Most modern web applications use APIs to communicate with servers. This helps minimize the traffic between the client and the server, making applications run more smoothly in the browser.
In most cases, the UI is developed by a front end developer in JavaScript, HTML, and CSS, while the back end is implemented by a back end developer on platforms such as .NET, PHP, Java, or Node.js. This means that the skill sets required for the front end and the back end are often different, and that these parts of the application are often built by different developers.
The back end developer exposes the functionality of the web application through a number of API endpoints, and these endpoints need to be communicated to the front end developer. For smaller applications, this is often done using wikis or similar rudimentary documentation techniques. For larger web applications, API description languages are recommended and commonly used.
Since web applications that use APIs are just as prone to web vulnerabilities, Acunetix needs to fully understand the API endpoints in order to assess them successfully. This is done using three techniques:
- During the scan, Acunetix automatically tries to use all the functionality of the web application and inspects every request the front end sends to the back end. All API calls are collected and analyzed to identify potential attack vectors.
- During the scan, Acunetix may discover an API description language file, which provides information on the APIs used by the web application.
- You can upload an API description language file to the target before scanning it – Acunetix will use it to assess the APIs.
When Acunetix uses an API description language file, you can be certain that all the API endpoints documented in the file are checked, even if they are not used within the web application. Acunetix supports the following API description language formats:
- Web Application Description Language (WADL), often used to describe RESTful web services
- Web Services Description Language (WSDL), often used to describe SOAP web services
- OpenAPI (Swagger), often used to describe RESTful web services
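To illustrate what a scanner gains from a description file, here is an added example (not Acunetix code, and not from the original page) that enumerates every operation in a small constructed OpenAPI 3 document and reports the ones that crawled front end traffic never exercised; the document, server URL and observed requests are all invented sample data.

```python
"""Enumerate the operations an OpenAPI 3 document describes and report those
the crawled front end never exercised, so the extra API surface can be assessed."""
import json
import re

# Constructed sample: a small OpenAPI 3.0 document, not a real application.
OPENAPI_DOC = json.loads("""
{"openapi": "3.0.0",
 "servers": [{"url": "https://api.example.test/v1"}],
 "paths": {
   "/users": {"get": {"parameters": [{"name": "page", "in": "query"}]},
              "post": {"requestBody": {"content": {"application/json": {}}}}},
   "/users/{id}": {"parameters": [{"name": "id", "in": "path", "required": true}],
                   "get": {}, "delete": {}},
   "/admin/export": {"get": {}}}}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def enumerate_operations(doc):
    """One (METHOD, url template, [(param name, location)]) per documented operation.
    Path-level parameters apply to every operation under that path."""
    base = doc.get("servers", [{"url": ""}])[0]["url"].rstrip("/")
    ops = []
    for path, item in doc.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # "parameters", "summary", etc. are not operations
            params = [(p["name"], p["in"]) for p in shared + op.get("parameters", [])]
            if "requestBody" in op:
                params.append(("requestBody", "body"))
            ops.append((method.upper(), base + path, params))
    return sorted(ops)

def template_matches(template, url):
    """True if a concrete URL (query string ignored) instantiates the path template."""
    parts = re.split(r"\{[^/}]+\}", template)          # split around {placeholders}
    pattern = "[^/]+".join(re.escape(p) for p in parts)  # each placeholder = one segment
    return re.fullmatch(pattern, url.split("?", 1)[0]) is not None

def uncovered_operations(doc, observed):
    """Documented operations with no matching (METHOD, url) in observed traffic."""
    return [op for op in enumerate_operations(doc)
            if not any(m == op[0] and template_matches(op[1], u) for m, u in observed)]

# Constructed sample: requests captured while crawling the front end.
OBSERVED = {("GET", "https://api.example.test/v1/users?page=2"),
            ("GET", "https://api.example.test/v1/users/42")}
```

Running `uncovered_operations(OPENAPI_DOC, OBSERVED)` lists the DELETE on `/users/{id}`, the GET on `/admin/export` and the POST on `/users`, which a crawl of the UI alone would have missed.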