AppCheck's API scanning consists of two primary phases: crawling (discovering URLs to scan) and attacking (probing for vulnerabilities on the URLs discovered during crawling).
To scan an API effectively, it is important to know things such as:
- what paths the API uses;
- what methods [types of commands such as "create a user", or "delete a user"] it offers;
- what parameters/data structure the API requires for each method; and
- what authentication is needed to access it, etc.
Unlike human-interactive webpages, APIs are designed for computer interaction. APIs do not contain "hyperlinks" that can be used to build up a map of the API and list all of its URLs, as you would in a web application. It is therefore necessary to "seed" an API scan by providing it with a map describing the URLs available.
In order to define these things, APIs have "instruction manuals" written in a type of language called a "Service Definition Language" or SDL.
- For SOAP APIs, the SDL used is called "WSDL"; and
- For REST APIs it is a little different, but the closest comparison is a "Swagger/OpenAPI Specification File".
(For a discussion of the differences between SOAP and REST APIs see https://appcheck.zendesk.com/hc/en-us/articles/360033469174-Can-the-AppCheck-scanner-scan-SOAP-and-REST-APIs-)
When the WSDL option is enabled under API Scanning, AppCheck will attempt to search for and parse WSDL files. Our WSDL parser will create SOAP targets according to the WSDL file and we will add attack payloads to parts of the SOAP message.
For REST APIs, we will parse a Swagger/OpenAPI document and create targets from it. We will then add payloads to those targets with respect to the method type and specified parameters.
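As an added illustration (not AppCheck's parser and not code from this article), the sketch below shows how a Swagger/OpenAPI document can be turned into a list of scan targets, one per method and path, each with the parameters a scanner would have to populate. The sample specification, the host `api.example.test` and the function name `enumerate_targets` are constructed for the example, and `$ref` resolution is omitted.

```python
import json

# Constructed sample OpenAPI 3 document (not taken from any real API).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "servers": [{"url": "https://api.example.test/v1"}],
  "paths": {
    "/users": {
      "post": {
        "requestBody": {"content": {"application/json": {"schema": {
          "type": "object",
          "properties": {"name": {"type": "string"}, "email": {"type": "string"}}
        }}}}
      }
    },
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true}],
      "get": {"parameters": [{"name": "verbose", "in": "query"}]},
      "delete": {}
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

def enumerate_targets(spec):
    """Return sorted (METHOD, url, params) tuples, one per operation in the spec."""
    servers = spec.get("servers") or [{"url": ""}]
    base = servers[0]["url"].rstrip("/")
    targets = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level params apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:  # skip non-operation keys such as "parameters"
                continue
            # Operation-level params override path-level ones with the same (name, in).
            merged = {(p["name"], p["in"]): p for p in shared + op.get("parameters", [])}
            params = sorted(f"{loc}:{name}" for (name, loc) in merged)
            schema = (op.get("requestBody", {}).get("content", {})
                        .get("application/json", {}).get("schema", {}))
            params += sorted(f"body:{n}" for n in schema.get("properties", {}))
            targets.append((method.upper(), base + path, params))
    return sorted(targets)

if __name__ == "__main__":
    for method, url, params in enumerate_targets(SAMPLE_SPEC):
        print(method, url, params)
```

Comparing this kind of target list against the endpoints you expect to be covered is a quick way to spot operations missing from the specification before a scan is seeded with it.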
Attack Payload Phase
Once the API has been crawled, the attack phase proceeds much as with a regular web application scan. Essentially, there are no API-specific plugins in the attack phase: the scanner uses the same plugins configured in the general web application config section as it does for non-API scans.
Setting up an API Scan
Once you understand the above you will probably wish to set up a scan yourself. To do this please see our guide: Setting Up An API Scan.