# API DAST Parameters

## Scan Parameters

### Example

Here is an example of a ScanParams object:

```yaml
scan:
  blocklist:
    routes:
      - path: "/a/path/to/blocklist"
        method: GET
      - path: "/another/path/to/blocklist"
        method: POST
  hotstart:
    - |-
      POST /register HTTP/1.1
      Host: example.com
      Content-Type: application/json
      Content-Length: 14

      {"my": "data"}
    - |+
      GET /users HTTP/1.1
      Host: example.com
      Content-Type: application/json
  profile: default   # one of surface | marketing | cicd | default | deep | unrestricted
  read_only: true    # true | false
  scalars:
    SSET:
      description: The Super Secret Example Token is internal to our company and should never be exposed by any API.
      examples:
        - SSET-ABC12
      names:
        - SSET
        - super_secret_example_token
        - SuperSecretExampleToken
      parents:
        - String
      patterns:
        - SSET-[A-Z0-9]{5}
      sensitivity: HIGH
      strategy: key_or_value_strict
      entropy: 2
```

Raw HTTP hotstart entries are sent as written, so the Content-Length must equal the byte length of the body that follows the blank line (14 bytes for `{"my": "data"}`), and a request without a body should not declare one.
### BlockListParams

Property | Type | Default | Description |
---|---|---|---|
mutation | List[string] | null | |
objects | List[string] | null | |
query | List[string] | null | |
routes | List[BlocklistRouteRule] | null | |
subscription | List[string] | null | |
### BlocklistRouteRule

Property | Type | Default | Description |
---|---|---|---|
method | string | null | HTTP method to block or GraphQL operation name (GET, POST, query, mutation, ...). |
path | string | null | The path to block (OpenAPI path or GraphQL operation name). It can be a regex to block multiple paths. Ex: `/user/.*` |
### CustomScalarParams

Properties marked with `*` are required.

Property | Type | Default | Description |
---|---|---|---|
description | string | | The description of the scalar. |
entropy | number | null | The minimum Shannon entropy of the matched value. |
examples | List[string] | null | Sample values for the scalar (used in the explore phase as default values). |
ignored_names | List[string] | null | Names to ignore for the scalar. |
ignored_patterns | List[string] | null | Regexes to ignore for the scalar. |
is_sourceable | boolean | true | If true, the scalar is sourceable and is reinjected during the Agentic Exploration of the API. |
names | List[string] | null | Possible names for the scalar. |
parents * | List[ScalarParent] | | Root types the scalar is compatible with. |
patterns | List[string] | null | Regexes that values of the scalar match (used by the checks). |
raise_on_commit | boolean | false | If true, the scalar will raise a commit issue. |
raise_on_exposure | boolean | false | If true, the scalar will raise an exposure issue. |
raise_threshold | integer | | The raise threshold for the scalar. |
sensitivity | ScalarSensitivity | NONE | Data sensitivity level. Allowed values are NONE, LOW, MEDIUM and HIGH. Values MEDIUM and HIGH will serve to raise Sensitive Data issues in Escape. |
strategy | MatchingStrategy | key_or_value | The detection strategy (key_or_value by default). |
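The following Python is an added example, not Escape's detection engine. It shows what the `names`, `patterns`, `entropy` and `strategy` fields of a custom scalar amount to when evaluated over a constructed JSON response. The response body, the case-insensitive name comparison and the use of `re.search` for patterns are this example's assumptions, and only the `key`, `value` and `key_or_value` strategies are modelled, because this page does not define the `*_strict` variants.

```python
import json
import math
import re
from typing import Any, Dict, Iterator, List, Tuple

# Added example, not Escape's own detection code. It models how a custom
# scalar definition (names, patterns, entropy, strategy) can be evaluated
# against an API response body. Only the key, value and key_or_value
# strategies are modelled; the page does not define the *_strict variants,
# so they are rejected rather than guessed at.

# The SSET scalar from the page's example, with a non-strict strategy.
SSET_SCALAR: Dict[str, Any] = {
    "names": ["SSET", "super_secret_example_token", "SuperSecretExampleToken"],
    "patterns": [r"SSET-[A-Z0-9]{5}"],
    "entropy": 2,
    "strategy": "key_or_value",
    "sensitivity": "HIGH",
}

# Constructed response body: one field matches by key and value, one only by
# value, and one matches the pattern but is too repetitive to pass `entropy: 2`.
SAMPLE_RESPONSE = json.dumps({
    "user": {"id": 7, "super_secret_example_token": "SSET-ABC12"},
    "session": {"token": "SSET-ZZ9Q1"},
    "note": "SSET-AAAAA",
})


def shannon_entropy(value: str) -> float:
    """Shannon entropy of a string, in bits per character."""
    if not value:
        return 0.0
    n = len(value)
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _leaves(obj: Any, key: str = "", path: str = "$") -> Iterator[Tuple[str, str, Any]]:
    """Yield (json_path, nearest_key, value) for every scalar leaf of a parsed body."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _leaves(v, k, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _leaves(v, key, f"{path}[{i}]")
    else:
        yield path, key, obj


def key_matches(scalar: Dict[str, Any], key: str) -> bool:
    # Case-insensitive comparison against `names` is this example's simplification.
    return key.lower() in {n.lower() for n in scalar.get("names", [])}


def value_matches(scalar: Dict[str, Any], value: Any) -> bool:
    """A value matches when a pattern hits and its entropy reaches the threshold."""
    if not isinstance(value, str):
        return False
    if not any(re.search(p, value) for p in scalar.get("patterns", [])):
        return False
    min_entropy = scalar.get("entropy")
    return min_entropy is None or shannon_entropy(value) >= min_entropy


def find_exposures(scalar: Dict[str, Any], body: str) -> List[str]:
    """Return the JSON paths in `body` at which the scalar is exposed."""
    strategy = scalar.get("strategy", "key_or_value")
    if strategy not in ("key", "value", "key_or_value"):
        raise ValueError(f"strategy {strategy!r} is not modelled by this example")
    hits: List[str] = []
    for path, key, value in _leaves(json.loads(body)):
        by_key = key_matches(scalar, key)
        by_value = value_matches(scalar, value)
        if (strategy == "key" and by_key) or (strategy == "value" and by_value) \
                or (strategy == "key_or_value" and (by_key or by_value)):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for hit in find_exposures(SSET_SCALAR, SAMPLE_RESPONSE):
        print(f"{SSET_SCALAR['sensitivity']} sensitivity scalar exposed at {hit}")
```

Note how `SSET-AAAAA` fits the regex yet stays below the `entropy: 2` threshold (about 1.96 bits per character), so it is not reported: the entropy field exists precisely to drop placeholder-looking values that happen to match a pattern, while `SSET-ZZ9Q1` (about 2.92 bits) is reported even though its key, `token`, is not in `names`.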
### ScanParams

Property | Type | Default | Description |
---|---|---|---|
api_type | ApiType | null | |
blocklist | BlockListParams | null | The operations that will be skipped by security tests. See more in the dedicated documentation section. |
force_full_scan | boolean | null | Performs a full scan without monitoring your API's health or honouring timeouts. It may degrade result quality but ensures that every operation is checked. |
frontend_blocklisted_element_selectors | List[string] | null | The list of element selectors to block interactions with during the frontend scan. Things like logout, lock buttons, help, chat, etc. |
frontend_crawling_only | boolean | | If true, only frontend crawling is performed, while security checks still run on the API traffic (see frontend_send_api_traffic_to_checks to disable this). |
frontend_escape_user_header | boolean | false | If true, the frontend scan adds the x-escape-user header to its requests. |
frontend_in_scope_domains | List[string] | null | Used by API traffic extraction during frontend scans. Includes the frontend domain by default. If not set, the organization domains are automatically added to cover wider API traffic. Set it to "self" to allow the current frontend domain only. |
frontend_integrated_authentication | boolean | | If true, frontend scans authenticate directly via the engine. Recommended for frontend scans. This helps with complex authentication that does not rely purely on cookies or local/session storage, where the context cannot be copied. |
frontend_max_fragments_visits | integer | null | The maximum number of visits to a page with the same fragment. |
frontend_max_parameter_occurence | integer | null | The maximum number of occurrences of a parameter in a URL. |
frontend_max_query_params_visits | integer | null | The maximum number of visits to a page with the same query parameters. |
frontend_parallel_workers | integer | 3 | The number of parallel workers to use for frontend scans. Maximum is 5, default is 3. Lower it if you encounter stability issues. |
frontend_prefetch_sitemap | boolean | true | If true, the frontend scan prefetches any available sitemaps (robots.txt, sitemap.xml, etc.) and uses them as a seed for the crawler. |
frontend_send_api_traffic_to_checks | boolean | true | If true, the frontend scan sends API traffic to the security checks. |
frontend_single_page_worker | boolean | | If true, frontend scans are performed in a single page worker. |
frontend_use_persistence | boolean | true | If true, the frontend scan uses persistence to load discovered URLs from previous scans, to enhance crawling stability. |
frontend_user_agent | string | null | The user agent to use for frontend scans. |
hotstart | List[string] | null | Depending on your scan type (Frontend or API): a list of URLs to visit, or raw queries (GraphQL, cURL, or raw HTTP) to hotstart the API exploration. |
hotstart_only | boolean | null | If true, the scan only performs the hotstart phase and stops after it. |
max_duration | integer | null | The maximum time in minutes that the scan will run for before stopping. Defaults to 2 hours for frontend scans. |
null_is_unauthenticated | boolean | null | To improve error inference, on some scans a null answer can be taken to imply that the request should have been authenticated. |
profile | ScanProfile | default | The scan profile. |
read_only | boolean | null | The chosen mode for the tested API. The default mode is read-write and suited to development environments. The read_only mode is safe for production environments but reduces the number of tests performed and the scan coverage. |
scalars | Dict[CustomScalarParams] | null | The user-defined scalars. |
### ApiType

Value |
---|
API_TYPE_GRAPHQL |
API_TYPE_REST |

### MatchingStrategy

Value |
---|
key |
key_strict |
value |
value_strict |
key_or_value |
key_or_value_strict |
key_strict_or_value |
key_and_value_strict |

### ScalarParent

Value |
---|
String |
Int |
Float |
Boolean |

### ScalarSensitivity

Value |
---|
NONE |
LOW |
MEDIUM |
HIGH |

### ScanProfile

Value |
---|
surface |
marketing |
cicd |
default |
deep |
unrestricted |
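A scan configuration is easy to get subtly wrong (an enum value that does not exist, a blocklist path that is not a valid regex, a raw HTTP hotstart entry whose Content-Length does not match its body), and the scanner only tells you at run time. The following Python is an added example, not Escape's own tooling: a pre-flight linter for the `scan:` object described by the tables above. The allowed values are copied from the ScanProfile, MatchingStrategy, ScalarParent and ScalarSensitivity tables; the HTTP method list, the sample configuration and its values are this example's assumptions. In practice the dict would come from `yaml.safe_load()` of the configuration file.

```python
import re
from typing import Any, Dict, List

# Added example, not Escape's own tooling: a pre-flight linter for the
# `scan:` object. Enum values are copied from the page's tables; the HTTP
# method list is this example's assumption.
SCAN_PROFILES = {"surface", "marketing", "cicd", "default", "deep", "unrestricted"}
STRATEGIES = {"key", "key_strict", "value", "value_strict", "key_or_value",
              "key_or_value_strict", "key_strict_or_value", "key_and_value_strict"}
PARENTS = {"String", "Int", "Float", "Boolean"}
SENSITIVITIES = {"NONE", "LOW", "MEDIUM", "HIGH"}
METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS",
           "query", "mutation", "subscription"}

# Constructed sample config (not from the page). It deliberately declares
# Content-Length: 194 for a 14-byte body and for a body-less GET, the kind of
# paste mistake that makes a hotstarted request hang waiting for bytes.
EXAMPLE_SCAN: Dict[str, Any] = {
    "profile": "default",
    "read_only": True,
    "blocklist": {"routes": [{"path": "/a/path/to/blocklist", "method": "GET"},
                             {"path": "/user/.*", "method": "POST"}]},
    "hotstart": [
        "POST /register HTTP/1.1\nHost: example.com\n"
        "Content-Type: application/json\nContent-Length: 194\n\n{\"my\": \"data\"}",
        "GET /users HTTP/1.1\nHost: example.com\nContent-Length: 194\n",
    ],
    "scalars": {"SSET": {"parents": ["String"], "patterns": [r"SSET-[A-Z0-9]{5}"],
                         "sensitivity": "HIGH", "strategy": "key_or_value_strict",
                         "entropy": 2}},
}


def _check_regex(pattern: str, where: str, findings: List[str]) -> None:
    try:
        re.compile(pattern)
    except re.error as exc:
        findings.append(f"{where}: invalid regex {pattern!r} ({exc})")


def _check_raw_http(entry: str, where: str, findings: List[str]) -> None:
    """Validate a raw-HTTP hotstart entry: request line, Host, Content-Length."""
    parts = re.split(r"\r?\n\r?\n", entry, maxsplit=1)
    head, body = parts[0], (parts[1] if len(parts) == 2 else "")
    lines = head.splitlines()
    if not re.match(r"^[A-Z]+ \S+ HTTP/\d(\.\d)?$", lines[0]):
        findings.append(f"{where}: malformed request line {lines[0]!r}")
        return
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        findings.append(f"{where}: missing Host header")
    declared = headers.get("content-length")
    actual = len(body.encode())
    if declared is not None and (not declared.isdigit() or int(declared) != actual):
        findings.append(f"{where}: Content-Length is {declared} but body is {actual} bytes")


def lint_scan_params(scan: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the config passed."""
    findings: List[str] = []
    profile = scan.get("profile", "default")
    if profile not in SCAN_PROFILES:
        findings.append(f"profile: {profile!r} is not one of {sorted(SCAN_PROFILES)}")
    if scan.get("read_only") is not True:
        findings.append("read_only: not true, so the scan runs read-write; keep it off production")
    workers = scan.get("frontend_parallel_workers")
    if workers is not None and not 1 <= workers <= 5:
        findings.append(f"frontend_parallel_workers: {workers} is outside 1..5")
    for i, rule in enumerate((scan.get("blocklist") or {}).get("routes") or []):
        where = f"blocklist.routes[{i}]"
        if rule.get("method") is not None and rule["method"] not in METHODS:
            findings.append(f"{where}: unknown method/operation {rule['method']!r}")
        if rule.get("path"):
            _check_regex(rule["path"], where, findings)
        else:
            findings.append(f"{where}: path is required")
    for i, entry in enumerate(scan.get("hotstart") or []):
        if re.match(r"^[A-Z]+ \S+ HTTP/", entry):  # cURL/GraphQL/URL entries are not checked
            _check_raw_http(entry, f"hotstart[{i}]", findings)
    for name, sc in (scan.get("scalars") or {}).items():
        where = f"scalars.{name}"
        if not sc.get("parents"):
            findings.append(f"{where}: parents is required")
        for parent in sc.get("parents") or []:
            if parent not in PARENTS:
                findings.append(f"{where}: unknown parent {parent!r}")
        if sc.get("strategy", "key_or_value") not in STRATEGIES:
            findings.append(f"{where}: unknown strategy {sc['strategy']!r}")
        if sc.get("sensitivity", "NONE") not in SENSITIVITIES:
            findings.append(f"{where}: unknown sensitivity {sc['sensitivity']!r}")
        for pattern in sc.get("patterns") or []:
            _check_regex(pattern, f"{where}.patterns", findings)
        if sc.get("entropy") is not None and not isinstance(sc["entropy"], (int, float)):
            findings.append(f"{where}: entropy must be a number")
    return findings


if __name__ == "__main__":
    for finding in lint_scan_params(EXAMPLE_SCAN):
        print(finding)
```

Run against the sample, the linter reports only the two Content-Length mismatches; the `read_only` check is deliberately a finding rather than an error, since read-write mode is the documented default for development environments and only a problem when the target is production.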
## Client Parameters

### Example

Here is an example of a ClientParams object:
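The example fragment below is added here and is not taken from Escape's documentation: the `client:` top-level key and every value are assumptions chosen to show the fields listed in the ClientParams table.

```yaml
client:                         # top-level key is an assumption
  discret_mode: true
  max_requests: 5000
  proxy_id: "internal-proxy-1"  # assumed identifier
  request_timeout: 30           # seconds
  requests_per_minute: 600
  user_agent: "escape-dast-scan"
  x_tracing_header: "X-Scan-Trace"
```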
### ClientParams

Property | Type | Default | Description |
---|---|---|---|
discret_mode | boolean | null | |
max_requests | integer | null | |
proxy_id | string | null | |
request_timeout | integer | null | The maximum timeout duration for each request (in seconds). See more in the dedicated documentation section. |
requests_per_minute | integer | null | The maximum number of requests per minute, enforced over a per-second window. |
user_agent | string | null | |
x_tracing_header | string | null | |