Configuring Vulnerability Scans for APIs

Configuring vulnerability scans for APIs involves three steps:

  • Step 1: Activating the Scan your API for vulnerabilities plan item.
  • Step 2: Configuring the security controls of the target application.
  • Step 3: Activating the Scan your APIs for vulnerabilities configurations security control.

Authentication modes

There are two authentication modes:

  • Without authentication, for black box testing.
  • With authentication, highly recommended: an authenticated scan reaches deeper into the API and identifies more security risks.

Prerequisites

  • Slack integration to receive notifications.
  • Deployment-based scanning to trigger runtime scanning tools when a new code deployment is detected.

Step 1: Plan item activation

  1. Select Security Plans from the left menu, scroll to a plan that includes DAST scanning, and then click View Plan.

  2. Scroll to Web Application Security and click Jit -012 Scan your API for vulnerabilities.

  3. Click Activate to display the Configure Security Control dialog box.

  4. To configure settings, click Activate and then click Configure to display the Configure Security Control dialog box.

Step 2: Configuring Security Controls

Setting the target

  • Application Name: Name of the application that is scanned.
  • Open API (Swagger) file URL / Upload File: The URL where the OpenAPI file is hosted, or the file itself. The file must be in valid OpenAPI format (validate here) and must not include non-ASCII characters.
  • (Optional) Exclude URLs: URLs that are not scanned, for example Logout. We recommend excluding Logout so that the Jit scanner's authenticated session stays connected throughout the scan.
  • API Domain: The base URL where the API is hosted, serving as the entry point for API requests.
  • Enable Authentication: We recommend enabling this option for enhanced security scanning. See Configuration with authentication below.
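Before uploading, it is worth checking the file against the requirements above. The script below is an added example (not Jit's or ZAP's code) that parses a JSON-format OpenAPI file, reports any non-ASCII character with its line and column, checks for the top-level version field and a non-empty paths object, warns when the API Domain you plan to enter does not match the spec's own servers list, and lists logout-like paths as candidates for the Exclude URLs field. The preflight helper name and the sample spec are constructed for this example.

```python
"""Pre-flight checks on an OpenAPI file before it is uploaded as a scan target:
valid document, no non-ASCII characters, and logout-like paths to exclude.
Assumes a JSON-format spec (the stdlib has no YAML parser). Added example, not Jit code."""
import json
from urllib.parse import urlparse

# Constructed sample; the title holds a non-ASCII 'é' (written as \u00e9).
SAMPLE_SPEC = """{
  "openapi": "3.0.3",
  "info": {"title": "Caf\u00e9 API", "version": "1.0"},
  "servers": [{"url": "https://api.example.com/v1"}],
  "paths": {
    "/users": {"get": {"responses": {"200": {"description": "ok"}}}},
    "/auth/logout": {"post": {"responses": {"204": {"description": "ok"}}}}
  }
}"""

def find_non_ascii(text):
    """Return (line, column, char), 1-based, for every non-ASCII character."""
    return [(n, c, ch) for n, line in enumerate(text.splitlines(), 1)
            for c, ch in enumerate(line, 1) if ord(ch) > 127]

def logout_like_paths(paths):
    """Paths that look like logout endpoints; excluding them keeps the
    scanner's authenticated session alive, as the form recommends."""
    return sorted(p for p in paths if "logout" in p.lower() or "signout" in p.lower())

def preflight(spec_text, api_domain):
    """Errors, warnings and suggested Exclude URLs for one spec plus API Domain."""
    report = {"errors": [], "warnings": [], "exclude": []}
    for n, c, ch in find_non_ascii(spec_text):
        report["errors"].append(f"non-ASCII U+{ord(ch):04X} at line {n}, column {c}")
    try:
        spec = json.loads(spec_text)
    except json.JSONDecodeError as exc:
        report["errors"].append(f"not valid JSON: {exc}")
        return report
    if not (spec.get("openapi") or spec.get("swagger")):
        report["errors"].append("missing top-level 'openapi' (3.x) or 'swagger' (2.0) field")
    paths = spec.get("paths") if isinstance(spec.get("paths"), dict) else {}
    if not paths:
        report["errors"].append("no 'paths': the scanner would have no endpoints to test")
    # The API Domain typed into the form should agree with the spec's own servers list.
    wanted = urlparse(api_domain).netloc.lower()
    servers = [s.get("url", "") for s in spec.get("servers", []) if isinstance(s, dict)]
    if servers and not any(urlparse(u).netloc.lower() == wanted for u in servers):
        report["warnings"].append(f"API Domain {api_domain} matches none of {servers}")
    report["exclude"] = [api_domain.rstrip("/") + p for p in logout_like_paths(paths)]
    return report
```

Run `preflight(SAMPLE_SPEC, "https://api.example.com")` to see the sample rejected for its non-ASCII title character, with /auth/logout suggested for exclusion.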

Setting the scanning trigger

  • Scan Daily: ZAP scans your application daily.
  • Scan on deployment (only for GitHub): Jit scans your application when a deployment event is detected in your GitHub account.
  • Environment name (only for GitHub): The environment defined in the deployment YAML on GitHub Actions. Jit needs an exact match between the environment name defined in Jit and in GitHub Actions to trigger a scan. See Deployment-based Scanning.

Configuration with authentication

Check Enable authentication. There are four types of authentication:

  • Form-based authentication
      • Login URL: Login URL for authentication.
      • Username: Username to be authenticated.
      • Password: Password to be authenticated.
      • Enable Selectors Configuration: Check to enable enhanced authentication using the username and password selectors that are derived from the source of the login web page. When unchecked, Jit searches for common selectors. See Configuring authentication using selectors below.
  • Local storage
      • Local Storage Item Key: The specific identifier used in the Web Storage API for storing and retrieving data in the web browser's local storage.
      • Local Storage Item Value: The actual information that is stored and retrieved using that key.
  • Custom cookie
      • Cookie name: Name of the cookie used for authentication.
      • Cookie value: Value of the cookie used for authentication.
  • Bearer token header
      • Value: The value of the bearer token header, consisting of the word Bearer followed by a space and then the actual token.

Configuring authentication using selectors

  1. Check Enable Selectors Configuration.
  2. To complete the Username Field Selector and Password Field Selector fields, go to your application's website, open the Developer Tools, and use Inspect Element to find the selectors that match the Username and Password inputs.
  3. Copy the selectors into the Username Field Selector and Password Field Selector fields.

Step 3: Activate the Scan your APIs for vulnerabilities security control

Click Activate. Jit creates a header based on your configuration and shares the authentication information with ZAP. ZAP attaches this header to its requests and uses it to authenticate each page included in the scan. Jit then generates security findings from the scan results.


Whitelisting Jit DAST scanners

To perform API scans, ZAP requires network access to your APIs. If your APIs are protected by an IP whitelist, please ensure the following addresses are included:

  • 3.220.250.224/32
  • 52.45.232.22/32

Adding these IP addresses to your whitelist will enable ZAP to conduct its scans without interruption.