Simplified API Scanning for WebInspect (NEW)


In an earlier version of WebInspect we provided our WISwag tool, which greatly simplified scanning APIs documented in the OpenAPI (Swagger) spec. In WebInspect 19.2 we've integrated this capability across the WebInspect user interface, the WebInspect API and the WebInspect command line. In today's example we'll show off this new integration using the Swagger Petstore API example; here you can see the user-facing API documentation. Over the next couple of minutes I'll show off this improved integration by using this Swagger JSON spec file to drive very fast, easy dynamic scanning of the Petstore API from the WebInspect UI, API and command line.

To get started, click the Basic Scan Wizard, then click the API Scan option. You'll then pass in a Swagger JSON spec file; this is an OpenAPI 2.0 or 3.0 spec file. We'll paste in the path to the JSON spec file and click Next. WebInspect will parse the API definition, which gives us information about the surface area of the application that we then want to scan for vulnerabilities. Use the Advanced Settings to pass in exclusions or to do things like setting custom authentication headers. With the API scan now started, you can see we're beginning to uncover vulnerabilities. That's because WebInspect parsed the API spec file, which allows us to create custom rules that define the API endpoints and parameters that we're now auditing.

This new API scanning mode is not only available over the UI but also over WebInspect's own API. Taking a look at the WebInspect REST API in 19.2, you'll notice a new APIScanner endpoint; the OpenAPI / Start API Scan mode references our new Swagger integration. Just as in the UI, this integration provides a simple way to start an API scan with nothing more than a Swagger JSON spec, plus the scan settings name and any kind of authentication information. In this example there's no auth required for this API; if there were, we could pass a bearer token here. I'll click Try it now to start the scan. You can see the API has returned a scan ID. The scan ID can then be used with other API endpoints to pull scan statistics or export the scan, but in this example I'll just open this particular scan in the UI so that you can see the scan that has run and the vulnerabilities that were found.

Finally, we'll show off this integration with the WebInspect command line. If you're not familiar with the WebInspect command line, you can type wi -? to get details on its usage, or consult the help. In this example we'll type wi, then -u, which refers to the URL or the path to the JSON spec file; -api, which refers to whether this is a Swagger or OData API; and then we'll provide a name for the scan. When we hit Enter, the command line will begin execution of the scan and you'll get feedback including the scan ID, scan status and various bits of vulnerability information.

To wrap up, keep in mind that the WISwag utility is still available in the WebInspect install folder for more custom API scanning scenarios, and take a look at our WebInspect Postman integration video for even more advanced API scanning capabilities.
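Added illustration, not WebInspect's or WISwag's code: a small Python walk over an OpenAPI 2.0/3.0 document that enumerates the operations and parameters a scanner would audit (the "surface area" step above) and lists which operations the spec declares as unauthenticated, so you know whether the bearer token or API key mentioned above must go into the scan settings. The embedded spec is a constructed Petstore-shaped sample, not the real Petstore document.

```python
import json
from typing import List

# Constructed sample (not the real Petstore document): a minimal OpenAPI 3.0
# file with the same shape, including a security scheme on one operation.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "components": {"securitySchemes": {"api_key": {"type": "apiKey", "in": "header", "name": "api_key"}}},
  "paths": {
    "/pet/{petId}": {
      "parameters": [{"name": "petId", "in": "path", "required": true, "schema": {"type": "integer"}}],
      "get": {"summary": "Find pet by ID", "security": [{"api_key": []}]},
      "delete": {"parameters": [{"name": "api_key", "in": "header", "schema": {"type": "string"}}]}
    },
    "/pet/findByStatus": {
      "get": {"parameters": [{"name": "status", "in": "query", "required": true, "schema": {"type": "string"}}]}
    },
    "/pet": {"post": {"requestBody": {"content": {"application/json": {"schema": {"type": "object"}}}}}}
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

def enumerate_surface(spec: dict) -> List[dict]:
    """Walk an OpenAPI 2.0 ("swagger") or 3.0 ("openapi") document and return one
    record per operation: method, path, declared parameters (path-level ones merged
    in), whether a body is declared, and the security requirement in force."""
    is_v3 = "openapi" in spec
    top_security = spec.get("security", [])  # operation-level security overrides this
    surface = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            params = {(p["name"], p["in"]) for p in shared + op.get("parameters", [])}
            has_body = "requestBody" in op if is_v3 else any(
                loc in ("body", "formData") for _, loc in params)  # 2.0 body params
            surface.append({"method": method.upper(), "path": path,
                            "params": sorted(params), "body": has_body,
                            "security": op.get("security", top_security)})
    return surface

def unauthenticated_operations(surface: List[dict]) -> List[str]:
    """Operations the spec declares with no security requirement: these need no
    bearer token or API key in the scan settings, while the rest do."""
    return [f"{s['method']} {s['path']}" for s in surface if not s["security"]]
```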
