Reference
Scan Parameters
Example
Here is an example of a ScanParams
object:
scan:
blacklist:
routes:
- path: "/a/path/to/blacklist"
method: GET
- path: "/another/path/to/blacklist"
method: POST
hotstart:
- |-
POST /register HTTP/1.1
Host: example.com
Content-Type: application/json
Content-Length: 194
{"my": "data"}
- |+
GET /users HTTP/1.1
Host: example.com
Content-Type: application/json
Content-Length: 194
profile: surface | marketing | cicd | default | deep | unrestricted
read_only: true | false
scalars:
SSET:
description: The Super Secret Example Token is internal to our company and should
never been exposed by any APIs.
examples:
- SSET-ABC12
names:
- SSET
- super_secret_example_token
- SuperSecretExampleToken
parents:
- String
patterns:
- SSET-[A-Z0-9]{5}
sensitivity: HIGH
detection: key_or_value_strict
entropy: 2
BlackListParams
Property | Type | Required | Description | Reference |
---|---|---|---|---|
routes | BlacklistRouteRule | False | BlacklistRouteRule | |
query | string | False | ||
mutation | string | False | ||
subscription | string | False | ||
objects | string | False |
BlacklistRouteRule
Property | Type | Required | Description | Reference |
---|---|---|---|---|
method | string | False | The method is an HTTP method (GET, POST, PUT, DELETE, etc.). | |
path | string | False | The path is a valid OpenAPI path. |
ScanParams
Property | Type | Required | Description | Reference |
---|---|---|---|---|
profile | ScanProfile | False | The scan profile | ScanProfile |
read_only | boolean | False | The choosen mode for the tested API. Default mode is read-write and suited to development environment. The read_only mode is safe for production environments, but will reduce the number of tests performed and the scan coverage.. | |
hotstart | string | False | Raw queries to hotstart the API exploration. | |
blacklist | BlackListParams | False | The operations that will be skipped by security tests. See more in the dedicated documentation section.. | BlackListParams |
scalars | Dict[string, CustomScalarParams] | False | The user's defined scalars. | CustomScalarParams |
api_type | ApiType | False | ApiType | |
null_is_unauthenticated | boolean | False | In order to improve error inference, on some scans we want to be able to consider that a null aswerimplies that the request should have been authenticated | |
hotstart_only | boolean | False | If true, the scan will only perform the hotstart phase and stop after. | |
force_full_scan | boolean | False | Will perform a full scan, without listening your API health and timeout. It may degrade your results quality but will unsure that all your operations are checked. | |
frontend_scopes_regexes | string | False | The list of extra regexes to match the frontend scopes. | |
frontend_base_urls | Dict[string, integer] | False | A map of additional base URLs to scan with their respective depth. |
ScanProfile
surface
marketing
cicd
default
deep
unrestricted
Client Parameters
Example
Here is an example of a ClientParams
object:
client:
proxy:
type: escape | http | repeater
request_timeout: 5
requests_per_minute: 50 * 60
ClientParams
Property | Type | Required | Description | Reference |
---|---|---|---|---|
request_timeout | integer | False | The maximum timeout duration for each request (in seconds). See more in the dedicated documentation section. | |
requests_per_minute | integer | False | The maximum number of request per minute. Which will be used on a per second window. | |
proxy | RepeaterProxyType HTTPProxyType EscapeProxyType | False | The Proxy to use for the requests. See more in the Scan Internal APIs documentation section. |