API Discovery Overview
This feature is available with Invicti API Security Standalone or Bundle
API Discovery helps build an accurate and complete inventory of an organization's internal and external API assets by discovering existing and new APIs. Once discovered, those API specification files can be plugged into Acunetix's DAST engine and scanned for vulnerabilities.
This document provides an overview of the API Discovery capability in Acunetix.
PREREQUISITES:
What is API Discovery?
API Discovery helps AppSec leaders and development teams identify, locate, manage, and keep track of their organization's APIs, including unknown APIs. This is achieved by building an API inventory with the help of fast and easy-to-use tools that also enable you to keep up to date with the latest versions of your APIs and discover new endpoints. When combined with Acunetix's powerful web asset scanning capabilities, API Discovery helps you overcome the operational challenges of API security through a single platform.
How does API Discovery work?
Acunetix takes a multi-faceted approach to API discovery by offering three methods that can be combined to identify and fetch API endpoints:
- Network API Discovery: The Invicti Network Traffic Analyzer observes the traffic on your network to identify and then reconstruct REST API calls into OpenAPI3 specifications.
- API Management Integration: Acunetix integrates with API management systems to fetch and sync your known Swagger2 and OpenAPI3 specifications.
- Zero Configuration API Discovery: Scans your existing cloud targets for open ports and accessible paths to identify and retrieve Swagger2 and OpenAPI3 specifications.
Continue reading to learn more about each of these approaches to API discovery.
Network API Discovery
Network API Discovery helps you identify missing and undocumented (shadow) APIs by tapping into and analyzing your organization's available Kubernetes network interfaces. This is achieved by deploying the Invicti Network Traffic Analyzer (NTA) to your Kubernetes cluster. The NTA includes a tap plugin that identifies API-specific unencrypted web traffic, which is converted to telemetry messages and sent to the NTA for reconstruction into OpenAPI3 specs. Those reconstructed OpenAPI3 specs are then pushed to your API Inventory in Acunetix.
NOTE: The Invicti NTA needs to find at least three endpoints on the same host in order to reconstruct and push an OpenAPI3 specification file to your API Inventory.
To learn how to set up network API discovery, refer to Installing the Invicti Network Traffic Analyzer. For more information, refer to our Network Traffic Analyzer: Tap Plugin FAQs.
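The following script is an added illustration of the reconstruction step described above; it is not Invicti or Acunetix code and does not reflect how the NTA is implemented. It takes constructed telemetry records (method, URL, status, response content type), groups them by host, collapses numeric path segments into path parameters, and emits one minimal OpenAPI3 document per host, applying the three-endpoint threshold from the note (read here as three distinct path templates). The JSON-only filter and the `{id}` naming are simplifications chosen for the example.

```python
"""Reconstruct minimal OpenAPI3 documents from observed HTTP traffic records.

Added example for this page. The telemetry below is constructed, the
JSON-content-type heuristic for "API-specific traffic" is an assumption,
and the three-endpoint rule is taken from the note on the Invicti NTA.
"""
from collections import defaultdict
from urllib.parse import urlsplit
import json

MIN_ENDPOINTS_PER_HOST = 3  # threshold stated in the page's note on the NTA

# Constructed telemetry records (method, URL, status, response content type).
# Made-up values for the example, not real captured traffic.
SAMPLE_TELEMETRY = [
    ("GET",    "http://orders.internal:8080/v1/orders",      200, "application/json"),
    ("POST",   "http://orders.internal:8080/v1/orders",      201, "application/json"),
    ("GET",    "http://orders.internal:8080/v1/orders/1042", 200, "application/json"),
    ("GET",    "http://orders.internal:8080/v1/orders/77",   200, "application/json"),
    ("DELETE", "http://orders.internal:8080/v1/orders/77",   200, "application/json"),
    ("GET",    "http://orders.internal:8080/healthz",        200, "application/json"),
    ("GET",    "http://billing.internal/api/invoices",       200, "application/json"),
    ("GET",    "http://static.internal/index.html",          200, "text/html"),
]


def templatize(path):
    """Collapse purely numeric path segments into path parameters so that
    /v1/orders/1042 and /v1/orders/77 map to the same template."""
    params = []
    out = []
    for seg in path.split("/"):
        if seg.isdigit():
            name = "id" if not params else f"id{len(params) + 1}"
            params.append(name)
            out.append("{" + name + "}")
        else:
            out.append(seg)
    return "/".join(out), params


def reconstruct_specs(telemetry):
    """Group API-looking records by host and emit one OpenAPI3 document per host.

    Returns (specs, skipped): specs maps host -> OpenAPI3 dict for hosts with at
    least MIN_ENDPOINTS_PER_HOST distinct path templates; skipped maps hosts
    below the threshold to the number of templates seen, so nothing is dropped
    silently.
    """
    per_host = defaultdict(lambda: defaultdict(dict))  # host -> path -> method -> operation
    for method, url, status, content_type in telemetry:
        if not content_type.startswith("application/json"):
            continue  # toy heuristic for "API-specific traffic": JSON responses only
        parts = urlsplit(url)
        path, params = templatize(parts.path)
        operation = per_host[parts.netloc][path].setdefault(method.lower(), {"responses": {}})
        operation["responses"][str(status)] = {"description": f"Observed {status} response"}
        if params:
            operation["parameters"] = [
                {"name": p, "in": "path", "required": True, "schema": {"type": "integer"}}
                for p in params
            ]

    specs, skipped = {}, {}
    for host, paths in per_host.items():
        if len(paths) < MIN_ENDPOINTS_PER_HOST:
            skipped[host] = len(paths)
            continue
        specs[host] = {
            "openapi": "3.0.3",
            "info": {"title": f"Reconstructed API for {host}", "version": "observed"},
            # The NTA only sees unencrypted traffic, so plain http is assumed here.
            "servers": [{"url": f"http://{host}"}],
            "paths": {p: dict(ops) for p, ops in paths.items()},
        }
    return specs, skipped


if __name__ == "__main__":
    specs, skipped = reconstruct_specs(SAMPLE_TELEMETRY)
    print(json.dumps(specs, indent=2))
    print("below threshold:", skipped)
```

Running the script yields one document for orders.internal:8080 with three path templates (/v1/orders, /v1/orders/{id}, /healthz); billing.internal is reported as skipped because only one endpoint was seen, and the HTML response from static.internal is ignored as non-API traffic. A reviewer checking an inventory built this way should treat the skipped list as the place where shadow APIs with little traffic hide.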
API Management Integration
Acunetix integrates with Amazon API Gateway, Apigee API hub, Azure API Management, Kong Konnect, and MuleSoft Anypoint Exchange to retrieve and import your known Swagger2 and OpenAPI3 specifications to the API Inventory. Once set up, these integrations automatically sync every 24 hours, ensuring you always have your organization's latest API specs in your Acunetix API Inventory.
For information on how to set up an API Management integration, refer to the following documentation:
- Integrating with Amazon API Gateway
- Integrating with Apigee API hub
- Integrating with Azure API Management
- Integrating with Kong Konnect
- Integrating MuleSoft Anypoint Exchange with Acunetix Online
- Integrating MuleSoft Anypoint Exchange with Acunetix On-Premises
Zero Configuration Discovery
Using your existing cloud targets in Acunetix, zero configuration discovery builds your API inventory by identifying, validating, and retrieving APIs that are exposed over HTTP(S). This is the quickest way to onboard existing APIs into your Acunetix API Inventory. Currently, zero configuration discovery only checks for Swagger2 and OpenAPI3 specifications. For more information, refer to our documentation: Getting Started with Zero Configuration API Discovery.
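Zero configuration discovery has to decide whether what a candidate path returned is really a Swagger2 or OpenAPI3 document before adding it to the inventory. The script below is an added example of that validation step, not Acunetix code: it works offline on constructed response bodies (including the common false positive of a server that answers every path with HTTP 200 and its single-page-app shell) and accepts only documents with the right version key, an info.title, and a well-formed paths object. Only JSON bodies are handled; YAML specs would need a YAML parser.

```python
"""Classify fetched response bodies as Swagger2 / OpenAPI3 specs or reject them.

Added example for this page. The candidate URLs and bodies are constructed;
they do not come from any real discovery run.
"""
import json

# Constructed bodies standing in for what well-known spec paths might return.
CANDIDATES = {
    "http://app.example.test/openapi.json": json.dumps({
        "openapi": "3.0.1",
        "info": {"title": "Pet store", "version": "1.0"},
        "paths": {"/pets": {"get": {"responses": {"200": {"description": "ok"}}}}},
    }),
    "http://legacy.example.test/swagger.json": json.dumps({
        "swagger": "2.0",
        "info": {"title": "Legacy", "version": "2"},
        "paths": {"/v1/accounts": {}},
    }),
    # A server that answers every path with its SPA shell: HTTP 200, not a spec.
    "http://spa.example.test/openapi.json": "<!doctype html><html><body>app</body></html>",
    # JSON, but not an API description at all.
    "http://cfg.example.test/swagger.json": json.dumps({"version": "3.0.0", "debug": True}),
}


def classify_spec(body):
    """Return ('openapi3' | 'swagger2', doc) for a structurally valid spec,
    otherwise (None, reason). Structural checks only: version key, info.title,
    and a paths object whose keys all start with '/'."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None, "not JSON"
    if not isinstance(doc, dict):
        return None, "JSON but not an object"
    if isinstance(doc.get("openapi"), str) and doc["openapi"].startswith("3."):
        kind = "openapi3"
    elif doc.get("swagger") == "2.0":
        kind = "swagger2"
    else:
        return None, "no openapi 3.x or swagger 2.0 version key"
    info, paths = doc.get("info"), doc.get("paths")
    if not isinstance(info, dict) or not isinstance(info.get("title"), str):
        return None, "missing info.title"
    if not isinstance(paths, dict) or not all(
        isinstance(p, str) and p.startswith("/") for p in paths
    ):
        return None, "paths is missing or malformed"
    return kind, doc


def triage(candidates):
    """Split fetched bodies into importable specs (with kind and path count)
    and rejected responses (with the reason), keyed by URL."""
    accepted, rejected = {}, {}
    for url, body in candidates.items():
        kind, result = classify_spec(body)
        if kind:
            accepted[url] = (kind, len(result["paths"]))
        else:
            rejected[url] = result
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = triage(CANDIDATES)
    for url, (kind, count) in accepted.items():
        print(f"import  {url}  ({kind}, {count} paths)")
    for url, reason in rejected.items():
        print(f"reject  {url}  ({reason})")
```

Keeping the rejection reason alongside each URL matters in practice: a burst of "not JSON" rejections from one host usually means a catch-all 200 handler, which is worth noting in the inventory rather than silently discarding.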
What is the API Inventory?
The API Inventory is the area within Acunetix API Discovery that contains all your discovered and imported APIs. This is a list of all the API endpoints that can be scanned for vulnerabilities by linking the API specification files to an existing or newly created target.
On the API Inventory page you can view:
- API: The name/URL of each API.
- Source: How the API was discovered or imported (for example, via an integration, Invicti NTA, or zero-config crawling).
- Linked target: Whether the API is linked to a target for scanning capability.
- Vulnerabilities: The overall vulnerability count for the API (after it has been scanned).
- Last Scanned: The date and time that the API was last scanned by Acunetix.
Each API listed in your API Inventory can be expanded to show the individual endpoints it contains and their vulnerability count. For more information, refer to the following documentation: