Scanning APIs Using an OpenAPI Schema
Speaker 1: Welcome to NexPloit. In this video, you will learn how to scan API endpoints directly using a predefined OpenAPI or Swagger schema. NexPloit can parse an uploaded API schema to define the attack surface of the target and optimize the selected security tests for a scan to be successful. Please make sure that you're using a valid schema which is configured in compliance with the standard specification. You can find more information about the supported versions and configuration requirements on our knowledge base.

Let's get started. Go to the NexPloit application in the left pane, select the Scans option and click New Scan to create a basic scan with minimal settings. Use the default Standard setup mode. Alternatively, you can configure extended parameters for a new scan in the Advanced setup mode. In this video, we're using the Standard setup mode.

From the Scan Targets dropdown list, select API endpoints via schema. The OpenAPI specification is selected by default. To upload the schema, click the clip icon and select the required file from your storage. If the schema is configured incorrectly, NexPloit cannot accept the file and displays an error message. In this case, we recommend reading the troubleshooting section on our knowledge base to help you fix the problem quickly.

If your schema has been uploaded successfully, but you want to edit it before running a scan, you can do that in the current New Scan dialog. Go to the Schema Editor tab, make the required changes to the schema and then proceed with the scan settings. Note that some API endpoints might be unauthorized for a direct scan from the cloud. In this case, you will need to select a running Repeater from the dropdown list.

In the Scan Details section, enter a name and select the project for the scan. That's it. You've completed the setup. Now click Start Scan. You can monitor the scan process and check the results on the Scans page.

Thanks for watching and happy scanning with NexPloit from all of us at NeuraLegion.