Reference
Scan Parameters
Example
Here is an example of a ScanParams object:
scan:
blacklist:
routes:
- path: "/a/path/to/blacklist"
method: GET
- path: "/another/path/to/blacklist"
method: POST
hotstart:
- |-
POST /register HTTP/1.1
Host: example.com
Content-Type: application/json
Content-Length: 194
{"my": "data"}
- |+
GET /users HTTP/1.1
Host: example.com
Content-Type: application/json
Content-Length: 194
profile: surface | cicd | default | deep | unrestricted
read_only: true | false
scalars:
SSET:
description: The Super Secret Example Token is internal to our company and should
never been exposed by any APIs.
examples:
- SSET-ABC12
names:
- SSET
- super_secret_example_token
- SuperSecretExampleToken
parents:
- String
patterns:
- SSET-[A-Z0-9]{5}
sensitivity: HIGH
detection: key_or_value_strict
entropy: 2
BlackListParams
| Property | Type | Required | Description | Reference |
|---|---|---|---|---|
| routes | BlacklistRouteRule | False | BlacklistRouteRule | |
| query | string | False | ||
| mutation | string | False | ||
| subscription | string | False | ||
| objects | string | False |
BlacklistRouteRule
| Property | Type | Required | Description | Reference |
|---|---|---|---|---|
| method | string | False | The method is an HTTP method (GET, POST, PUT, DELETE, etc.). | |
| path | string | False | The path is a valid OpenAPI path. |
ScanParams
| Property | Type | Required | Description | Reference |
|---|---|---|---|---|
| profile | ScanProfile | False | The scan profile | ScanProfile |
| read_only | boolean | False | The choosen mode for the tested API. Default mode is read-write and suited to development environment. The read_only mode is safe for production environments, but will reduce the number of tests performed and the scan coverage.. | |
| hotstart | string | False | Raw queries to hotstart the API exploration. | |
| whitelist | string | False | Whitelisted raw queries to explore the API. | |
| blacklist | BlackListParams | False | The operations that will be skipped by security tests. See more in the dedicated documentation section.. | BlackListParams |
| scalars | Dict[string, CustomScalarParams] | False | The user's defined scalars. | CustomScalarParams |
ScanProfile
surfacecicddefaultdeepunrestricted
Client Parameters
Example
Here is an example of a ClientParams object:
client:
concurrent_connection: 64
concurrent_tasks: 8
proxy:
type: escape | http | repeater
request_timeout: 5
requests_per_minute: 50 * 60
ClientParams
| Property | Type | Required | Description | Reference |
|---|---|---|---|---|
| request_timeout | integer | False | The maximum timeout duration for each request (in seconds). See more in the dedicated documentation section. | |
| concurrent_connection | integer | False | The maximum size of the connections pool. | |
| concurrent_tasks | integer | False | The maximum number of parallel tasks. | |
| requests_per_minute | integer | False | The maximum number of request per minute. Which will be used on a per second window. | |
| proxy | RepeaterProxyType HTTPProxyType EscapeProxyType | False | The Proxy to use for the requests. See more in the Scan Internal APIs documentation section. |