DAST browser-based crawler vulnerability checks

The DAST browser-based crawler provides a set of vulnerability checks that it runs against the site under test. Passive checks inspect the requests and responses the crawler already observes; active checks send additional, crafted requests.

Passive Checks

| ID | Check | Severity | Type |
|---|---|---|---|
| 1004.1 | Sensitive cookie without HttpOnly attribute | Low | Passive |
| 16.1 | Missing Content-Type header | Low | Passive |
| 16.10 | Content-Security-Policy violations | Info | Passive |
| 16.2 | Server header exposes version information | Low | Passive |
| 16.3 | X-Powered-By header exposes version information | Low | Passive |
| 16.4 | X-Backend-Server header exposes server information | Info | Passive |
| 16.5 | AspNet header exposes version information | Low | Passive |
| 16.6 | AspNetMvc header exposes version information | Low | Passive |
| 16.7 | Strict-Transport-Security header missing or invalid | Low | Passive |
| 16.8 | Content-Security-Policy analysis | Info | Passive |
| 16.9 | Content-Security-Policy-Report-Only analysis | Info | Passive |
| 200.1 | Exposure of sensitive information to an unauthorized actor (private IP address) | Low | Passive |
| 209.1 | Generation of error message containing sensitive information | Low | Passive |
| 209.2 | Generation of database error message containing sensitive information | Low | Passive |
| 287.1 | Insecure authentication over HTTP (Basic Authentication) | Medium | Passive |
| 287.2 | Insecure authentication over HTTP (Digest Authentication) | Low | Passive |
| 319.1 | Mixed Content | Info | Passive |
| 352.1 | Absence of anti-CSRF tokens | Medium | Passive |
| 359.1 | Exposure of Private Personal Information (PII) to an unauthorized actor (credit card) | Medium | Passive |
| 359.2 | Exposure of Private Personal Information (PII) to an unauthorized actor (United States social security number) | Medium | Passive |
| 548.1 | Exposure of information through directory listing | Low | Passive |
| 598.1 | Use of GET request method with sensitive query strings (session ID) | Medium | Passive |
| 598.2 | Use of GET request method with sensitive query strings (password) | Medium | Passive |
| 598.3 | Use of GET request method with sensitive query strings (Authorization header details) | Medium | Passive |
| 601.1 | URL redirection to untrusted site (‘open redirect’) | Low | Passive |
| 614.1 | Sensitive cookie without Secure attribute | Low | Passive |
| 693.1 | Missing X-Content-Type-Options: nosniff | Low | Passive |
| 798.1 | Exposure of confidential secret or token Adafruit API Key | High | Passive |
| 798.2 | Exposure of confidential secret or token Adobe Client ID (OAuth Web) | High | Passive |
| 798.3 | Exposure of confidential secret or token Adobe Client Secret | High | Passive |
| 798.4 | Exposure of confidential secret or token Age secret key | High | Passive |
| 798.5 | Exposure of confidential secret or token Airtable API Key | High | Passive |
| 798.6 | Exposure of confidential secret or token Algolia API Key | High | Passive |
| 798.7 | Exposure of confidential secret or token Alibaba AccessKey ID | High | Passive |
| 798.8 | Exposure of confidential secret or token Alibaba Secret Key | High | Passive |
| 798.9 | Exposure of confidential secret or token Asana Client ID | High | Passive |
| 798.10 | Exposure of confidential secret or token Asana Client Secret | High | Passive |
| 798.11 | Exposure of confidential secret or token Atlassian API token | High | Passive |
| 798.12 | Exposure of confidential secret or token AWS | High | Passive |
| 798.13 | Exposure of confidential secret or token Bitbucket Client ID | High | Passive |
| 798.14 | Exposure of confidential secret or token Bitbucket Client Secret | High | Passive |
| 798.15 | Exposure of confidential secret or token Bittrex Access Key | High | Passive |
| 798.16 | Exposure of confidential secret or token Bittrex Secret Key | High | Passive |
| 798.17 | Exposure of confidential secret or token Beamer API token | High | Passive |
| 798.18 | Exposure of confidential secret or token Codecov Access Token | High | Passive |
| 798.19 | Exposure of confidential secret or token Coinbase Access Token | High | Passive |
| 798.20 | Exposure of confidential secret or token Clojars API token | High | Passive |
| 798.21 | Exposure of confidential secret or token Confluent Access Token | High | Passive |
| 798.22 | Exposure of confidential secret or token Confluent Secret Key | High | Passive |
| 798.23 | Exposure of confidential secret or token Contentful delivery API token | High | Passive |
