Creating an API scan (full configuration)
ASoC supports different workflows for scanning a web API. If you have a Postman collection or recorded traffic of your web API, you can import it and use it as the basis for a scan by using the API scan configuration wizard. Alternatively, you can use the Postman collection files with the REST API.
Before you begin
- Backup your site before scanning.
- If you have not yet done so, Create an application for your scans.
- Verify with ASoC that you have permission to scan the domain (see Verifying a domain), or you can authorize domains without verification using Domain management.
- If your site is not available on the Internet, and an AppScan Presence does not yet exist on the server: Creating the AppScan Presence.
- If scanning a live production site, refer first to What changes should I make when scanning a live production site?
About this task
Procedure
- On the specific Application page, click Create scan, then click Create scan under DAST Dynamic Analysis to open the wizard.
- Select API scan.
-
API
Select the API explore method:
Setting
Options
Upload Postman collection or Upload recording
Based on the API explore method, upload the Postman files or traffic recording.
Domains to be tested
Add all domains that you want included in the scan. . You must add at least one domain to initiate a scan. All domains must be verified or allowed unless your network is private and you're using a Presence.
Both these formats are valid:
https://demo.testfire.net/
demo.testfire.net
Important: Domains not listed will not be scanned.
-
Targets: Private site scanning
Public site scanning is the default. If your site is not available on the Internet, click Private network. Select your presence from the list of connected presences.
If you have not yet created an AppScan Presence you can do so now by clicking the Presences link, and referring to Creating the AppScan Presence.
-
Authentication and connectivity: API authentication
If your imported data requires a login recording, upload it so AppScan can scan endpoints that need authentication. You can also use third-party tools to record the login and upload the file here.
Setting
Options
Login recording
- Use a login recording
- If a special login procedure is needed, select this option to upload
a recording of the procedure that ASoC must use
whenever it logs in to the applications during the scan. You can
record using the AppScan
Activity Recorder (saved as a
CONFIG
file) or AppScan Standard (exported as aLOGIN
file).Important: The recorded login sequence must contain the following requests:- Login/authorization request
- An additional logged-in/authorized request. This "extra" request helps AppScan identify a successful authorization and maintain a session when testing the application.
For details about recording a
CONFIG
orLOGIN
file see Recording traffic and Recording the login using AppScan Standard.
-
Authentication and connectivity: HTTP authentication
In addition to the login information, indicate whether the application requires HTTP authentication (Negotiate, NTLM, Kerberos, ADFS, Basic, or Digest). Enter the Username, Password, and Domain (optional) for ASoC to use during the scan.
-
Authentication and connectivity: Communication
Set the maximum number of requests that ASoC can send to the site simultaneously.
Setting
Options
Number of threads
Reduce the limit if your site does not allow this amount; if your site does not allow simultaneous threads at all, reduce the limit to 1.
Server communication timeout
- Adjust automatically during the scan
- Allow ASoC to decide how long to wait for any particular response before timing out. This can significantly reduce scan time.
- Fixed
- Set the maximum time ASoC waits for a response before timing out. Increase this setting if your site's responses are slow and ASoC is missing responses due to the short timeout.
Max request rate
By default, ASoC sends its requests to the site as fast as possible. If this limit will overload your network or server, you can reduce it.
-
Authentication and connectivity: Form fill
When enabled, ASoC uses the AppScan Standard default automatic form fill parameters to complete forms automatically during the scan. This cannot be changed using the wizard.
Setting
Options
Automatic form fill
ASoC uses AppScan Standard's default form fill parameter values to fill and submit forms during the scan.Note: If you turn off automatic form fill and scan in AppScan on Cloud, it will remove all the information filled in the forms except for the login management data. AppScan will not fill in the forms automatically during scanning. When you import this scan into AppScan Standard, automatic form fill is enabled, but the form filling data, except for login management, will be empty. -
Tests: Test policy and optimization
Define the collection of tests that will be sent to the application during testing (the test policy), and apply optimization for faster scans at times in the product lifecycle when speed is more important to you than scan depth.
Setting
Options
Test policy
Select one of the five predefined test policies based on the level of coverage required. The default is Default that includes all tests except invasive and port listener tests. For details, see Test policy.Tip: Test policy is different from application policy.Test optimization
Select the level of tradeoff between scan speed and issue coverage for your needs. The slider offers four levels. The default is Fast. For details, see Test Optimization.
-
Tests: Test options
Choose whether to send tests on login and logout pages. If you choose to send tests on login pages, specify whether to send session identifiers.
Setting
Options
Login/Logout tests Choose whether to send tests on login and logout pages. If you choose to send tests on login pages, specify whether to send session identifiers. Report vulnerable components AppScan finds vulnerabilities in third-party components and recommends updates. -
Preferences: Schedule
Specify when the scan runs: now, later, or on a schedule.
Setting
Options
Scan now
Your scan runs as soon as setup and review are complete.
Save for later
Your configuration is saved when completed. You can run the scan later.
Schedule Your configuration is saved, and one or more scans run as configured:- Select a date and time. Enter these according to the time zone configured on your machine, but note that times will be converted to UTC when displayed in the user interface.
- To run the scan more than once, select the
Repeat, and then choose:
- Daily, and select a daily interval (1-30 days)
- Weekly, and select which day, or
- Monthly, select a monthly interval, and then select which numerical day of the month, or which weekday of the month (first, second, third, fourth, last).
Note: If the maximum number of concurrent scans are running when the scheduled time arrives, the scan starts as soon as allowed by your subscription. - Set the End date (the last date a scan will run), or click Remove end date to have the schedule run indefinitely.
-
Preferences: scan options
In the Scan options panel, you can:
- Elect to run the scan as a Personal scan.
- Elect to receive an email when the scan is complete.
-
Summary
Edit the name of the scan, if desired, and review the settings selected for the scan. Click Back to previous panels to make adjustments if needed.
- Click Scan.
Results
What to do next
See Results.