There are two ways to scan a REST API using AppCheck. The difference lies in how you make the scanner aware of the API's endpoints and valid parameter values to send to them.
With a Front-End
If your front-end application causes the user's browser to make calls to the API, then you can scan both the application and the API together. By crawling the front-end application the scanner will be able to view calls to the API and build a map of both the front-end and the API.
The benefits of this approach are:
- Simple setup: you can scan your API as easily as you scan the front-end application.
- The scanner sees real world requests being sent to the API, and so has a list of valid parameter values to use in its own requests.
- The front-end application is scanned as well as the API.
To configure such a scan, follow our guide How to Scan: Single-Page Applications (SPAs)
Without a Front-End
If there is no appropriate front-end application for your API, or the API calls are all made server-side and so would be invisible to a user, then the scanner will need to be told about the API's endpoints directly. This is done using a Swagger/OpenAPI file.
Import Your Swagger/OpenAPI File into an AppCheck API Workspace
Follow the guide How To Configure API Workspaces to create your Workspace(s).
Create a New Web Application Scan
Follow the guide How to Scan: Web Applications to create a new web application scan. Your scan target should be the root URL of your API.
Import the Workspace into the Scan
Select the following to import your workspace:
- Web Application Scanner Settings
- API Scanning
- Swagger / OpenAPI
- API Workspace
- Import Targets
- API Workspace
- Swagger / OpenAPI
- API Scanning
You will need to re-import the Workspace into your scan configuration if you make any changes – the configuration is copied upon import, not linked.
Save and Run Your Scan
You have now configured a REST API scan. You can now save the scan and run/schedule it as required.
Comments
0 comments
Article is closed for comments.