# API DAST Reference

## Scan Parameters
### Example

Here is an example of a `ScanParams` object:

```yaml
scan:
  blacklist:
    routes:
      - path: "/a/path/to/blacklist"
        method: GET
      - path: "/another/path/to/blacklist"
        method: POST
  hotstart:
    - |-
      POST /register HTTP/1.1
      Host: example.com
      Content-Type: application/json
      Content-Length: 194

      {"my": "data"}
    - |+
      GET /users HTTP/1.1
      Host: example.com
      Content-Type: application/json
      Content-Length: 194
  profile: surface | marketing | cicd | default | deep | unrestricted
  read_only: true | false
  scalars:
    SSET:
      description: The Super Secret Example Token is internal to our company and should never be exposed by any APIs.
      examples:
        - SSET-ABC12
      names:
        - SSET
        - super_secret_example_token
        - SuperSecretExampleToken
      parents:
        - String
      patterns:
        - SSET-[A-Z0-9]{5}
      sensitivity: HIGH
      detection: key_or_value_strict
      entropy: 2
```
### BlackListParams

| Property | Type | Required | Description | Reference |
|---|---|---|---|---|
| routes | BlacklistRouteRule | False | | BlacklistRouteRule |
| query | string | False | | |
| mutation | string | False | | |
| subscription | string | False | | |
| objects | string | False | | |
### BlacklistRouteRule

| Property | Type | Required | Description | Reference |
|---|---|---|---|---|
| method | string | False | The method is an HTTP method (GET, POST, PUT, DELETE, etc.). | |
| path | string | False | The path is a valid OpenAPI path. | |
### CustomScalarParams

| Property | Type | Required | Description | Reference |
|---|---|---|---|---|
| description | string | True | The description of the scalar. | |
| examples | string | False | Sample values for the scalar (used in the explore phase as default values). | |
| names | string | False | Possible names for the scalar. | |
| parents | string | False | Default type the scalar is compatible with. | |
| patterns | string | False | Regex patterns describing valid values for the scalar (used by the checks). | |
| sensitivity | ScalarSensitivity | False | Data sensitivity level. Allowed values are NONE, LOW, MEDIUM and HIGH. Values MEDIUM and HIGH will raise Sensitive Data issues in Escape. | ScalarSensitivity |
| strategy | MatchingStrategy | False | The detection strategy (key_or_value by default). | MatchingStrategy |
| entropy | number | False | The minimum Shannon entropy of the matched value. | |
### ScanParams

| Property | Type | Required | Description | Reference |
|---|---|---|---|---|
| profile | ScanProfile | False | The scan profile. | ScanProfile |
| read_only | boolean | False | The chosen mode for the tested API. The default mode is read-write and is suited to development environments. The read_only mode is safe for production environments, but reduces the number of tests performed and the scan coverage. | |
| hotstart | string | False | Raw queries used to hotstart the API exploration. | |
| blacklist | BlackListParams | False | The operations that will be skipped by security tests. See more in the dedicated documentation section. | BlackListParams |
| scalars | Dict[string, CustomScalarParams] | False | The user-defined scalars. | CustomScalarParams |
| api_type | ApiType | False | | ApiType |
| null_is_unauthenticated | boolean | False | To improve error inference, on some scans a null answer is treated as meaning that the request should have been authenticated. | |
| hotstart_only | boolean | False | If true, the scan only performs the hotstart phase and then stops. | |
| force_full_scan | boolean | False | Performs a full scan without monitoring your API's health or the timeout. It may degrade the quality of your results, but ensures that all your operations are checked. | |
| frontend_scopes_regexes | string | False | The list of extra regexes used to match the frontend scopes. | |
| frontend_base_urls | Dict[string, integer] | False | A map of additional base URLs to scan, each with its respective depth. | |
### ApiType

- API_TYPE_GRAPHQL
- API_TYPE_REST

### MatchingStrategy

- key
- key_strict
- value
- value_strict
- key_or_value
- key_or_value_strict
- key_strict_or_value
- key_and_value_strict

### ScalarSensitivity

- NONE
- LOW
- MEDIUM
- HIGH

### ScanProfile

- surface
- marketing
- cicd
- default
- deep
- unrestricted
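As an added example (not Escape's own code and not part of this reference), the following Python script checks a `ScanParams` document before it is handed to the scanner: it confirms that each custom scalar's examples fully match its patterns and clear the configured entropy floor, decides whether a given method and path are covered by the blacklist routes, and parses the raw `hotstart` requests to catch a missing `Host` header or a `Content-Length` that disagrees with the body. The configuration is a constructed dict standing in for the YAML above; the templated route `/users/{id}/export`, the one-segment interpretation of an OpenAPI `{param}`, the rule that a route without a method applies to every method, and all function names are assumptions of this example rather than behaviour documented here.

```python
import math
import re

# Constructed ScanParams document: a Python dict standing in for the YAML example on this
# page (the constructed hotstart Content-Length matches its real body size).
SCAN = {
    "profile": "default",
    "hotstart": [
        "POST /register HTTP/1.1\nHost: example.com\nContent-Type: application/json\n"
        "Content-Length: 14\n\n{\"my\": \"data\"}",
    ],
    "blacklist": {"routes": [
        {"path": "/a/path/to/blacklist", "method": "GET"},
        {"path": "/users/{id}/export", "method": "POST"},  # constructed templated route
    ]},
    "scalars": {"SSET": {
        "description": "Super Secret Example Token, internal only.",
        "examples": ["SSET-ABC12"],
        "names": ["SSET", "super_secret_example_token", "SuperSecretExampleToken"],
        "parents": ["String"],
        "patterns": [r"SSET-[A-Z0-9]{5}"],
        "sensitivity": "HIGH",
        "entropy": 2,
    }},
}
SCAN_PROFILES = {"surface", "marketing", "cicd", "default", "deep", "unrestricted"}
SENSITIVITIES = {"NONE", "LOW", "MEDIUM", "HIGH"}


def shannon_entropy(value: str) -> float:
    """Shannon entropy of `value` in bits per character (0.0 for empty or constant strings)."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def validate_scalar(name: str, spec: dict) -> list:
    """Problems with one CustomScalarParams entry: every example must fully match a
    pattern and clear the entropy floor, or the scalar would never be detected."""
    problems = []
    if spec.get("sensitivity", "NONE") not in SENSITIVITIES:
        problems.append(f"{name}: unknown sensitivity {spec['sensitivity']!r}")
    compiled = []
    for pat in spec.get("patterns", []):
        try:
            compiled.append(re.compile(pat))
        except re.error as exc:
            problems.append(f"{name}: pattern {pat!r} does not compile: {exc}")
    for ex in spec.get("examples", []):
        if compiled and not any(p.fullmatch(ex) for p in compiled):
            problems.append(f"{name}: example {ex!r} matches none of the patterns")
        if shannon_entropy(ex) < spec.get("entropy", 0):
            problems.append(f"{name}: example {ex!r} is below the entropy floor")
    return problems


def route_is_blacklisted(blacklist: dict, method: str, path: str) -> bool:
    """True when a blacklist route rule covers this method and concrete path.
    Assumption: an OpenAPI "{param}" segment stands for exactly one path segment,
    and a rule without a method applies to every method."""
    for rule in blacklist.get("routes", []):
        rule_method = rule.get("method")
        if rule_method and rule_method.upper() != method.upper():
            continue
        regex = "".join(r"[^/]+" if part.startswith("{") else re.escape(part)
                        for part in re.split(r"(\{[^/}]+\})", rule["path"]))
        if re.fullmatch(regex, path):
            return True
    return False


def parse_hotstart(raw: str) -> dict:
    """Split one raw HTTP/1.1 request (as used in scan.hotstart) into its parts, flagging
    a missing Host header or a Content-Length that disagrees with the body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, val = line.partition(":")
        headers[key.strip().lower()] = val.strip()
    problems = []
    if "host" not in headers:
        problems.append(f"{method} {target}: missing Host header")
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body.encode()):
        problems.append(f"{method} {target}: Content-Length {declared} != body size {len(body.encode())}")
    return {"method": method, "path": target, "headers": headers, "body": body, "problems": problems}


def validate_scan(scan: dict) -> list:
    """All problems found in a ScanParams document (an empty list means it looks sound)."""
    problems = [] if scan.get("profile", "default") in SCAN_PROFILES else [f"unknown profile {scan['profile']!r}"]
    for name, spec in scan.get("scalars", {}).items():
        problems.extend(validate_scalar(name, spec))
    for raw in scan.get("hotstart", []):
        problems.extend(parse_hotstart(raw)["problems"])
    return problems
```

Running `validate_scan(SCAN)` on the constructed document returns an empty list; lower-casing the example to `SSET-abc12` makes the pattern check fail, and a hotstart request whose declared length does not match its body is reported before the scanner ever sends it.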
## Client Parameters

### Example

Here is an example of a `ClientParams` object:

```yaml
client:
  proxy:
    type: escape | http | repeater
  request_timeout: 5
  requests_per_minute: 50 * 60
```
### ClientParams

| Property | Type | Required | Description | Reference |
|---|---|---|---|---|
| request_timeout | integer | False | The maximum timeout duration for each request (in seconds). See more in the dedicated documentation section. | |
| requests_per_minute | integer | False | The maximum number of requests per minute, enforced over a per-second window. | |
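As an added example (not Escape's own code and not part of this reference), the following Python snippet shows what "enforced over a per-second window" means in practice for the two `ClientParams` fields: the per-minute budget is divided into sixty one-second windows, a request is only sent once the current window has a free slot, and every request carries `request_timeout` as its timeout. The `CLIENT` dict is constructed from the YAML above with `50 * 60` written out as `3000` (the reference declares the field as an integer); the even spread over sixty windows, the `FakeClock`, and all class and function names are assumptions of this example, not behaviour documented here.

```python
import time

# Constructed ClientParams mirroring the YAML example on this page; "50 * 60" is written
# out as its value because the reference declares the field as an integer.
CLIENT = {"request_timeout": 5, "requests_per_minute": 3000}


def per_second_budget(requests_per_minute: int) -> int:
    """Requests allowed in any one-second window.
    Assumption: the per-minute figure is spread evenly over 60 one-second windows."""
    if requests_per_minute < 1:
        raise ValueError("requests_per_minute must be positive")
    return max(1, requests_per_minute // 60)


class PerSecondWindowLimiter:
    """Fixed one-second window limiter; `clock` is injectable so tests are deterministic."""

    def __init__(self, requests_per_minute: int, clock=time.monotonic):
        self.budget = per_second_budget(requests_per_minute)
        self.clock = clock
        self.window_start = None
        self.used = 0

    def try_acquire(self) -> bool:
        """Consume one slot and return True if the current window still has capacity."""
        now = self.clock()
        if self.window_start is None or now - self.window_start >= 1.0:
            self.window_start, self.used = now, 0
        if self.used >= self.budget:
            return False
        self.used += 1
        return True

    def seconds_until_slot(self) -> float:
        """Time to wait before the next window opens (0.0 when a slot is free now)."""
        if self.window_start is None or self.used < self.budget:
            return 0.0
        return max(0.0, 1.0 + self.window_start - self.clock())


def throttled_call(limiter, fn, timeout: int, sleep=time.sleep):
    """Wait (via `sleep`) until the limiter grants a slot, then call fn(timeout=timeout)."""
    while not limiter.try_acquire():
        sleep(limiter.seconds_until_slot())
    return fn(timeout=timeout)


class FakeClock:
    """Manual clock so the scheduling can be checked without real waiting."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate(client: dict, n: int) -> list:
    """Schedule n requests under `client` limits; returns (send_time, timeout) per request."""
    clock = FakeClock()
    limiter = PerSecondWindowLimiter(client["requests_per_minute"], clock)
    sent = []
    for _ in range(n):
        throttled_call(limiter, lambda timeout: sent.append((clock(), timeout)),
                       client["request_timeout"], sleep=clock.advance)
    return sent
```

With the page's values, `simulate(CLIENT, 60)` sends fifty requests in the first second and the remaining ten at the one-second mark, each with a five-second timeout; a real client would pass `time.monotonic` and `time.sleep` instead of the fake clock.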