
API types and specification formats

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

Invicti Enterprise offers API discovery and vulnerability testing on a single platform. API discovery is part of Invicti's API Security product, which helps companies proactively address API-related risks by using the Invicti DAST scanner to scan known and discovered API specifications for vulnerabilities.

This document lists the API types and specification formats that Invicti Enterprise can discover and scan.

NOTE: API Discovery is available with Invicti API Security Standalone or Bundle.

API Discovery

Invicti Enterprise can discover the following API types and specification formats:

  • REST APIs: OpenAPI3 and Swagger2 (the Mulesoft Anypoint Exchange integration can also discover RAML files)

After discovering your OpenAPI3 and Swagger2 specification files, you can easily link them to existing or new targets in Invicti Enterprise so they will be scanned for vulnerabilities the next time the linked target is scanned. For more information about API discovery and how it works in Invicti Enterprise, refer to API Discovery Overview.

API Scanning

Invicti Enterprise can scan the following API types and specification formats:

  • REST APIs: OpenAPI3, Swagger2, RAML, WADL, Postman collection, and WordPress REST API
  • SOAP: WSDL
  • GraphQL: .graphql
  • gRPC: protobuf

To scan any of these API files for vulnerabilities, upload the file in the scan settings, or provide its URL if the file is hosted. For more information about API scanning, refer to Overview of Scanning APIs.
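Before uploading or linking a specification it helps to know which of the formats listed above a given file actually is, and therefore whether it falls under API discovery (OpenAPI3 and Swagger2 only) or under the wider API scanning set. The following added example is not Invicti's code and is not part of this page; it is a small heuristic classifier that recognizes each file-based format from its signature (the `openapi`/`swagger` keys, the `#%RAML` header, the WADL/WSDL XML root elements, the Postman `info.schema` URL, GraphQL SDL type definitions and the protobuf `syntax` line) and maps the result to the discovery and scanning lists in the sections above. The sample documents, function names and format labels are constructed for the example. The WordPress REST API is identified by the target site rather than by a specification file, so it is not covered here.

```python
"""Identify an API specification's format and which Invicti capability applies.

Added example (not Invicti's own code). The format labels, sample documents
and function names below are constructed for illustration.
"""
import json
import re

# Format sets as listed on the page: discovery covers OpenAPI3 and Swagger2,
# scanning covers those plus RAML, WADL, Postman, WSDL, GraphQL and protobuf.
DISCOVERABLE = {"openapi3", "swagger2"}
SCANNABLE = DISCOVERABLE | {"raml", "wadl", "postman", "wsdl", "graphql", "protobuf"}


def _load_json_object(text):
    """Return the parsed JSON object if text is a JSON object, else None."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    return doc if isinstance(doc, dict) else None


def detect_spec_format(text):
    """Return one of the SCANNABLE labels for the given file content, or None."""
    body = text.lstrip()
    doc = _load_json_object(body)
    if doc is not None:
        # JSON specs: the top-level keys are definitive.
        if str(doc.get("openapi", "")).startswith("3"):
            return "openapi3"
        if str(doc.get("swagger", "")) == "2.0":
            return "swagger2"
        info = doc.get("info", {})
        if isinstance(info, dict) and "getpostman.com" in str(info.get("schema", "")):
            return "postman"
        return None
    # RAML files begin with a fixed header line.
    if body.startswith("#%RAML"):
        return "raml"
    # XML specs: distinguish WADL (<application> in the WADL namespace)
    # from WSDL (<definitions> in the WSDL namespace).
    if body.startswith("<"):
        head = body[:2000].lower()
        if "wadl" in head and "<application" in body:
            return "wadl"
        if "wsdl" in head and re.search(r"<(\w+:)?definitions\b", body):
            return "wsdl"
        return None
    # YAML specs: look for the version key at the start of a line.
    if re.search(r"^openapi:\s*['\"]?3\.", body, re.M):
        return "openapi3"
    if re.search(r"^swagger:\s*['\"]?2\.0", body, re.M):
        return "swagger2"
    # protobuf files declare their syntax; check before GraphQL because both
    # use brace-delimited blocks.
    if re.search(r'^syntax\s*=\s*"proto[23]"\s*;', body, re.M):
        return "protobuf"
    # GraphQL SDL: a type-system definition opening a block.
    if re.search(r"^\s*(type|interface|enum|input|schema|union)\b[^\n]*\{", body, re.M):
        return "graphql"
    return None


def capabilities(fmt):
    """Return which Invicti capabilities apply to a detected format."""
    caps = []
    if fmt in DISCOVERABLE:
        caps.append("discovery")
    if fmt in SCANNABLE:
        caps.append("scanning")
    return tuple(caps)


# Constructed minimal sample documents, one per file-based format on the page.
SAMPLES = {
    "openapi.yaml": "openapi: 3.0.3\ninfo:\n  title: Demo\n  version: '1'\npaths: {}\n",
    "swagger.json": json.dumps({"swagger": "2.0", "info": {"title": "Demo", "version": "1"}, "paths": {}}),
    "api.raml": "#%RAML 1.0\ntitle: Demo\n",
    "api.wadl": '<?xml version="1.0"?>\n<application xmlns="http://wadl.dev.java.net/2009/02"></application>',
    "service.wsdl": '<?xml version="1.0"?>\n<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"></wsdl:definitions>',
    "collection.json": json.dumps({"info": {"name": "Demo", "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"}, "item": []}),
    "schema.graphql": "type Query {\n  ping: String\n}\n",
    "service.proto": 'syntax = "proto3";\npackage demo;\nservice Ping { rpc Check (Req) returns (Resp); }\n',
}


def classify_samples(samples=SAMPLES):
    """Map each sample file name to (detected format, applicable capabilities)."""
    result = {}
    for name, content in samples.items():
        fmt = detect_spec_format(content)
        result[name] = (fmt, capabilities(fmt))
    return result


if __name__ == "__main__":
    for name, (fmt, caps) in classify_samples().items():
        print(f"{name:18} {fmt!s:10} {', '.join(caps) or 'not supported'}")
```

Run the script to see each sample mapped to its format and to the workflow it belongs to; feeding it a real specification file's contents tells you whether it can only be linked for scanning or can also be found through API discovery.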

NOTE: Development work on Invicti API Security is ongoing to increase the API discovery and scanning capabilities with more API types and specification formats.