Hello security folks, today we shall use HCL APPSCAN to find security risk in REST API. Advantage of APPSCAN is it can performed credential based scan to API.
For demonstration, I am using API published at for testing purpose. https://demo.testfire.net/swagger/index.html
Come on lets get hands dirty!!
We shall begin with APPSCAN.
Open APPSCAN, select Scan Webservices. Configure port to listen HTTP traffic.
Configure Login Management to utilize power of APPSCAN.
Lets configure Postman to send HTTP traffic to APPSCAN. Go to File > Settings > Proxy. Add custom proxy configuration on localhost on port 8080.
We have successfully transferred traffic to APPSCAN on localhost port 8080.
Here we perform login sequence of API. You may get URL and credentials of API like these here.
Imported all these details in Postman to get authorization token.
Similarly we shall send 1 more request to verify if user session is active or not. Update authorization token in request manually.
Hurrey we are login to service. I see account information.
APPSCAN has recorded these API request sequence.
I can now test if these sequence is working properly.
Finish the configuration of APPSCAN. Now APPSCAN is listening to API traffic. Once all API has been called, scan the service.
After a moment, Scan result shows that application is reflecting back XSS payload. In HTML application this payload will be executed.
Conclusion:
We can use power of APPSCAN to find Security issues in API.
We can configure Login sequence in APPSCAN to perform credential based scan of service.
