DAST browser-based crawler vulnerability checks
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
The DAST browser-based crawler provides vulnerability checks that are used to scan for vulnerabilities in the site under test. Each check has a type: passive checks inspect the requests and responses the crawler already records while navigating the site and send no extra traffic, whereas active checks send crafted requests to the site under test to confirm a vulnerability. A check ID is the number of the CWE the check maps to, followed by a sequence number; for example, every 798.x check maps to CWE-798 (use of hard-coded credentials), and 79.1 maps to CWE-79 (cross-site scripting).
Passive Checks
ID | Check | Severity | Type |
---|---|---|---|
1004.1 | Sensitive cookie without HttpOnly attribute | Low | Passive |
16.1 | Missing Content-Type header | Low | Passive |
16.10 | Content-Security-Policy violations | Info | Passive |
16.2 | Server header exposes version information | Low | Passive |
16.3 | X-Powered-By header exposes version information | Low | Passive |
16.4 | X-Backend-Server header exposes server information | Info | Passive |
16.5 | AspNet header exposes version information | Low | Passive |
16.6 | AspNetMvc header exposes version information | Low | Passive |
16.7 | Strict-Transport-Security header missing or invalid | Low | Passive |
16.8 | Content-Security-Policy analysis | Info | Passive |
16.9 | Content-Security-Policy-Report-Only analysis | Info | Passive |
200.1 | Exposure of sensitive information to an unauthorized actor (private IP address) | Low | Passive |
209.1 | Generation of error message containing sensitive information | Low | Passive |
209.2 | Generation of database error message containing sensitive information | Low | Passive |
287.1 | Insecure authentication over HTTP (Basic Authentication) | Medium | Passive |
287.2 | Insecure authentication over HTTP (Digest Authentication) | Low | Passive |
319.1 | Mixed Content | Info | Passive |
352.1 | Absence of anti-CSRF tokens | Medium | Passive |
359.1 | Exposure of Private Personal Information (PII) to an unauthorized actor (credit card) | Medium | Passive |
359.2 | Exposure of Private Personal Information (PII) to an unauthorized actor (United States social security number) | Medium | Passive |
548.1 | Exposure of information through directory listing | Low | Passive |
598.1 | Use of GET request method with sensitive query strings (session ID) | Medium | Passive |
598.2 | Use of GET request method with sensitive query strings (password) | Medium | Passive |
598.3 | Use of GET request method with sensitive query strings (Authorization header details) | Medium | Passive |
601.1 | URL redirection to untrusted site ('open redirect') | Low | Passive |
614.1 | Sensitive cookie without Secure attribute | Low | Passive |
693.1 | Missing X-Content-Type-Options: nosniff | Low | Passive |
798.2 | Exposure of confidential secret or token Adobe Client ID (OAuth Web) | High | Passive |
798.3 | Exposure of confidential secret or token Adobe client secret | High | Passive |
798.4 | Exposure of confidential secret or token Age secret key | High | Passive |
798.7 | Exposure of confidential secret or token Alibaba AccessKey ID | High | Passive |
798.8 | Exposure of confidential secret or token Alibaba Secret Key | High | Passive |
798.9 | Exposure of confidential secret or token Asana client ID | High | Passive |
798.10 | Exposure of confidential secret or token Asana client secret | High | Passive |
798.11 | Exposure of confidential secret or token Atlassian API token | High | Passive |
798.12 | Exposure of confidential secret or token AWS access token | High | Passive |
798.13 | Exposure of confidential secret or token Bitbucket client ID | High | Passive |
798.14 | Exposure of confidential secret or token Bitbucket client secret | High | Passive |
798.17 | Exposure of confidential secret or token Beamer API token | High | Passive |
798.20 | Exposure of confidential secret or token Clojars deploy token | High | Passive |
798.23 | Exposure of confidential secret or token Contentful delivery API token | High | Passive |
798.24 | Exposure of confidential secret or token Databricks API token | High | Passive |
798.26 | Exposure of confidential secret or token Discord API key | High | Passive |
798.27 | Exposure of confidential secret or token Discord client ID | High | Passive |
798.28 | Exposure of confidential secret or token Discord client secret | High | Passive |
798.29 | Exposure of confidential secret or token Doppler API token | High | Passive |
798.30 | Exposure of confidential secret or token Dropbox API secret/key | High | Passive |
798.31 | Exposure of confidential secret or token Dropbox long lived API token | High | Passive |
798.32 | Exposure of confidential secret or token Dropbox short lived API token | High | Passive |
798.34 | Exposure of confidential secret or token Duffel API token | High | Passive |
798.35 | Exposure of confidential secret or token Dynatrace API token | High | Passive |
798.36 | Exposure of confidential secret or token EasyPost production API key | High | Passive |
798.37 | Exposure of confidential secret or token EasyPost test API key | High | Passive |
798.39 | Exposure of confidential secret or token Facebook token | High | Passive |
798.40 | Exposure of confidential secret or token Fastly API user or automation token | High | Passive |
798.41 | Exposure of confidential secret or token Finicity client secret | High | Passive |
798.42 | Exposure of confidential secret or token Finicity API token | High | Passive |
798.46 | Exposure of confidential secret or token Flutterwave test secret key | High | Passive |
798.47 | Exposure of confidential secret or token Flutterwave test encrypted key | High | Passive |
798.48 | Exposure of confidential secret or token Frame.io API token | High | Passive |
798.50 | Exposure of confidential secret or token GoCardless API token | High | Passive |
798.52 | Exposure of confidential secret or token GitHub personal access token (classic) | High | Passive |
798.53 | Exposure of confidential secret or token GitHub OAuth Access Token | High | Passive |
798.54 | Exposure of confidential secret or token GitHub app token | High | Passive |
798.55 | Exposure of confidential secret or token GitHub refresh token | High | Passive |
798.56 | Exposure of confidential secret or token GitLab personal access token | High | Passive |
798.58 | Exposure of confidential secret or token HashiCorp Terraform API token | High | Passive |
798.59 | Exposure of confidential secret or token Heroku API key or application authorization token | High | Passive |
798.60 | Exposure of confidential secret or token HubSpot private app API token | High | Passive |
798.61 | Exposure of confidential secret or token Intercom API token | High | Passive |
798.66 | Exposure of confidential secret or token Linear API token | High | Passive |
798.67 | Exposure of confidential secret or token Linear client secret or ID (OAuth 2.0) | High | Passive |
798.68 | Exposure of confidential secret or token LinkedIn client ID | High | Passive |
798.69 | Exposure of confidential secret or token LinkedIn client secret | High | Passive |
798.70 | Exposure of confidential secret or token Lob API key | High | Passive |
798.72 | Exposure of confidential secret or token Mailchimp API key | High | Passive |
798.74 | Exposure of confidential secret or token Mailgun private API token | High | Passive |
798.75 | Exposure of confidential secret or token Mailgun webhook signing key | High | Passive |
798.78 | Exposure of confidential secret or token MessageBird access key | High | Passive |
798.81 | Exposure of confidential secret or token New Relic user API key | High | Passive |
798.82 | Exposure of confidential secret or token New Relic user API ID | High | Passive |
798.83 | Exposure of confidential secret or token New Relic ingest browser API token | High | Passive |
798.84 | Exposure of confidential secret or token npm access token | High | Passive |
798.90 | Exposure of confidential secret or token PlanetScale password | High | Passive |
798.91 | Exposure of confidential secret or token PlanetScale API token | High | Passive |
798.93 | Exposure of confidential secret or token Postman API token | High | Passive |
798.94 | Exposure of confidential secret or token SSH private key | High | Passive |
798.95 | Exposure of confidential secret or token Pulumi API token | High | Passive |
798.96 | Exposure of confidential secret or token PyPI upload token | High | Passive |
798.97 | Exposure of confidential secret or token RubyGems API token | High | Passive |
798.101 | Exposure of confidential secret or token SendGrid API token | High | Passive |
798.102 | Exposure of confidential secret or token Brevo API token | High | Passive |
798.104 | Exposure of confidential secret or token Shippo API token | High | Passive |
798.105 | Exposure of confidential secret or token Shopify personal access token | High | Passive |
798.106 | Exposure of confidential secret or token Shopify custom app access token | High | Passive |
798.107 | Exposure of confidential secret or token Shopify private app access token | High | Passive |
798.108 | Exposure of confidential secret or token Shopify shared secret | High | Passive |
798.109 | Exposure of confidential secret or token Slack bot user OAuth token | High | Passive |
798.110 | Exposure of confidential secret or token Slack webhook | High | Passive |
798.111 | Exposure of confidential secret or token Stripe live secret key | High | Passive |
798.117 | Exposure of confidential secret or token Twilio API key | High | Passive |
798.118 | Exposure of confidential secret or token Twitch OAuth client secret | High | Passive |
798.121 | Exposure of confidential secret or token X token | High | Passive |
798.124 | Exposure of confidential secret or token Typeform personal access token | High | Passive |
798.130 | Exposure of confidential secret or token Anthropic API key | High | Passive |
798.131 | Exposure of confidential secret or token CircleCI access token | High | Passive |
798.132 | Exposure of confidential secret or token CircleCI Personal Access Token | High | Passive |
798.133 | Exposure of confidential secret or token Contentful preview API token | High | Passive |
798.134 | Exposure of confidential secret or token Contentful personal access token | High | Passive |
798.135 | Exposure of confidential secret or token DigitalOcean OAuth access token | High | Passive |
798.136 | Exposure of confidential secret or token DigitalOcean personal access token | High | Passive |
798.137 | Exposure of confidential secret or token DigitalOcean refresh token | High | Passive |
798.138 | Exposure of confidential secret or token GCP OAuth client secret | High | Passive |
798.139 | Exposure of confidential secret or token Google (GCP) service account | High | Passive |
798.140 | Exposure of confidential secret or token GitLab Personal Access Token (routable) | High | Passive |
798.141 | Exposure of confidential secret or token GitLab Personal Access Token (routable) | High | Passive |
798.142 | Exposure of confidential secret or token GitLab Pipeline trigger token | High | Passive |
798.143 | Exposure of confidential secret or token GitLab Runner registration token | High | Passive |
798.144 | Exposure of confidential secret or token GitLab Runner authentication token | High | Passive |
798.145 | Exposure of confidential secret or token GitLab Feed token | High | Passive |
798.146 | Exposure of confidential secret or token GitLab OAuth application secret | High | Passive |
798.147 | Exposure of confidential secret or token GitLab feed token v2 | High | Passive |
798.148 | Exposure of confidential secret or token GitLab Kubernetes agent token | High | Passive |
798.149 | Exposure of confidential secret or token GitLab incoming email token | High | Passive |
798.150 | Exposure of confidential secret or token GitLab deploy token | High | Passive |
798.151 | Exposure of confidential secret or token GitLab SCIM OAuth token | High | Passive |
798.152 | Exposure of confidential secret or token GitLab CI build token | High | Passive |
798.153 | Exposure of confidential secret or token Grafana API token | High | Passive |
798.154 | Exposure of confidential secret or token HashiCorp Vault batch token | High | Passive |
798.155 | Exposure of confidential secret or token Instagram access token | High | Passive |
798.156 | Exposure of confidential secret or token Intercom client secret or client ID | High | Passive |
798.157 | Exposure of confidential secret or token Ionic personal access token | High | Passive |
798.158 | Exposure of confidential secret or token Artifactory API Key | High | Passive |
798.159 | Exposure of confidential secret or token Artifactory Identity Token | High | Passive |
798.160 | Exposure of confidential secret or token MaxMind License Key | High | Passive |
798.161 | Exposure of confidential secret or token Meta access token | High | Passive |
798.162 | Exposure of confidential secret or token Oculus access token | High | Passive |
798.163 | Exposure of confidential secret or token Onfido Live API Token | High | Passive |
798.164 | Exposure of confidential secret or token OpenAI API key | High | Passive |
798.165 | Exposure of confidential secret or token Password in URL | High | Passive |
798.166 | Exposure of confidential secret or token PGP private key | High | Passive |
798.167 | Exposure of confidential secret or token PKCS8 private key | High | Passive |
798.168 | Exposure of confidential secret or token RSA private key | High | Passive |
798.169 | Exposure of confidential secret or token Segment public API token | High | Passive |
798.170 | Exposure of confidential secret or token Brevo SMTP token | High | Passive |
798.171 | Exposure of confidential secret or token Shippo Test API token | High | Passive |
798.172 | Exposure of confidential secret or token Slack app level token | High | Passive |
798.173 | Exposure of confidential secret or token SSH (DSA) private key | High | Passive |
798.174 | Exposure of confidential secret or token SSH (EC) private key | High | Passive |
798.175 | Exposure of confidential secret or token Stripe live restricted key | High | Passive |
798.176 | Exposure of confidential secret or token Stripe publishable live key | High | Passive |
798.177 | Exposure of confidential secret or token Stripe secret test key | High | Passive |
798.178 | Exposure of confidential secret or token Stripe restricted test key | High | Passive |
798.179 | Exposure of confidential secret or token Stripe publishable test key | High | Passive |
798.180 | Exposure of confidential secret or token Tailscale key | High | Passive |
798.181 | Exposure of confidential secret or token Yandex Cloud IAM cookie v1-1 | High | Passive |
798.182 | Exposure of confidential secret or token Yandex Cloud IAM cookie v1-2 | High | Passive |
798.183 | Exposure of confidential secret or token Yandex Cloud IAM cookie v1-3 | High | Passive |
798.184 | Exposure of confidential secret or token Yandex Cloud AWS API compatible access secret | High | Passive |
829.1 | Inclusion of Functionality from Untrusted Control Sphere | Low | Passive |
829.2 | Invalid Sub-Resource Integrity values detected | Medium | Passive |
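To make the passive type concrete, here is an added example (not the GitLab DAST analyzer's code) that runs a small passive pass over one captured response and reports findings with the IDs used in the table above: 1004.1 and 614.1 for cookie attributes, 16.1, 16.2, 16.3, 16.7 and 693.1 for header hygiene, and three of the 798.x secret patterns. The `Response` and `Finding` types, the "sensitive cookie" name heuristic, the version regex and the secret regexes are this example's own assumptions; the sample response is constructed, and the AWS key in it is Amazon's documented dummy value.

```python
# Added example: illustrative passive checks over one captured response,
# modelled on a handful of check IDs from the table above. Not GitLab's code;
# the types, the sensitive-cookie heuristic and the regexes are assumptions.
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    check_id: str
    severity: str
    detail: str


@dataclass
class Response:
    """Hypothetical captured response: headers kept as ordered pairs so that
    repeated Set-Cookie headers survive; body already decoded to text."""
    url: str
    headers: List[Tuple[str, str]]
    body: str

    def get(self, name: str) -> List[str]:
        return [v for k, v in self.headers if k.lower() == name.lower()]


# Assumption: a cookie is "sensitive" when its name looks session- or auth-like.
SENSITIVE_COOKIE = re.compile(r"sess|sid|auth|token|jwt", re.I)
VERSION = re.compile(r"\d+\.\d+")

# Illustrative token shapes only (well-known public prefixes); the real
# checks carry far more patterns than these three.
SECRET_PATTERNS = {
    "798.12": ("AWS access token", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    "798.56": ("GitLab personal access token", re.compile(r"\bglpat-[0-9A-Za-z_\-]{20}\b")),
    "798.111": ("Stripe live secret key", re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b")),
}


def check_cookies(resp: Response) -> List[Finding]:
    """1004.1 / 614.1: sensitive cookies must carry HttpOnly and Secure."""
    out = []
    for raw in resp.get("Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if not SENSITIVE_COOKIE.search(name):
            continue
        if "httponly" not in attrs:
            out.append(Finding("1004.1", "Low", f"cookie {name} set without HttpOnly"))
        if "secure" not in attrs:
            out.append(Finding("614.1", "Low", f"cookie {name} set without Secure"))
    return out


def check_headers(resp: Response) -> List[Finding]:
    """16.1, 16.2, 16.3, 16.7, 693.1: header presence and hygiene."""
    out = []
    if not resp.get("Content-Type"):
        out.append(Finding("16.1", "Low", "Content-Type header missing"))
    for hdr, check_id in (("Server", "16.2"), ("X-Powered-By", "16.3")):
        for value in resp.get(hdr):
            if VERSION.search(value):
                out.append(Finding(check_id, "Low", f"{hdr} exposes version: {value}"))
    if resp.url.lower().startswith("https://"):
        hsts = resp.get("Strict-Transport-Security")
        m = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
        # "invalid" here means no usable max-age, or max-age=0 (which disables HSTS)
        if m is None or int(m.group(1)) == 0:
            out.append(Finding("16.7", "Low", "Strict-Transport-Security missing or invalid"))
    if not any(v.strip().lower() == "nosniff" for v in resp.get("X-Content-Type-Options")):
        out.append(Finding("693.1", "Low", "X-Content-Type-Options: nosniff missing"))
    return out


def check_secrets(resp: Response) -> List[Finding]:
    """798.x: token-shaped strings in the response body. The detail is
    truncated so the finding itself does not re-leak the secret."""
    out = []
    for check_id, (label, pattern) in SECRET_PATTERNS.items():
        for m in pattern.finditer(resp.body):
            out.append(Finding(check_id, "High", f"{label}: {m.group(0)[:8]}..."))
    return out


def run_passive_checks(resp: Response) -> List[Finding]:
    return check_cookies(resp) + check_headers(resp) + check_secrets(resp)


# Constructed sample (no real site); the AWS key is Amazon's documented dummy value.
SAMPLE = Response(
    url="https://app.example.test/login",
    headers=[
        ("Content-Type", "text/html; charset=utf-8"),
        ("Server", "Apache/2.4.57"),
        ("Set-Cookie", "session_id=abc123; Path=/"),
        ("Set-Cookie", "theme=dark; Path=/"),
    ],
    body='<script>window.cfg = {awsKey: "AKIAIOSFODNN7EXAMPLE"};</script>',
)

if __name__ == "__main__":
    for f in run_passive_checks(SAMPLE):
        print(f"{f.check_id:<8} {f.severity:<5} {f.detail}")
```

Run as-is the sample yields six findings (1004.1, 614.1, 16.2, 16.7, 693.1 and 798.12); the `theme` cookie is skipped because only cookies whose names look session- or auth-like are treated as sensitive. Note that nothing here ever sends a request: the input is traffic the crawler has already captured, which is exactly what distinguishes these checks from the active ones in the next table.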
Active Checks
ID | Check | Severity | Type |
---|---|---|---|
113.1 | Improper Neutralization of CRLF Sequences in HTTP Headers | High | Active |
1336.1 | Server-Side Template Injection | High | Active |
16.11 | TRACE HTTP method enabled | High | Active |
22.1 | Improper limitation of a pathname to a restricted directory (Path traversal) | High | Active |
611.1 | External XML Entity Injection (XXE) | High | Active |
74.1 | XSLT Injection | High | Active |
78.1 | OS Command Injection | High | Active |
79.1 | Cross Site Scripting | High | Active |
89.1 | SQL Injection | High | Active |
917.1 | Expression Language Injection | High | Active |
918.1 | Server-Side Request Forgery | High | Active |
94.1 | Server-side code injection (PHP) | High | Active |
94.2 | Server-side code injection (Ruby) | High | Active |
94.3 | Server-side code injection (Python) | High | Active |
94.4 | Server-side code injection (NodeJS) | High | Active |
943.1 | Improper neutralization of special elements in data query logic | High | Active |
98.1 | PHP Remote File Inclusion | High | Active |
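An active check behaves differently from the passive ones: it sends a crafted request and reads the response for evidence. The following added example (not GitLab's DAST code) shows that mechanic for 113.1, CRLF injection into HTTP headers. It probes a toy redirect endpoint in two versions, one that copies a query parameter into `Location` unchecked and one that rejects CR or LF in the value, and reports the finding only when the injected marker header comes back as a real header. The two app functions, the `X-Dast-Probe` marker header and the request-line model are this example's assumptions.

```python
# Added example: an active check (113.1, CRLF injection into HTTP headers)
# against two toy in-process apps. Not GitLab's DAST code; the apps, the
# marker header name and the request model are this example's assumptions.
import urllib.parse
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PROBE_HEADER = "X-Dast-Probe"  # hypothetical marker; any header the app never sets works
PROBE_VALUE = "injected"

App = Callable[[str], bytes]  # takes an HTTP request line, returns the raw response


@dataclass(frozen=True)
class Finding:
    check_id: str
    severity: str
    detail: str


def _redirect_target(request_line: str) -> Tuple[str, Optional[str]]:
    """Pull the path and the decoded ?next= value out of a request line."""
    _method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    params = urllib.parse.parse_qs(query)
    return path, params.get("next", [None])[0]


def vulnerable_app(request_line: str) -> bytes:
    """Toy redirect endpoint that copies ?next= into Location unchecked; a
    decoded CR LF in the value ends the header and starts a new one."""
    path, nxt = _redirect_target(request_line)
    if path != "/go" or nxt is None:
        return b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
    return f"HTTP/1.1 302 Found\r\nLocation: {nxt}\r\nContent-Length: 0\r\n\r\n".encode("latin-1")


def fixed_app(request_line: str) -> bytes:
    """Same endpoint with the fix: refuse any header value containing CR or LF."""
    path, nxt = _redirect_target(request_line)
    if path != "/go" or nxt is None:
        return b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
    if "\r" in nxt or "\n" in nxt:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return f"HTTP/1.1 302 Found\r\nLocation: {nxt}\r\nContent-Length: 0\r\n\r\n".encode("latin-1")


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the raw response head into (lowercased name, value) pairs the way
    a client would, so a split header shows up as a separate entry."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_crlf_injection(app: App, path: str, param: str) -> Optional[Finding]:
    """Active probe: send an encoded CR LF plus a marker header through one
    query parameter; report 113.1 if the marker comes back as a real header."""
    payload = urllib.parse.quote(f"/\r\n{PROBE_HEADER}: {PROBE_VALUE}", safe="")
    response = app(f"GET {path}?{param}={payload} HTTP/1.1")
    injected = any(
        name == PROBE_HEADER.lower() and value == PROBE_VALUE
        for name, value in parse_headers(response)
    )
    if injected:
        return Finding("113.1", "High", f"parameter '{param}' on {path} reflects CR LF into response headers")
    return None


if __name__ == "__main__":
    print("vulnerable:", check_crlf_injection(vulnerable_app, "/go", "next"))
    print("fixed:     ", check_crlf_injection(fixed_app, "/go", "next"))
```

The probe only ever injects a harmless marker header, which is the usual design for an active check of this kind: the evidence is the marker's presence as a parsed header, not any visible effect on the site. Against `vulnerable_app` the check returns a 113.1 finding; against `fixed_app`, which answers 400 to any value containing CR or LF, it returns nothing.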