API DAST Parameters

Scan Parameters¶

Example¶

Here is an example of a ScanParams object:

scan:
  blocklist:
    routes:
    - path: "/a/path/to/blocklist"
      method: GET
    - path: "/another/path/to/blocklist"
      method: POST
  hotstart:
  - |-
    POST /register HTTP/1.1
    Host: example.com
    Content-Type: application/json
    Content-Length: 194

    {"my": "data"}
  - |+
    GET /users HTTP/1.1
    Host: example.com
    Content-Type: application/json
    Content-Length: 194

  profile: surface | marketing | cicd | default | deep | unrestricted
  read_only: true | false
  scalars:
    SSET:
      description: The Super Secret Example Token is internal to our company and should
        never been exposed by any APIs.
      examples:
      - SSET-ABC12
      names:
      - SSET
      - super_secret_example_token
      - SuperSecretExampleToken
      parents:
      - String
      patterns:
      - SSET-[A-Z0-9]{5}
      sensitivity: HIGH
      strategy: key_or_value_strict
      entropy: 2

BlockListParams¶

Property	Type	Default
`mutation`	`List[string]`	`null`
`objects`	`List[string]`	`null`
`query`	`List[string]`	`null`
`routes`	`List[`BlocklistRouteRule`]`	`null`
`subscription`	`List[string]`	`null`

BlocklistRouteRule¶

Property	Type	Default	Description
`method`	`string`	`null`	HTTP method to block or GraphQL operation name (GET, POST, query, mutation, ...).
`path`	`string`	`null`	The path to block (OpenAPI path or GraphQL operation name). It can be a regex to block multiple paths. Ex: `/user/.*`

CustomScalarParams¶

Property	Type	Default	Description
`description`	`string`		The description of the scalar.
`entropy`	`number`	`null`	The minimum shannon entropy of the matched value.
`examples`	`List[string]`	`null`	Sample values for the scalar (used in the explore phase as default values).
`ignored_names`	`List[string]`	`null`	Names to ignore for the scalar.
`ignored_patterns`	`List[string]`	`null`	Regex to ignore for the scalar.
`names`	`List[string]`	`null`	Possible names for the scalar.
`parents`*	`List[`ScalarParent`]`		Root type the scalar is compatible with.
`patterns`	`List[string]`	`null`	Potential regex-friendly values for the scalar (utilized for the checks).
`sensitivity`*	ScalarSensitivity		Data sensitivity level. Allowed values are NONE, LOW, MEDIUM and HIGH.Values MEDIUM and HIGH will serve to raise Sensitive Data issues in Escape.
`strategy`*	MatchingStrategy		The detection strategy (`key_or_value` by default).

ScanParams¶

Property	Type	Default	Description
`api_type`	ApiType	`null`
`blocklist`	BlockListParams	`null`	The operations that will be skipped by security tests. See more in the dedicated documentation section..
`force_full_scan`	`boolean`	`null`	Will perform a full scan, without listening your API health and timeout. It may degrade your results quality but will unsure that all your operations are checked.
`frontend_crawling_only`	`boolean`		If true, only frontend crawling will be performed, while still doing security checks on API traffic.
`frontend_escape_user_header`	`boolean`	`false`	If true, the frontend scan will add the x-escape-user header to the requests.
`frontend_in_scope_domains`	`List[string]`	`null`	The list of domains allowed for network analysis during frontend scans. Includes organization domains by default.
`frontend_integrated_authentication`	`boolean`		If true, frontend scans will directly authenticate via the engine.
`frontend_parallel_workers`	`integer`	`5`	The number of parallel workers to use for frontend scans. Maximum and default is 5. Recommended to lower this if you encounter stability issues.
`frontend_single_page_worker`	`boolean`		If true, frontend scans will be performed in a single page worker.
`frontend_use_persistence`	`boolean`	`true`	If true, the frontend scan will use persistence to load discovered URLs from previous scans, to enhance crawling stability.
`frontend_user_agent`	`string`	`null`	The user agent to use for frontend scans.
`hotstart`	`List[string]`	`null`	Depending on your scan type (Frontend or API): List of URLs to visit, or raw queries (GraphQL, cURL, or raw HTTP) to hotstart the API exploration.
`hotstart_only`	`boolean`	`null`	If true, the scan will only perform the hotstart phase and stop after.
`max_duration`	`integer`	`null`	The maximum time in minutes that the scan will run for before stopping. Defaults to 30 minutes for frontend scans.
`null_is_unauthenticated`	`boolean`	`null`	In order to improve error inference, on some scans we want to be able to consider that a null aswerimplies that the request should have been authenticated
`profile`	ScanProfile	`default`	The scan profile
`read_only`	`boolean`	`null`	The choosen mode for the tested API. Default mode is read-write and suited to development environment. The read_only mode is safe for production environments, but will reduce the number of tests performed and the scan coverage..
`scalars`	`Dict[`CustomScalarParams`]`	`null`	The user's defined scalars.

ApiType¶

Value
`API_TYPE_GRAPHQL`
`API_TYPE_REST`

MatchingStrategy¶

Value
`key`
`key_strict`
`value`
`value_strict`
`key_or_value`
`key_or_value_strict`
`key_strict_or_value`
`key_and_value_strict`

ScalarParent¶

Value
`String`
`Int`
`Float`
`Boolean`

ScalarSensitivity¶

Value
`NONE`
`LOW`
`MEDIUM`
`HIGH`

ScanProfile¶

Value
`surface`
`marketing`
`cicd`
`default`
`deep`
`unrestricted`

Client Parameters¶

Example¶

Here is an example of a ClientParams object:

client:
  proxy:
    type: escape | http | repeater
  request_timeout: 5
  requests_per_minute: 3000

ClientParams¶

Property	Type	Default	Description
`discret_mode`	`boolean`	`null`
`max_requests`	`integer`	`null`
`proxy_id`	`string`	`null`
`request_timeout`	`integer`	`null`	The maximum timeout duration for each request (in seconds). See more in the dedicated documentation section.
`requests_per_minute`	`integer`	`null`	The maximum number of request per minute. Which will be used on a per second window.
`user_agent`	`string`	`null`
`x_tracing_header`	`string`	`null`