| 798.24 | Exposure of confidential secret or token Databricks API token | High | Passive |
| 798.25 | Exposure of confidential secret or token Datadog Access Token | High | Passive |
| 798.26 | Exposure of confidential secret or token Discord API key | High | Passive |
| 798.27 | Exposure of confidential secret or token Discord client ID | High | Passive |
| 798.28 | Exposure of confidential secret or token Discord client secret | High | Passive |
| 798.29 | Exposure of confidential secret or token Doppler API token | High | Passive |
| 798.30 | Exposure of confidential secret or token Dropbox API secret | High | Passive |
| 798.31 | Exposure of confidential secret or token Dropbox long lived API token | High | Passive |
| 798.32 | Exposure of confidential secret or token Dropbox short lived API token | High | Passive |
| 798.33 | Exposure of confidential secret or token Drone CI Access Token | High | Passive |
| 798.34 | Exposure of confidential secret or token Duffel API token | High | Passive |
| 798.35 | Exposure of confidential secret or token Dynatrace API token | High | Passive |
| 798.36 | Exposure of confidential secret or token EasyPost API token | High | Passive |
| 798.37 | Exposure of confidential secret or token EasyPost test API token | High | Passive |
| 798.38 | Exposure of confidential secret or token Etsy Access Token | High | Passive |
| 798.39 | Exposure of confidential secret or token Facebook | High | Passive |
| 798.40 | Exposure of confidential secret or token Fastly API key | High | Passive |
| 798.41 | Exposure of confidential secret or token Finicity Client Secret | High | Passive |
| 798.42 | Exposure of confidential secret or token Finicity API token | High | Passive |
| 798.43 | Exposure of confidential secret or token Flickr Access Token | High | Passive |
| 798.44 | Exposure of confidential secret or token Finnhub Access Token | High | Passive |
| 798.46 | Exposure of confidential secret or token Flutterwave Secret Key | High | Passive |
| 798.47 | Exposure of confidential secret or token Flutterwave Encryption Key | High | Passive |
| 798.48 | Exposure of confidential secret or token Frame.io API token | High | Passive |
| 798.49 | Exposure of confidential secret or token FreshBooks Access Token | High | Passive |
| 798.50 | Exposure of confidential secret or token GoCardless API token | High | Passive |
| 798.52 | Exposure of confidential secret or token GitHub Personal Access Token | High | Passive |
| 798.53 | Exposure of confidential secret or token GitHub OAuth Access Token | High | Passive |
| 798.54 | Exposure of confidential secret or token GitHub App Token | High | Passive |
| 798.55 | Exposure of confidential secret or token GitHub Refresh Token | High | Passive |
| 798.56 | Exposure of confidential secret or token GitLab Personal Access Token | High | Passive |
| 798.57 | Exposure of confidential secret or token Gitter Access Token | High | Passive |
| 798.58 | Exposure of confidential secret or token HashiCorp Terraform user/org API token | High | Passive |
| 798.59 | Exposure of confidential secret or token Heroku API Key | High | Passive |
| 798.60 | Exposure of confidential secret or token HubSpot API Token | High | Passive |
| 798.61 | Exposure of confidential secret or token Intercom API Token | High | Passive |
| 798.62 | Exposure of confidential secret or token Kraken Access Token | High | Passive |
| 798.63 | Exposure of confidential secret or token Kucoin Access Token | High | Passive |
| 798.64 | Exposure of confidential secret or token Kucoin Secret Key | High | Passive |
| 798.65 | Exposure of confidential secret or token LaunchDarkly Access Token | High | Passive |
| 798.66 | Exposure of confidential secret or token Linear API Token | High | Passive |
| 798.67 | Exposure of confidential secret or token Linear Client Secret | High | Passive |
| 798.68 | Exposure of confidential secret or token LinkedIn Client ID | High | Passive |
| 798.69 | Exposure of confidential secret or token LinkedIn Client secret | High | Passive |
| 798.70 | Exposure of confidential secret or token Lob API Key | High | Passive |
| 798.72 | Exposure of confidential secret or token Mailchimp API key | High | Passive |
| 798.74 | Exposure of confidential secret or token Mailgun private API token | High | Passive |
| 798.75 | Exposure of confidential secret or token Mailgun webhook signing key | High | Passive |
| 798.77 | Exposure of confidential secret or token Mattermost Access Token | High | Passive |
| 798.78 | Exposure of confidential secret or token MessageBird API token | High | Passive |
| 798.80 | Exposure of confidential secret or token Netlify Access Token | High | Passive |
