There are two ways to scan a REST API using AppCheck. The difference lies in how you make the scanner aware of the API's endpoints and valid parameter values to send to them.
With a Front-End
If your front-end application causes the user's browser to make calls to the API, then you can scan both the application and the API together. By crawling the front-end application, the scanner will be able to view calls to the API and build a map of both the front-end and the API.
The benefits of this approach are:
- Simple setup: you can scan your API as easily as you scan the front-end application.
- The scanner sees real-world requests being sent to the API, and so has a list of valid parameter values to use in its own requests.
- The front-end application is scanned as well as the API.
To configure such a scan, follow our guide How to Scan: Single-Page Applications (SPAs).
Without a Front-End
If there is no appropriate front-end application for your API, or the API calls are all made server-side and so would be invisible to a user, then the scanner will need to be told about the API's endpoints directly. This is done using a Swagger/OpenAPI file.
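An OpenAPI 3.0 document of the kind this step imports, given here as an added example that is not from this article: the `/v1/orders` endpoints, their parameters and the API key header name are constructed. It declares each endpoint's method, parameters and request body, and an `apiKey` security scheme whose header name is the same name you later seed into the scan. The `example` values are standard OpenAPI fields included so the file carries sample input, since without a front-end there is no crawled traffic to supply real values; this article does not say how AppCheck uses them, so that is an assumption to check.

```yaml
openapi: 3.0.3
info:
  title: Example Orders API            # constructed example, not a real service
  version: "1.0"
servers:
  - url: https://api.example.com       # root URL of the API; also used as the scan target
paths:
  /v1/orders:
    get:
      summary: List orders for the authenticated account
      parameters:
        - name: status
          in: query
          required: false
          schema:
            type: string
            enum: [open, shipped, cancelled]
          example: open                 # sample value for the scanner to start from
        - name: limit
          in: query
          schema:
            type: integer
            minimum: 1
            maximum: 100
          example: 20
      responses:
        "200":
          description: A page of orders
    post:
      summary: Create an order
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [sku, quantity]
              properties:
                sku:
                  type: string
                  example: "SKU-0001"
                quantity:
                  type: integer
                  example: 2
      responses:
        "201":
          description: Order created
  /v1/orders/{orderId}:
    get:
      summary: Fetch one order
      parameters:
        - name: orderId
          in: path
          required: true
          schema:
            type: string
          example: "ord_123"
      responses:
        "200":
          description: The order
        "404":
          description: Not found
components:
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: secret                      # header name; the same name is seeded into the scan
security:
  - ApiKeyAuth: []                      # every operation requires the API key
```

With this file imported, the key for the `secret` header is entered in the scan configuration as the name, a space, and the value, in the format shown under Using an API-Key below.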
Import Your Swagger/OpenAPI File into an AppCheck API Workspace
Follow the guide How To Configure API Workspaces to create your Workspace(s).
Create a New Web Application Scan
Follow the guide How to Scan: Web Applications to create a new web application scan. Your scan target should be the root URL of your API.
Import the Workspace into the Scan
Select the following to import your workspace:
- Web Application Scanner Settings
  - API Scanning
    - Swagger / OpenAPI
      - API Workspace
        - Import Targets
Configure Authentication
Though you will have configured authentication in the API Workspace, you still need to provide the same authentication information in the scan configuration.
This can be done in a number of different ways:
Automatic Authentication
If you successfully used Auth Automation in the workspace then the relevant settings are imported into the scan as part of the workspace. The only data not stored in this way are the credentials themselves, which should be added to the scan configuration in the following locations:
- Web Application Scanner Settings
  - Authenticated Scanning
    - Username
    - Password
Using an API-Key
Provide the name and value of the API Key in:
- Web Application Scanner Settings
  - API Scanning
    - Swagger / OpenAPI
      - Seeded API Access Keys
The name of the API Key should come first, followed by a space, followed by the value. For example, if the name of the API Key is "secret", this might look like:
secret 12345678-1234-1234-1234-1234567890ab
Using the API Authentication Plugin
- Web Application Scanner Settings
  - Plugins
    - API Scanning
      - API Authentication Helper
For more information on configuring this plugin, see How to Configure API Authentication Helper.
Save and Run Your Scan
You have now configured a REST API scan. Save the scan and run or schedule it as required.