Overview of Scanning APIs

This document is for:
Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

Invicti Enterprise and Invicti Standard can scan web applications that expose Application Programming Interfaces (APIs).

  • When most people think of web security, they think about testing websites and web applications. Over 80% of web traffic, however, is sent through web APIs.
  • Attackers have followed that traffic. According to Salt Security's report, for example, its customers experienced an average of 12.22 million attack calls per month by June 2021.
  • These attacks are expected to keep growing. Gartner's report How to Build an Effective API Security Strategy predicted that APIs would become the number one attack vector in 2022.

Challenges to scanning APIs

Despite these warnings and the growing volume of attacks, securing APIs remains a challenge for the following reasons:

  • There is no single, clear standard for building APIs free of vulnerabilities. To secure an API, its own business logic has to be understood, not just its transport.
  • APIs are built with the same languages and technologies as web applications, so they are prone to the same classes of security risks, for example SQL injection. Unlike a website, however, an API consists of discrete endpoints that expose no links for a crawler to follow. If a scanner cannot discover those endpoints, through a definition or an imported list of requests, it cannot test them at all.
  • The fast pace of development means APIs change constantly, so an endpoint that was tested last month may have new parameters or new operations today. Keeping coverage in step with that pace is itself a security challenge.

Invicti is an advanced black-box security scanner: it scans websites, web applications, and web services, and identifies security flaws in them. Because it tests the running application rather than its source code, it works on any platform and any implementation language. This lets Invicti identify vulnerabilities in your APIs and offer remediation guidance for them.

Scanning APIs with Invicti

You can use Invicti to identify vulnerabilities in gRPC, SOAP, REST, and GraphQL APIs. Each API type is covered in its own topic.

Using Postman or Fiddler? Invicti can import the requests captured or defined in such tools so that the endpoints they describe are included in the security scan. For further information, see Importing Links and API Definitions and Importing links from supported tools.
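The two ideas above, that a crawler finds nothing to follow in API responses and that an imported API definition supplies the endpoints instead, are illustrated by the following added example. It is not Invicti's code and says nothing about which definition formats Invicti imports; it mimics two steps any black-box scanner performs: harvesting links from HTTP responses, and enumerating operations and their parameters from an API definition. The HTML page, the JSON API response and the OpenAPI 3 fragment are all constructed sample input.

```python
"""Why API endpoints are invisible to link crawling, and how a definition fills the gap.

Added illustration, not Invicti's code. SAMPLE_HTML, SAMPLE_JSON and
SAMPLE_OPENAPI are constructed inputs; the OpenAPI shape is the public
OpenAPI 3 layout (paths -> method -> operation -> parameters).
"""
import json
from html.parser import HTMLParser


class LinkCollector(HTMLParser):
    """Collect href/src/action targets the way a crawler would."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def crawl_links(content_type, body):
    """Return the links a crawler can follow from one HTTP response.

    HTML yields anchors, forms and resources. A JSON API response is data,
    not navigation, so crawling yields nothing even if the API has dozens
    of further endpoints.
    """
    if content_type.lower().startswith("text/html"):
        collector = LinkCollector()
        collector.feed(body)
        return collector.links
    return []


def endpoints_from_openapi(spec):
    """Enumerate (METHOD, path, [(name, location), ...]) from an OpenAPI 3 document.

    Parameters declared at path level apply to every operation under that
    path; operation-level parameters are added and override a path-level
    entry with the same name and location. The result is the attack surface
    a scanner would need in order to exercise each operation.
    """
    http_methods = {"get", "put", "post", "delete", "patch", "head", "options"}
    endpoints = []
    for path, item in spec.get("paths", {}).items():
        shared = {(p["name"], p["in"]): p for p in item.get("parameters", [])}
        for method, op in item.items():
            if method.lower() not in http_methods:
                continue  # skip "parameters", "summary" and other non-operation keys
            params = dict(shared)
            for p in op.get("parameters", []):
                params[(p["name"], p["in"])] = p
            endpoints.append((method.upper(), path, sorted(params)))
    return endpoints


# Constructed HTML page: a crawler finds three things to follow.
SAMPLE_HTML = """<html><body>
<a href="/products">Catalogue</a>
<form action="/login" method="post"><input name="user"></form>
<img src="/static/logo.png">
</body></html>"""

# Constructed JSON API response: data only, nothing to follow.
SAMPLE_JSON = json.dumps({"id": 42, "name": "widget", "price": 9.99})

# Constructed OpenAPI 3 fragment describing endpoints the crawler never sees.
SAMPLE_OPENAPI = {
    "openapi": "3.0.0",
    "paths": {
        "/api/products": {
            "get": {"parameters": [{"name": "q", "in": "query", "schema": {"type": "string"}}]},
            "post": {"requestBody": {"content": {"application/json": {}}}},
        },
        "/api/products/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {},
            "delete": {"parameters": [{"name": "X-Confirm", "in": "header"}]},
        },
    },
}

if __name__ == "__main__":
    print("links from HTML:", crawl_links("text/html; charset=utf-8", SAMPLE_HTML))
    print("links from JSON:", crawl_links("application/json", SAMPLE_JSON))
    for method, path, params in endpoints_from_openapi(SAMPLE_OPENAPI):
        print(f"{method:6} {path:22} params={params}")
```

Run as a script, the crawl of the HTML page returns three targets, the crawl of the JSON response returns none, and the definition yields four testable operations including the path parameter `id` inherited by both operations under `/api/products/{id}`. That difference is exactly why an API scan needs a definition or an imported request list rather than a crawl.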