RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License
2.52k
stars
283
forks
source link
Trace database requests include authorization token #881
When the trace database is enabled, authorization tokens included in requests are being logged in plain text. They should be replaced with _OMITTED_AUTH_TOKEN_ (like the network logs).
Steps to reproduce
Set use_trace_database to true in engine settings
Specify an authentication token module in settings
Run RESTler against service
Expected results
Tokens values are replaced with _OMITTED_AUTH_TOKEN_
Description
When the trace database is enabled, authorization tokens included in requests are being logged in plain text. They should be replaced with
_OMITTED_AUTH_TOKEN_(like the network logs).Steps to reproduce
use_trace_databaseto true in engine settingsExpected results
Tokens values are replaced with
_OMITTED_AUTH_TOKEN_Actual results
Token values are logged in plain text.
Environment details
RESTler version 9.2.4