
Directing Your Scan: Blocklist & Hotstart

The Blocklist and Hotstart settings give you finer control over how Escape interacts with your API: the blocklist tells the scanner which operations to leave alone, and the hotstart gives it known-good requests and URLs to start from.

Blocklist

List the operations Escape should skip during its security tests. Blocklisted operations are not evaluated during the scan, which is the usual way to keep destructive or rate-limited operations out of a scan against a shared environment.

Adding blocklist to GraphQL DAST

The blocklist parameter is part of the GraphQL scan configuration. Operations are listed by name, grouped by operation type (mutation, query); replace operationName and queryName below with the names of the operations to skip.

graphql_api_dast:
  blocklist:
    mutation:
    - '**operationName**'
    query:
    - '**queryName**'

Cf. GraphQL reference for more information.

Adding blocklist to REST DAST

In REST, the blocklist is a list of routes, each identified by a path and a method. The path is a valid OpenAPI path and the method an HTTP method (GET, POST, PUT, DELETE, etc.); both have to match for the route to be skipped, so blocklisting POST on a path leaves GET on the same path in scope.

rest_api_dast:
  blocklist:
    routes:
    - path: /a/path/to/blocklist
      method: GET
    - path: /another/path/to/blocklist
      method: POST

The path can also be a regex. A route is blocklisted when the regex fully matches its path, not just a prefix or a substring: /user/.* matches /user/42 but not /user.

rest_api_dast:
  blocklist:
    routes:
    - path: /user/.*
      method: POST

Cf. REST reference for more information.

Adding blocklist to Frontend DAST

In the frontend DAST, the blocklist_patterns parameter blocklists URLs by regex. Each entry is a regex, and a URL is blocklisted when the regex fully matches its path. The matched path can include the fragment and the query string, so patterns can target those as well.

The example below matches every URL whose path starts with /user/ and ends with #profile.

frontend_dast:
  blocklist_patterns:
    - ^/user/.*#profile

Cf. Frontend reference for more information.
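Because both the REST route blocklist and the frontend blocklist_patterns use full-match semantics, it is worth dry-running a configuration against the routes and URLs you actually have before starting a scan. The script below is an added example, not part of Escape or of this page: it reimplements the documented matching rules in plain Python (re.fullmatch is exactly "a fullmatch is found between the path and the regex") and reports which routes and URLs a configuration would skip. The configuration, route list and URL list are constructed here for illustration and mirror the YAML shown above.

```python
"""Dry-run an Escape-style blocklist configuration against known routes/URLs.

Mirrors the documented semantics: a REST route is skipped when its method
matches and the configured path either equals the route path or fully
matches it as a regex; a frontend URL is skipped when a pattern fully
matches its path.  Illustration only, not Escape's own code.
"""
import re

# Constructed config: the Python equivalent of the YAML on this page,
# with one exact route and one regex route plus two frontend patterns.
CONFIG = {
    "rest_api_dast": {
        "blocklist": {
            "routes": [
                {"path": "/admin/reset", "method": "POST"},
                {"path": "/user/.*", "method": "DELETE"},
            ]
        }
    },
    "frontend_dast": {
        "blocklist_patterns": [r"^/user/.*#profile", r"/logout(\?.*)?"],
    },
}


def rest_route_blocked(method, path, routes):
    """True when the (method, path) pair hits a blocklist rule.

    An exact OpenAPI path is checked with string equality first, then every
    rule path is tried as a regex with re.fullmatch, so a rule such as
    /user/.* skips /user/42 but not /user.
    """
    for rule in routes:
        if rule["method"].upper() != method.upper():
            continue  # method must match too: POST on a path does not block GET
        if rule["path"] == path or re.fullmatch(rule["path"], path):
            return True
    return False


def frontend_url_blocked(url_path, patterns):
    """True when any frontend pattern fully matches the URL path (fragment
    and query string included, as the page describes)."""
    return any(re.fullmatch(p, url_path) for p in patterns)


def dry_run(config, routes, urls):
    """Return (skipped_routes, skipped_urls) for an inventory of routes/URLs."""
    rules = config["rest_api_dast"]["blocklist"]["routes"]
    patterns = config["frontend_dast"]["blocklist_patterns"]
    skipped_routes = [(m, p) for m, p in routes if rest_route_blocked(m, p, rules)]
    skipped_urls = [u for u in urls if frontend_url_blocked(u, patterns)]
    return skipped_routes, skipped_urls


# Constructed inventory, e.g. the routes of your OpenAPI spec and crawled URLs.
ROUTES = [
    ("GET", "/user/42"),           # method differs from the DELETE rule: scanned
    ("DELETE", "/user/42"),        # regex /user/.* fully matches: skipped
    ("DELETE", "/user"),           # no trailing segment, not a fullmatch: scanned
    ("POST", "/admin/reset"),      # exact rule: skipped
    ("POST", "/admin/reset/all"),  # exact rule does not extend to sub-paths: scanned
]
URLS = [
    "/user/42#profile",            # matches ^/user/.*#profile: skipped
    "/user/42#profile/edit",       # text after #profile breaks the fullmatch: crawled
    "/logout?next=/",              # optional query string in the pattern: skipped
    "/logout",                     # skipped
]

if __name__ == "__main__":
    skipped_routes, skipped_urls = dry_run(CONFIG, ROUTES, URLS)
    for method, path in skipped_routes:
        print(f"skip  {method:6} {path}")
    for url in skipped_urls:
        print(f"skip  URL    {url}")
```

Note that in this checker a literal path containing regex metacharacters (a dot in /v1.0/status, for instance) is also tried as a regex, so it would additionally skip /v1X0/status; if you want a literal path to match only itself, wrap it in re.escape or, in the real configuration, escape the dot in the path you write.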

Hotstart

Hotstart seeds the scan with legitimate requests and extra URLs. Giving Escape known-valid operations and pages up front gives it a head start on your API's and application's business logic, so the scan runs more efficiently and with more precision.

List the operations under the hotstart key; you can provide as many requests as you need.

Adding hotstart to Frontend DAST

For Frontend scans, you can guide the automatic crawling of your web application by providing a list of known URLs in your app. This speeds up discovery and makes crawling more stable, since the crawler starts from pages it might otherwise reach late or not at all.

frontend_dast:
  hotstart:
    - https://example.com/account
    - https://example.com/account/friends
    - https://example.com/shop/search

Adding hotstart to GraphQL DAST

In GraphQL, each hotstart entry is a GraphQL document; nothing else is needed to declare an operation to run at the beginning of the scan.

graphql_api_dast:
  hotstart:
  - 'query { child(parentId: "b63f4020-45f6-4f33-9747-32ac8f270097" ) { id name birthdate } }'
  - 'query { bank(account: 1337) { id address } }'

Adding hotstart to REST DAST

In REST, the hotstart is a list of curl commands that Escape executes at the start of the scan. Each command is run as written, so make sure it targets the environment being scanned, and remember that a command carrying a credential (the bearer token in the second example) sends that credential, which makes the configuration file itself something to protect.

rest_api_dast:
  hotstart:
  - 'curl https://example.com/users'
  - 'curl https://example.com/users -H "Authorization: Bearer <token>" -X POST -d "{\"name\": \"John\"}"'
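Since every REST hotstart entry is executed verbatim, a small pre-scan check of what those curl commands will actually send is worthwhile. The script below is an added example and is not part of Escape or of this page: it splits each entry the way a shell would, recovers the method, URL, headers and body, and flags entries that target a host other than the scan target, carry an inline Authorization header (or a -u credential), or issue a DELETE. The hotstart list is constructed for illustration (it mirrors the YAML above plus one out-of-scope entry), and the handful of curl flags it understands are the ones typical hotstart entries use.

```python
"""Lint the curl commands of a rest_api_dast.hotstart list before a scan.

Escape executes each entry as a curl command, so the host, method, body and
any credential in it are sent as-is.  This added check parses each entry
like a shell and reports what is worth a second look.  Illustration only,
not Escape's own code.
"""
import shlex
from urllib.parse import urlparse

# Constructed hotstart list: the two entries from the YAML above plus a
# third one that points at a different host and deletes a resource.
HOTSTART = [
    'curl https://example.com/users',
    'curl https://example.com/users -H "Authorization: Bearer <token>" -X POST -d "{\\"name\\": \\"John\\"}"',
    'curl -X DELETE https://prod.example.com/users/1',
]


def parse_curl(command):
    """Return (method, url, headers, data) for a simple curl invocation.

    Understands -X/--request, -H/--header, -d/--data/--data-raw and
    -u/--user; any other flag is skipped.  Like curl itself, -d without
    -X implies POST and no -d means GET.  Header names are lower-cased.
    """
    argv = shlex.split(command)
    if not argv or argv[0] != "curl":
        raise ValueError(f"not a curl command: {command!r}")
    method, url, headers, data = None, None, {}, None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-X", "--request"):
            method = argv[i + 1].upper()
            i += 2
        elif arg in ("-H", "--header"):
            name, _, value = argv[i + 1].partition(":")
            headers[name.strip().lower()] = value.strip()
            i += 2
        elif arg in ("-d", "--data", "--data-raw"):
            data = argv[i + 1]
            i += 2
        elif arg in ("-u", "--user"):
            # -u becomes an Authorization: Basic header on the wire; record it
            # without echoing the credential.
            headers["authorization"] = "Basic (from -u)"
            i += 2
        elif arg.startswith("-"):
            i += 1  # value-less flag such as -s or -k
        else:
            url = arg
            i += 1
    if url is None:
        raise ValueError(f"no URL in: {command!r}")
    if method is None:
        method = "POST" if data is not None else "GET"
    return method, url, headers, data


def lint_hotstart(entries, target_host):
    """Return (index, finding) tuples for entries that deserve a review."""
    findings = []
    for idx, cmd in enumerate(entries):
        method, url, headers, _ = parse_curl(cmd)
        host = urlparse(url).hostname
        if host != target_host:
            findings.append((idx, f"{method} {url} targets {host}, not {target_host}"))
        if "authorization" in headers:
            findings.append((idx, "inline credential: keep secrets out of committed config"))
        if method == "DELETE":
            findings.append((idx, f"DELETE {url} is executed for real at scan start"))
    return findings


if __name__ == "__main__":
    for idx, finding in lint_hotstart(HOTSTART, "example.com"):
        print(f"entry {idx}: {finding}")
```

Run it with the hostname of the environment you intend to scan; an empty result means every entry stays on target and carries no inline secret, which is the state you want before committing the configuration.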