
Introduction

ASM scanners identify assets to add to the Escape Platform.

Alongside discovery, the ASM scanners also run surface scanning on the discovered assets to give a first view of each asset's risks.

Example

Here is an example configuration:

---
exploration_scope:
- dev.escape.tech
- staging.escape.tech
inference:
  null_is_unauthenticated: true
  scalars:
    my_custom_scalar:
      description: API keys internal to my organization. Should not be committed or
        exposed to internet.
      examples:
      - org_ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP
      ignored_names: []
      ignored_pattern: null
      is_sourceable: true
      names:
      - org_key
      - organization_key
      parents: []
      pattern: ^org_[A-Z]{32}$
      raise_on_commit: true
      raise_on_exposure: true
      sensitivity: HIGH
      strategy: key_or_value
network:
  cancel_unhealthy_scan_after: 120
  custom_headers:
    my-header:
    - value1
    - value2
    x-scanned-by:
    - escape.tech
  escape_user: true
  ff_frontend_next_sender: false
  ff_next_sender: true
  request_timeout_s: 2
  requests_per_second: 1000
port_scanning:
  ports:
  - 80
  - 443
  - 22
  - 8080
service_discovery:
  base_urls_delimiters:
  - ^.*/api/v1/
  - ^.*/api/v2/
  base_urls_wordlist:
  - https://api.example.com
  blocklisted_domains: []
  endpoints_wordlist: []
  graphql_endpoints_wordlist: []
  user_agents: []
subdomain_enumeration:
  blocklist:
  - ^.*\.example\.org$

Configuration reference

Fields

CustomScalarConfig

description

Type : string

The description of the scalar.

examples

Type : List[string]*

Sample values for the scalar (used in the explore phase as default values).

ignored_names

Type : List[string]*

Names to ignore for the scalar.

ignored_pattern

Type : string

Regex to ignore for the scalar.

is_sourceable

Type : boolean

Use this scalar in the Agentic Exploration of the API.

If true, the scalar will be reinjected during the Agentic Exploration of the API.

names

Type : List[string]*

Possible names for the scalar.

parents

Type : List[ScalarParent]*

Root types the scalar is compatible with.

pattern

Type : string

Regex that the scalar value must match.

raise_on_commit

Type : boolean

Mark this scalar as non-committable.

If Escape finds this scalar in a git repository, an issue will be raised.

raise_on_exposure

Type : boolean

Mark this scalar as non-exposable.

If Escape finds this scalar in any HTTP request or response, an issue will be raised.

sensitivity

Type : ScalarSensitivity

Data sensitivity level.

Values MEDIUM and HIGH will serve to raise Sensitive Data issues in Escape.

strategy

Type : MatchingStrategy

The detection strategy.
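The fields above are only useful if `pattern`, `examples` and `names` agree with each other, and the page does not say how to check that before a scan runs. The following is an added example, not code from Escape: it validates a CustomScalarConfig (regex compiles, every example matches `pattern` and is not excluded by `ignored_pattern`, a key-based strategy has names) and then runs the scalar over a constructed JSON response. The matching semantics are an assumption, since the page lists the MatchingStrategy values without defining them: a key hit is a JSON key listed in `names` (minus `ignored_names`), a value hit is a string matching `pattern`, and `key_or_value` accepts either; the `*_strict` variants are not modelled.

```python
from __future__ import annotations

import json
import re

# Constructed custom-scalar config, mirroring the page's my_custom_scalar example
# (the page ships no validator; this whole block is an added example).
ORG_KEY_SCALAR = {
    "names": ["org_key", "organization_key"],
    "ignored_names": [],
    "pattern": r"^org_[A-Z]{32}$",
    "ignored_pattern": None,
    "examples": ["org_ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP"],
    "strategy": "key_or_value",
}


def validate_scalar(cfg: dict) -> list[str]:
    """Return the problems found in a CustomScalarConfig; [] means it is self-consistent."""
    problems = []
    try:
        pattern = re.compile(cfg["pattern"])
    except re.error as exc:
        return [f"pattern does not compile: {exc}"]
    ignored = re.compile(cfg["ignored_pattern"]) if cfg.get("ignored_pattern") else None
    for example in cfg.get("examples", []):
        # Examples are reinjected as default values in the explore phase, so each one
        # must be something the pattern itself would flag, or the config is inconsistent.
        if not pattern.search(example):
            problems.append(f"example {example!r} does not match pattern")
        elif ignored and ignored.search(example):
            problems.append(f"example {example!r} is excluded by ignored_pattern")
    if cfg["strategy"].startswith("key") and not cfg.get("names"):
        problems.append("key-based strategy but names is empty")
    return problems


def _leaves(node, path="", key=None):
    """Yield (json_path, enclosing_key, value) for every scalar in a parsed JSON body."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _leaves(v, f"{path}.{k}" if path else k, k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _leaves(v, f"{path}[{i}]", key)
    else:
        yield path, key, node


def find_matches(cfg: dict, body: str) -> list[str]:
    """Return the JSON paths in `body` that the scalar would flag.

    Assumed semantics (not defined on the page): key hit = enclosing key in `names`
    minus `ignored_names`; value hit = string matching `pattern` and not
    `ignored_pattern`; key_or_value = either. The *_strict variants are not modelled.
    """
    strategy = cfg["strategy"]
    if strategy not in ("key", "value", "key_or_value"):
        raise ValueError(f"strategy {strategy!r} is not modelled in this example")
    pattern = re.compile(cfg["pattern"])
    ignored = re.compile(cfg["ignored_pattern"]) if cfg.get("ignored_pattern") else None
    names = set(cfg["names"]) - set(cfg.get("ignored_names", []))
    hits = []
    for path, key, value in _leaves(json.loads(body)):
        key_hit = key in names
        value_hit = (
            isinstance(value, str)
            and pattern.search(value) is not None
            and not (ignored and ignored.search(value))
        )
        if {"key": key_hit, "value": value_hit, "key_or_value": key_hit or value_hit}[strategy]:
            hits.append(path)
    return hits


# Constructed API response: one field matches by name and value, one by value only
# (key not in `names`), one by name only (value does not fit the pattern).
SAMPLE_RESPONSE = json.dumps({
    "user": {
        "organization_key": "org_" + "A" * 32,
        "api_token": "org_" + "B" * 32,
        "org_key": "redacted",
    },
    "items": [{"id": 1, "note": "org_lowercase_is_not_a_match"}],
})

if __name__ == "__main__":
    print(validate_scalar(ORG_KEY_SCALAR))
    print(find_matches(ORG_KEY_SCALAR, SAMPLE_RESPONSE))
    print(find_matches({**ORG_KEY_SCALAR, "strategy": "key"}, SAMPLE_RESPONSE))
```

The interesting case is `api_token`: its name is not in `names`, so a `key` strategy misses it while `value` and `key_or_value` catch it through the pattern. That is the reason to prefer a value-based strategy for secrets whose format is known, and to keep `pattern` tight enough (anchors, exact length) that it does not also fire on unrelated strings.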

InferenceConfig

Inference configures how Escape detects secrets exposed by the API or in files.

The inference is also used to reinject IDs in the DAST scanners.

null_is_unauthenticated

Type : boolean

Consider empty API responses as unauthenticated.

To improve error inference, if your API always returns a response but without data when the user is unauthenticated, set this to true.

scalars

Type : Dict[CustomScalarConfig]

The user-defined scalars.

NetworkConfig

cancel_unhealthy_scan_after

Type : integer

The maximum time in seconds to wait for the scan to be healthy before canceling it.

custom_headers

Type : Dict[string, List[string]]

Custom headers to add to the requests.

escape_user

Type : boolean

Add the X-Escape-User header to the requests.

ff_frontend_next_sender

Type : boolean

Feature flag to enable the new sender in the frontend DAST.

ff_next_sender

Type : boolean

Feature flag to enable the new sender.

request_timeout_s

Type : integer

The maximum timeout duration for each request (in seconds).

requests_per_second

Type : integer

The maximum number of requests per second.

PortScannerConfig

Configuration for the port scanner.

ports

Type : List[integer]*

List of ports to scan. If empty, most common ports will be scanned.

ServiceDiscoveryConfig

Configuration for the service discovery.

base_urls_delimiters

Type : List[string]*

List of delimiters to use to split the crawled URLs into services.

If you want to customize how Escape splits crawled URLs into services, you can use this list.

Each regex in this list is matched against every crawled URL. Of the delimiters that match a given URL, the one that leaves the smallest right-hand part wins: that remainder is used as the endpoint, and the matched left part as the service.

Example:

base_urls_delimiters:
  - '^.*/api/v1/'
  - '^.*/api/v2/'
  # others delimiters ...
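To see what the "smallest right part" rule does to a crawl, here is an added example (not Escape's own code) that applies the delimiters above to a constructed list of crawled URLs. It assumes each delimiter is matched from the start of the URL with `re.match` (consistent with the `^.*` prefix in the page's examples) and that a URL matched by no delimiter is kept whole as its own service; the page does not say what Escape does in that last case.

```python
import re

# Constructed delimiter list, copied from the page's base_urls_delimiters example.
BASE_URLS_DELIMITERS = [r"^.*/api/v1/", r"^.*/api/v2/"]

# Constructed crawl output (not real Escape data).
CRAWLED_URLS = [
    "https://api.example.com/api/v1/users",
    "https://api.example.com/api/v1/users/42",
    "https://api.example.com/api/v2/orders",
    "https://api.example.com/health",
]


def split_service(url, delimiters):
    """Split one crawled URL into (service, endpoint).

    Each delimiter is matched from the start of the URL (assumption: re.match). Of the
    delimiters that match, the one leaving the smallest right-hand part wins; that
    remainder is the endpoint and the matched left part is the service. A URL that no
    delimiter matches is returned whole as its own service (assumed fallback).
    """
    best = None
    for delimiter in delimiters:
        match = re.match(delimiter, url)
        if match is None:
            continue
        service, endpoint = url[: match.end()], url[match.end():]
        if best is None or len(endpoint) < len(best[1]):
            best = (service, endpoint)
    return best if best is not None else (url, "")


def group_services(urls, delimiters):
    """Map service base URL -> sorted list of endpoints discovered under it."""
    services = {}
    for url in urls:
        service, endpoint = split_service(url, delimiters)
        services.setdefault(service, set()).add(endpoint)
    return {service: sorted(endpoints) for service, endpoints in services.items()}


if __name__ == "__main__":
    for service, endpoints in group_services(CRAWLED_URLS, BASE_URLS_DELIMITERS).items():
        print(service, endpoints)
```

The rule matters when delimiters nest: with both `^.*/api/` and `^.*/api/v1/` configured, `https://api.example.com/api/v1/users` is assigned to the `/api/v1/` service because that leaves the shorter remainder `users`, not to `/api/` with remainder `v1/users`. Overly broad delimiters therefore do not swallow the specific ones, but a delimiter that matches nothing leaves every URL as its own service, which inflates the asset count rather than reporting an error.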

base_urls_wordlist

Type : List[string]*

Wordlist of base URLs to try to discover services on.

blocklisted_domains

Type : List[string]*

List of regexes to filter out domains from service discovery.

If you don't want Escape to explore a specific domain, you can skip it here.

Example:

blocklisted_domains:
  - 'auth\.example\.com' # Skip one domain
  - '.*\.example\.com' # Skip all subdomains of example.com
  - 'auth' # Greedy match: will skip any domain that contains "auth" anywhere

endpoints_wordlist

Type : List[string]*

Wordlist of endpoints to try to discover services on.

graphql_endpoints_wordlist

Type : List[string]*

Wordlist of GraphQL endpoints to try to discover services on.

If you want to customize how Escape discovers GraphQL services, define a wordlist of endpoints to try. By default, Escape tries the most common GraphQL endpoints. If multiple endpoints match, Escape retains the first one.

Example:

graphql_endpoints_wordlist:
  - '/graphql'
  - '/api/graphql'
  - '/v1/graphql'
  - '/appsync'
  # others endpoints to test ...

user_agents

Type : List[string]*

List of user agents to use for the service discovery.

The user agent with the best HTTP status will be used.

Example:

user_agents:
  - 'curl/8.6.0'
  - 'python-requests/2.31.0'

SubdomainEnumerationConfig

blocklist

Type : List[string]*

List of regexes to filter out subdomains from enumeration.

If a subdomain matches one of the regexes, it will not be enumerated.

Example:

blocklist:
  - '^example\.com$' # Skip one domain
  - '^.*\.example\.org$' # Skip all subdomains of example.org
  - 'auth' # Greedy match: will skip any subdomain that contains "auth" anywhere
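Both blocklists on this page (`blocklisted_domains` under service discovery and `blocklist` under subdomain enumeration) are regexes applied with a greedy, substring-style match, which is easy to get wrong in both directions. The following is an added example, not Escape's own code, that reproduces that behaviour with `re.search` over a constructed host list so the difference between an unanchored pattern, an anchored one, and an unescaped dot can be seen before a scan silently skips (or fails to skip) hosts. The host names are made up.

```python
import re

# Constructed hosts, standing in for what subdomain enumeration or service discovery
# might turn up around example.com (not real Escape output).
CANDIDATES = [
    "example.com",
    "auth.example.com",
    "oauth.example.com",
    "authors.example.com",
    "api.example.com",
    "api.example.org",
    "examplexcom.net",
]


def is_blocked(host, blocklist):
    """True if any blocklist regex matches anywhere in the host.

    re.search rather than re.match reproduces the page's "greedy match" note: an
    unanchored pattern such as 'auth' hits every host that merely contains it.
    """
    return any(re.search(pattern, host) for pattern in blocklist)


def apply_blocklist(hosts, blocklist):
    """Return the hosts that survive the blocklist, in their original order."""
    return [host for host in hosts if not is_blocked(host, blocklist)]


if __name__ == "__main__":
    # Substring match: also drops oauth.* and authors.*, which is rarely intended.
    print(apply_blocklist(CANDIDATES, ["auth"]))
    # Anchored and dot-escaped: drops exactly one host.
    print(apply_blocklist(CANDIDATES, [r"^auth\.example\.com$"]))
    # Unescaped dot: 'example.com' also matches 'examplexcom.net'.
    print(apply_blocklist(CANDIDATES, ["example.com"]))
    # Anchored subdomain wildcard: drops every *.example.com but keeps the apex.
    print(apply_blocklist(CANDIDATES, [r"^.*\.example\.com$"]))
```

Two practical notes. First, because the match is a substring search, anchor patterns with `^` and `$` unless you really mean "anywhere in the name"; `"auth"` excludes `oauth.` and `authors.` hosts from the attack surface, which is exactly the kind of asset an ASM scan exists to find. Second, write the regexes in single quotes in YAML: inside a double-quoted YAML scalar `\.` is not a recognised escape sequence, so a YAML parser rejects the value rather than passing a literal backslash-dot through to the regex engine.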

Enums

MatchingStrategy

Value
key
key_strict
value
value_strict
key_or_value
key_or_value_strict
key_strict_or_value
key_and_value_strict

ScalarParent

Value
String
Int
Float
Boolean

ScalarSensitivity

Value
NONE
LOW
MEDIUM
HIGH