API DAST Parameters

Scan Parameters¶

Example¶

Here is an example of a ScanParams object:

scan:
  blocklist:
    routes:
    - path: "/a/path/to/blocklist"
      method: GET
    - path: "/another/path/to/blocklist"
      method: POST
  hotstart:
  - |-
    POST /register HTTP/1.1
    Host: example.com
    Content-Type: application/json
    Content-Length: 194

    {"my": "data"}
  - |+
    GET /users HTTP/1.1
    Host: example.com
    Content-Type: application/json
    Content-Length: 194

  profile: surface | marketing | cicd | default | deep | unrestricted
  read_only: true | false
  scalars:
    SSET:
      description: The Super Secret Example Token is internal to our company and should
        never been exposed by any APIs.
      examples:
      - SSET-ABC12
      names:
      - SSET
      - super_secret_example_token
      - SuperSecretExampleToken
      parents:
      - String
      patterns:
      - SSET-[A-Z0-9]{5}
      sensitivity: HIGH
      strategy: key_or_value_strict
      entropy: 2

BlockListParams¶

Property	Type	Default
`mutation`	`List[string]`	`null`
`objects`	`List[string]`	`null`
`query`	`List[string]`	`null`
`routes`	`List[`BlocklistRouteRule`]`	`null`
`subscription`	`List[string]`	`null`

BlocklistRouteRule¶

Property	Type	Default	Description
`method`	`string`	`null`	HTTP method to block or GraphQL operation name (GET, POST, query, mutation, ...).
`path`	`string`	`null`	The path to block (OpenAPI path or GraphQL operation name). It can be a regex to block multiple paths. Ex: `/user/.*`

CustomScalarParams¶

Property	Type	Default	Description
`description`	`string`		The description of the scalar.
`entropy`	`number`	`null`	The minimum shannon entropy of the matched value.
`examples`	`List[string]`	`null`	Sample values for the scalar (used in the explore phase as default values).
`ignored_names`	`List[string]`	`null`	Names to ignore for the scalar.
`ignored_patterns`	`List[string]`	`null`	Regex to ignore for the scalar.
`is_sourceable`	`boolean`	`true`	If true, the scalar is sourceable and reinjected during the Agentic Exploration of the API.
`names`	`List[string]`	`null`	Possible names for the scalar.
`parents`*	`List[`ScalarParent`]`		Root type the scalar is compatible with.
`patterns`	`List[string]`	`null`	Potential regex-friendly values for the scalar (utilized for the checks).
`raise_on_commit`	`boolean`	`false`	If true, the scalar will raise a commit issue.
`raise_on_exposure`	`boolean`	`false`	If true, the scalar will raise an exposure issue.
`raise_threshold`	`integer`		The raise threshold for the scalar.
`sensitivity`	ScalarSensitivity	`NONE`	Data sensitivity level. Allowed values are NONE, LOW, MEDIUM and HIGH.Values MEDIUM and HIGH will serve to raise Sensitive Data issues in Escape.
`strategy`	MatchingStrategy	`key_or_value`	The detection strategy (`key_or_value` by default).

FrontendAPIURLSkipRule¶

Property	Type	Default	Description
`method`	FrontendAPIURLSkipRuleMethod	`null`	HTTP method to skip (GET, POST, ...).
`url_pattern`	`string`	`null`	The url pattern to skip (regex).

