Scanning authenticated APIs
Acunetix supports scanning APIs that require authentication. After importing a REST, SOAP, or GraphQL API specification file to a target, you can configure the target settings with the necessary authentication credentials. Once configured with an authentication method, the Acunetix scanner will use that information to access the imported or linked API file during the scan.
This document explains how to configure a target with different authentication methods for scanning authenticated APIs. The following authentication methods are supported: API Key, Bearer Token, JWT Token, Basic Authentication, and OAuth 2.0.
IMPORTANT: When adding authentication credentials for the scanner to use, ensure you provide an appropriate level of permissions/access for the environment you are testing (production, staging, development, dedicated security operations environment, etc.) and consider whether the access provided can cause damage to your application. Also, consider that you may need to run scans using different authentication credentials, for example, testing with an administrator key vs. a general user's key.
How to scan authenticated APIs
Follow the relevant instructions in this section according to the authentication method used by your API.
- Custom Headers: These instructions apply to authentication via API Key, Bearer Token, JWT Token, and Basic Authentication.
- OAuth 2.0: These instructions apply to authentication via OAuth 2.0.
Custom Headers
- Import or link your REST, SOAP, or GraphQL API specification to a target. For instructions, refer to the relevant documentation:
  - Scanning REST APIs for vulnerabilities
  - Scanning SOAP APIs for vulnerabilities
  - Scanning GraphQL APIs for vulnerabilities
- Locate and expand the Advanced section on the Target Settings page.
- Click the toggle next to Custom Headers to expand the settings panel.
- In the Custom Headers field, enter the authentication mechanism using the table below as a guide for the format.
| Authentication Method | Example Custom Header |
| --- | --- |
| API Key | `X-Auth: myapikey` |
| Bearer Token | `Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9` |
| JWT Token | `Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c` |
| Basic Authentication | `Authorization: Basic YXBpdXNlcjpzZWN1cmVwYXNzd29yZA==` |
- Click Save in the top-right corner of the Target Settings page. The target is now configured and ready to scan the imported or linked authenticated API.
- Click Scan to prepare a scan of the target.
- Select Full Scan as the Scan Profile. Complete the remaining scanning options according to your preference, then click Create Scan.
The Scan Details page loads and your scan begins according to the schedule you specified.
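The custom header you paste into the target setting has to be exactly one well-formed `Name: value` line, and two details trip people up in practice: Basic Authentication encodes `username:password` (not the password alone), and a JWT whose `exp` claim lapses part-way through a long scan silently degrades the remainder of the crawl to unauthenticated requests, which shows up as missing endpoints rather than an error. The following is an added helper script, not Acunetix code, that builds each header form from the table above and inspects a token's claims before you configure the target. It uses the table's own example values (the JWT is the well-known jwt.io sample) plus a constructed, unsigned token with an `exp` claim to exercise the expiry check; the function names are assumptions of this example.

```python
import base64
import json
import time
from typing import Optional

# Example token from the table above (the widely used jwt.io sample):
# header {"alg":"HS256","typ":"JWT"}, payload {"sub":"1234567890","name":"John Doe","iat":1516239022}.
EXAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def _validate_header_value(value: str) -> None:
    # A custom header is pasted as one "Name: value" line; a CR or LF inside the
    # value would turn it into a second, unintended header. Reject it up front.
    if "\r" in value or "\n" in value:
        raise ValueError("header value must not contain CR or LF")


def api_key_header(name: str, key: str) -> str:
    """Custom header line for API-key auth, e.g. 'X-Auth: myapikey'."""
    _validate_header_value(key)
    return f"{name}: {key}"


def bearer_header(token: str) -> str:
    """Custom header line for Bearer or JWT auth."""
    _validate_header_value(token)
    return f"Authorization: Bearer {token}"


def basic_auth_header(username: str, password: str) -> str:
    """Custom header line for Basic auth: base64 of 'username:password'."""
    if ":" in username:
        raise ValueError("RFC 7617 does not allow ':' in the user-id")
    raw = f"{username}:{password}".encode("utf-8")
    return "Authorization: Basic " + base64.b64encode(raw).decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    This is an operator-side sanity check on a token you already hold; it says
    nothing about whether the API will accept the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def jwt_outlives_scan(token: str, scan_seconds: float, now: Optional[float] = None) -> bool:
    """True if the token's 'exp' claim is at least scan_seconds in the future.

    Tokens without an 'exp' claim are treated as non-expiring (nothing to check locally)."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        return True
    now = time.time() if now is None else now
    return float(exp) - now >= scan_seconds


def _b64url_encode_json(obj: dict) -> str:
    data = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


# Constructed, unsigned token (placeholder signature) with an expiry of
# 2023-11-14T22:13:20Z; it exists only to exercise jwt_outlives_scan.
CONSTRUCTED_EXPIRING_JWT = ".".join([
    _b64url_encode_json({"alg": "HS256", "typ": "JWT"}),
    _b64url_encode_json({"sub": "scanner", "exp": 1700000000}),
    "placeholder-signature",
])


if __name__ == "__main__":
    # Constructed credentials matching the table's examples.
    print(api_key_header("X-Auth", "myapikey"))
    print(basic_auth_header("apiuser", "securepassword"))
    print(bearer_header(EXAMPLE_JWT))
    print("claims:", jwt_claims(EXAMPLE_JWT))
    # A typical Full Scan of a large API can run for hours; check against that budget.
    print("outlives a 4h scan:", jwt_outlives_scan(CONSTRUCTED_EXPIRING_JWT, 4 * 3600))
```

Run it once with the real token you intend to paste (never commit that token); if `jwt_outlives_scan` returns False for your expected scan duration, obtain a longer-lived token or switch to the OAuth 2.0 method so the scanner can refresh access itself. The `Basic` line it prints for `apiuser` / `securepassword` is byte-for-byte the one shown in the table, which is a quick way to confirm your own encoding is right.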
OAuth 2.0
- Import or link your REST, SOAP, or GraphQL API specification to a target. For instructions, refer to the relevant documentation:
  - Scanning REST APIs for vulnerabilities
  - Scanning SOAP APIs for vulnerabilities
  - Scanning GraphQL APIs for vulnerabilities
- On the Target Settings page, click the toggle next to Site Login to expand the settings panel.
- Select Use OAuth for this site. This will expose the configuration fields.
- Complete the necessary fields. For more information, refer to Configuring OAuth 2.0 authentication.
- Click Save in the top-right corner of the Target Settings page. The target is now configured and ready to scan the imported or linked authenticated API.
- Click Scan to prepare a scan of the target.
- Select Full Scan as the Scan Profile. Complete the remaining scanning options according to your preference, then click Create Scan.
The Scan Details page loads and your scan begins according to the schedule you specified.