Web API scanning
HCL AppScan Enterprise is a scalable enterprise solution that allows organizations to manage their application security program for their web applications and web APIs. It features cutting edge methods and techniques to identify security vulnerabilities to help protect applications from the threat of cyber-attacks.
HCL AppScan Enterprise Dynamic Analysis engine, evaluates application security at runtime by attacking the application using techniques analogous to methodologies used by hackers. The result of the tests includes a rich set of data ranging from application inventory to detailed attack traffic which can be reproduced for validation and fix. This data can be examined and processed in the UI or exported in various formats for sharing in other tools.
To scan a web API, AppScan Enterprise must get the generated API traffic, and then use this data to perform tests in an automated way.
There are few ways to provide AppScan Enterprise with the data for API scanning:
- Record traffic using AppScan Dynamic Analysis Client (ADAC)
- Using Postman or SoapUI integration
- Using any other external client
- Record traffic using AppScan’s Proxy Server
- Upload traffic using ADAC
- Use REST API to create a scan and upload traffic
- Create an API scan using AppScan Standard and then upload the file in AppScan Enterprise for scanning. See Recording with an external client and Importing manual explore data from AppScan Standard.
For more information on the different methods used to capture and import traffic data, see Capturing and Importing Traffic Data.
When creating an API scan, if you have authentication to the site, it is recommended to provide a login sequence recording.