Directing Your Scan: Blocklist & Hotstart
Gain finer control over how Escape interacts with your API by employing the Blocklist and Hotstart features.
Blocklist
Identify the operations that you would like Escape to skip during its security tests. By blocklisting certain operations, you can ensure these won't be evaluated during the scan.
GraphQL
The blocklist parameter is part of the global scan keys, referenced here.
```yaml
scan:
  blocklist:
    mutation:
      - '**operationName**'
    objects:
      - '**objectName**'
    query:
      - '**queryName**'
```
REST
The blocklist parameter in REST is a list of paths and methods used to identify the routes to blocklist. The path is a valid OpenAPI path, and the method is an HTTP method (GET, POST, PUT, DELETE, etc.).
```yaml
scan:
  blocklist:
    routes:
      - path: /a/path/to/blocklist
        method: GET
      - path: /another/path/to/blocklist
        method: POST
```
You can also blocklist routes using regexes on the path. If a fullmatch is found between the path and the regex, the route will be blocklisted.
Frontend
The blocklist parameter in frontend scan is a list of paths to identify the routes to blocklist. The path is a regex expression. If a fullmatch is found between the path and the regex, the route will be blocklisted. The path can include fragments, query params...
The example above will match all the URLs starting with /user/ and ending with #profile.
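Because a blocklisted route is never tested, it is worth checking what a blocklist actually covers before running the scan. The following added example (not Escape's own code) re-implements the matching rules described above in Python: a REST route is skipped when its method matches and its path equals the configured path or fully matches it as a regex; a frontend URL is skipped when its path fully matches one of the listed regexes. The configs are constructed samples shaped like the parsed YAML, and the frontend blocklist being a plain list of regex strings is an assumption.

```python
import re

# Constructed sample configs (not from the docs), shaped like the YAML shown
# above once it has been parsed. Assumption: the frontend blocklist is a plain
# list of path regexes.
REST_CONFIG = {"scan": {"blocklist": {"routes": [
    {"path": "/admin/reset", "method": "POST"},   # literal path
    {"path": r"/internal/.*", "method": "GET"},    # regex path
]}}}
FRONTEND_CONFIG = {"scan": {"blocklist": [r"/user/.*#profile"]}}


def path_matches(pattern: str, path: str) -> bool:
    """True if the path equals the pattern or fully matches it as a regex.

    fullmatch (not search) is the documented rule: '/internal/.*' does not
    cover '/api/internal/x', and '/user/.*#profile' requires the fragment.
    """
    if pattern == path:
        return True
    try:
        return re.fullmatch(pattern, path) is not None
    except re.error:
        return False  # unparsable pattern blocks nothing; see invalid_patterns


def invalid_patterns(patterns):
    """Patterns that are not valid regexes (they silently blocklist nothing)."""
    bad = []
    for p in patterns:
        try:
            re.compile(p)
        except re.error:
            bad.append(p)
    return bad


def rest_route_blocklisted(config, method: str, path: str) -> bool:
    routes = config["scan"].get("blocklist", {}).get("routes", [])
    return any(r["method"].upper() == method.upper() and path_matches(r["path"], path)
               for r in routes)


def frontend_url_blocklisted(config, url_path: str) -> bool:
    return any(path_matches(p, url_path) for p in config["scan"].get("blocklist", []))


def rest_dry_run(config, candidates):
    """Split (method, path) pairs into those the scan skips and those it tests."""
    skipped = [c for c in candidates if rest_route_blocklisted(config, *c)]
    tested = [c for c in candidates if c not in skipped]
    return skipped, tested
```

Run `rest_dry_run` over the routes from your OpenAPI spec to see exactly which ones the blocklist removes from coverage.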
Hotstart
Enhance the potency of your scans! By providing legitimate requests and extra URLs via the Hotstart feature, you arm Escape with deeper insights into your API and application's business logic. This enables Escape to operate with increased efficiency and precision.
The operations you provide should be listed under the hotstart key. You have the flexibility to provide multiple requests.
Frontend
For Frontend scans, you can guide the automatic crawling of your web application by simply providing a list of known URLs in your app, which speeds up the scanner discovery, and ensures crawling stability.
```yaml
scan:
  hotstart:
    - https://example.com/account
    - https://example.com/account/friends
    - https://example.com/shop/search
```
GraphQL
In GraphQL, the hotstart key is a list of strings, each string representing a GraphQL query. The query can be as simple as a query with no parameters or as complex as a query with multiple parameters and nested objects.
```yaml
scan:
  hotstart:
    - 'query { child(parentId: "b63f4020-45f6-4f33-9747-32ac8f270097" ) { id name birthdate }}'
    - 'query { bank(account: 1337) { id address }}'
```
REST
In REST, the hotstart is a list of HTTP documents to execute.
```yaml
scan:
  hotstart:
    # Each entry is a raw HTTP/1.1 request. A literal block scalar (|) keeps
    # the line breaks and the blank line that separates headers from body;
    # a quoted multi-line string would fold them into spaces.
    - |
      POST /register HTTP/1.1
      Host: example.com
      Content-Type: application/json
      Content-Length: 14

      {"my": "data"}
    - |
      GET /users HTTP/1.1
      Host: example.com

```
To easily encode your raw request located in a req.txt file, execute the following Python command: