API Testing Hotstart
Scan efficiency and precision can be enhanced through the Hotstart feature, which provides the scanner with legitimate requests and supplementary URLs. This additional context enables deeper analysis of API endpoints and business logic, resulting in more comprehensive security testing.
Operations to be executed at scan initialization are defined under the hotstart configuration key. Multiple requests can be specified to establish necessary application state.
GraphQL Hotstart
For GraphQL applications, only the GraphQL document is required to declare operations that will be executed at the beginning of the scan.
graphql_api_dast:
  hotstart:
    - 'query { child(parentId: "b63f4020-45f6-4f33-9747-32ac8f270097" ) { id name birthdate } }'
    - 'query { bank(account: 1337) { id address } }'
REST Hotstart
For REST applications, the hotstart is configured as a list of curl commands to be executed sequentially.
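Because the scanner replays every hotstart entry, in order, at the start of each scan, it is worth checking the list before handing it over: each entry must be a well-formed curl command, every URL should sit inside the scan scope, and any embedded credential should be treated as a secret. The pre-flight checker below is an added example and not part of the scanner or this page; it uses only the Python standard library, and the curl commands, hostnames and the `SCOPE_HOSTS` allow-list are constructed sample values.

```python
"""Pre-flight check for a REST hotstart list of curl commands (added example).

parse_curl() turns one curl command line into a request description
(method, URL, headers, body) using shlex, the same tokenisation a shell
would apply.  check_hotstart() walks the list in replay order and reports
entries whose host is outside the scan scope, that use plain http://, or
that carry an Authorization header (a credential living in the config).
"""
import shlex
from urllib.parse import urlparse

# Constructed sample hotstart entries; hosts and token are placeholders.
HOTSTART = [
    'curl -X POST https://api.example.test/login -H "Content-Type: application/json" '
    '-d \'{"user":"demo","password":"demo"}\'',
    "curl https://api.example.test/accounts/1337 -H 'Authorization: Bearer TOKEN_PLACEHOLDER'",
    "curl --request DELETE https://other.example.test/admin",
]

# Hosts the scan is allowed to touch (assumed scope for this example).
SCOPE_HOSTS = {"api.example.test"}


def parse_curl(command):
    """Parse one curl command into {"method", "url", "headers", "body"}.

    Only the options that shape the HTTP request are modelled
    (-X/--request, -H/--header, -d/--data/--data-raw); other flags such
    as -s or -k are skipped.  Raises ValueError on malformed input.
    """
    tokens = shlex.split(command)
    if not tokens or tokens[0] != "curl":
        raise ValueError(f"not a curl command: {command!r}")

    req = {"method": None, "url": None, "headers": {}, "body": None}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-X", "--request", "-H", "--header", "-d", "--data", "--data-raw"):
            if i + 1 >= len(tokens):
                raise ValueError(f"option {tok} is missing its argument: {command!r}")
            arg = tokens[i + 1]
            if tok in ("-X", "--request"):
                req["method"] = arg.upper()
            elif tok in ("-H", "--header"):
                name, _, value = arg.partition(":")
                req["headers"][name.strip().lower()] = value.strip()
            else:
                req["body"] = arg
            i += 2
        elif tok.startswith("-"):
            i += 1  # unmodelled flag, no argument assumed
        else:
            if req["url"] is not None:
                raise ValueError(f"more than one URL in: {command!r}")
            req["url"] = tok
            i += 1

    if req["url"] is None:
        raise ValueError(f"no URL found in: {command!r}")
    if req["method"] is None:
        # curl's own default: POST when a body is given, otherwise GET.
        req["method"] = "POST" if req["body"] is not None else "GET"
    return req


def check_hotstart(commands, scope_hosts):
    """Return one report entry per command, in replay order, with any issues."""
    report = []
    for index, command in enumerate(commands):
        req = parse_curl(command)
        parsed = urlparse(req["url"])
        issues = []
        if parsed.hostname not in scope_hosts:
            issues.append(f"host {parsed.hostname} is outside the scan scope")
        if parsed.scheme != "https":
            issues.append("request is sent over plain http")
        if "authorization" in req["headers"]:
            issues.append("authorization header embeds a credential; store the config as a secret")
        report.append({"index": index, "method": req["method"], "url": req["url"], "issues": issues})
    return report


if __name__ == "__main__":
    for entry in check_hotstart(HOTSTART, SCOPE_HOSTS):
        status = "ok" if not entry["issues"] else "; ".join(entry["issues"])
        print(f'[{entry["index"]}] {entry["method"]} {entry["url"]}: {status}')
```

Run it against the real list before a scan and treat any out-of-scope host as a configuration error rather than a warning: whatever is in the hotstart list is replayed against that host at every scan start.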