Table of Contents

API Security Audit

Rama Sadhu Updated by Rama Sadhu

Introduction 

Indusface WAS helps to test the APIs for identifying vulnerabilities. The scan process involves inspecting requests and identifying vulnerabilities and potential errors in the APIs. This helps API functionality and user experience. Also, customers can self-onboard the APIs and perform scans.

 

How to Register for API Scanning? 

  1. Sign-up for Indusface WAS API Scanning
  2. Select a plan that fulfills your requirements and click Proceed
  3. Enter the URL in the respective field and click Proceed
  4. Provide your valid email address in the respective field to send verification link. (or) 
If email verification is not possible, click “Verify through other method”. 
  1. Click on the Modify button to change the URL. 
  2. Go to the provided email inbox to check the verification link. Click on the received link to verify. 
  3. Once email verification is completed successfully, you’ll be redirected to a new page to perform API scanning. 

Run API Scan

  1. Upload the postman file. 
  2. Click Test Now
A sample API file is provided to understand the structure of JSON file. 
The maximum postman file limit is 10MB. 
  1. Once the file is uploaded successfully, you’ll be redirected to a new page that contains the basic information of the postman file and required inputs to initiate the scan. 
  2. For Trail plan users, only 5 APIs can be scannable. 
  3. For Advance plan customers, either they can scan specific endpoints or all endpoints available in the postman file.

Parameter 

Description 

Scan Target Domain 

This field displays the onboarded domain name. 

Testing Status 

The green line indicates that  

Scannable API 

This field shows the number of APIs scannable from the uploaded postman file. 

APIs to Fix 

The number of APIs needs to be fixed, and customers resolve these APIs. 

Display 

Customer can show all the APIs from the postman file or select by first 10APIs or 25 APIs. 

Name 

API/ Endpoint name is displayed here. 

Method 

HTTP method used for CRUD actions. 

URL 

Endpoint or URL provides web address. 

Status Code 

Status codes are three-digit numbers that indicate the response of HTTP request. 

2XX- Success Responses 

3XX- Redirection Responses 

4XX- Client Error Responses 

5XX-Server Error Responses 

Parameter 

Parameters are added in HTTP request for customizing or modifying the request body. 

Once the user clicks on the Start Scan, user’ll be navigated to API Security Dashboard.  

API Security Dashboard 

Web Applications: 

Click on the drop-down menu to either select any one website or all sites. 

API Security Dashboard contains scan details, host details, list of URLs, Top threats, and so on. 

Scan Details 
  1. Scan Completed – The total number of scans successfully completed. 
  2. Scan Running – The total number of scans in progress.  
  3. Total API Hosts onboarded- The total number of hosts/ domain URLs onboarded. 
  4. Total vulnerabilities found- All the vulnerabilities found during the scans. 
  5. Total endpoints scanned- All the endpoints scanned.  
API Host Details 
  1. API Host Name – Domain Name or Site Name is displayed. 
  2. Total Endpoints- Count of Endpoints displayed. 
  3. Severity- The total number of CHM (Critical, High, Medium) vulnerabilities found during the scan. 
  4. Last Scan- Recent scan date. 
  5. Scan Status- Scan status such as completed, or scan error is displayed after completion of scan. 
  6. Action- Action field lets the customer to upload a different JSON / Postman file, select endpoints and initiate a new scan.
Add API Host: 

Click on the Add API Host button to onboard website for API Scan. Click here for the onboarding process. 

Discovered API Hosts 

The list of API resources discovered is displayed in this table.  

The action field in the table helps customers with email verification, onboard the discovered API host, or mark false positive. 

  1. Onboard discovered API Host – Click Add Website to add API host and for the onboarding process click here
  2. If any API Host is discovered incorrectly or identified as false positive, click false positive icon. After customer confirmation, API host is marked as False positive.

Most Affected Endpoints - This table displays the most affected endpoints with their host names and count of vulnerabilities.

 List of URls- This table shows the total list of URLs along with their scan status.

API Catalog 

This section explains the details of onboarded API hosts and their details, also scanned APIs details. 

Parameter 

Description 

Host Name 

The onboarded API Host name is displayed here. Also, each endpoint scanned, and the API request HTTP method also added. 

Status Code 

This field shows the HTTP response code. 

Vulnerabilities 

This field shows the total count of CHM vulnerabilities found during the scan. 

Scanned On 

API Scan date is displayed here. 

 Top Threats Identified During the Last Scan- This table shows the list of vulnerabilities with details like vulnerability title, severity, count, and the count of impacted sites.

Aging Summary- This table shows the number of CHM (Critical, High, Medium) vulnerabilities identified during the last 30 days, last 90 days, and last 180 days.

Threats Identified During Last Successful Scan- The pie chart displays the number of vulnerabilities identified in the last scan by severity.

OWASP Summary- This plot shows the data of number of vulnerabilities found and their OWASP category details and vulnerability title.

Vulnerability Trend for Past Weeks- This plot shows the data for vulnerabilities found in the three weeks based on their severity.

How did we do?

Application Audit[AA]

Contact

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.