Scan Your API for Vulnerabilities (DAST)
Description
APIs can be both a huge asset and a significant threat. While APIs offer the availability of various resources for developers, they can at the same time serve as a valuable gateway for attackers to find and exploit security weaknesses and misconfigurations. Hence, API scanning is an important tool to help you secure your web application APIs.
Use this security control to ensure that your APIs are secure before, during, and after production.
For API scanning, Jit uses OWASP Zed Attack Proxy (ZAP), the world's most popular open-source web security tool. Jit runs ZAP on a daily basis and, depending on the user's preferences, can run it with no authentication at all (often referred to as black-box testing) or using various authentication methods (a.k.a. grey-box testing).
ZAP detects an extensive list of weaknesses, misconfigurations, and security vulnerabilities in APIs. For the full list of ZAP alerts, refer to this page.
Scan types
Jit implements passive scans for API scanning:
- Passive scans scan all HTTP messages (requests and responses) sent to the web application being tested, but do not make any changes to these messages.
- In contrast, active scans (not supported for API scanning) attempt to find potential vulnerabilities by using known attacks against the selected targets.
Configuration
To run ZAP against your web application APIs, begin by navigating to the My Plan page.
Authentication
We highly recommend that you configure ZAP to authenticate to your application because it will enable deeper security scanning—potentially uncovering more security risks.
Additional prerequisites
The features below require additional configuration steps to be used with this security control—
Configuring API scanning without authentication
To configure scanning for an API without authentication—
- From the My Plan page, select the Scan your API for vulnerabilities security control and select Activate Security Control.
- Enter the following in the Target Application tab:
  - The name of your application.
  - The URL of the remote OpenAPI (Swagger) file.
  - If required, enter any URLs to exclude from the scan in Exclude URLs. This can be a comma-separated list of full URLs or regular expressions.
  - The API Domain. This is the domain component of the API URL.
- Select the Triggers tab.
  - For daily scans, select Scan Daily.
  - For deployment-based scanning, select Scan on deployment. Add the name of your environment and the specific accounts you want to scan. Note that additional configuration steps are required to enable deployment-based scanning.
- Select the Notifications tab. If you want to receive Slack notifications each time this security control reveals a security finding, select that option here. Note that additional configuration steps are required to enable Slack integration.
- Select Finish.
Configuring API scanning with authentication
Some authentication methods require information from either HTTP request headers or form selectors. If you do not know how to obtain this information, see Retrieving Authentication Information With Browser Developer Tools for instructions.
To configure scanning for an API with authentication—
- From the My Plan page, select the Scan your API for vulnerabilities security control and select Activate Security Control.
- Enter the following in the Target Application tab:
  - The name of your application.
  - The URL of the remote OpenAPI (Swagger) file.
  - If required, enter any URLs to exclude from the scan in Exclude URLs. This can be a comma-separated list of full URLs or regular expressions.
  - The API Domain. This is the domain component of the API URL.
- Select the Enable Authentication checkbox and enter the details of your preferred authentication method. Custom headers are added to every request made by the web application scanner. Tokens must be valid and not expired. Token information is encrypted once you apply your configuration.
- Select the Triggers tab.
  - For daily scans, select Scan Daily.
  - For deployment-based scanning, select Scan on deployment. Add the name of your environment and the specific accounts you want to scan. Note that additional configuration steps are required to enable deployment-based scanning.
- Select the Notifications tab. If you want to receive Slack notifications each time this security control reveals a security finding, select that option here. Note that additional configuration steps are required to enable Slack integration.
- Select Finish.
Jit Workflow Details
See below for descriptions of the processes Jit executes to implement this security control.
Non-authenticated
- When you activate the security control, ZAP runs scans on the target URL.
- Jit generates security findings.
Form-based authentication
- When you activate the security control, Jit creates a Selenium script that runs on the target login page.
- After successful login, the login page returns the token or cookie in its response header.
- Jit provides this authentication information to ZAP, which uses it to authenticate into each page included in the scan.
- Jit generates security findings.
Selenium
Selenium is an open-source tool used to automate web browsers. For further information, see selenium.dev.
Token/cookie/custom header-based authentication
- When you activate the security control, Jit creates a header based on the user configuration.
- Jit provides this authentication information to ZAP, which uses it to authenticate into each page included in the scan.
- Jit generates security findings.
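The header-based workflow above and the Enable Authentication step, reproduced as an added example against a local ZAP instance; this is not Jit's code, and how Jit itself injects the header is not described on this page. It assumes ZAP is running as a daemon on localhost:8080 with its API key in ZAP_API_KEY, the python-owasp-zap-v2.4 client is installed, a ZAP Replacer rule is used to add the header to every request, and the api.example.com URLs and API_TOKEN are placeholders.

```python
import os
import time


def add_auth_header(zap, name, value):
    """Register a ZAP Replacer rule so every request carries the header
    (this is what 'custom headers are added to every request' means)."""
    return zap.replacer.add_rule(
        description=f"auth header {name}",
        enabled=True,
        matchtype="REQ_HEADER",   # act on the request header named in matchstring
        matchregex=False,
        matchstring=name,
        replacement=value,
    )


def import_openapi(zap, spec_url, api_domain):
    """Import the remote OpenAPI (Swagger) file; hostoverride pins the
    generated requests to the API Domain, like Jit's API Domain field."""
    return zap.openapi.import_url(spec_url, hostoverride=api_domain)


def wait_for_passive_scan(zap, timeout_s=120, poll_s=2.0):
    """Passive rules run over every proxied message; block until ZAP's
    passive-scan queue is empty. Returns False on timeout."""
    deadline = time.monotonic() + timeout_s
    while int(zap.pscan.records_to_scan) > 0:
        if time.monotonic() > deadline:
            return False
        time.sleep(poll_s)
    return True


def notable_alerts(zap, base_url, risks=("High", "Medium")):
    """De-duplicate alerts into (risk, alert, url) tuples for a daily report."""
    found = {(a["risk"], a["alert"], a["url"])
             for a in zap.core.alerts(baseurl=base_url) if a.get("risk") in risks}
    return sorted(found)


if __name__ == "__main__":
    from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4 (assumed ZAP daemon on localhost:8080)
    zap = ZAPv2(apikey=os.environ["ZAP_API_KEY"],
                proxies={"http": "http://localhost:8080", "https": "http://localhost:8080"})
    add_auth_header(zap, "Authorization", "Bearer " + os.environ["API_TOKEN"])
    import_openapi(zap, "https://api.example.com/openapi.json", "api.example.com")  # placeholders
    wait_for_passive_scan(zap)
    for risk, alert, url in notable_alerts(zap, "https://api.example.com"):
        print(risk, alert, url)
```

Only passive checks run here, matching the scan type Jit supports for APIs; the token comes from the environment so it never lands in the script or its history.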