Overview of scanning APIs
Invicti Platform can scan Application Programming Interfaces (APIs). When most people think of web security, they think of testing websites and web applications. However, over 80% of web traffic is actually sent through web APIs. Invicti Platform is a web vulnerability solution for securing your APIs, web applications, websites, and more.
Scanning APIs with Invicti Platform
APIs and web applications use the same language and technologies, which means they are also prone to the same types of security risks and attacks, such as SQL injection attacks. Since APIs are discrete endpoints, scanners need to know how to find them to test their security. Invicti Platform offers API scanning through the import or linking of API specification files.
Specifically, you can use Invicti Platform to identify vulnerabilities in your SOAP, REST, and GraphQL APIs. The scan results offer remediation guidance for the identified vulnerabilities, presented in the same way as the scan results for your web applications and websites.
Scanning APIs in production
Scanning production APIs should be conducted with care. Some scanning methods may result in data deletion. We recommend you:
Scanning authenticated APIs
Invicti Platform also supports scanning APIs that require authentication. All available authentication methods are configured on the target settings page. These include authentication via API Key, Bearer Token, JWT Token, Basic Authentication, and OAuth 2.0.