ScanParams¶

Property	Type	Default	Description
`api_type`	ApiType	`null`
`blocklist`	BlockListParams	`null`	The operations that will be skipped by security tests. See more in the dedicated documentation section..
`do_not_fuzz_params`	`List[string]`	`null`	List of parameter names that must be left untouched by fuzzers and security checks.
`force_full_scan`	`boolean`	`null`	Will perform a full scan, without listening your API health and timeout. It may degrade your results quality but will unsure that all your operations are checked.
`frontend_allowed_url_patterns`	`List[string]`	`null`	The list of URL patterns to allow for the frontend scan crawling.This is a list of regexes that will be used to filter the page URLs that are allowed to be visited.If not set, all URLs will be allowed, as long as their domain exactly matches one of the frontend_in_scope_domains.For example, if frontend_in_scope_domains is ["app.escape.tech"], test.app.escape.tech and escape.tech will not be allowed.
`frontend_blocklisted_element_selectors`	`List[string]`	`null`	The list of element selectors to block interactions with during the frontend scan. Things like logouts, lock buttons, help, chat, etc.
`frontend_crawling_only`	`boolean`		If true, only frontend crawling will be performed, while still doing security checks on API traffic (see frontend_send_api_traffic_to_checks to disable this).
`frontend_escape_user_header`	`boolean`	`false`	If true, the frontend scan will add the x-escape-user header to the requests.
`frontend_in_scope_domains`	`List[string]`	`null`	Used by API traffic extraction during frontend scans. Includes the frontend domain by default. If not set, the organization domains will be automatically added to cover wider API traffic. Set it to "self" only to allow the current frontend domain only.
`frontend_integrated_authentication`	`boolean`		If true, frontend scans will directly authenticate via the engine. Recommended for Frontend scans. This can help with complex authentication that does not rely purely on cookies, local/session storage, and the context cannot be copied.
`frontend_max_fragments_visits`	`integer`	`null`	The maximum number of visits to a page with the same fragment.
`frontend_max_parameter_occurence`	`integer`	`null`	The maximum number of occurrences of a parameter in a URL.
`frontend_max_query_params_visits`	`integer`	`null`	The maximum number of visits to a page with the same query parameters.
`frontend_parallel_workers`	`integer`	`3`	The number of parallel workers to use for frontend scans. Maximum is 5, default is 3. Recommended to lower this if you encounter stability issues.
`frontend_prefetch_sitemap`	`boolean`	`false`	If true, the frontend scan will prefetch any available sitemaps (robots.txt, sitemap.xml, etc) and use them as a seed for the crawler.
`frontend_security_checks_enabled`	`List[`FrontendSecurityChecksTypes`]`	`[ALL]`	The list of security checks to enable for the frontend scan. You can mix and match depending on your needs (speed, coverage, etc).- API checks: will check the API traffic for security issues, just like API DAST scans, using your web application's traffic without a specification. You can further restrict which APIs are checked by using frontend_in_scope_domains.- Active page checks: security checks on inputs, url parameters, etc... by fuzzing them.- Passive page checks: security checks on the DOM, and browser storage.- Network checks: security checks based more on all requests and responses, including loaded javascript and other resources.By default, all checks are enabled.
`frontend_single_page_worker`	`boolean`		If true, frontend scans will be performed in a single page worker.
`frontend_skipped_api_checks_url_patterns`	`List[`FrontendAPIURLSkipRule`]`	`null`	More granular than frontend_in_scope_domains, this list of regexes and methods will be used to filter the API traffic URLs that are not allowed to be scanned.This is useful to skip API traffic extraction for specific URLs, for example if you have a sensitive auth api.
`frontend_use_persistence`	`boolean`	`true`	If true, the frontend scan will use persistence to load discovered URLs from previous scans, to enhance crawling stability.
`frontend_user_agent`	`string`	`null`	The user agent to use for frontend scans.
`hotstart`	`List[string]`	`null`	Depending on your scan type (Frontend or API): List of URLs to visit, or raw queries (GraphQL, cURL, or raw HTTP) to hotstart the API exploration.
`hotstart_only`	`boolean`	`null`	If true, the scan will only perform the hotstart phase and stop after.
`max_duration`	`integer`	`null`	The maximum time in minutes that the scan will run for before stopping. Defaults to 2 hours for frontend scans.
`null_is_unauthenticated`	`boolean`	`null`	In order to improve error inference, on some scans we want to be able to consider that a null aswerimplies that the request should have been authenticated
`profile`	ScanProfile	`default`	The scan profile
`read_only`	`boolean`	`null`	The choosen mode for the tested API. Default mode is read-write and suited to development environment. The read_only mode is safe for production environments, but will reduce the number of tests performed and the scan coverage.
`scalars`	`Dict[`CustomScalarParams`]`	`null`	The user's defined scalars.

ApiType¶

Value
`API_TYPE_GRAPHQL`
`API_TYPE_REST`

FrontendAPIURLSkipRuleMethod¶

Value
`GET`
`POST`
`PUT`
`DELETE`
`PATCH`
`OPTIONS`
`HEAD`

FrontendSecurityChecksTypes¶

Value
`ALL`
`NONE`
`API_CHECKS`
`ACTIVE_PAGE_CHECKS`
`PASSIVE_PAGE_CHECKS`
`NETWORK_CHECKS`

MatchingStrategy¶

Value
`key`
`key_strict`
`value`
`value_strict`
`key_or_value`
`key_or_value_strict`
`key_strict_or_value`
`key_and_value_strict`

ScalarParent¶

Value
`String`
`Int`
`Float`
`Boolean`

ScalarSensitivity¶

Value
`NONE`
`LOW`
`MEDIUM`
`HIGH`

ScanProfile¶

Value
`surface`
`marketing`
`cicd`
`default`
`deep`
`unrestricted`

Client Parameters¶

Example¶

Here is an example of a ClientParams object:

client:
  proxy:
    type: escape | http | repeater
  request_timeout: 5
  requests_per_minute: 3000

ClientParams¶

Property	Type	Default	Description
`discret_mode`	`boolean`	`null`
`max_requests`	`integer`	`null`
`proxy_id`	`string`	`null`
`request_timeout`	`integer`	`null`	The maximum timeout duration for each request (in seconds). See more in the dedicated documentation section.
`requests_per_minute`	`integer`	`null`	The maximum number of request per minute. Which will be used on a per second window.
`user_agent`	`string`	`null`
`x_tracing_header`	`string`	`null`