Overview of scanning APIs
Invicti Platform can scan Application Programming Interfaces (APIs). When most people think of web security, they think of testing websites and web applications. However, over 80% of web traffic is actually sent through web APIs. Invicti Platform is a web vulnerability solution for securing your APIs, web applications, websites, and more.
Scanning APIs with Invicti Platform
APIs and web applications use the same language and technologies, which means they're also prone to the same types of security risks and attacks, such as SQL injection attacks. Since APIs are discrete endpoints, scanners need to know how to find them to test their security. Invicti Platform offers API scanning through the import or linking of API specification files.
Specifically, you can use the Invicti Platform to identify vulnerabilities in your SOAP, REST, and GraphQL APIs. The scan results offer remedies to fix the identified vulnerabilities in the same way that you view scan results for your web applications and websites.
Scanning production APIs should be conducted with care, because some scanning methods may result in data deletion. It's recommended to:
- Carefully consider the permissions (authentication) you provide and which methods (PUT, POST, DELETE) are used.
- Manually exclude API operations (methods with endpoints) from the uploaded/linked file to prevent destroying or making undesirable changes to the production application.
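The second recommendation is easy to get wrong by hand on a large specification. The following Python script is an added example, not Invicti's code and not part of this page: it lists every operation in an OpenAPI 3 document and writes a trimmed copy that omits the methods you consider unsafe to exercise against production, so the file you upload or link already excludes them. The choice of methods to exclude (`STATE_CHANGING`), the `keep_paths` allow-list and the sample specification are all assumptions constructed for the illustration.

```python
"""Trim state-changing operations from an OpenAPI 3 document before scanning.

Added example, not Invicti's code. Produces a copy of a specification that
keeps only the operations you want a scanner to call against production.
"""
import copy
import json

# HTTP methods that OpenAPI recognises as path-item operations.
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Methods that can modify or destroy data; excluded by default.
# Assumption: adjust this set to your own API's semantics and risk appetite.
STATE_CHANGING = {"put", "post", "delete", "patch"}


def list_operations(spec):
    """Return (METHOD, path, operationId) for every operation in the spec."""
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method in item:
                ops.append((method.upper(), path, item[method].get("operationId")))
    return ops


def filter_operations(spec, excluded_methods=STATE_CHANGING, keep_paths=()):
    """Return a deep copy of the spec with the excluded methods removed.

    keep_paths: paths whose state-changing operations are intentionally
    retained (for example a disposable sandbox resource). Paths left with
    no operations at all are dropped from the copy.
    """
    trimmed = copy.deepcopy(spec)
    for path, item in list(trimmed.get("paths", {}).items()):
        if path in keep_paths:
            continue
        for method in list(item):
            if method in excluded_methods:
                del item[method]
        if not any(m in item for m in HTTP_METHODS):
            del trimmed["paths"][path]
    return trimmed


# Constructed sample specification; not a real API.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Constructed demo API", "version": "1.0"},
    "paths": {
        "/users": {
            "get": {"operationId": "listUsers"},
            "post": {"operationId": "createUser"},
        },
        "/users/{id}": {
            "get": {"operationId": "getUser"},
            "delete": {"operationId": "deleteUser"},
        },
        "/sandbox/echo": {
            "post": {"operationId": "echo"},
        },
    },
}

if __name__ == "__main__":
    # Review what would be excluded before writing the trimmed file.
    for method, path, op_id in list_operations(SAMPLE_SPEC):
        flag = "EXCLUDE" if method.lower() in STATE_CHANGING else "keep"
        print(f"{flag:8} {method:6} {path} ({op_id})")
    safe = filter_operations(SAMPLE_SPEC, keep_paths=("/sandbox/echo",))
    with open("openapi-scan-safe.json", "w") as fh:
        json.dump(safe, fh, indent=2)
```

Run it against your own exported specification instead of `SAMPLE_SPEC`, review the printed list, and then upload or link `openapi-scan-safe.json` as the target's API specification. Excluding at the file level complements, rather than replaces, the first recommendation: the credentials you give the scanner should still not be able to perform operations you have not intended it to test.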
Use internal URL references for API specifications
Invicti Platform supports adding API specifications via URLs that may not be immediately accessible from the cloud environment, such as URLs hosted on internal or private networks. This feature works with all supported API specification formats (OpenAPI/Swagger, GraphQL, RAML, WADL, WSDL).
How it works
Instead of downloading the API specification immediately when you save the URL, the system:
- Stores the URL as a reference only
- Resolves the specification at scan runtime via the agent
- Downloads the specification fresh with every scan
- Accesses the URL from the agent's network context (which may include internal networks)
Use cases
This feature is designed for scenarios where:
- API specifications are hosted on internal infrastructure not accessible from the cloud
- Specifications need to reflect the latest version at each scan
- You want to avoid exposing internal URLs to the cloud environment
Steps to add an internal URL for API specifications
- Select Inventory from the left side menu.
- Click the target for which you want to add the API specification URL.
- Click Edit.
- Under Scan configuration, choose General.
- Select Link from URL.
- Using the drop-down, specify the API type and enter the URL.
- Confirm this by clicking Link API specification.
At scan time, the agent attempts to download the specification from the provided URL using its own network access.
API specifications added via URL references aren't displayed in the API Hub.
Scanning authenticated APIs
Invicti Platform also supports scanning APIs that require authentication. The available authentication methods are all configured via the target settings page. These include authentication via API Key, Bearer Token, JWT Token, Basic Authentication, and OAuth 2.0.
Need help?
The Support team is ready to provide you with technical help. Go to Help Center