API Crawling
FortiDAST allows crawling and scanning REST API endpoints for vulnerabilities, treating them as potential attack vectors. This feature crawls and scans REST APIs hosted on the same domain/host as the target asset; because APIs are sometimes hosted on a different domain, FortiDAST also allows crawling one other domain outside the scope of the target asset.
Enable API crawling and scanning to configure the following parameters.
- API Definition URL - Enter the API definition URL or upload an API definition file. This file contains details such as API host servers, parameters required for API requests, expected responses, the security scheme of the API endpoints, and so on. The file is in JSON, YAML, or WADL format. The FortiDAST crawler parses the API definitions to identify the paths for each API endpoint, and the fuzzer modules scan them for vulnerabilities.
  If neither the API definition URL nor the API definition file is provided, FortiDAST auto-discovers API endpoints only if an API definition with one of these file names is found on the asset: openapi.json, openapi.yaml, swagger.json, or swagger.yaml.
  Note: Crawling and scanning API endpoints requires a Swagger/OpenAPI (JSON/YAML) file to be present. If this file is missing, only links and href elements are scanned.
- API Crawling Scope - Specify the scope for crawling the REST APIs: Same Host, Same Domain, or Other domain. If the APIs are in a different domain, provide the following domain-related information.
  - Domain Name
  - HTTP Authentication credentials
- API Token URL - Specify the API token used to access protected API endpoints in one of the following ways.
  - API Token Manually - Specify the API token header, including the authentication key/token/cookie and any other required information.
  - API Token URL - Select this option to let FortiDAST obtain the authentication key from the token URL. Enter the API Token URL and the API Token Header, and optionally the API Token Prefix and Request Body including the parameters and their values.
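Before enabling API crawling it helps to know which scope a definition actually needs. The following added example (not FortiDAST code, and not from the Fortinet documentation) parses a constructed OpenAPI JSON definition the way the crawler would, lists the endpoint paths, and classifies each `servers` entry as Same Host, Same Domain, or Other domain relative to the target asset; it also flags when more than one other domain is referenced, since a scan can add only one. It assumes JSON input only (YAML would need a parser such as PyYAML) and a naive "last two labels" notion of domain.

```python
import json
from urllib.parse import urlparse

# File names FortiDAST probes when no definition URL or file is supplied.
DEFINITION_FILENAMES = ("openapi.json", "openapi.yaml", "swagger.json", "swagger.yaml")

# Constructed sample OpenAPI 3 definition for illustration (not from any real asset).
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.0",
    "servers": [
        {"url": "https://shop.example.com/api/v1"},
        {"url": "https://api.example.com/v2"},
        {"url": "https://partner-api.example.net"},
    ],
    "paths": {
        "/users/{id}": {"get": {}, "delete": {}},
        "/orders": {"post": {}},
    },
})

def candidate_definition_urls(target_base_url):
    """URLs to check for an auto-discoverable API definition on the asset."""
    return [f"{target_base_url.rstrip('/')}/{name}" for name in DEFINITION_FILENAMES]

def registrable_domain(host):
    """Naive domain = last two labels (example.com); sufficient for this illustration."""
    return ".".join(host.lower().split(".")[-2:])

def classify_scope(target_host, server_url):
    """Crawling scope FortiDAST would need to reach server_url from the target asset."""
    host = urlparse(server_url).hostname or ""
    if host == target_host.lower():
        return "Same Host"
    if registrable_domain(host) == registrable_domain(target_host):
        return "Same Domain"
    return "Other domain"

def summarize_definition(spec_text, target_host):
    """Return (server_url -> scope, sorted 'METHOD /path' endpoints, other domains)."""
    spec = json.loads(spec_text)
    scopes = {s["url"]: classify_scope(target_host, s["url"])
              for s in spec.get("servers", [])}
    endpoints = sorted(f"{method.upper()} {path}"
                       for path, ops in spec.get("paths", {}).items() for method in ops)
    # More than one other domain exceeds the single extra domain a scan can cover.
    others = {registrable_domain(urlparse(u).hostname or "")
              for u, scope in scopes.items() if scope == "Other domain"}
    return scopes, endpoints, others
```

Run `summarize_definition(SAMPLE_OPENAPI, "shop.example.com")` to see the per-server scope, the endpoint list, and the set of external domains the definition would pull into the crawl.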