How to create an API scan using ADAC

You can scan a web API using ADAC from AppScan Enterprise, where you can create and run a DAST scan. Scanning a web API requires some manual input from the user to show AppScan Enterprise how to use the API. This is done in the Manual Explore section, where you can either record traffic using an external client such as Postman, SOAP UI or any other external client, or import a previously recorded traffic file.

About this task

This task describes the basic steps to create an API scan using ADAC.

Procedure

  1. In AppScan Enterprise, from the Scans view, navigate to the folder where you want to create the scan and click Create.
  2. In the Create Folder Item page, select Job using template and select a scan template.
    A scan template is a predefined scan configuration. You can load the regular scan template, a predefined template, or a template that you previously saved. You can later adjust the configuration as required for the current scan. For more information, see Creating a scan based on a template using AppScan Standard scan properties.
    When you create a scan job using a template, it launches ADAC.
  3. In ADAC, complete the following steps to configure your scan job:
    1. Define the starting URL
    2. Record login sequence
      If you have previously recorded the login sequence, use the Import option to use the recorded file instead of recording.
    3. Record traffic using an external client
      You can also import a previously recorded API traffic file. For more information, see Capturing and Importing Traffic Data.
    4. Configure platform authentication
    5. Configure the job properties
    6. When complete, click Create Job and exit ADAC
      The scan job is created in AppScan Enterprise under your scans in the Scans view.
  4. From the Scans view, select the scan and click Run.
    AppScan initiates the scan, which consists of two stages: the Explore stage, in which AppScan crawls your web API based on the traffic you uploaded and creates tests, and the Test stage, in which AppScan tests your web API, based on the responses it received during the Explore stage, to reveal vulnerabilities and assess their severity.

What to do next

When scan results are ready, you can view the reports on the Results tab. Reports display information about your web API and provide the functionality to navigate to more details. You can review the results to evaluate the security status of your web API. You may also want to:
  • Explore additional links
  • Review Remediation Tasks
  • Print Reports
  • Review the scan results, modify the scan configuration, and scan again