This document is for:
Invicti Enterprise on-demand, Invicti Enterprise on-premises

This feature is available with Invicti API Security Standalone or Bundle.

Zero Configuration API Discovery

Zero Configuration API Discovery provides a fast and efficient method for finding and adding existing Swagger2 and OpenAPI3 specification files to your Invicti Enterprise API Inventory.

This document explains how the zero-config API Discovery service works and how you can use it to build your API inventory by checking your existing cloud targets for APIs.

PREREQUISITES
  • Access to API Discovery in Invicti Enterprise requires either an Account Administrator role or the View API Inventory permission added to a new or existing role.
  • API Discovery in Invicti Enterprise on-premises prerequisites:

How does Zero Configuration API Discovery work?

Zero Configuration API Discovery checks your existing cloud targets for open ports and accessible paths to identify and retrieve Swagger2 and OpenAPI3 specifications. It then validates the type and format of each specification file before adding them to your API Inventory in Invicti Enterprise.

[Figure: Zero Configuration API Discovery]

How to build your API Inventory from existing targets

Follow these steps to enable Zero Configuration Discovery so it can begin checking your existing cloud targets for APIs and adding discovered API specs to your API Inventory.

  1. Select APIs > Sources from the left-side menu.
  2. Click Yes next to Allow Invicti to discover APIs from targets.
[Figure: Allow Invicti to discover APIs from targets]

Zero Configuration API Discovery is now enabled and immediately starts checking your existing cloud targets for APIs. After the initial check, zero configuration discovery checks your cloud targets for new APIs every 48 hours.

What happens when APIs are discovered?

When any Swagger2 or OpenAPI3 specification files are identified and retrieved, these appear on the API Inventory page in Invicti Enterprise. From the API Inventory, you can link each discovered API to a target, which ensures the API is always scanned whenever the linked target is scanned by Invicti Enterprise. For instructions on how to do this, refer to the documentation on linking and unlinking discovered APIs to targets.

note

If you later turn off Zero Configuration API Discovery, any APIs that have already been discovered remain in your API Inventory. However, their API definitions are no longer kept up to date.

Frequently asked questions

This section provides answers to some common questions about Zero Configuration API Discovery in Invicti Enterprise.

Does it work independently from a scan?

Zero Configuration Discovery works independently of security scans of a target. It checks your cloud targets for open ports and paths where API specifications may be located; it does not scan for vulnerabilities.

Is it leveraging the agent to discover APIs?

Yes, Zero Configuration Discovery uses the cloud agent to check your existing cloud targets.

Can you specify which targets are checked?

Zero Configuration Discovery checks all the cloud targets added to Invicti Enterprise. It's not possible to select specific targets when running Zero Configuration Discovery.

Does it work with internal and external targets?

Targets that are leveraging cloud agents are checked.

Which ports and paths are checked?

Zero Configuration API Discovery checks ports: 80, 81, 443, 3000, 5000, 7000, 8000, 8008, 8080, 8081, 8083, 8088, 8090, 8181, 8443, and 8888.

For each open port, a large set of common paths where OpenAPI3 and Swagger2 API specs are typically located is checked. For example, <targetURL>/api/v1/swagger.json.
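As an added illustration (not Invicti's own code) of what a discovery pass does with the port list above and with the validation step described earlier on this page, the following Python builds the candidate spec URLs for one of your own hosts, then classifies a fetched document as Swagger2 or OpenAPI3 (or rejects it) and extracts only the endpoints, which is the data the page says is retained. The second path, the scheme-by-port rule and the sample document are assumptions for the example; the page only lists the ports and the one example path.

```python
import json
from urllib.parse import urlunsplit

# Ports listed on this page as checked by Zero Configuration API Discovery.
DISCOVERY_PORTS = [80, 81, 443, 3000, 5000, 7000, 8000, 8008, 8080,
                   8081, 8083, 8088, 8090, 8181, 8443, 8888]
# The page gives only the first path as an example; the second is an assumption.
CANDIDATE_PATHS = ["/api/v1/swagger.json", "/openapi.json"]

def candidate_urls(host, paths=CANDIDATE_PATHS, ports=DISCOVERY_PORTS):
    """Build the spec URLs a discovery pass would request for one of your hosts."""
    urls = []
    for port in ports:
        scheme = "https" if port in (443, 8443) else "http"  # assumption
        for path in paths:
            urls.append(urlunsplit((scheme, f"{host}:{port}", path, "", "")))
    return urls

def classify_spec(document):
    """Return 'swagger2', 'openapi3' or None for a fetched body (JSON only).

    As the page describes, type and format are validated before anything is
    added to the inventory: an HTML error page or a JSON document without a
    version marker and a 'paths' object is rejected."""
    try:
        spec = json.loads(document)
    except (ValueError, TypeError):
        return None
    if not isinstance(spec, dict) or not isinstance(spec.get("paths"), dict):
        return None
    if spec.get("swagger") == "2.0":
        return "swagger2"
    if str(spec.get("openapi", "")).startswith("3."):
        return "openapi3"
    return None

def extract_endpoints(document):
    """List (METHOD, path) pairs: the only data the page says is retained."""
    if classify_spec(document) is None:
        return []
    methods = {"get", "post", "put", "patch", "delete", "head", "options"}
    return sorted((m.upper(), p) for p, ops in json.loads(document)["paths"].items()
                  if isinstance(ops, dict) for m in ops if m in methods)

# Constructed sample: a minimal OpenAPI 3 document, not retrieved from any target.
SAMPLE_OPENAPI3 = json.dumps({
    "openapi": "3.0.1", "info": {"title": "demo", "version": "1"},
    "paths": {"/users": {"get": {}, "post": {}}, "/users/{id}": {"delete": {}}},
})
```

Running the same classification over a spec you expect to be private is a quick way to confirm whether it would be picked up and inventoried.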

How do I know which APIs were discovered by Invicti?

When API specifications are added to the API Inventory, each file is labeled with the source. APIs that have been identified and retrieved by Zero Configuration API Discovery have the source label: Discovered by Invicti.

What data is collected?

Zero-config API Discovery only collects the endpoints for discovered OpenAPI3 and Swagger2 APIs, which are reported to the API Inventory. Invicti doesn't save any information about the request and response that identifies the APIs. The data is parsed and analyzed but not saved.

Are APIs found during a security scan added to the API Inventory?

APIs that are detected during a security scan of a target aren't added to the API Inventory. Only APIs discovered by Zero Configuration Discovery or through one of the other API Discovery sources are added to the API Inventory.

How often does it check targets for new APIs?

After the initial check when you first enable Zero Configuration Discovery, it checks your cloud targets for new APIs every 48 hours (provided you keep Zero Configuration Discovery enabled).

