Overview

Overview of scanning APIs

This document is for:

Invicti Platform

Invicti Platform can scan Application Programming Interfaces (APIs). When most people think of web security, they think of testing websites and web applications. However, over 80% of web traffic is actually sent through web APIs. Invicti Platform is a web vulnerability solution for securing your APIs, web applications, websites, and more.

Scanning APIs with Invicti Platform

APIs and web applications use the same language and technologies, which means they are also prone to the same types of security risks and attacks, such as SQL injection attacks. Since APIs are discrete endpoints, scanners need to know how to find them to test their security. Invicti Platform offers API scanning through the import or linking of API specification files.

Specifically, you can use the Invicti Platform to identify vulnerabilities in your SOAP, REST, and GraphQL APIs. The scan results will offer remedies to fix the identified vulnerabilities in the same way that you view scan results for your web applications and websites.

Scanning APIs in production

Scanning production APIs should be conducted with care. Some scanning methods may result in data deletion. We recommend you:

Carefully consider the permissions (authentication) you provide and which methods (PUT, POST, DELETE) are used.
Manually exclude API operations (methods with endpoints) from the uploaded/linked file to prevent destroying or making undesirable changes to the production application.

Scanning authenticated APIs

Invicti Platform also supports scanning APIs that require authentication. The available authentication methods are all configured via the target settings page. These include authentication via API Key, Bearer Token, JWT Token, Basic Authentication, and Oauth 2.0.