AppSpider Pro is capable of testing Swagger-enabled APIs which further automates the process of testing APIs within AppSpider by eliminating the need to capture traffic via a proxy prior to testing. Now, you can simply upload a Swagger file to AppSpider and then AppSpider leverages the Universal Translator to analyze the file and then discover vulnerabilities in the API. This should prove to be a significant time savings and enable your team to test more of your APIs than before.
Swagger, an open source solution, is one of the most popular API frameworks. It defines a standard interface to REST APIs that is agnostic to the programming language. A Swagger-enabled API enables both humans and computers to discover and understand the capabilities of the service. AppSpider parses the swagger document to generate function calls and create values for the expected parameters. The file is then saved as a TREC traffic recording file which then can be used by AppSpider to scan and attack the REST API. The Swagger Utility currently supports the Swagger 2.0 version saved in JSON.
The Swagger capability is accessible within the Tools section in AppSpider.
Once the “Swagger Utility” icon is clicked on a new UI window (see below) is opened with the tab titled “Swagger Utility”
Here you can click on the “open” icon which will open a file selection dialog box (see below) to allow the selection of which Swagger JSON files should be uploaded to AppSpider for scanning.
Once the Swagger JSON file has been selected and the open button is pressed the various API function calls are listed in the traffic viewer window (see below).
The “Edit API Parameters” button opens a UI (see below) which allows the editing of the various parameters. Once the needed edits are made simply close out the UI box and the updated parameter values will be propagated in the various request calls.
Upon completing any needed editing click on the save button to save the traffic recording file which can be added to a scan configuration for scanning by AppSpider.
Now you can create a new scan configuration where the traffic recording file that was created by the Swagger Utility can be loaded for scanning. When creating the scan configuration it is recommended that you include the base URL of the REST API in the URL list so that the same domain restrictions that apply to that will apply to the REST calls.
Once you get to the Recorded Traffic section of the scan configuration press on the Green Plus icon (+) to add the Traffic recording file created by the Swagger Utility.
If you would like to limit the scan to only the recorded traffic file then check the restrict scan box towards the top of the UI.
Once the remaining scan configuration is completed then click on the Save & Run button to kick off the scan.