Ensure Your APIs are Secure (DAST)

Description

APIs can be both a huge asset and a significant threat. While APIs offer the availability of various resources for developers, they can at the same time serve as a valuable gateway for attackers to find and exploit security weaknesses and misconfigurations. Hence, API scanning is an important tool to help you secure your web application APIs.

Use this security requirement to ensure that your APIs are secure before, during, and after production.

For API scanning, Jit uses OWASP Zed Attack Proxy, the world's most popular open-source web security tool. Jit runs ZAP on a daily basis and depending on the user's preferences, Jit can run it with no authentication at all (what's often referred to as black box testing) or using various authentication methods (a.k.a grey box testing).

ZAP detects an extensive list of weaknesses, misconfigurations, and security vulnerabilities in APIs. For the full list of ZAP alerts, refer to this page.

📘

Scan types

Jit implements passive scans for API scanning:

  • Passive scans scan all HTTP messages (requests and responses) sent to the web application being tested, but do not make any changes to these messages.
  • In contrast, active scans (not supported for API scanning) attempt to find potential vulnerabilities by using known attacks against the selected targets.

Configuration

To run ZAP against your web application APIs, begin by navigating to the My Plan page.

Select the Ensure your API is secure security requirement from the list, and then select Configure in the bottom right corner of the Item Details panel to open the configuration dialog.

📘

Authentication

We highly recommend that you configure ZAP to authenticate to your application because it will enable deeper security scanning— potentially uncovering more security risks.

Configuring API scanning without authentication

To configure scanning for an API without authentication—

  1. From the configuration dialog, enter the URL of the remote Open API (Swagger) file in Open API file URL (Target API Definition).
  2. If required, enter any URLs to exclude from the scan in Exclude URLs. This can be a list of multiple full or regex URLs separated by commas.
  3. Enter an API Domain. This is the domain component of the API URL.
  4. Select Apply.

Configuring API scanning with authentication

The following authentication methods require information from either HTTP request headers or form selectors. If you do not know how to obtain this information, see Retrieving Authentication Information With Browser Developer Tools for instructions.

Configuring API scanning with form-based authentication

Form-based authentication enables the scanner to log in to your application via a username and password.

To configure scanning for an API with form-based authentication—

  1. From the configuration dialog, enter the URL of the remote Open API (Swagger) file in Target API Definition.
  2. If required, enter any URLs to exclude from the scan in Exclude URLs. This can be a list of multiple full or regex URLs separated by commas.
  3. Enter an API Domain. This is the domain component of the API URL.
  4. Select the Enable Authentication checkbox.
  5. Select Form-based authentication from the Authentication method dropdown.
  6. Enter a Login URL. This is the URL of the sign-in page.
  7. Enter the Username and Password used for authentication.
  8. Enter the CSS selectors that identify the username and password fields in the Username Field Selector and Password Field Selector.
  9. Select Apply.

Configuring API scanning with authentication via a bearer token

To configure scanning for an API with authentication via a bearer token—

  1. From the configuration dialog, enter the URL of the remote Open API (Swagger) file in Target API Definition.
  2. If required, enter any URLs to exclude from the scan in Exclude URLs. This can be a list of multiple full or regex URLs separated by commas.
  3. Enter an API Domain. This is the domain component of the API URL.
  4. Select the Enable Authentication checkbox.
  5. Select Bearer token header from the Authentication method dropdown.
  6. Enter your JWT (generated from your application) in the Value field. Tokens must be valid and not expired. Note that the information entered into this field is encrypted once you apply your configuration. Jit provides a preview of the header after you have entered this information.
  7. Select Apply.

Configuring API scanning with authentication via a cookie

A cookie is an HTTP request header used in requests sent by the user to the server.

To configure scanning for an API with authentication via a cookie—

  1. From the configuration dialog, enter the URL of the remote Open API (Swagger) file in Target API Definition.
  2. If required, enter any URLs to exclude from the scan in Exclude URLs. This can be a list of multiple full or regex URLs separated by commas.
  3. Enter an API Domain. This is the domain component of the API URL.
  4. Select the Enable Authentication checkbox.
  5. Select Cookie header from the Authentication method dropdown.
  6. Enter your cookie token in the Value field. Tokens must be valid and not expired. Note that the information entered into this field is encrypted once you apply your configuration. Jit provides a preview of the header after you have entered this information.
  7. Select Apply.

Configuring API scanning with authentication via a custom header

The custom header you configure is added to every request made by the web application scanner.

To configure scanning for an API with authentication via a custom header—

  1. From the configuration dialog, enter the URL of the remote Open API (Swagger) file in Target API Definition.
  2. If required, enter any URLs to exclude from the scan in Exclude URLs. This can be a list of multiple full or regex URLs separated by commas.
  3. Enter an API Domain. This is the domain component of the API URL.
  4. Select the Enable Authentication checkbox.
  5. Select Custom header from the Authentication method dropdown.
  6. Enter a Key to use in the header. This field accepts free text.
  7. Enter your token in the Value field. Tokens must be valid and not expired. Note that the information entered into this field is encrypted once you apply your configuration. Jit provides a preview of the header after you have entered this information.
  8. Select Apply.

Jit Workflow Details

See below for descriptions of the processes Jit executes to implement this security requirement.

Non-authenticated

  1. When you activate the security requirement, ZAP runs scans on the target URL.
  2. Jit generates security findings.

Form-based authentication

  1. When you activate the security requirement, Jit creates a Selenium script that runs on the target login page.
  2. After successful login, the login page returns the token or cookie in its response header.
  3. Jit provides this authentication information to ZAP, which uses it to authenticate into each page included in the scan.
  4. Jit generates security findings.

📘

Selenium

Selenium is an open source tool used to automate web browsers. For further information, see selenium.dev.

Token/cookie/custom header-based authentication

  1. When you activate the security requirement, Jit creates a header based on the user configuration.
  2. Jit provides this authentication information to ZAP, which uses it to authenticate into each page included in the scan.
  3. Jit generates security findings.