Skip to content

Directing Your Scan: Blocklist & Hotstart

Gain finer control over how Escape interacts with your API by employing the Blocklist and Hotstart features.

Blocklist

Identify the operations that you would like Escape to skip during its security tests. By blocklisting certain operations, you can ensure these won't be evaluated during the scan.

GraphQL

The blacklist parameter is part of the global scan keys, referenced here.

scan:
  blacklist:
    mutation:
    - '**operationName**'
    objects:
    - '**objectName**'
    query:
    - '**queryName**'

REST

The blacklist parameter in REST is a list of paths and methods used to identify the routes to blocklist. The path is a valid OpenAPI path, and the method is an HTTP method (GET, POST, PUT, DELETE, etc.).

scan:
  blacklist:
    routes:
    - path: /a/path/to/blacklist
      method: GET
    - path: /another/path/to/blacklist
      method: POST

You can also blocklist routes using regexes on the path. If a fullmatch is found between the path and the regex, the route will be blocklisted.

scan:
  blacklist:
    routes:
    - path: /user/.*
      method: POST

Hotstart

Enhance the potency of your scans! By providing legitimate requests via the Hotstart feature, you arm Escape with deeper insights into your application's business logic. This enables Escape to operate with increased efficiency and precision.

The operations you provide should be listed under the hotstart key. You have the flexibility to provide multiple requests.

GraphQL

In GraphQL, the hotstart key is a list of strings, each string representing a GraphQL query. The query can be as simple as a query with no parameters or as complex as a query with multiple parameters and nested objects.

scan:
  hotstart:
  - 'query { child(parentId: "b63f4020-45f6-4f33-9747-32ac8f270097" ) { id name birthdate
    }}'
  - 'query { bank(account: 1337) { id address }}'

REST

In REST, the hotstart is a list of HTTP documents to execute.

scan:
  hotstart:
  - 'POST /register HTTP/1.1

    Host: example.com

    Content-Type: application/json

    Content-Length: 194


    {"my": "data"}'
  - 'GET /users HTTP/1.1

    Host: example.com

    Content-Type: application/json

    Content-Length: 194


    '

To easily encode your raw request located in a req.txt file, execute the following Python command:

cat req.txt | python -c "import sys; print(''.join(sys.stdin).replace('\n', '\\\\n').replace('\\\\\"', '\\\\\\\\\"').replace('\"', '\\\\\"'))"