Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • User Guide

    Home FortiDAST 23.3.a User Guide
    23.3.a
    24.3.a
    24.3.0
    24.2.0
    24.1.0
    23.4.0
    23.3.a
    23.3.0
    23.2.0
    23.1.a
    23.1.0

    API Crawling

    API Crawling

    FortiDAST allows crawling and scanning REST API endpoints for vulnerabilities considering them potential attack vectors. This feature crawls and scans REST APIs that are on the same domain/host as the target asset, however, sometimes the APIs are hosted on a different domain. In this case, FortiDAST enables crawling one other domain outside the scope of the target asset.

    Enable API crawling and scanning to configure the following parameters.

    • API Definition URL - Enter the API definition URL OR upload an API definition file. This file contains details such as API host servers, parameters required for API requests, expected responses, security scheme of the API endpoints and so on. This file is in JSON, YAML, or WADL format. FortiDAST crawler parses the API definitions to identify the paths for each API endpoint and the fuzzer modules scan them for vulnerabilities.
      If neither the API definition URL nor the API definition file is provided then FortiDAST auto-discovers API endpoints only if an API definition using any of these file names is discovered on the asset; openapi.json, openapi.yaml, swagger.json, or swagger.yaml.

    • API Crawling Scope - Specify the scope of crawling the REST APIs whether on the Same Host, Same Domain, or Other domain. In case the APIs are in a different domain, provide the following domain related information.
      • Domain Name
      • HTTP Authentication credentials
    • API Token URL - Specify API token to access some API endpoints in the following ways.
      • API Token Manually - Specify the API token header including the authentication key/token/cookie and other required information.
      • API Token URL - Select this option to obtain the authentication key from FortiDAST. Enter the API Token URL, the API Token Header, optionally enter the API Token Prefix and Request Body including the parameters and their values.
    Previous
    Next

    API Crawling

    API Crawling

    FortiDAST allows crawling and scanning REST API endpoints for vulnerabilities considering them potential attack vectors. This feature crawls and scans REST APIs that are on the same domain/host as the target asset, however, sometimes the APIs are hosted on a different domain. In this case, FortiDAST enables crawling one other domain outside the scope of the target asset.

    Enable API crawling and scanning to configure the following parameters.

    • API Definition URL - Enter the API definition URL OR upload an API definition file. This file contains details such as API host servers, parameters required for API requests, expected responses, security scheme of the API endpoints and so on. This file is in JSON, YAML, or WADL format. FortiDAST crawler parses the API definitions to identify the paths for each API endpoint and the fuzzer modules scan them for vulnerabilities.
      If neither the API definition URL nor the API definition file is provided then FortiDAST auto-discovers API endpoints only if an API definition using any of these file names is discovered on the asset; openapi.json, openapi.yaml, swagger.json, or swagger.yaml.

    • API Crawling Scope - Specify the scope of crawling the REST APIs whether on the Same Host, Same Domain, or Other domain. In case the APIs are in a different domain, provide the following domain related information.
      • Domain Name
      • HTTP Authentication credentials
    • API Token URL - Specify API token to access some API endpoints in the following ways.
      • API Token Manually - Specify the API token header including the authentication key/token/cookie and other required information.
      • API Token URL - Select this option to obtain the authentication key from FortiDAST. Enter the API Token URL, the API Token Header, optionally enter the API Token Prefix and Request Body including the parameters and their values.
    Previous
    Next