| 798.81 | Exposure of confidential secret or token New Relic user API Key | High | Passive |
| 798.82 | Exposure of confidential secret or token New Relic user API ID | High | Passive |
| 798.83 | Exposure of confidential secret or token New Relic ingest browser API token | High | Passive |
| 798.84 | Exposure of confidential secret or token npm access token | High | Passive |
| 798.86 | Exposure of confidential secret or token Okta Access Token | High | Passive |
| 798.87 | Exposure of confidential secret or token Plaid Client ID | High | Passive |
| 798.88 | Exposure of confidential secret or token Plaid Secret key | High | Passive |
| 798.89 | Exposure of confidential secret or token Plaid API Token | High | Passive |
| 798.90 | Exposure of confidential secret or token PlanetScale password | High | Passive |
| 798.91 | Exposure of confidential secret or token PlanetScale API token | High | Passive |
| 798.92 | Exposure of confidential secret or token PlanetScale OAuth token | High | Passive |
| 798.93 | Exposure of confidential secret or token Postman API token | High | Passive |
| 798.94 | Exposure of confidential secret or token Private Key | High | Passive |
| 798.95 | Exposure of confidential secret or token Pulumi API token | High | Passive |
| 798.96 | Exposure of confidential secret or token PyPI upload token | High | Passive |
| 798.97 | Exposure of confidential secret or token RubyGems API token | High | Passive |
| 798.98 | Exposure of confidential secret or token RapidAPI Access Token | High | Passive |
| 798.99 | Exposure of confidential secret or token Sendbird Access ID | High | Passive |
| 798.100 | Exposure of confidential secret or token Sendbird Access Token | High | Passive |
| 798.101 | Exposure of confidential secret or token SendGrid API token | High | Passive |
| 798.102 | Exposure of confidential secret or token Sendinblue API token | High | Passive |
| 798.103 | Exposure of confidential secret or token Sentry Access Token | High | Passive |
| 798.104 | Exposure of confidential secret or token Shippo API token | High | Passive |
| 798.105 | Exposure of confidential secret or token Shopify access token | High | Passive |
| 798.106 | Exposure of confidential secret or token Shopify custom access token | High | Passive |
| 798.107 | Exposure of confidential secret or token Shopify private app access token | High | Passive |
| 798.108 | Exposure of confidential secret or token Shopify shared secret | High | Passive |
| 798.109 | Exposure of confidential secret or token Slack token | High | Passive |
| 798.110 | Exposure of confidential secret or token Slack Webhook | High | Passive |
| 798.111 | Exposure of confidential secret or token Stripe | High | Passive |
| 798.112 | Exposure of confidential secret or token Square Access Token | High | Passive |
| 798.113 | Exposure of confidential secret or token Squarespace Access Token | High | Passive |
| 798.114 | Exposure of confidential secret or token SumoLogic Access ID | High | Passive |
| 798.115 | Exposure of confidential secret or token SumoLogic Access Token | High | Passive |
| 798.116 | Exposure of confidential secret or token Travis CI Access Token | High | Passive |
| 798.117 | Exposure of confidential secret or token Twilio API Key | High | Passive |
| 798.118 | Exposure of confidential secret or token Twitch API token | High | Passive |
| 798.119 | Exposure of confidential secret or token Twitter API Key | High | Passive |
| 798.120 | Exposure of confidential secret or token Twitter API Secret | High | Passive |
| 798.121 | Exposure of confidential secret or token Twitter Access Token | High | Passive |
| 798.122 | Exposure of confidential secret or token Twitter Access Secret | High | Passive |
| 798.123 | Exposure of confidential secret or token Twitter Bearer Token | High | Passive |
| 798.124 | Exposure of confidential secret or token Typeform API token | High | Passive |
| 798.125 | Exposure of confidential secret or token Yandex API Key | High | Passive |
| 798.126 | Exposure of confidential secret or token Yandex AWS Access Token | High | Passive |
| 798.127 | Exposure of confidential secret or token Yandex Access Token | High | Passive |
| 798.128 | Exposure of confidential secret or token Zendesk Secret Key | High | Passive |
| 829.1 | Inclusion of Functionality from Untrusted Control Sphere | Low | Passive |
| 829.2 | Invalid Sub-Resource Integrity values detected | Medium | Passive |

Active Checks

| ID | Check | Severity | Type |
|---|---|---|---|
| 22.1 | Improper limitation of a pathname to a restricted directory (Path traversal) | High | Active |