
API Discovery Overview

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

This feature is available with Invicti API Security Standalone or Bundle

API Discovery helps build an accurate and complete inventory of an organization's internal and external API assets by discovering existing and new APIs. Once discovered, those API specification files can be plugged into Invicti's DAST engine and scanned for vulnerabilities.

This document provides an overview of the API Discovery capability in Invicti Enterprise.

PREREQUISITES:

  • Access to API Discovery in Invicti Enterprise requires either an Account Administrator role or the View API Inventory permission added to a new or existing role.
  • API Discovery in Invicti Enterprise On-Premises prerequisites:

What is API Discovery?

API Discovery helps AppSec leaders and development teams identify, locate, manage, and keep track of their organization's APIs, including unknown APIs. This is achieved by building an API inventory with the help of fast and easy-to-use tools that also enable you to keep up to date with the latest versions of your APIs and discover new endpoints. When combined with Invicti's powerful web asset scanning capabilities, API Discovery helps you overcome the operational challenges of API security through a single platform.

How does API Discovery work?

Invicti takes a multi-faceted approach to API discovery by offering three methods that can be combined to identify and fetch API endpoints:

  • Network API Discovery: The Invicti Network Traffic Analyzer observes the traffic on your network to identify and then reconstruct REST API calls into OpenAPI3 specifications.
  • API Management Integration: Invicti Enterprise integrates with API management systems to fetch and sync your known Swagger2 and OpenAPI3 specifications.
  • Zero Configuration API Discovery: Scans your existing cloud targets for open ports and accessible paths to identify and retrieve Swagger2 and OpenAPI3 specifications.

Continue reading to learn more about each of these approaches to API discovery.

Network API Discovery

Network API Discovery helps you identify missing and undocumented (shadow) APIs by tapping into and analyzing your organization's available Kubernetes network interfaces. This is achieved by deploying the Invicti Network Traffic Analyzer (NTA) to your Kubernetes cluster. The NTA includes a tap plugin that identifies API-specific unencrypted web traffic, which is converted to telemetry messages and sent to the NTA for reconstruction into OpenAPI3 specs. Those reconstructed OpenAPI3 specs are then pushed to your API Inventory in Invicti Enterprise.

NOTE: The Invicti NTA needs to find at least three endpoints on the same host in order to reconstruct and push an OpenAPI3 specification file to your API Inventory.
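To make the reconstruction step concrete, here is an added illustration (not Invicti's NTA code, and not its actual telemetry format) that groups constructed request telemetry by host, normalizes numeric path segments into path parameters, and emits an OpenAPI3 document only for hosts where at least three distinct endpoints were observed. The record fields, the `{id}` normalization rule, and counting "endpoints" as distinct normalized paths are assumptions made for this example.

```python
import json
from collections import defaultdict

# Constructed sample telemetry (not real NTA output): one record per observed
# unencrypted HTTP request, as a tap plugin might report it.
TELEMETRY = [
    {"host": "orders.internal", "method": "GET",  "path": "/v1/orders",    "status": 200},
    {"host": "orders.internal", "method": "POST", "path": "/v1/orders",    "status": 201},
    {"host": "orders.internal", "method": "GET",  "path": "/v1/orders/42", "status": 200},
    {"host": "orders.internal", "method": "GET",  "path": "/v1/orders/7",  "status": 404},
    {"host": "orders.internal", "method": "GET",  "path": "/v1/customers", "status": 200},
    {"host": "legacy.internal", "method": "GET",  "path": "/health",       "status": 200},
]

MIN_ENDPOINTS = 3  # a spec is produced only when a host shows >= 3 endpoints


def normalize_path(path):
    """Collapse purely numeric segments into a single OpenAPI path parameter
    so /v1/orders/42 and /v1/orders/7 count as one endpoint (assumed rule)."""
    parts = ["{id}" if seg.isdigit() else seg for seg in path.strip("/").split("/")]
    return "/" + "/".join(parts)


def reconstruct(records):
    """Group observed calls per host and build one OpenAPI3 document per host
    that reached the endpoint threshold. Returns {host: spec_dict}."""
    per_host = defaultdict(lambda: defaultdict(dict))  # host -> path -> method -> op
    for r in records:
        path = normalize_path(r["path"])
        op = per_host[r["host"]][path].setdefault(r["method"].lower(), {"responses": {}})
        op["responses"][str(r["status"])] = {"description": "observed"}
    specs = {}
    for host, paths in per_host.items():
        if len(paths) < MIN_ENDPOINTS:
            continue  # too few distinct endpoints: nothing is pushed for this host
        for path, ops in paths.items():
            if "{id}" in path:  # declare the parameter the normalizer introduced
                ops["parameters"] = [{"name": "id", "in": "path", "required": True,
                                      "schema": {"type": "string"}}]
        specs[host] = {
            "openapi": "3.0.3",
            "info": {"title": host, "version": "discovered"},
            "servers": [{"url": "http://" + host}],
            "paths": dict(paths),
        }
    return specs


if __name__ == "__main__":
    print(json.dumps(reconstruct(TELEMETRY), indent=2))
```

Running it prints a spec for `orders.internal` only; `legacy.internal` exposed a single endpoint and is dropped, mirroring the threshold in the note above.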

To learn how to set up network API discovery, refer to Installing the Invicti Network Traffic Analyzer. For more information, refer to our Network Traffic Analyzer: Tap Plugin FAQs.

API Management Integration

Invicti Enterprise integrates with Amazon API Gateway, Apigee API hub, Azure API Management, Kong Konnect, and MuleSoft Anypoint Exchange to retrieve and import your known Swagger2 and OpenAPI3 specifications to the API Inventory. Once set up, these integrations automatically sync every 24 hours, ensuring you always have your organization's latest API specs in your Invicti Enterprise API Inventory.

For information on how to set up an API Management integration, refer to the following documentation:

Zero Configuration Discovery

Using your existing cloud targets in Invicti Enterprise, zero configuration discovery builds your API inventory by identifying, validating, and retrieving APIs that are exposed over HTTP(S). This is the quickest way to onboard existing APIs into your Invicti Enterprise API Inventory. Currently, zero configuration discovery only checks for Swagger2 and OpenAPI3 specifications. For more information, refer to our documentation: Getting Started with Zero Configuration API Discovery.

What is the API Inventory?

The API Inventory is the area within Invicti Enterprise API Discovery that contains all your discovered and imported APIs. This is a list of all the API endpoints that can be scanned for vulnerabilities by linking the API specification files to an existing or newly created target.

On the API Inventory page you can view:

  • API: The name/URL of each API.
  • Source: How the API was discovered or imported (for example, via an integration, Invicti NTA, or zero-config crawling).
  • Linked target: Whether the API is linked to a target for scanning capability.
  • Scan profile: The selected scan profile for APIs that are linked to a target.
  • Vulnerabilities: The overall vulnerability count for the API (after it has been scanned).
  • Last Scanned: The date and time that the API was last scanned by Invicti Enterprise.

Each API listed in your API Inventory can be expanded to show the individual endpoints it contains and their vulnerability count. For more information refer to the following documentation: