Can the AppCheck scanner scan SOAP and REST APIs?
Yes, the AppCheck scanner can test both
- SOAP APIs; and
- REST APIs.
SOAP APIs typically receive and return XML-formatted data.
REST APIs typically use either JSON or HTML.
Accessing a website as a human is relatively "free-form" and flexible. However, because an API is used for computer-to-computer interaction, communication with it is much more rigidly defined: an API will simply not understand, or will refuse to process, requests that are not structured as expected. Therefore, in order to scan an API effectively, it is important to know various elements of how the API expects to receive requests, such as:
- what paths the API uses;
- what methods (types of commands such as "create a user" or "delete a user") it offers;
- what parameters/data structure the API requires for each method; and
- what authentication is needed to access it.
In order to define these things, APIs have specifications (a little like "instruction manuals") written in a type of language called a "Service Definition Language" or SDL.
- For SOAP APIs, the SDL used is called "WSDL"; and
- For REST APIs it is a little different, but the closest comparison is a "Swagger/OpenAPI Specification File".
For effective API scanning, we therefore ask the customer to provide us with this specification file describing how the API works: a "WSDL" file for a SOAP API, and (typically) a "Swagger/OpenAPI Specification File" for a REST API.
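As an added illustration (not AppCheck's own code or tooling), the following Python reads an OpenAPI 3 document and pulls out exactly the elements listed above that a scanner needs: paths, methods, parameters and authentication requirements. The OpenAPI document is constructed for this example, and the `bearerAuth` scheme and `/users` endpoints are assumptions, not taken from the article.

```python
import json

# Constructed sample OpenAPI 3.0 document (not taken from the article): a tiny user API.
SAMPLE_OPENAPI = json.loads("""
{
  "openapi": "3.0.0",
  "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
  "security": [{"bearerAuth": []}],
  "paths": {
    "/users": {
      "post": {
        "summary": "create a user",
        "requestBody": {"required": true, "content": {"application/json":
          {"schema": {"type": "object", "required": ["name"],
                      "properties": {"name": {"type": "string"}}}}}}}},
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true, "schema": {"type": "integer"}}],
      "delete": {"summary": "delete a user", "security": []}}
  }
}
""")

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

def extract_operations(spec):
    """One dict per operation: path, method, parameters, body media types and auth."""
    ops = []
    default_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        shared_params = item.get("parameters", [])  # apply to every method on the path
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            params = shared_params + op.get("parameters", [])
            # Operation-level "security" overrides the document default; an explicit
            # empty list means the endpoint can be called without authentication.
            security = op.get("security", default_security)
            ops.append({
                "path": path, "method": method.upper(),
                "parameters": [(p["name"], p["in"], p.get("required", False)) for p in params],
                "body_types": sorted(op.get("requestBody", {}).get("content", {})),
                "auth": sorted({name for req in security for name in req}),
            })
    return ops

def unauthenticated(ops):
    """Paths/methods the spec says need no auth: worth confirming before a scan."""
    return [(o["method"], o["path"]) for o in ops if not o["auth"]]
```

Running `extract_operations(SAMPLE_OPENAPI)` gives the scanner's four inputs for each endpoint, and `unauthenticated` flags the one endpoint whose empty `security` list overrides the document-wide bearer-token requirement.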
For a general description of how API scanning works, see https://appcheck.zendesk.com/hc/en-us/articles/360002686558-How-does-AppCheck-s-scanning-of-APIs-work-