Creating an API scan (full configuration)

ASoC supports different workflows for scanning a web API. If you have a Postman collection or recorded traffic of your web API, you can import it and use it as the basis for a scan by using the API scan configuration wizard. Alternatively, you can use the Postman collection files with the REST API.

Before you begin

About this task

This topic discusses the configuration options available for an API scan.

Procedure

  1. On the specific Application page, click Create scan, then click Create scan under DAST Dynamic Analysis to open the wizard.
  2. Select API scan.
  3. API
    Select the API explore method and the domains to test:

    Setting: Upload Postman collection or Upload recording
      Based on the API explore method you selected, upload the Postman collection files or the traffic recording.

    Setting: Domains to be tested
      Add every domain that you want included in the scan. You must add at least one domain to initiate a scan. All domains must be verified or allowed unless your network is private and you are using a Presence.

      Both these formats are valid:

      • https://demo.testfire.net/
      • demo.testfire.net
      Important: Domains not listed will not be scanned.
  4. Targets: Private site scanning

    Public site scanning is the default. If your site is not reachable from the Internet, click Private network and select your Presence from the list of connected Presences.
    Figure: API configuration showing Private site scanning options

    If you have not yet created an AppScan Presence, you can do so now by clicking the Presences link and referring to Creating the AppScan Presence.

  5. Authentication and connectivity: API authentication
    If the imported data requires a login, upload a login recording so that AppScan can scan the endpoints that need authentication. You can also record the login with third-party tools and upload the resulting file here.
    Figure: API configuration showing login recording upload option

    Setting: Login recording
      Use a login recording
      If a special login procedure is needed, select this option to upload a recording of the procedure that ASoC uses whenever it logs in to the application during the scan. You can record it with the AppScan Activity Recorder (saved as a CONFIG file) or with AppScan Standard (exported as a LOGIN file).
      Important: The recorded login sequence must contain the following requests:
      • The login/authorization request
      • An additional logged-in/authorized request. This "extra" request lets AppScan confirm that the login succeeded and maintain the session while testing the application.

    For details about recording a CONFIG or LOGIN file, see Recording traffic and Recording the login using AppScan Standard.

  6. Authentication and connectivity: HTTP authentication

    In addition to the login information, indicate whether the application requires HTTP authentication (Negotiate, NTLM, Kerberos, ADFS, Basic, or Digest). Enter the Username, Password, and Domain (optional) for ASoC to use during the scan.

    Figure: API configuration showing HTTP authentication options
  7. Authentication and connectivity: Communication

    Set how many requests ASoC can send to the site simultaneously, how long it waits for a response, and how fast it sends requests.
    Figure: API configuration showing Communication options

    Setting: Number of threads
      Reduce the limit if your site cannot handle the default number of simultaneous requests; if your site does not allow simultaneous requests at all, reduce the limit to 1.

    Setting: Server communication timeout
      Adjust automatically during the scan
      Let ASoC decide how long to wait for any particular response before timing out. This can significantly reduce scan time.
      Fixed
      Set the maximum time ASoC waits for a response before timing out. Increase this setting if your site responds slowly and ASoC is missing responses because the timeout is too short.

    Setting: Max request rate
      By default, ASoC sends requests to the site as fast as possible. If this would overload your network or server, reduce the limit.

  8. Authentication and connectivity: Form fill

    When enabled, ASoC uses the AppScan Standard default automatic form fill parameters to complete forms automatically during the scan. The parameter values cannot be changed in the wizard.
    Figure: API configuration showing enable form fill option

    Setting: Automatic form fill
      ASoC uses AppScan Standard's default form fill parameter values to fill and submit forms during the scan.
      Note: If you turn off automatic form fill and run the scan in AppScan on Cloud, all form fill data except the login management data is discarded, and AppScan does not fill in forms during the scan. If you then import this scan into AppScan Standard, automatic form fill is enabled, but the form fill data (except for login management) is empty.
  9. Tests: Test policy and optimization

    Define the collection of tests that is sent to the application during testing (the test policy), and apply optimization for faster scans at those points in the product lifecycle when speed matters more to you than scan depth.
    Figure: API configuration showing test policy and optimization options

    Setting: Test policy
      Select one of the five predefined test policies based on the level of coverage required. The default policy, Default, includes all tests except invasive and port listener tests. For details, see Test policy.
      Tip: A test policy is different from an application policy.

    Setting: Test optimization
      Select the tradeoff between scan speed and issue coverage that suits your needs. The slider offers four levels; the default is Fast. For details, see Test Optimization.

  10. Tests: Test options

    Choose whether to send tests on login and logout pages, and whether to report vulnerable third-party components.
    Figure: API configuration showing test options

    Setting: Login/Logout tests
      Choose whether to send tests on login and logout pages. If you choose to send tests on login pages, specify whether to send session identifiers with them.

    Setting: Report vulnerable components
      When enabled, AppScan identifies vulnerable third-party components and recommends updates.
  11. Preferences: Schedule

    Specify when the scan runs: now, later, or on a schedule.
    Figure: API configuration showing the scheduling options

    Setting: Scan now
      The scan runs as soon as setup and review are complete.

    Setting: Save for later
      The configuration is saved when you complete the wizard. You can run the scan later.

    Setting: Schedule
      The configuration is saved, and one or more scans run as configured:
      1. Select a date and time. Enter these in the time zone configured on your machine; note that the times are converted to UTC when displayed in the user interface.
      2. To run the scan more than once, select Repeat, and then choose:
        • Daily, and select a daily interval (1-30 days)
        • Weekly, and select which day of the week, or
        • Monthly, and select a monthly interval, and then either the numerical day of the month or the weekday of the month (first, second, third, fourth, last).
        Note: If the maximum number of concurrent scans permitted by your subscription is already running when the scheduled time arrives, the scan starts as soon as a slot becomes available.
      3. Set the End date (the last date on which a scan runs), or click Remove end date to have the schedule run indefinitely.
  12. Preferences: Scan options
    In the Scan options panel, you can:
    • Choose to run the scan as a Personal scan.
    • Choose to receive an email when the scan is complete.
    Figure: API configuration showing scan options
  13. Summary

    Edit the name of the scan, if desired, and review the settings selected for the scan. Click Back to return to previous panels and make adjustments if needed.
    Figure: API configuration showing summary of configuration options

  14. Click Scan.
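The wizard only scans hosts that appear under Domains to be tested (step 3), and it accepts a domain either as a URL or as a bare host name. The script below is an added example, not part of this page or of the ASoC product: it checks a Postman collection before you upload it by walking the collection's item tree, extracting the host of each request, and reporting which hosts the domain list covers, which would be skipped, and which cannot be resolved statically because the URL starts with a Postman variable. The sample collection and the host names in it are constructed for illustration, and exact-host matching is an assumption: this page does not say how ASoC matches domains (for example, whether subdomains are included), so treat any mismatch the script reports as something to confirm in the wizard rather than as ASoC's own behaviour.

```python
"""Pre-flight check before uploading a Postman collection to the ASoC API scan
wizard: which request hosts are covered by the 'Domains to be tested' entries.
Added example, not ASoC code."""
import json
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample collection in the Postman v2.1 layout: folders nest under
# "item", and a request's "url" may be a plain string or an object with "raw".
SAMPLE_COLLECTION = json.dumps({
    "info": {
        "name": "sample-api",
        "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
    },
    "item": [
        {"name": "login", "request": {"method": "POST",
            "url": {"raw": "https://demo.testfire.net/api/login"}}},
        {"name": "accounts", "item": [
            {"name": "list", "request": {"method": "GET",
                "url": "https://demo.testfire.net/api/accounts"}},
            {"name": "profile", "request": {"method": "GET",
                "url": "https://api.example.com/v1/profile"}},
        ]},
        {"name": "static", "request": {"method": "GET",
            "url": "http://cdn.example.net:8080/app.js"}},
        {"name": "health", "request": {"method": "GET",
            "url": "{{baseUrl}}/api/health"}},
    ],
})


def normalize_domain(entry: str) -> str:
    """Reduce a 'Domains to be tested' entry to a bare lower-case host.
    Both forms the wizard accepts work: 'https://demo.testfire.net/' and
    'demo.testfire.net'. A port, if present, is dropped."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "//" + entry  # make urlsplit treat the value as a network location
    host = urlsplit(entry).hostname
    if not host:
        raise ValueError(f"cannot parse domain entry: {entry!r}")
    return host.lower()


def iter_requests(items: list) -> Iterator[Tuple[str, dict]]:
    """Yield (name, request) for every request in the nested Postman item tree."""
    for item in items:
        if "item" in item:               # folder: recurse into its children
            yield from iter_requests(item["item"])
        elif "request" in item:          # leaf request
            yield item.get("name", "<unnamed>"), item["request"]


def request_host(request: dict) -> Optional[str]:
    """Return the lower-case host of a request URL, or None when the URL cannot
    be resolved statically (for example, it starts with a {{variable}})."""
    url = request.get("url", "")
    if isinstance(url, dict):
        url = url.get("raw", "")
    host = urlsplit(url).hostname
    return host.lower() if host else None


def check_coverage(collection_json: str, domains: List[str]) -> Dict[str, object]:
    """Compare every request host in the collection with the domain list.
    Assumption (not stated on the page): matching is on the exact host, so a
    subdomain counts as covered only if it is listed itself."""
    allowed = {normalize_domain(d) for d in domains}
    collection = json.loads(collection_json)
    covered, skipped, unresolved = set(), set(), []
    for name, request in iter_requests(collection.get("item", [])):
        host = request_host(request)
        if host is None:
            unresolved.append(name)
        elif host in allowed:
            covered.add(host)
        else:
            skipped.add(host)
    return {"covered": covered, "skipped": skipped, "unresolved": unresolved}


if __name__ == "__main__":
    result = check_coverage(SAMPLE_COLLECTION, ["https://demo.testfire.net/"])
    print("covered by the domain list:", sorted(result["covered"]))
    print("not listed, will NOT be scanned:", sorted(result["skipped"]))
    print("unresolved Postman variables, check manually:", result["unresolved"])
```

Run it against your own collection by replacing SAMPLE_COLLECTION with the file contents and the domain list with the entries you plan to type into the wizard; every host in the "skipped" set needs to be added (and verified or allowed) before the scan, or the requests to it are silently left out.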

Results

The new scan is added to the Scans view with its starting time, and a progress bar indicates that the scan is running. When the scan is complete the progress bar closes, the results are summarized in a graph, and (if selected) you receive an email notification.

What to do next

See Results.