
Zero configuration API discovery

Zero configuration API discovery provides a fast and efficient method for finding and adding existing APIs to your Invicti Platform API Inventory.

This document explains how the zero configuration API discovery service works and how to use it to build an API inventory by checking your existing cloud targets for APIs.

Requirements

Access to API Discovery in Invicti requires either an Account or System Administrator role, or a custom role with the API Discovery permission.

How zero configuration API discovery works

Zero configuration API discovery checks your existing cloud targets for open ports and accessible paths to identify and retrieve Swagger2 and OpenAPI3 specifications. It then validates the type and format of each specification file before adding them to your API Inventory in Invicti.

Diagram showing Invicti Platform API inventory, target list, and engines

How to build your API inventory from existing targets

Follow the steps below to enable zero configuration discovery so it can begin checking your existing cloud targets for APIs and adding discovered API specs to your API Inventory.

  1. Select Discovery > API Sources from the left-side menu.
  2. Click Yes next to Allow Invicti to discover APIs from targets.

Zero configuration API discovery is now enabled and starts checking your existing cloud targets for APIs. After the initial check, zero configuration discovery re-checks cloud targets for new APIs every 48 hours.

What happens when APIs are discovered?

When any Swagger2 or OpenAPI3 specification files are identified and retrieved, these appear on the API Inventory page in Invicti. From the API Inventory, each discovered API can be linked to a target, which ensures the API is always scanned whenever the linked target is scanned by Invicti.

For instructions on how to do this, refer to the documentation on linking and unlinking discovered APIs to targets.

Important

If you later turn off zero configuration API discovery, any APIs that have already been discovered remain in the API Inventory. However, the API definitions are no longer kept up-to-date.

Frequently asked questions

Does it work independently from a scan?

Zero configuration discovery works independently of security scanning a target. It checks cloud targets for open ports and paths where API specifications may be located; it does not scan for vulnerabilities.

Is it leveraging the agent to discover APIs?

Yes, zero configuration discovery uses the cloud agent to check existing cloud targets.

Can you specify which targets are checked?

Zero configuration API discovery checks all the cloud targets you have added to Invicti. Currently, it is not possible to restrict zero configuration API discovery to specific targets.

Does it work with internal and external targets?

Targets that are leveraging cloud agents are checked.

Which ports and paths are checked?

Zero configuration API discovery checks the following ports: 80, 81, 443, 3000, 5000, 7000, 8000, 8008, 8080, 8081, 8083, 8088, 8090, 8181, 8443, and 8888.

For each open port, the system checks a large set of common paths where OpenAPI3 and Swagger2 API specifications are typically located, for example <targetURL>/api/v1/swagger.json.

How can you identify which APIs were discovered by Invicti?

When API specifications are added to the API Inventory, each file is labeled with the source. APIs that have been identified and retrieved by zero configuration API discovery have the source label: discovered by Invicti.

What data is collected?

Zero configuration API discovery collects only the endpoints of discovered OpenAPI3 and Swagger2 APIs, which are reported to the API Inventory. Invicti does not save the requests and responses used to identify the APIs: that data is parsed and analyzed but not stored.
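As an added illustration of the two steps described above (validating the type and format of a retrieved specification file, then keeping only its endpoints for the inventory), here is an example ingestion routine. It is not Invicti's code; the sample bodies and the minimal validation rules are constructed for the example, and only JSON bodies are handled.

```python
import json
from typing import Dict, List, Tuple

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def classify_spec(doc: dict) -> str:
    """Return 'swagger2', 'openapi3' or 'unknown' from the version field."""
    if str(doc.get("swagger", "")).startswith("2."):
        return "swagger2"
    if str(doc.get("openapi", "")).startswith("3."):
        return "openapi3"
    return "unknown"

def validate_spec(doc: dict) -> str:
    """Minimal type/format check before a file is accepted into the inventory.
    Raises ValueError for anything that is not a well-formed Swagger2/OpenAPI3 document."""
    kind = classify_spec(doc)
    if kind == "unknown":
        raise ValueError("not a Swagger2 or OpenAPI3 document")
    if not isinstance(doc.get("info"), dict) or "title" not in doc["info"]:
        raise ValueError("missing required info.title")
    if not isinstance(doc.get("paths"), dict):
        raise ValueError("missing required paths object")
    return kind

def extract_endpoints(doc: dict) -> List[Tuple[str, str]]:
    """Collect (METHOD, path) pairs only; nothing else from the file is kept."""
    endpoints = []
    for path, item in doc["paths"].items():
        if not isinstance(item, dict):
            continue
        for key in item:  # skip non-operation keys such as 'parameters'
            if key.lower() in HTTP_METHODS:
                endpoints.append((key.upper(), path))
    return sorted(endpoints)

def ingest(raw: str) -> Dict[str, object]:
    """Parse a retrieved body and return only what the inventory stores."""
    doc = json.loads(raw)
    kind = validate_spec(doc)
    return {"type": kind, "title": doc["info"]["title"], "endpoints": extract_endpoints(doc)}

# Constructed sample bodies, as they might be retrieved from <targetURL>/api/v1/swagger.json
SWAGGER2_SAMPLE = json.dumps({"swagger": "2.0", "info": {"title": "Orders", "version": "1"},
    "paths": {"/orders": {"get": {}, "post": {}}, "/orders/{id}": {"get": {}, "delete": {}}}})
OPENAPI3_SAMPLE = json.dumps({"openapi": "3.0.3", "info": {"title": "Users", "version": "1"},
    "paths": {"/users": {"get": {}, "parameters": []}}})
NOT_A_SPEC = json.dumps({"status": "ok"})  # e.g. a health endpoint answering on a checked path
```

Calling `ingest()` on each sample accepts the two specifications and raises `ValueError` for the health-check body, so a non-specification response never reaches the inventory.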

Are APIs found during a security scan added to the API Inventory?

APIs that are detected during a security scan of a target are not added to the API Inventory. Only APIs discovered by zero configuration discovery or through one of the other API discovery sources are added to the API Inventory.

How often does it check targets for new APIs?

After the initial check when you first enable zero configuration discovery, it re-checks cloud targets for new APIs every 48 hours (provided you keep zero configuration discovery enabled).
