There are two ways to scan a SOAP API using AppCheck. They differ in how the scanner learns about the API's endpoints and the valid parameter values it should send to them.
With a Front-End
If your front-end application causes the user's browser to make calls to the API, then you can scan both the application and the API together. By crawling the front-end application the scanner observes the calls it makes to the API and builds a map of both the front-end and the API.
The benefits of this approach are:
- Simple setup: you can scan your API as easily as you scan the front-end application.
- The scanner sees real world requests being sent to the API, and so has a list of valid parameter values to use in its own requests.
- The front-end application is scanned as well as the API.
To configure such a scan, follow our guide "How to Scan: Single-Page Applications (SPAs)".
Without a Front-End
If there is no appropriate front-end application for your API, or the API calls are all made server-side and so never pass through the user's browser where a crawler could observe them, then the scanner needs to be told about the API's endpoints directly. This is done using a Web Services Description Language (WSDL) file.
The benefits of this approach are:
- Can be used in cases where there is no appropriate front-end application.
- Allows finer control of the endpoints and parameter values used in the scan.
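Before handing a WSDL URL to the scanner it is worth confirming that the file resolves and actually advertises the endpoints and operations you expect, because the scanner will only test what the WSDL describes. The following script is an added example, not AppCheck code: it parses a WSDL 1.1 document, lists the SOAP endpoint addresses, operations, input parameters and SOAPAction values, and flags any endpoint whose host differs from the scan target root (such endpoints would fall outside the scan's scope). The embedded sample WSDL, the https://api.example.com URLs and the function names are all constructed for this example.

```python
"""Enumerate SOAP endpoints and operations from a WSDL 1.1 document.

Added example (not AppCheck's code). Use it to sanity-check a WSDL before
configuring it as a scan target. SAMPLE_WSDL below is constructed for this
example; the URLs in it are assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from urllib.request import urlopen

# WSDL 1.1 and SOAP 1.1/1.2 binding namespaces.
NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/",
}

# Constructed sample: one service, one port, one rpc-style operation.
SAMPLE_WSDL = """
<definitions name="Orders" targetNamespace="urn:example:orders"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="urn:example:orders">
  <message name="GetOrderRequest"><part name="orderId" type="xsd:int"/></message>
  <message name="GetOrderResponse"><part name="order" type="xsd:string"/></message>
  <portType name="OrdersPortType">
    <operation name="GetOrder">
      <input message="tns:GetOrderRequest"/>
      <output message="tns:GetOrderResponse"/>
    </operation>
  </portType>
  <binding name="OrdersBinding" type="tns:OrdersPortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetOrder">
      <soap:operation soapAction="urn:example:orders#GetOrder"/>
    </operation>
  </binding>
  <service name="OrdersService">
    <port name="OrdersPort" binding="tns:OrdersBinding">
      <soap:address location="https://api.example.com/soap/orders"/>
    </port>
  </service>
</definitions>
"""


def _local(qname):
    """Strip a namespace prefix: 'tns:GetOrderRequest' -> 'GetOrderRequest'."""
    return qname.split(":")[-1]


def _find_ext(parent, name):
    """Find a SOAP 1.1 or, failing that, SOAP 1.2 extension element.
    Note: an Element with no children is falsy, so test against None."""
    ext = parent.find(f"soap:{name}", NS)
    if ext is None:
        ext = parent.find(f"soap12:{name}", NS)
    return ext


def parse_wsdl(xml_text):
    """Return {'endpoints': [(port, url)], 'operations': [{...}]} for a WSDL."""
    root = ET.fromstring(xml_text)

    endpoints = []
    for port in root.findall("wsdl:service/wsdl:port", NS):
        addr = _find_ext(port, "address")
        if addr is not None:
            endpoints.append((port.get("name"), addr.get("location")))

    # SOAPAction values live on the binding, keyed by operation name.
    actions = {}
    for op in root.findall("wsdl:binding/wsdl:operation", NS):
        ext = _find_ext(op, "operation")
        if ext is not None:
            actions[op.get("name")] = ext.get("soapAction", "")

    operations = []
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        inputs = []
        inp = op.find("wsdl:input", NS)
        if inp is not None:
            # Resolve the input message and list its parts (the parameters).
            msg_name = _local(inp.get("message"))
            msg = root.find(f"wsdl:message[@name='{msg_name}']", NS)
            if msg is not None:
                inputs = [p.get("name") for p in msg.findall("wsdl:part", NS)]
        operations.append({
            "name": op.get("name"),
            "soapAction": actions.get(op.get("name"), ""),
            "inputs": inputs,
        })
    return {"endpoints": endpoints, "operations": operations}


def out_of_scope(endpoints, target_root):
    """Endpoint URLs whose scheme or host differs from the scan target root."""
    target = urlparse(target_root)
    return [url for _, url in endpoints
            if (urlparse(url).scheme, urlparse(url).netloc)
            != (target.scheme, target.netloc)]


def fetch_wsdl(url, timeout=10):
    """Download a WSDL over HTTP(S); raises on network or HTTP errors."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    parsed = parse_wsdl(SAMPLE_WSDL)
    for port, url in parsed["endpoints"]:
        print(f"endpoint {port}: {url}")
    for op in parsed["operations"]:
        print(f"operation {op['name']} inputs={op['inputs']} "
              f"SOAPAction={op['soapAction']!r}")
    for url in out_of_scope(parsed["endpoints"], "https://api.example.com"):
        print(f"WARNING: {url} is outside the scan target root")
```

Run it against a live WSDL by replacing SAMPLE_WSDL with fetch_wsdl("https://api.example.com/service?wsdl"). If the operation list is empty or an endpoint is reported outside the target root, fix the WSDL URL or widen the scan target before running the scan, otherwise those operations will not be tested.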
Create a Web Application Scan
Follow the guide to create a web application scan. The target should be the root URL of your API endpoints, for example https://api.example.com.
Configure the WSDL Targets Plugin
Whilst by default the scanner will attempt to discover WSDL files automatically, a web application scanner plugin is available to help ensure they are successfully imported. This plugin can be found under:
- Scan Settings
- Web Application Scanner Settings
- Plugins
- Discover/API Scanning
- WSDL Targets
First, ensure the plugin's tick box is ticked to enable it.
Next, click on the plugin name to open its details box, then add the URLs of your WSDL file(s) in the following field:
- Configuration
- Detection Options
- WSDL URLs
Finally, close the plugin details box.
Save and Run Your Scan
You have now configured a SOAP API scan. Save the scan, then run or schedule it as required.