Scanning REST APIs for vulnerabilities

Acunetix can scan REST APIs. This document explains how to import a REST API specification file to a target and scan for vulnerabilities in your REST APIs. Alternatively, you can link to a hosted location containing your REST API definitions and scan that location for vulnerabilities. For information about REST, refer to the section at the end of this document.

NOTE: The processes described in this document are different from the 'Link Target' option available with Invicti API Security Standalone or Bundle. To scan REST APIs from your API Inventory in Acunetix, refer to Linking and unlinking discovered APIs to targets.

IMPORTANT: Scanning APIs in production

Scanning production APIs should be conducted with care: the scanner sends real requests, so any operation that changes state can create, modify or delete data. We recommend you:

  • Carefully consider the permissions (authentication) you provide to the scanner and which methods (PUT, POST, DELETE) the scanned operations use.
  • Remove API operations (method and endpoint pairs) that must not be exercised from the specification file before you upload it, or host a filtered copy of the definitions for linking, to prevent destroying or making undesirable changes to the production application.
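The exclusion recommended above can be done mechanically before upload. The script below is an added example, not Acunetix code: the Orders API document it filters is a constructed OpenAPI 3 sample, and the default method list and the `/admin/reset` path are assumptions you would replace with your own. It removes every operation using the named methods, drops whole paths on request, and discards path items that are left with no operations.

```python
"""Strip destructive operations from an OpenAPI 3 document before uploading it
to a scanner target (added example; the spec below is a constructed sample)."""
import copy
import json

# Constructed sample: a small OpenAPI 3 document mixing safe and destructive operations.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "1.0"},
    "paths": {
        "/orders": {
            "get": {"summary": "List orders"},
            "post": {"summary": "Create order"},
        },
        "/orders/{orderId}": {
            # Non-method keys such as "parameters" must survive the filtering.
            "parameters": [{"name": "orderId", "in": "path", "required": True,
                            "schema": {"type": "integer"}}],
            "get": {"summary": "Get order"},
            "put": {"summary": "Replace order"},
            "delete": {"summary": "Cancel order"},
        },
        "/admin/reset": {  # assumed administrative endpoint
            "post": {"summary": "Wipe all data"},
        },
    },
}

# Operation keys an OpenAPI 3 path item may carry.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def exclude_operations(spec, methods=("put", "post", "delete", "patch"), paths=()):
    """Return a copy of `spec` with the given methods removed from every path
    item and the given paths removed entirely.  Path items left without any
    operation are dropped so the scanner does not see empty entries."""
    out = copy.deepcopy(spec)
    drop_methods = {m.lower() for m in methods}
    drop_paths = set(paths)
    kept = {}
    for path, item in out.get("paths", {}).items():
        if path in drop_paths:
            continue
        for key in list(item):
            if key in drop_methods:
                del item[key]
        if any(key in HTTP_METHODS for key in item):
            kept[path] = item
    out["paths"] = kept
    return out


def list_operations(spec):
    """Sorted 'METHOD path' strings, handy for a before/after comparison."""
    return sorted(f"{key.upper()} {path}"
                  for path, item in spec.get("paths", {}).items()
                  for key in item if key in HTTP_METHODS)


if __name__ == "__main__":
    safe = exclude_operations(SAMPLE_SPEC, paths=("/admin/reset",))
    print("before:", list_operations(SAMPLE_SPEC))
    print("after: ", list_operations(safe))
    # Redirect stdout to a file and upload that file to the target instead of the original.
    print(json.dumps(safe, indent=2))
```

Upload the filtered file instead of the original. Removing operations from the definitions only stops the scanner from sending those requests based on the imported file; pair it with scan credentials that lack destructive privileges, as the note above calls for both.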

How to scan a REST API for vulnerabilities

To scan a REST API for vulnerabilities with Acunetix, you must provide the scanner with access to the API definitions. There are two ways to do this:

  • Importing from a file: upload an OpenAPI 3, Swagger 2, RAML, WADL, or Postman collection specification file to a target.

  • Linking to a URL: add to the target a link pointing to the hosted location of the API definitions (for example, target.com/api/swagger.json).

Once you start a scan of that target, Acunetix will parse the imported specification file or access the linked URL and add the necessary REST requests to the scanner. The following sections outline each method and provide instructions for starting a scan of your REST APIs.

Option 1: Importing from a file

Importing a specification file to a target means that whenever your REST API is updated, you will need to replace the imported specification file to ensure you are scanning the latest version of your REST API.

How to import a specification file to a target and start a scan

  1. Ensure your REST API specification file is accessible for upload on the machine from which you access Acunetix.
  • The following file formats are supported: .json, .yaml, .yml, .raml, and .wadl.

  2. Log in to Acunetix and select Targets from the left-side menu.

  3. Select the target address to which you will import the specification file. The Target Settings page opens.

  4. Scroll down to the Import Files / API Definitions section and click the upload icon in the Choose File field.

  5. Locate and select your REST API specification file, then click Open.
  • The file uploads automatically and is listed in the Import Files / API Definitions section of the Target Settings.

TIP: If you want to scan only the imported specification file and not all the other paths belonging to the target, enable the checkbox next to Restrict scans to import files and click Save before starting the scan.

  6. The specification file is now imported to the target. If your API uses an authentication mechanism, add the necessary authentication credentials to the target settings before starting a scan. For instructions, refer to Scanning authenticated APIs.

  7. Click Scan to prepare a scan of the target, including the imported specification file.

  8. Select Full Scan as the Scan Profile. Complete the remaining scanning options according to your preference, then click Create Scan.

The Scan Details page loads and your scan begins according to the schedule you specified.

TIP:

  • When the scan is complete, check the Vulnerabilities tab on the Scan Details page for information about detected vulnerabilities in your REST API, which will be marked with an API tag next to the severity label.
  • Filter the list by Target type > API only to limit the displayed results to vulnerabilities identified in your REST API.
  • For more information about viewing scan results and vulnerabilities, refer to the Acunetix documentation on scan results.

Option 2: Linking to a URL

Linking a URL to a target means you are adding the URL of the hosted location where your REST API definitions are held. This allows Acunetix to always scan the latest version of your REST API without the need to provide a new specification file each time your API is updated.

IMPORTANT: Linked URLs are fetched by the scanning engine at scan time. The engine, or the internal agent if one is used for the target, must therefore be able to reach any linked URL over the network.
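A quick way to confirm the requirement above before creating the scan is to fetch the definition URL from the engine (or agent) host itself and check what comes back, since a reachable host that answers with a login page or an error page is just as useless to the scanner as an unreachable one. The script below is an added example, not Acunetix code; `check_definition_url` uses only the standard library, and the format names it returns are this example's own labels for the formats the page lists as importable.

```python
"""Check that an API-definition URL is reachable and holds a format the
scanner can import (added example, not Acunetix code).  Run it on the host
that performs the scan so the result reflects that host's network view."""
import json
import sys
import urllib.request

# Labels used by this example for the definition formats the scanner accepts.
SUPPORTED = {"openapi3", "swagger2", "raml", "wadl", "postman"}


def detect_spec_format(text):
    """Classify a definition document by its own signature, not its file name."""
    head = text.lstrip()
    if head.startswith("#%RAML"):
        return "raml"
    if head.startswith("<"):
        low = head[:512].lower()
        if "wadl.dev.java.net" in low or "<application" in low:
            return "wadl"
        # An HTML answer usually means a login page, portal or error page.
        return "html" if "<html" in low else "xml"
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        if str(doc.get("openapi", "")).startswith("3"):
            return "openapi3"
        if str(doc.get("swagger", "")).startswith("2"):
            return "swagger2"
        info = doc.get("info")
        if isinstance(info, dict) and "postman" in str(info.get("schema", "")):
            return "postman"
        return "json"
    # YAML OpenAPI documents start with a top-level "openapi:" or "swagger:" key.
    for line in head.splitlines():
        key = line.split(":", 1)[0].strip().lower()
        if key == "openapi":
            return "openapi3"
        if key == "swagger":
            return "swagger2"
    return "unknown"


def check_definition_url(url, timeout=10):
    """Fetch the URL as the engine would and return (HTTP status, detected format)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json, */*"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
        return resp.status, detect_spec_format(body)


if __name__ == "__main__":
    status, fmt = check_definition_url(sys.argv[1])
    print(f"HTTP {status}, detected format: {fmt}")
    sys.exit(0 if fmt in SUPPORTED else 1)
```

Run it as `python check_definition.py https://target.example/api/swagger.json` on the engine or agent host; a non-zero exit means the scanner would not get a usable definition from that URL, whether because of a network error, an authentication redirect, or an unsupported document.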

How to link a URL to a target and start a scan

  1. Log in to Acunetix and select Targets from the left-side menu.

  2. Select the target address to which you will link the URL of your API definitions. The Target Settings page opens.

  3. Scroll down to the Import Files / API Definitions section and click Link From URL.

  4. Enter the URL where your REST API definitions are hosted, then select Link API definition.
  • The URL is immediately listed in the Import Files / API Definitions section of the Target Settings.

TIP: If you want to scan only the linked API definition and not all the other paths belonging to the target, enable the checkbox next to Restrict scans to import files and click Save before starting the scan.

  5. The URL is now linked to the target. If your API uses an authentication mechanism, add the necessary authentication credentials to the target settings before starting a scan. For instructions, refer to Scanning authenticated APIs.

  6. Click Scan to prepare a scan of the target, including the linked API definition.

  7. Select Full Scan as the Scan Profile. Complete the remaining scanning options according to your preference, then click Create Scan.

The Scan Details page loads and your scan begins according to the schedule you specified.

TIP:

  • When the scan is complete, check the Vulnerabilities tab on the Scan Details page for information about detected vulnerabilities in your REST API, which will be marked with an API tag next to the severity label.
  • Filter the list by Target type > API only to limit the displayed results to vulnerabilities identified in your REST API.
  • For more information about viewing scan results and vulnerabilities, refer to the Acunetix documentation on scan results.

About REST  

REST (Representational State Transfer) is an architectural style for communicating with web services. It serves the same purpose as protocols such as SOAP: carrying requests and responses between two applications, or between an application and an online service. Many mobile and web applications talk to a REST API at the backend in order to use the online service.

Differences between a Web Service and a REST API

Many web services rely on complex communication mechanisms such as SOAP, RPC and CORBA. REST instead uses the standard HTTP methods to express all four CRUD (Create, Read, Update, Delete) operations.

Commonly used HTTP methods (verbs) in REST APIs

This table lists the HTTP methods commonly used in REST and the operation each expresses.

  Method   Description
  POST     Create a resource
  GET      Retrieve a resource
  PUT      Change the state of a resource or update it
  DELETE   Remove or delete a resource

The challenges of scanning REST APIs

Unlike RPC-style services, REST is easy for people to consume and understand because of its simple structure: many REST-based web services respond in JSON or XML. But that same simplicity is what makes REST hard for an automated web vulnerability scanner to crawl and attack. A JSON or XML response contains no hyperlinks or forms to follow, so a crawler cannot discover the API's endpoints, methods and parameters on its own.

Lack of standards for REST

There is no single machine-readable standard for describing a REST API in the way WSDL describes SOAP web services. Most RESTful web services ship their own human-readable documentation, useful to developers but useless to an automated web vulnerability scanner.

A number of projects aim to standardize the description of REST APIs, among them OpenAPI (Swagger), RAML and WADL; these are the definition formats Acunetix accepts for import or linking, as described above.

Using parameters in URLs

Another challenge automated scanners encounter when scanning RESTful web services is that REST APIs embed parameters in the URL path rather than only in the query string.

For example, in the HTTP GET request below, 123 is a parameter (a product identifier) and not a directory in the web application:

  • GET http://www.example.com/rest-api/products/123/

A crawler that treats 123 as a directory sees every product as a separate path instead of one operation with one injectable parameter. The API definition resolves this by declaring the segment as a path parameter, so the scanner knows which part of the URL to attack.
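The following added example (not Acunetix code) shows what a definition-aware scanner does with such a URL: it matches the concrete path against the API's declared path templates and pulls out the parameter values, so `/rest-api/products/123/` and `/rest-api/products/456` collapse onto one operation with one parameter rather than two directories. The templates, including the name `productId` and the literal sibling `/rest-api/products/featured`, are constructed for the API behind the page's example URL and are not taken from any real definition.

```python
"""Map a concrete REST URL back to its path template so that segments such
as 123 are treated as parameters, not directories (added example, not
Acunetix code; the templates are a constructed sample in OpenAPI path syntax)."""
import re
from urllib.parse import urlsplit

# Constructed sample: path templates as they would appear under "paths" in an
# OpenAPI document for the API behind http://www.example.com/rest-api/.
TEMPLATES = [
    "/rest-api/products",
    "/rest-api/products/{productId}",
    "/rest-api/products/{productId}/reviews/{reviewId}",
    "/rest-api/products/featured",
]

_PARAM = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def compile_template(template):
    """Turn /a/{x}/b into an anchored regex with one named group per parameter.
    A parameter matches exactly one path segment (no slashes)."""
    parts = []
    for seg in template.strip("/").split("/"):
        m = _PARAM.fullmatch(seg)
        parts.append(f"(?P<{m.group(1)}>[^/]+)" if m else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "/?$")


# Literal templates are tried before parameterised ones so that
# /products/{productId} does not swallow the literal sibling /products/featured.
COMPILED = sorted(((t, compile_template(t)) for t in TEMPLATES),
                  key=lambda tr: tr[0].count("{"))


def match_path(url):
    """Return (template, params) for a concrete URL, or (None, {}) when the
    URL belongs to no declared operation."""
    path = urlsplit(url).path
    for template, rx in COMPILED:
        m = rx.match(path)
        if m:
            return template, m.groupdict()
    return None, {}


def group_by_operation(urls):
    """Collapse observed URLs onto their templates.  A scanner then attacks each
    template once, using the parameter values as injection points, instead of
    treating every product id as a new directory."""
    groups = {}
    for u in urls:
        template, params = match_path(u)
        if template is not None:
            groups.setdefault(template, []).append(params)
    return groups


if __name__ == "__main__":
    # Constructed sample of URLs a crawler might have observed.
    for u in ["http://www.example.com/rest-api/products/123/",
              "http://www.example.com/rest-api/products/456",
              "http://www.example.com/rest-api/products/featured",
              "http://www.example.com/rest-api/products/123/reviews/7"]:
        print(u, "->", match_path(u))
```

Without the definition there is nothing to match against, which is why the scanner needs the imported or linked specification: the template is what tells it that the third segment of `/rest-api/products/123/` is a value to fuzz rather than a directory to enumerate.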
