API Discovery Overview
This feature is available with Invicti API Security Standalone or Bundle
API Discovery helps build an actual and complete inventory of an organization's internal and external API assets by discovering existing and new APIs. Once discovered, those API specification files can be plugged into Acunetix 360's DAST engine and scanned for vulnerabilities.
This document provides an overview of the API Discovery capability in Acunetix 360.
PREREQUISITES:
|
What is API Discovery?
API Discovery helps AppSec leaders and development teams identify, locate, manage, and keep track of their organization's APIs, including unknown APIs. This is achieved by building an API inventory with the help of fast and easy-to-use tools that also enable you to keep up to date with the latest versions of your APIs and discover new endpoints. When combined with Invicti's powerful web asset scanning capabilities, API Discovery helps you overcome the operational challenges of API security through a single platform.
How does API Discovery work?
Invicti takes a multi-faceted approach to API discovery by offering three methods that can be combined to identify and fetch API endpoints:
- Network API Discovery: The Invicti Network Traffic Analyzer observes the traffic on your network to identify and then reconstruct REST API calls into OpenAPI3 specifications.
- API Management Integration: Acunetix 360 integrates with API management systems to fetch and sync your known Swagger2 and OpenAPI3 specifications.
- Zero Configuration API Discovery: Scans your existing cloud targets for open ports and accessible paths to identify and retrieve Swagger2 and OpenAPI3 specifications.
Continue reading to learn more about each of these approaches to API discovery.
Network API Discovery
Network API Discovery helps you identify missing and undocumented (shadow) APIs by tapping into and analyzing your organization's available Kubernetes network interfaces. This is achieved by deploying the Invicti Network Traffic Analyzer (NTA) to your Kubernetes cluster. The NTA includes a tap plugin that identifies API-specific unencrypted web traffic, which are converted to telemetry messages and sent to the NTA for reconstruction into OpenAPI3 specs. Those reconstructed OpenAPI3 specs are then pushed to your API Inventory in Acunetix 360.
NOTE: The Invicti NTA needs to find at least three endpoints on the same host in order to reconstruct and push an Open API3 specification file to your API Inventory. |
To learn how to set up network API discovery, refer to Installing the Invicti Network Traffic Analyzer. For more information, refer to our Network Traffic Analyzer: Tap Plugin FAQs.
API Management Integration
Acunetix 360 integrates with Amazon API Gateway, Apigee API hub, Azure API Management, and MuleSoft Anypoint Exchange to retrieve and import your known Swagger2 and OpenAPI3 specifications to the API Inventory. Once set up, these integrations automatically sync every 24 hours, ensuring you always have your organization's latest API specs in your Acunetix 360 API Inventory.
For information on how to set up an API Management integration, refer to the following documentation:
- Integrating with Amazon API Gateway
- Integrating with Apigee API hub
- Integrating with Azure API Management
- Integrating MuleSoft Anypoint Exchange with Acunetix 360 (On-Demand)
- Integrating MuleSoft Anypoint Exchange with Acunetix 360 (On-Premises)
Zero Configuration Discovery
Using your existing cloud targets in Acunetix 360, zero configuration discovery builds your API inventory by identifying, validating, and retrieving APIs that are exposed over HTTP(S). This is the quickest way to onboard existing APIs into your Acunetix 360 API Inventory. Currently, zero configuration discovery only checks for Swagger2 and OpenAPI3 specifications. For more information, refer to our documentation: Getting Started with Zero Configuration API Discovery.
What is the API Inventory?
The API Inventory is the area within Acunetix 360 API Discovery that contains all your discovered and imported APIs. This is a list of all the API endpoints that can be scanned for vulnerabilities by linking the API specification files to an existing or newly created target.
On the API Inventory page you can view:
- API: The name/URL of each API.
- Source: How the API was discovered or imported (for example, via an integration, Invicti NTA, or zero-config crawling).
- Linked target: Whether the API is linked to a target for scanning capability.
- Scan profile: The selected scan profile for APIs that are linked to a target.
- Vulnerabilities: The overall vulnerability count for the API (after it has been scanned).
- Last Scanned: The date and time that the API was last scanned by Acunetix 360.
Each API listed in your API Inventory can be expanded to show the individual endpoints it contains and their vulnerability count. For more information about managing your API Inventory, refer to the following documentation: