Package: Invicti AppSec Core (on-demand)

Introduction to API discovery

Invicti AppSec Core's API discovery helps AppSec teams identify, locate, manage, and keep track of their organization's APIs - including unknown and undocumented ones.

This document explains what API discovery is, how the different discovery methods work, and how discovered APIs flow into the API catalog for scanning.

What is API discovery?

API discovery builds an up-to-date catalog of your organization's internal and external API assets. Once APIs are discovered, their specification files can be scanned for vulnerabilities using Invicti's DAST engine.

Organizations often have more APIs than they're aware of - shadow APIs, legacy endpoints, and third-party-hosted services that aren't tracked in any central inventory. API discovery automates the process of surfacing these assets so your security team can review and scan them.

How API discovery works

Invicti AppSec Core takes a multi-method approach to API discovery. You can use one or more of the following methods simultaneously:

Network API discovery

The Invicti Network Traffic Analyzer (NTA) observes traffic on your network to identify REST API calls and reconstruct them into OpenAPI 3 specifications. It captures traffic on Kubernetes, Docker, or Linux hosts, or through proxy gateways such as Kong, NGINX, F5, or Cloudflare Worker, and sends the reconstructed specifications to your API catalog automatically.

Tip: The NTA needs to find at least three endpoints on the same host before it reconstructs and pushes an OpenAPI 3 specification to your API catalog.

For setup instructions, see the API sources documentation.
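To make the reconstruction step concrete, here is an added illustration (not Invicti's NTA code) of how observed requests can be grouped by host, templatized into OpenAPI 3 paths, and only emitted once a host shows at least three distinct endpoints. The sample traffic, the `{id}` templating rule, and the definition of an endpoint as a distinct method-plus-path pair are assumptions made for this example.

```python
"""Illustrative reconstruction of OpenAPI 3 skeletons from observed HTTP
requests. Not Invicti's NTA code; it mirrors the documented rule that a
host needs at least three endpoints before a specification is produced."""
import re
from collections import defaultdict

MIN_ENDPOINTS = 3  # threshold from the tip above

# Constructed sample of observed requests: (host, method, path, status)
OBSERVED = [
    ("api.example.test", "GET", "/v1/users/42", 200),
    ("api.example.test", "GET", "/v1/users/7", 200),
    ("api.example.test", "POST", "/v1/users", 201),
    ("api.example.test", "GET", "/v1/orders/1001", 200),
    ("api.example.test", "DELETE", "/v1/orders/1001", 204),
    ("shadow.example.test", "GET", "/internal/health", 200),
    ("shadow.example.test", "GET", "/internal/metrics", 200),
]

def templatize(path: str) -> str:
    """Assumed rule: collapse purely numeric path segments into {id}."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def reconstruct_specs(observed):
    """Return {host: OpenAPI 3 dict} for hosts with at least MIN_ENDPOINTS
    distinct (method, path template) pairs; other hosts are skipped."""
    per_host = defaultdict(lambda: defaultdict(dict))
    for host, method, path, status in observed:
        tmpl = templatize(path)
        op = per_host[host][tmpl].setdefault(method.lower(), {"responses": {}})
        op["responses"][str(status)] = {"description": "observed in traffic"}
        if "{id}" in tmpl:
            op["parameters"] = [{"name": "id", "in": "path",
                                 "required": True, "schema": {"type": "string"}}]
    specs = {}
    for host, paths in per_host.items():
        endpoints = sum(len(ops) for ops in paths.values())
        if endpoints < MIN_ENDPOINTS:
            continue  # too little evidence; no spec is pushed for this host
        specs[host] = {
            "openapi": "3.0.0",
            "info": {"title": f"Reconstructed API for {host}", "version": "0.1"},
            "servers": [{"url": f"https://{host}"}],
            "paths": {tmpl: dict(ops) for tmpl, ops in paths.items()},
        }
    return specs

if __name__ == "__main__":
    for host, spec in reconstruct_specs(OBSERVED).items():
        print(host, sorted(spec["paths"]))
```

In the sample, `api.example.test` yields four endpoints and gets a specification, while `shadow.example.test` shows only two and is held back.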

API management integration

Invicti AppSec Core integrates with leading API management platforms - including Amazon API Gateway, Apigee API Hub, Azure API Management, Kong Konnect, and MuleSoft Anypoint Exchange - to automatically retrieve and import your organization's Swagger 2.0 and OpenAPI 3.0 specifications. Once configured, these integrations sync every 24 hours.

For setup instructions, see the API sources documentation.

Zero-configuration discovery

Using your existing targets in Invicti AppSec Core, zero-configuration discovery builds your API catalog by identifying, validating, and retrieving APIs exposed over HTTP or HTTPS. This is the quickest way to onboard existing APIs - no additional configuration required beyond having targets set up.

Sensorless API discovery

Sensorless API discovery automatically discovers and processes API specifications during DAST scans, without requiring any additional sensors or agents. While a scan runs, it detects specification files during crawling, analyzes HTTP responses, and reconstructs API specifications from the observed traffic. Invicti AppSec Core automatically uploads all discovered specifications to API discovery.

The API catalog

The API catalog is the destination for APIs that have been linked to a target. APIs in discovery haven't yet been assigned to a target - once you link an API specification to an existing or new target, it moves from API discovery to the API catalog and becomes available for vulnerability scanning.

Note: API discovery and the API catalog are complementary views. API discovery shows APIs awaiting target assignment. The API catalog shows APIs already linked to targets and ready for scanning.
