Header Reflection in Invalid URLs
Adds a random header to a request for a non-existent page and checks if it is reflected in the response.
Security Misconfiguration (SM)
How this template works
APIs Selection
The API selection filters in this template specify the criteria for selecting the API requests to be executed. It filters the requests based on the response code (between 200 and 299), extracts the URL into a variable, checks if the response payload contains the HTML doctype, and ensures that the method is GET.
Execute request
The execute section of the template defines the type of execution as "single" and includes a list of requests to be executed. In this case, there is only one request defined. It adds a custom header to the request, modifies the URL by appending a slash and then replacing any trailing slashes with '/random-url'.
Validation
The validation section specifies the criteria for validating the response of the executed request. In this template, it checks if the response payload contains the string "akto'". If the response payload contains this string, the validation is considered successful.
Frequently asked questions
What is the purpose of adding a random header to a request for a non-existent page in this test
How does this test help in identifying security misconfigurations related to header reflection in invalid URLs
What is the impact of finding an XSS vulnerability on the website during this test
What are the selection filters used in this test to determine which requests to include
How is the URL modified in this test
What is the validation criteria for a successful test execution
"The text editor in Akto is absolutely remarkable. Its user-friendly YAML format strikes the perfect balance between simplicity and power. With intuitive features like 'API selection filter', 'Execute', Validate' creating test rules becomes incredibly easy. Akto's test editor is a game-changer, enabling seamless creation of highly personalized and effective tests that could meet the needs of any modern day organization. "
Security team,
Rippling
Explore other tests
eSMTP - Config Discovery
Nginx - Git Configuration Exposure
Laravel - Sensitive Information Disclosure
Docker Container - Misconfiguration Exposure
Msmtp - Config Exposure
Parameters.yml - File Discovery
Mongo Express - Unauthenticated Access
Apache Airflow Configuration Exposure
Dockerrun AWS Configuration Exposure
Apache Config file disclosure
Appspec Yml Disclosure
CGI script environment variable
