API Scanning

How to setup the Crashtest Security Suite to pentest Application Programming Interfaces (APIs).

To scan an application programming interface (API), the security scanner needs to get a starting point for the security scan. This starting point is a Swagger 2.0 file which is a machine readable API description. The security scanner will read the swagger file before each scan and scan the single endpoints for the vulnerabilities.

Configuring a Project

When creating a project, you may configure the path of the swagger file as shown in the following screenshot. The swagger file can be a JSON or YAML file.

Screenshot 2019-02-15 at 15.56.57

When creating the Swagger file make sure that the defined host must match the project URL. To confirm whether your Swagger file is valid, you can use: https://editor.swagger.io/

If you need help to create Swagger Documentation, please don't hesitate to contact us. Depending on your current documentation, we can either suggest tools for conversion or we can help you personally to create the documentation.

Configuring Authentication

To use the API scanner with a protected API, you can configure authentication via Header fields or GET parameters. Open the project preferences and scroll to API Authentication. Click on the + icon to add a new authentication method.

Screen Shot 2018-09-14 at 16.38.47

If you are using an HTTP header such as a JWT Token, it will be sent with each request used for scanning the API as a header field. If you chose GET Parameter as the authentication type, the parameter will be added to each request as GET parameter. This is useful e.g. if you are using an API key. Please make sure that the token you provide has a lifetime that is long enough, so that the full scan is done while being logged in.

Screen Shot 2018-09-14 at 16.42.28

After configuring the parameters, you can check that they are set correctly.

Screen Shot 2018-09-14 at 16.42.38