There are two ways to scan a GraphQL API using AppCheck. The difference lies in how you make the scanner aware of the API's endpoints and valid parameter values to send to them.
With a Front-End
If your front-end application causes the user's browser to make calls to the API, then you can scan both the application and the API together. By crawling the front-end application the scanner will be able to view calls to the API and build a map of both the front-end and the API.
The benefits of this approach are:
- Simple setup: you can scan your API as easily as you scan the front-end application.
- The scanner sees real world requests being sent to the API, and so has a list of valid parameter values to use in its own requests.
- The front-end application is scanned as well as the API.
To configure such a scan, follow our guide How to Scan: Single-Page Applications (SPAs).
Without a Front-End
If there is no appropriate front-end application for your API, or the API calls are all made server-side and so would be invisible to a user, then the scanner will need to be told about the API's endpoints directly.
Create a New Web Application Scan
Follow the guide How to Scan: Web Applications to create a new web application scan. Your scan target should be the root URL of your API.
Specify the GraphQL Endpoint URL
Enter the GraphQL endpoint URL into the following field in the scan configuration:
- Web Application Scanner Settings
- API Scanning
- GraphQL
- GraphQL Endpoint
Configure Introspection Data
If possible, enable introspection for your API. This will allow the AppCheck scanner to automatically discover the GraphQL schema and build a Mapped Attack Surface.
Without Introspection
If introspection cannot be enabled, perform the following steps to query your API manually and import the relevant data into AppCheck:
- Download the query from:
  - Web Application Scanner Settings
  - API Scanning
  - GraphQL
  - Download Query
- Run the query against your GraphQL endpoint.
- Export your results in JSON format.
- Add those results into the scan configuration in the following field:
  - Web Application Scanner Settings
  - API Scanning
  - GraphQL
  - Introspection Query Results
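As an added example that is not part of the AppCheck article, the Python script below runs a saved introspection query (for example the one downloaded from the Download Query field) against a GraphQL endpoint, checks that the server actually returned a schema rather than an `errors` array (the usual response when introspection is disabled in production), and writes the JSON for import into the Introspection Query Results field. The endpoint URL, the bearer-token header, the `GRAPHQL_TOKEN` environment variable and the file names are assumptions.

```python
import json
import os
import sys
import urllib.request

# Constructed minimal introspection query, used only as a fallback; in practice
# pass the file containing the query downloaded from the AppCheck scan settings.
FALLBACK_QUERY = (
    "query IntrospectionQuery { __schema { queryType { name } types { name kind } } }"
)


def build_request(endpoint, query, token=None):
    """Build the POST request a GraphQL server expects: JSON body with a 'query' key."""
    body = json.dumps({"query": query}).encode()
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if token:
        # Assumption: the API accepts a bearer token; adjust to match your API Authentication Helper setup.
        headers["Authorization"] = f"Bearer {token}"
    return urllib.request.Request(endpoint, data=body, headers=headers, method="POST")


def check_result(result):
    """Return (ok, message). A server with introspection disabled typically answers with
    an 'errors' array and no data.__schema, which cannot be imported into the scanner."""
    if result.get("errors"):
        return False, "; ".join(e.get("message", "") for e in result["errors"])
    schema = (result.get("data") or {}).get("__schema")
    if not schema:
        return False, "response contains no data.__schema"
    return True, f"{len(schema.get('types', []))} types"


def run_introspection(endpoint, query, token=None, out_path="introspection.json"):
    """Send the query, validate the reply and save it as JSON when it holds a schema."""
    with urllib.request.urlopen(build_request(endpoint, query, token), timeout=30) as resp:
        result = json.load(resp)
    ok, msg = check_result(result)
    if ok:
        with open(out_path, "w") as fh:
            json.dump(result, fh, indent=2)
    return ok, msg


if __name__ == "__main__":
    # Usage: python introspect.py https://api.example.invalid/graphql [query_file]
    endpoint = sys.argv[1]
    query = open(sys.argv[2]).read() if len(sys.argv) > 2 else FALLBACK_QUERY
    ok, msg = run_introspection(endpoint, query, token=os.environ.get("GRAPHQL_TOKEN"))
    print(("saved introspection.json: " if ok else "introspection failed: ") + msg)
```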
Configure Authentication
If querying your GraphQL endpoint requires authentication, you can configure the API Authentication Helper plugin found in the following location:
- Web Application Scanner Settings
- Plugins
- API Scanning
- API Authentication Helper
For more information on configuring this plugin, see How to Configure API Authentication Helper.
Save and Run Your Scan
You have now configured a GraphQL scan. Save the scan and run or schedule it as required.