appdefensealliance / ASA-WG


2.1.1 L1 Evidence and verification are misaligned #7

Closed mikewhiteman closed 3 months ago

mikewhiteman commented 3 months ago

Issue

In the L1 evidence for 2.1.1 ("The application shall not reveal passwords or session tokens in URL parameters"), we ask developers to provide the following:

In the L1 verification section, we state the following:

1. Execute authenticated Burp Suite scan on the target application using the ADA scan configuration and review evidence to validate API operations meet the specified requirements

Recommendation

We need to either review the provided evidence or execute the Burp scan without requiring the evidence noted above. This test case feels fairly automatable with Burp - my recommendation would be to use Burp Scan results as the evidence versus relying on the developer documentation.
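As an added example that is not part of this issue, of the ASA-WG documents, or of the ADA Burp scan configuration: the kind of per-URL check a scanner would apply for 2.1.1, written as stand-alone Python. It flags query-string and fragment parameters whose name suggests a credential or session identifier, and parameters whose value is shaped like a JWT or a long opaque token even under an innocuous name. The name list, the value heuristics and the sample URLs are assumptions constructed for the example, not ADA's actual scan rules.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter-name tokens that usually carry a password or session material.
# Assumed list for this example; a real scan profile would tune it.
SENSITIVE_TOKENS = {
    "password", "passwd", "pass", "pwd", "secret",
    "session", "sessionid", "sessid", "phpsessid", "jsessionid", "sid",
    "token", "auth", "apikey", "jwt", "bearer",
}

# Value shapes that look like session material regardless of the name
# (assumed heuristics): a JWT (three base64url segments) or a long hex/base64 blob.
JWT_VALUE = re.compile(r"^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$")
LONG_OPAQUE_VALUE = re.compile(r"^(?:[A-Fa-f0-9]{32,}|[A-Za-z0-9+/=_-]{40,})$")


def _name_tokens(name):
    """Split a parameter name on camelCase, '_', '-' and '.' into lowercase tokens,
    so that sessionId, access_token and PHPSESSID are all recognised."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", name)
    return [t for t in re.split(r"[^a-z0-9]+", spaced.lower()) if t]


def find_sensitive_url_params(url):
    """Return a list of (location, name, reason) for parameters in the URL's query
    string or fragment that look like passwords or session tokens (2.1.1)."""
    parts = urlsplit(url)
    findings = []
    for location, blob in (("query", parts.query), ("fragment", parts.fragment)):
        for name, value in parse_qsl(blob, keep_blank_values=True):
            tokens = _name_tokens(name)
            if SENSITIVE_TOKENS.intersection(tokens) or {"api", "key"} <= set(tokens):
                findings.append((location, name, "sensitive parameter name"))
            elif JWT_VALUE.match(value):
                findings.append((location, name, "JWT-shaped value"))
            elif LONG_OPAQUE_VALUE.match(value):
                findings.append((location, name, "long opaque value"))
    return findings


def scan_urls(urls):
    """Map each offending URL to its findings; URLs with no findings are omitted,
    so an empty dict means the sample passes this check."""
    report = {}
    for url in urls:
        findings = find_sensitive_url_params(url)
        if findings:
            report[url] = findings
    return report


# Constructed sample URLs standing in for a proxy history / sitemap export.
SAMPLE_URLS = [
    "https://app.example.test/login?user=alice&password=hunter2",
    "https://app.example.test/reports?sort=date&page=2",
    "https://app.example.test/oauth/callback#access_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlX3NpZ25hdHVyZQ&state=xyz",
    "https://app.example.test/api/items?id=42&data=aaaaaaaaaaa.bbbbbbbbbbb.ccccccccccc",
    "https://app.example.test/search?q=session+timeout+settings",
    "https://app.example.test/reset?sessionId=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
]

if __name__ == "__main__":
    for url, findings in scan_urls(SAMPLE_URLS).items():
        for location, name, reason in findings:
            print(f"{url}\n    {location} param '{name}': {reason}")
```

Running the block over the constructed sample flags four of the six URLs; the fragment case matters because fragments never reach the server but do land in browser history and in any client-side logging, and the search query containing the word "session" in its value is correctly left alone. Any hit of this kind is the finding a verifier would expect to see in the scan output, which is why scan results, not developer documentation, are the natural evidence for this requirement.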