Commit 049883a3 authored by Russell Dickenson's avatar Russell Dickenson Committed by Mike Jang

Move docs on how to view API fuzzing-detected vulnerabilities

parent 52c4b9a7
......@@ -953,7 +953,7 @@ faults it reports.
## Viewing fuzzing faults
The API Fuzzing analyzer produces a JSON report that is collected and used
[to populate the faults into GitLab vulnerability screens](../index.md#view-details-of-an-api-fuzzing-vulnerability).
[to populate the faults into GitLab vulnerability screens](#view-details-of-an-api-fuzzing-vulnerability).
Fuzzing faults show up as vulnerabilities with a severity of Unknown.
The faults that API fuzzing finds require manual investigation and aren't associated with a specific
......@@ -962,8 +962,42 @@ they should be fixed. See [handling false positives](#handling-false-positives)
for information about configuration changes you can make to limit the number of false positives
reported.
For additional information, see
[View details of an API Fuzzing vulnerability](../index.md#view-details-of-an-api-fuzzing-vulnerability).
### View details of an API Fuzzing vulnerability
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.7.
Faults detected by API Fuzzing occur in the live web application, and require manual investigation
to determine if they are vulnerabilities. Fuzzing faults are included as vulnerabilities with a
severity of Unknown. To facilitate investigation of the fuzzing faults, detailed information is
provided about the HTTP messages sent and received along with a description of the modification(s)
made.
Follow these steps to view details of a fuzzing fault:
1. You can view faults in a project, or a merge request:
- In a project, go to the project's **{shield}** **Security & Compliance > Vulnerability Report**
page. This page shows all vulnerabilities from the default branch only.
- In a merge request, go the merge request's **Security** section and click the **Expand**
button. API Fuzzing faults are available in a section labeled
**API Fuzzing detected N potential vulnerabilities**. Click the title to display the fault
details.
1. Click the fault's title to display the fault's details. The table below describes these details.
| Field | Description |
|:--------------------|:----------------------------------------------------------------------------------------|
| Description | Description of the fault including what was modified. |
| Project | Namespace and project in which the vulnerability was detected. |
| Method | HTTP method used to detect the vulnerability. |
| URL | URL at which the vulnerability was detected. |
| Request | The HTTP request that caused the fault. |
| Unmodified Response | Response from an unmodified request. This is what a normal working response looks like. |
| Actual Response | Response received from fuzzed request. |
| Evidence | How we determined a fault occurred. |
| Identifiers | The fuzzing check used to find this fault. |
| Severity | Severity of the finding is always Unknown. |
| Scanner Type | Scanner used to perform testing. |
### Security Dashboard
......
......@@ -178,43 +178,6 @@ authorization credentials. By default, content of specific headers are masked in
reports. You can specify the list of all headers to be masked. For details, see
[Hide sensitive information](dast/index.md#hide-sensitive-information).
## View details of an API Fuzzing vulnerability
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.7.
Faults detected by API Fuzzing occur in the live web application, and require manual investigation
to determine if they are vulnerabilities. Fuzzing faults are included as vulnerabilities with a
severity of Unknown. To facilitate investigation of the fuzzing faults, detailed information is
provided about the HTTP messages sent and received along with a description of the modification(s)
made.
Follow these steps to view details of a fuzzing fault:
1. You can view faults in a project, or a merge request:
- In a project, go to the project's **{shield}** **Security & Compliance > Vulnerability Report**
page. This page shows all vulnerabilities from the default branch only.
- In a merge request, go the merge request's **Security** section and click the **Expand**
button. API Fuzzing faults are available in a section labeled
**API Fuzzing detected N potential vulnerabilities**. Click the title to display the fault
details.
1. Click the fault's title to display the fault's details. The table below describes these details.
| Field | Description |
|:-----------------|:------------------------------------------------------------------ |
| Description | Description of the fault including what was modified. |
| Project | Namespace and project in which the vulnerability was detected. |
| Method | HTTP method used to detect the vulnerability. |
| URL | URL at which the vulnerability was detected. |
| Request | The HTTP request that caused the fault. |
| Unmodified Response | Response from an unmodified request. This is what a normal working response looks like. |
| Actual Response | Response received from fuzzed request. |
| Evidence | How we determined a fault occurred. |
| Identifiers | The fuzzing check used to find this fault. |
| Severity | Severity of the finding is always Unknown. |
| Scanner Type | Scanner used to perform testing. |
## Addressing vulnerabilities
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.8.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment