | Passive |
| 798.72 | Exposure of confidential secret or token Mailchimp API key | High | Passive |
| 798.74 | Exposure of confidential secret or token Mailgun private API token | High | Passive |
| 798.75 | Exposure of confidential secret or token Mailgun webhook signing key | High | Passive |
| 798.78 | Exposure of confidential secret or token MessageBird access key | High | Passive |
| 798.81 | Exposure of confidential secret or token New Relic user API key | High | Passive |
| 798.82 | Exposure of confidential secret or token New Relic user API ID | High | Passive |
| 798.83 | Exposure of confidential secret or token New Relic ingest browser API token | High | Passive |
| 798.84 | Exposure of confidential secret or token npm access token | High | Passive |
| 798.90 | Exposure of confidential secret or token PlanetScale password | High | Passive |
| 798.91 | Exposure of confidential secret or token PlanetScale API token | High | Passive |
| 798.93 | Exposure of confidential secret or token Postman API token | High | Passive |
| 798.94 | Exposure of confidential secret or token SSH private key | High | Passive |
| 798.95 | Exposure of confidential secret or token Pulumi API token | High | Passive |
| 798.96 | Exposure of confidential secret or token PyPi upload token | High | Passive |
| 798.97 | Exposure of confidential secret or token RubyGems API token | High | Passive |
| 798.101 | Exposure of confidential secret or token SendGrid API token | High | Passive |
| 798.102 | Exposure of confidential secret or token Brevo API token | High | Passive |
| 798.104 | Exposure of confidential secret or token Shippo API token | High | Passive |
| 798.105 | Exposure of confidential secret or token Shopify personal access token | High | Passive |
| 798.106 | Exposure of confidential secret or token Shopify custom app access token | High | Passive |
| 798.107 | Exposure of confidential secret or token Shopify private app access token | High | Passive |
| 798.108 | Exposure of confidential secret or token Shopify shared secret | High | Passive |
| 798.109 | Exposure of confidential secret or token Slack bot user OAuth token | High | Passive |
| 798.110 | Exposure of confidential secret or token Slack webhook | High | Passive |
| 798.111 | Exposure of confidential secret or token Stripe live secret key | High | Passive |
| 798.117 | Exposure of confidential secret or token Twilio API key | High | Passive |
| 798.118 | Exposure of confidential secret or token Twitch OAuth client secret | High | Passive |
| 798.121 | Exposure of confidential secret or token X token | High | Passive |
| 798.124 | Exposure of confidential secret or token Typeform personal access token | High | Passive |
| 798.130 | Exposure of confidential secret or token Anthropic API key | High | Passive |
| 798.131 | Exposure of confidential secret or token CircleCI access token | High | Passive |
| 798.132 | Exposure of confidential secret or token CircleCI Personal Access Token | High | Passive |
| 798.133 | Exposure of confidential secret or token Contentful preview API token | High | Passive |
| 798.134 | Exposure of confidential secret or token Contentful personal access token | High | Passive |
| 798.135 | Exposure of confidential secret or token DigitalOcean OAuth access token | High | Passive |
| 798.136 | Exposure of confidential secret or token DigitalOcean personal access token | High | Passive |
| 798.137 | Exposure of confidential secret or token DigitalOcean refresh token | High | Passive |
| 798.138 | Exposure of confidential secret or token GCP OAuth client secret | High | Passive |
| 798.139 | Exposure of confidential secret or token Google (GCP) service account | High | Passive |
| 798.140 | Exposure of confidential secret or token GitLab Personal Access Token (routable) | High | Passive |
| 798.141 | Exposure of confidential secret or token GitLab Personal Access Token (routable) | High | Passive |
| 798.142 | Exposure of confidential secret or token GitLab Pipeline trigger token | High | Passive |
| 798.143 | Exposure of confidential secret or token GitLab Runner registration token | High | Passive |
| 798.144 | Exposure of confidential secret or token GitLab Runner authentication token | High | Passive |
| 798.145 | Exposure of confidential secret or token GitLab Feed token | High | Passive |
| 798.146 | Exposure of confidential secret or token GitLab OAuth application secret | High | Passive |
| 798.147 | Exposure of confidential secret or token GitLab feed token v2 | High | Passive |
| 798.148 | Exposure of confidential secret or token GitLab Kubernetes agent token | High | Passive |
| 798.149 | Exposure of confidential secret or token GitLab incoming email token | High | Passive |
| 798.150 | Exposure of confidential secret or token GitLab deploy token | High | Passive |
| 798.151 | Exposure of confidential secret or token GitLab SCIM OAuth token | High | Passive |
| 798.152 | Exposure of confidential secret or token GitLab CI build token | High | Passive |
| 798.153 | Exposure of confidential secret or token Grafana API token | High | Passive |
| 798.154 | Exposure of confidential secret or token HashiCorp Vault batch token | High | Passive |
| 798.155 | Exposure of confidential secret or token Instagram access token | High | Passive |
| 798.156 | Exposure of confidential secret or token Intercom client secret or client ID | High | Passive |
| 798.157 | Exposure of confidential secret or token Ionic personal access token | High | Passive |
| 798.158 | Exposure of confidential secret or token Artifactory API Key | High | Passive |
| 798.159 | Exposure of confidential secret or token Artifactory Identity Token | High | Passive |
| 798.160 | Exposure of confidential secret or token MaxMind License Key | High | Passive |
| 798.161 | Exposure of confidential secret or token Meta access token | High | Passive |
| 798.162 | Exposure of confidential secret or token Oculus access token | High | Passive |
| 798.163 | Exposure of confidential secret or token Onfido Live API Token | High | Passive |
| 798.164 | Exposure of confidential secret or token OpenAI API key | High | Passive |
| 798.165 | Exposure of confidential secret or token Password in URL | High | Passive |
| 798.166 | Exposure of confidential secret or token PGP private key | High | Passive |
| 798.167 | Exposure of confidential secret or token PKCS8 private key | High | Passive |
| 798.168 | Exposure of confidential secret or token RSA private key | High | Passive |
| 798.169 | Exposure of confidential secret or token Segment public API token | High | Passive |
| 798.170 | Exposure of confidential secret or token Brevo SMTP token | High | Passive |
| 798.171 | Exposure of confidential secret or token Shippo Test API token | High | Passive |
| 798.172 | Exposure of confidential secret or token Slack app level token | High | Passive |
| 798.173 | Exposure of confidential secret or token SSH (DSA) private key | High | Passive |
| 798.174 | Exposure of confidential secret or token SSH (EC) private key | High | Passive |
| 798.175 | Exposure of confidential secret or token Stripe live restricted key | High | Passive |
| 798.176 | Exposure of confidential secret or token Stripe publishable live key | High | Passive |
| 798.177 | Exposure of confidential secret or token Stripe secret test key | High | Passive |
| 798.178 | Exposure of confidential secret or token Stripe restricted test key | High | Passive |
| 798.179 | Exposure of confidential secret or token Stripe publishable test key | High | Passive |
| 798.180 | Exposure of confidential secret or token Tailscale key | High | Passive |
| 798.181 | Exposure of confidential secret or token Yandex Cloud IAM cookie v1-1 | High | Passive |
| 798.182 | Exposure of confidential secret or token Yandex Cloud IAM cookie v1-2 | High | Passive |
| 798.183 | Exposure of confidential secret or token Yandex Cloud IAM cookie v1-3 | High | Passive |
| 798.184 | Exposure of confidential secret or token Yandex Cloud AWS API compatible access secret | High | Passive |
| 829.1 | Inclusion of Functionality from Untrusted Control Sphere | Low | Passive |
| 829.2 | Invalid Sub-Resource Integrity values detected | Medium | Passive |
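
To make concrete what a passive check does, the following script re-implements a handful of the header, cookie and query-string checks from the table above (16.1, 16.2, 16.3, 16.7, 693.1, 1004.1, 614.1, 598.1, 598.2) over a captured request URL and response headers. It is an added example, not the GitLab DAST crawler's own code: the IDs, titles and severities are copied from the table, but the detection heuristics (which cookie names count as "sensitive", which query parameters are treated as passwords or session IDs, what makes a Strict-Transport-Security header "invalid") and the sample traffic are assumptions made for the example.

```python
"""Illustrative passive checks, modelled on the IDs in the table above.

Added example; not the GitLab DAST crawler's implementation. The heuristics
below (sensitive-cookie names, password/session parameter names, HSTS
validity) are assumptions, as is the constructed sample traffic.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Finding:
    check_id: str
    title: str
    severity: str
    evidence: str


# Assumed heuristics (not taken from the page).
VERSION_RE = re.compile(r"\d+\.\d+")                      # "Apache/2.4.57", "PHP/8.2.1"
SENSITIVE_COOKIE_RE = re.compile(r"sess|auth|token|jwt|csrf", re.I)
SESSION_PARAMS = {"sessionid", "session_id", "sid", "jsessionid", "phpsessid"}
PASSWORD_PARAMS = {"password", "passwd", "pwd", "pass"}

VERSION_HEADER_CHECKS = (
    ("server", "16.2", "Server header exposes version information"),
    ("x-powered-by", "16.3", "X-Powered-By header exposes version information"),
)


def _parse_set_cookie(value: str):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def scan(url: str, headers: list[tuple[str, str]]) -> list[Finding]:
    """Passive checks over one observed response: nothing is sent to the site,
    only the request URL and the response headers already captured are inspected."""
    is_https = urlsplit(url).scheme == "https"
    single = {k.lower(): v for k, v in headers}            # header names are case-insensitive
    cookies = [v for k, v in headers if k.lower() == "set-cookie"]  # Set-Cookie repeats
    findings: list[Finding] = []

    def add(check_id, title, severity, evidence):
        findings.append(Finding(check_id, title, severity, evidence))

    if "content-type" not in single:
        add("16.1", "Missing Content-Type header", "Low", "no Content-Type header")
    for hdr, check_id, title in VERSION_HEADER_CHECKS:
        val = single.get(hdr, "")
        if VERSION_RE.search(val):
            add(check_id, title, "Low", f"{hdr}: {val}")
    if is_https:  # HSTS is only meaningful on TLS responses
        hsts = single.get("strict-transport-security")
        m = re.search(r"max-age=(\d+)", hsts or "", re.I)
        if hsts is None or not m or int(m.group(1)) == 0:   # missing, no max-age, or max-age=0
            add("16.7", "Strict-Transport-Security header missing or invalid", "Low",
                f"strict-transport-security: {hsts!r}")
    if single.get("x-content-type-options", "").strip().lower() != "nosniff":
        add("693.1", "Missing X-Content-Type-Options: nosniff", "Low",
            f"x-content-type-options: {single.get('x-content-type-options')!r}")
    for raw in cookies:
        name, attrs = _parse_set_cookie(raw)
        if not SENSITIVE_COOKIE_RE.search(name):            # assumed "sensitive" heuristic
            continue
        if "httponly" not in attrs:
            add("1004.1", "Sensitive cookie without HttpOnly attribute", "Low", raw)
        if is_https and "secure" not in attrs:
            add("614.1", "Sensitive cookie without Secure attribute", "Low", raw)
    params = {k.lower() for k in parse_qs(urlsplit(url).query, keep_blank_values=True)}
    if params & SESSION_PARAMS:
        add("598.1", "Use of GET request method with sensitive query strings (session ID)",
            "Medium", url)
    if params & PASSWORD_PARAMS:
        add("598.2", "Use of GET request method with sensitive query strings (password)",
            "Medium", url)
    return findings


def check_ids(findings: list[Finding]) -> list[str]:
    return sorted(f.check_id for f in findings)


# Constructed sample traffic (not captured from any real site).
WEAK_URL = "https://shop.example.test/login?user=alice&password=hunter2"
WEAK_HEADERS = [
    ("Server", "Apache/2.4.57 (Ubuntu)"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=0F3A9C; Path=/"),           # no HttpOnly, no Secure
    ("Set-Cookie", "theme=dark; Path=/"),                  # not sensitive: no finding
]
HARDENED_URL = "https://shop.example.test/login"
HARDENED_HEADERS = [
    ("Server", "Apache"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "JSESSIONID=0F3A9C; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, url, hdrs in (("weak", WEAK_URL, WEAK_HEADERS),
                             ("hardened", HARDENED_URL, HARDENED_HEADERS)):
        print(f"== {label}: {len(scan(url, hdrs))} finding(s) ==")
        for f in scan(url, hdrs):
            print(f"  {f.check_id:7} {f.severity:7} {f.title}  [{f.evidence}]")
```

Against the constructed weak response the script reports 16.2, 16.7, 693.1, 1004.1, 614.1 and 598.2, and nothing against the hardened one. The point to take from it is the boundary between the two tables: every one of these checks is decided from traffic the crawler would have seen anyway, so they are cheap and safe to run against production, whereas the active checks below require sending payloads and should be scoped accordingly.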

Active Checks

| ID | Check | Severity | Type |
|---|---|---|---|
| 113.1 | Improper Neutralization of CRLF Sequences in HTTP Headers | High | Active |
| 1336.1 | Server-Side Template Injection | High | Active |
| 16.11 | TRACE HTTP method enabled | High | Active |
| 22.1 | Improper limitation of a pathname to a restricted directory (Path traversal) | High | Active |
| 611.1 | External XML Entity Injection (XXE) | High | Active |
| 74.1 | XSLT Injection | High | Active |
| 78.1 | OS Command Injection | High | Active |
| 79.1 | Cross Site Scripting | High | Active |
| 89.1 | SQL Injection | High | Active |
| 917.1 | Expression Language Injection | High | Active |
| 918.1 | Server-Side Request Forgery | High | Active |
| 94.1 | Server-side code injection (PHP) | High | Active |
| 94.2 | Server-side code injection (Ruby) | High | Active |
| 94.3 | Server-side code injection (Python) | High | Active |
| 94.4 | Server-side code injection (NodeJS) | High | Active |
| 943.1 | Improper neutralization of special elements in data query logic | High | Active |
| 98.1 | PHP Remote File Inclusion | High | Active |