
Which API description languages does Acunetix support?

Most modern web applications use APIs to communicate with servers. This helps minimize the traffic between the client and the server, making applications run smoother in the browser.

In most cases, the UI is developed by a front-end developer in JavaScript, HTML, and CSS, while the back end is implemented by a back-end developer in languages such as .NET, PHP, Java, or Node.js. This means that the front end and the back end require different skill sets and are often built by different developers.

The back-end developer exposes the functionality of the web application using a number of API endpoints and they need to be communicated to the front-end developer. For smaller applications, this is often done using wikis or similar basic documentation techniques. In the case of larger web applications, API description languages are recommended and used often.

This document explains which API description languages are supported by Acunetix when scanning for vulnerabilities.

Understanding API endpoints

Because web applications that use APIs are just as exposed to web vulnerabilities as any other, Acunetix needs to fully understand the API endpoints to assess them successfully. This is done using three techniques:

  • During the scan, Acunetix automatically tries to use all the functionality of the web application and checks all the requests being generated by the front end to the back end. All API calls are collected and analyzed to identify potential attack vectors.
  • During the scan, Acunetix might stumble upon an API description language file, which provides information on the APIs used by the web application.
  • You can upload an API description language file to the target before scanning it. Acunetix will use it to assess the APIs.

NOTE:

Acunetix Premium offers an API Discovery service that helps to identify, locate, manage, and track the organization's APIs, including unknown APIs. For more information on it, refer to our API Discovery Overview document.

Description file formats accepted for upload

  • Text file with a list of URLs (.txt)
  • Fiddler session archives (.saz)
  • Swagger/OpenAPI files (.json, .yaml, or .yml)
  • RAML files (.raml)
  • Web Services Description Language files (.wsdl)
  • Burp saved files (.xml) and state files
  • Selenium (.html, .side)
  • Web Application Description Language (.wadl)
  • ASP.NET Web Forms Project Files (.csproj, .vbproj)
  • Paros log files (.session.data)
  • Postman Collections v2 (.json)
  • GraphQL files (.graphql, .json)
  • HTTP Archive files (.har)

Supported API description languages

When Acunetix uses an API description language file, it checks all the API endpoints documented in the file, even if they are not used within the web application. Acunetix supports the following API description language formats:

  • Web Application Description Language (WADL), often used to describe RESTful web services
  • Web Services Description Language (WSDL), often used to describe SOAP web services
  • OpenAPI (Swagger), often used to describe RESTful web services
  • RESTful API Modeling Language (RAML), often used to describe RESTful web services
  • GraphQL Schema Definition Language (SDL), used to define the schema and capabilities of GraphQL APIs
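The difference between crawling alone and uploading a description file is that the file may document endpoints the front end never calls. The following added example (not Acunetix code, and not from this page) shows that gap for an OpenAPI 3 document and an HTTP Archive of observed front-end traffic: it lists every documented operation that does not appear in the capture, so you can see which endpoints only the uploaded file would bring into scope. Both input documents are constructed inline; the server URL and paths are made up.

```python
import json
import re
from urllib.parse import urlparse

METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Constructed sample OpenAPI 3 document: three documented paths, four operations.
OPENAPI_DOC = json.loads("""{
  "openapi": "3.0.0", "servers": [{"url": "https://api.example.test/v1"}],
  "paths": {"/users/{id}": {"get": {}, "delete": {}},
            "/orders": {"post": {}},
            "/admin/export": {"get": {}}}}""")

# Constructed HAR fragment standing in for the traffic observed from the front end.
HAR_DOC = json.loads("""{"log": {"entries": [
  {"request": {"method": "GET", "url": "https://api.example.test/v1/users/42"}},
  {"request": {"method": "POST", "url": "https://api.example.test/v1/orders"}}]}}""")

def documented_endpoints(spec):
    """Every (METHOD, path template) operation declared in the OpenAPI document."""
    return {(m.upper(), path)
            for path, ops in spec.get("paths", {}).items()
            for m in ops if m.lower() in METHODS}

def template_to_regex(template):
    """'/users/{id}' -> regex matching exactly one concrete segment per parameter."""
    return re.compile("^" + re.sub(r"\{[^/}]+\}", r"[^/]+", template) + "$")

def observed_requests(har, base_path):
    """(METHOD, path) pairs from HAR entries, with the server base path stripped."""
    seen = set()
    for entry in har["log"]["entries"]:
        req = entry["request"]
        path = urlparse(req["url"]).path
        if path == base_path or path.startswith(base_path + "/"):
            seen.add((req["method"].upper(), path[len(base_path):] or "/"))
    return seen

def uncovered_endpoints(spec, har):
    """Documented operations that never appear in the captured front-end traffic."""
    base = urlparse(spec["servers"][0]["url"]).path.rstrip("/")
    seen = observed_requests(har, base)
    return sorted((m, t) for m, t in documented_endpoints(spec)
                  if not any(m == sm and template_to_regex(t).match(sp)
                             for sm, sp in seen))

if __name__ == "__main__":
    for method, path in uncovered_endpoints(OPENAPI_DOC, HAR_DOC):
        print(f"documented but not exercised by the front end: {method} {path}")
```

Feeding the script a real export and HAR from your own application shows which operations (here DELETE /users/{id} and GET /admin/export) depend on the uploaded description file to be scanned at all.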

NOTE:

For more information on scanning APIs for vulnerabilities, refer to the scanning REST APIs, scanning SOAP APIs, and scanning GraphQL APIs documents.
