
Getting Started with Zero Configuration API Discovery

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

This feature is available with Invicti API Security Standalone or Bundle

Zero configuration API discovery provides a fast and efficient method for finding and adding existing Swagger2 and OpenAPI3 specification files to your Invicti Enterprise API Inventory.

This document explains how our zero-config API discovery service works and how you can use it to build your API inventory by checking your existing cloud targets for APIs.

PREREQUISITES:

  • Access to API Discovery in Invicti Enterprise requires either an Account Administrator role or the View API Inventory permission added to a new or existing role.
  • API Discovery in Invicti Enterprise On-Premises prerequisites:

How does zero configuration API discovery work?

Zero configuration API discovery checks your existing cloud targets for open ports and accessible paths to identify and retrieve Swagger2 and OpenAPI3 specifications. It then validates the type and format of each specification file before adding it to your API Inventory in Invicti Enterprise.

How to build your API Inventory from existing targets

Follow the steps below to enable zero configuration discovery so it can begin checking your existing cloud targets for APIs and adding discovered API specs to your API Inventory.

  1. Log in to Invicti Enterprise.
  2. Select APIs > Sources from the left-side menu.
  3. Click Yes next to Allow Invicti to discover APIs from targets.

Zero configuration API discovery is now enabled and will immediately start checking your existing cloud targets for APIs. After the initial check, zero configuration discovery checks your cloud targets for new APIs every 48 hours.

What happens when APIs are discovered?

When any Swagger2 or OpenAPI3 specification files are identified and retrieved, these will appear on the API Inventory page in Invicti Enterprise. From the API Inventory, you can link each discovered API to a target, which will ensure the API is always scanned whenever the linked target is scanned by Invicti Enterprise. For instructions on how to do this, refer to our documentation on linking and unlinking discovered APIs to targets.

NOTE: If you later disable zero configuration API discovery, any APIs that have already been discovered will remain in your API Inventory. However, the API definitions will no longer be kept up-to-date.

Frequently Asked Questions

This section provides answers to some common questions about zero configuration API discovery in Invicti Enterprise.

Does it work independently from a scan?

Zero configuration discovery works independently from security scanning a target. It checks your cloud targets for open ports and paths where APIs may be located. It does not scan for vulnerabilities.

Is it leveraging the agent to discover APIs?

Yes, zero configuration discovery uses the cloud agent to check your existing cloud targets.

Can I specify which targets are checked?

Zero configuration discovery checks all the cloud targets you have added to Invicti Enterprise. Currently, it is not possible to select specific targets when running zero configuration discovery.

Does it work with internal and external targets?

Targets that use cloud agents are checked.

Which ports and paths are checked?

Zero configuration API discovery checks ports: 80, 81, 443, 3000, 5000, 7000, 8000, 8008, 8080, 8081, 8083, 8088, 8090, 8181, 8443, and 8888.

For each open port, we check a large set of common paths where OpenAPI3 and Swagger2 API specs are typically located. For example, <targetURL>/api/v1/swagger.json.

How do I know which APIs were discovered by Invicti?

When API specifications are added to the API Inventory, each file is labeled with its source. APIs that have been identified and retrieved by zero configuration API discovery have the source label: Discovered by Invicti.

What data is collected?

Zero configuration API discovery only collects the endpoints of discovered OpenAPI3 and Swagger2 APIs, which are reported to the API Inventory. Invicti does not save any information about the requests and responses used to identify the APIs. That data is parsed and analyzed but not saved.
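To make the two steps described above concrete (validating the type and format of a retrieved specification file, and keeping only its endpoint list rather than the document itself), here is an added example in Python. It is not Invicti's code and does not reflect how the product is implemented; it assumes JSON-encoded specifications (the `swagger.json` style path mentioned in this document; YAML is not handled), performs only a minimal subset of the structural checks a full validator would, and uses sample documents constructed inline so it runs offline.

```python
import json
from typing import Dict, List, Optional, Tuple

# HTTP operations that may appear under a path item in both spec versions.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def classify_spec(doc: object) -> Optional[str]:
    """Return 'swagger2', 'openapi3', or None if this is not a recognisable spec.

    Classification is by the version field only; a JSON document that merely
    happens to contain a 'paths' key (e.g. a generic API response) is rejected.
    """
    if not isinstance(doc, dict):
        return None
    swagger = doc.get("swagger")
    if isinstance(swagger, str) and swagger.startswith("2."):
        return "swagger2"
    openapi = doc.get("openapi")
    if isinstance(openapi, str) and openapi.startswith("3."):
        return "openapi3"
    return None


def validate_structure(doc: Dict) -> List[str]:
    """Minimal format check shared by both versions: required info fields and a paths object.

    Returns a list of problems; an empty list means the document passed.
    (Assumption: a real validator checks far more than this.)
    """
    problems: List[str] = []
    info = doc.get("info")
    if not isinstance(info, dict) or "title" not in info or "version" not in info:
        problems.append("missing info.title or info.version")
    if not isinstance(doc.get("paths"), dict):
        problems.append("missing paths object")
    return problems


def extract_endpoints(doc: Dict) -> List[Tuple[str, str]]:
    """Return sorted (METHOD, path) pairs. Only these are retained for the inventory;
    request/response bodies, schemas and examples in the document are discarded."""
    endpoints: List[Tuple[str, str]] = []
    paths = doc.get("paths")
    if not isinstance(paths, dict):
        return endpoints
    for path, item in paths.items():
        if not isinstance(item, dict):
            continue
        for key in item:  # keys like 'parameters' or 'summary' are not operations
            if key.lower() in HTTP_METHODS:
                endpoints.append((key.upper(), path))
    return sorted(endpoints)


def inventory_from_text(raw: str) -> Optional[Dict]:
    """Process one retrieved response body.

    Returns None when the body is not JSON or not a Swagger2/OpenAPI3 document;
    otherwise returns the spec type, title, structural problems and endpoint list.
    """
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return None  # HTML error pages, redirects to login forms, etc. land here
    kind = classify_spec(doc)
    if kind is None:
        return None
    problems = validate_structure(doc)
    info = doc.get("info") if isinstance(doc.get("info"), dict) else {}
    return {
        "type": kind,
        "title": info.get("title", ""),
        "problems": problems,
        "endpoints": extract_endpoints(doc) if not problems else [],
    }


# Constructed sample response bodies (not real retrieved data).
SWAGGER2_SAMPLE = json.dumps({
    "swagger": "2.0",
    "info": {"title": "Pet Store", "version": "1.0"},
    "paths": {"/pets": {"parameters": [], "get": {}, "post": {}}},
})
OPENAPI3_SAMPLE = json.dumps({
    "openapi": "3.0.1",
    "info": {"title": "Users", "version": "2"},
    "paths": {"/users/{id}": {"get": {}, "delete": {}}, "/health": {"get": {}}},
})
BROKEN_SPEC = json.dumps({"openapi": "3.0.1", "info": {"title": "x", "version": "1"}})
NOT_A_SPEC = json.dumps({"status": "ok", "paths": {"/x": {"get": {}}}})
HTML_PAGE = "<html><body>Login required</body></html>"

if __name__ == "__main__":
    for body in (SWAGGER2_SAMPLE, OPENAPI3_SAMPLE, BROKEN_SPEC, NOT_A_SPEC, HTML_PAGE):
        print(inventory_from_text(body))
```

Note that the classifier keys on the `swagger`/`openapi` version field rather than on the presence of `paths`, so ordinary JSON responses that happen to share a key name are not mistaken for specifications, and a document that declares a spec version but fails the structural check is reported with its problems rather than silently contributing endpoints.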

Are APIs found during a security scan added to the API Inventory?

APIs that are detected during a security scan of a target are not added to the API Inventory. Only APIs discovered by zero configuration discovery, or through one of the other API discovery sources, are added to the API Inventory.

How often does it check my targets for new APIs?

After the initial check when you first enable zero configuration discovery, it checks your cloud targets for new APIs every 48 hours (provided you keep zero configuration discovery enabled).