Closed LasneF closed 5 months ago
Documentation would requires more details for instance i got
1st lines indicate leak found ; yes but what can of leak ? , still the test passed successfully
2nd lines says Failed , but not a clear answer about why
having a 200 not clear why it is mentionned as suspicious ?
according to what i understood the datalleak is a parsing of sensitive data such as telephone as part of the returned payload ? i got in mine for instance date, jwtToken, PhoneNumberIN, PhoneNumberUS is that correct understanding ?
it is important to document here what the tooling is doing
For time being I've separated Data Leak and API test, so currently they're interpreted individually.
Yes, telephone number could be leading to failure of Data leak test.
I'll be make necessary changes for data leak tests for be reflected in overall API test results.
May be add as well a filter on the reporting HTML file
i am still not clear on what this kind of output means
Test Name: BOPLA Test Test Result: ❌ Failed Result Details: Endpoint might be vulnerable to BOPLA Test Response Filter: STATUS_CODE_FILTER Data Leak: No Data Leakage Found
we need to have further details on what STATUS_CODE_FILTER means
May be add as well a filter on the reporting HTML file
i am still not clear on what this kind of output means
Test Name: BOPLA Test Test Result: ❌ Failed Result Details: Endpoint might be vulnerable to BOPLA Test Response Filter: STATUS_CODE_FILTER Data Leak: No Data Leakage Found
we need to have further details on what STATUS_CODE_FILTER means
HTML report is kinda buggy at the moment and I'm not planning to update it any time soon. There are several challenges while handling HTML reports such as sanitizing and formatting data correctly which can be tricky and If I miss something it can lead to security issues.
STATUS_CODE_FILTER
is used internally to find indicator of vulnerability in few cases after receiving response from the API server.
I've clarified the usage of data_leak
and result
columns in the results table in README.md files for now.
Closing issue due to inactivity.
Documentation would requires more details for instance i got
1st lines indicate leak found ; yes but what can of leak ? , still the test passed successfully
2nd lines says Failed , but not a clear answer about why
having a 200 not clear why it is mentionned as suspicious ?
according to what i understood the datalleak is a parsing of sensitive data such as telephone as part of the returned payload ? i got in mine for instance date, jwtToken, PhoneNumberIN, PhoneNumberUS is that correct understanding ?
it is important to document here what the tooling is doing