How to scan an API

How to setup the Crashtest Security Suite to pentest Application Programming Interfaces (APIs).

To scan an application programming interface (API), the security scanner needs to get a starting point for the security scan. This starting point is a Swagger 2.0 or OpenAPI v3 file which is a machine readable API description. For better readability, we will use the Term Swagger file within this documentation. The security scanner will read the swagger file before each scan and scan the single endpoints for the vulnerabilities.

Configuring a Project

When creating a project, you may configure the path of the Swagger file as shown in the following screenshot. The swagger file can be a JSON or YAML file.

Screenshot 2020-04-02 at 15.38.46

When creating the Swagger file make sure that the defined host must match the project URL. To confirm whether your Swagger file is valid, you can use: https://editor.swagger.io/

The best way to create your Swagger file is to generate it from your API source code using annotations. An example of a Swagger Annotation for PHP looks as follows:

* @OA\Post(
* path="/auth/login",
* summary="Login a user",
* operationId="postLogin",
* tags={"auth"},
* @OA\Parameter(
* name="email",
* description="Email address of the user",
* required=true,
* example="user@user.com",
* in="query",
* @OA\Schema(type="string")
* ),
* @OA\Parameter(
* name="password",
* description="Password of the user",
* required=true,
* example="12345678"
* in="query",
* @OA\Schema(type="string")
* ),
* @OA\Response(response=500, description="internal server error"),
* @OA\Response(
* response=200,
* description="The login response",
* @OA\Schema(
* type="object",
* @OA\Property(property="token", type="string", description="JWT Token for user authentication")
* )
* )
* )

In order to provide valid data for the security scanner, you can use example values inside your Swagger file. When doing an injection in any field, we will keep the other fields stable based on the value that is defined as the example value. Therefore it is best to provide example values when possible as described in the Swagger Documentation

If you need help to create your Swagger file, please don't hesitate to contact us.

Configuring Authentication

To use the API scanner with a protected API, you can configure authentication via Header fields or GET parameters. Open the project preferences and scroll to API Authentication. Click on the + icon to add a new authentication method.

Screen Shot 2018-09-14 at 16.38.47

If you are using an HTTP header such as a JWT Token, it will be sent with each request used for scanning the API as a header field. If you chose GET Parameter as the authentication type, the parameter will be added to each request as GET parameter. This is useful e.g. if you are using an API key. Please make sure that the token you provide has a lifetime that is long enough, so that the full scan is done while being logged in.

Screen Shot 2018-09-14 at 16.42.28

After configuring the parameters, you can check that they are set correctly.

Screen Shot 2018-09-14 at 16.42.38