Web API scanning

HCL AppScan Enterprise is a scalable enterprise solution that allows organizations to manage their application security program for their web applications and web APIs. It features cutting-edge methods and techniques for identifying security vulnerabilities, helping to protect applications from the threat of cyber-attacks.

The HCL AppScan Enterprise Dynamic Analysis engine evaluates application security at runtime by attacking the application with techniques analogous to those used by real attackers. The test results include a rich set of data, ranging from an application inventory to detailed attack traffic that can be replayed for validation and for verifying a fix. This data can be examined and processed in the UI, or exported in various formats for sharing with other tools.

To scan a web API, AppScan Enterprise must be given the generated API traffic; it then uses this data to perform its tests automatically.

There are a few ways to provide AppScan Enterprise with the data for API scanning:

  • Record traffic using AppScan Dynamic Analysis Client (ADAC)
    • Using Postman or SoapUI integration
    • Using any other external client
  • Record traffic using AppScan Traffic Recorder
  • Scan using a Postman Collection
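The last option above hands the scanner a Postman Collection instead of recorded traffic. The following Python script is an added example, not code from the AppScan documentation or the product: it builds a small, constructed Postman Collection v2.1 export (the host, paths, folder and variable names are invented), walks its nested folders to list the endpoint inventory the scan would cover, and flags any request whose `Authorization` header carries a literal token rather than a `{{variable}}`. The second check matters in practice because a collection is uploaded to the scanner as a file, so credentials baked into it travel with that file; supplying them via collection variables or a separate login sequence recording keeps them out of the artifact.

```python
import json

# Constructed sample of a Postman Collection v2.1 export. All names, hosts and
# paths here are invented for this illustration; the hardcoded bearer value is
# a placeholder, not a real token.
SAMPLE_COLLECTION = {
    "info": {
        "name": "Orders API (constructed sample)",
        "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
    },
    "variable": [
        {"key": "baseUrl", "value": "https://api.example.test"},
        {"key": "token", "value": ""},  # filled in at scan time, not stored here
    ],
    "item": [
        {
            "name": "List orders",
            "request": {
                "method": "GET",
                "header": [{"key": "Authorization", "value": "Bearer {{token}}"}],
                "url": {"raw": "{{baseUrl}}/v1/orders", "host": ["{{baseUrl}}"], "path": ["v1", "orders"]},
            },
        },
        {
            "name": "Admin",  # a folder: Postman nests requests under "item"
            "item": [
                {
                    "name": "Delete order",
                    "request": {
                        "method": "DELETE",
                        # Literal credential: this is what the check below should catch.
                        "header": [{"key": "Authorization", "value": "Bearer PLACEHOLDER.hardcoded.token"}],
                        "url": {"raw": "{{baseUrl}}/v1/orders/42", "host": ["{{baseUrl}}"], "path": ["v1", "orders", "42"]},
                    },
                }
            ],
        },
    ],
}


def iter_requests(items, folder=""):
    """Walk the (possibly nested) item tree and yield (folder, name, request)."""
    for item in items:
        if "item" in item:  # folder entry: recurse into its children
            yield from iter_requests(item["item"], folder + item["name"] + "/")
        elif "request" in item:
            yield folder, item["name"], item["request"]


def request_path(request):
    """Return the URL path of a request; 'url' may be a dict or a plain string."""
    url = request.get("url", "")
    if isinstance(url, dict):
        if "path" in url:
            return "/" + "/".join(url["path"])
        url = url.get("raw", "")
    url = url.split("?", 1)[0]            # drop any query string
    if "://" in url:
        url = url.split("://", 1)[1]      # drop the scheme
    idx = url.find("/")                   # everything after the host (or {{var}} host)
    return url[idx:] if idx >= 0 else "/"


def inventory(collection):
    """List of unique 'METHOD /path' entries the scanner would cover."""
    entries = []
    for _, _, req in iter_requests(collection.get("item", [])):
        entry = f"{req.get('method', 'GET').upper()} {request_path(req)}"
        if entry not in entries:
            entries.append(entry)
    return entries


def hardcoded_credentials(collection):
    """Names (folder/name) of requests whose Authorization header is a literal value."""
    findings = []
    for folder, name, req in iter_requests(collection.get("item", [])):
        for header in req.get("header", []):
            if header.get("key", "").lower() != "authorization":
                continue
            if "{{" not in header.get("value", ""):
                findings.append(folder + name)
    return findings


if __name__ == "__main__":
    # Round-trip through JSON to mimic reading an exported collection file.
    collection = json.loads(json.dumps(SAMPLE_COLLECTION))
    print("Endpoints covered by the scan:")
    for entry in inventory(collection):
        print("  " + entry)
    for finding in hardcoded_credentials(collection):
        print(f"WARNING: literal credential in request '{finding}'; use a {{{{variable}}}} instead")
```

Running the script prints the two endpoints and one warning for the `Admin/Delete order` request. To apply it to a real export, replace `SAMPLE_COLLECTION` with `json.load(open("collection.json"))`; the walker handles arbitrarily deep folders and both dict and string forms of `url`.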

The recorded traffic can be uploaded to an AppScan Enterprise scan by using one of the following options:

For more information on the different methods used to capture and import traffic data, see Capturing and Importing Traffic Data.

When creating an API scan, if the site requires authentication, it is recommended that you also provide a login sequence recording.

A login sequence can be recorded in the following ways, similar to recording traffic: