Reference
Scan Parameters
Example
Here is an example of a ScanParams object:
scan:
blacklist:
routes:
- path: "/a/path/to/blacklist"
method: GET
- path: "/another/path/to/blacklist"
method: POST
hotstart:
- |-
POST /register HTTP/1.1
Host: example.com
Content-Type: application/json
Content-Length: 194
{"my": "data"}
- |+
GET /users HTTP/1.1
Host: example.com
Content-Type: application/json
Content-Length: 194
profile: surface | marketing | cicd | default | deep | unrestricted
read_only: true | false
scalars:
SSET:
description: The Super Secret Example Token is internal to our company and should
never been exposed by any APIs.
examples:
- SSET-ABC12
names:
- SSET
- super_secret_example_token
- SuperSecretExampleToken
parents:
- String
patterns:
- SSET-[A-Z0-9]{5}
sensitivity: HIGH
detection: key_or_value_strict
entropy: 2
BlackListParams
| Property | Type | Required | Description | Reference |
|---|---|---|---|---|
| routes | BlacklistRouteRule | False | BlacklistRouteRule | |
| query | string | False | ||
| mutation | string | False | ||
| subscription | string | False | ||
| objects | string | False |
BlacklistRouteRule
| Property | Type | Required | Description | Reference |
|---|---|---|---|---|
| method | string | False | The method is an HTTP method (GET, POST, PUT, DELETE, etc.). | |
| path | string | False | The path is a valid OpenAPI path. |
ScanParams
| Property | Type | Required | Description | Reference |
|---|---|---|---|---|
| profile | ScanProfile | False | The scan profile | ScanProfile |
| read_only | boolean | False | The choosen mode for the tested API. Default mode is read-write and suited to development environment. The read_only mode is safe for production environments, but will reduce the number of tests performed and the scan coverage.. | |
| hotstart | string | False | Raw queries to hotstart the API exploration. | |
| blacklist | BlackListParams | False | The operations that will be skipped by security tests. See more in the dedicated documentation section.. | BlackListParams |
| scalars | Dict[string, CustomScalarParams] | False | The user's defined scalars. | CustomScalarParams |
| api_type | ApiType | False | ApiType | |
| null_is_unauthenticated | boolean | False | In order to improve error inference, on some scans we want to be able to consider that a null aswerimplies that the request should have been authenticated | |
| hotstart_only | boolean | False | If true, the scan will only perform the hotstart phase and stop after. | |
| force_full_scan | boolean | False | Will perform a full scan, without listening your API health and timeout. It may degrade your results quality but will unsure that all your operations are checked. |
ScanProfile
surfacemarketingcicddefaultdeepunrestricted
Client Parameters
Example
Here is an example of a ClientParams object:
client:
proxy:
type: escape | http | repeater
request_timeout: 5
requests_per_minute: 50 * 60
ClientParams
| Property | Type | Required | Description | Reference |
|---|---|---|---|---|
| request_timeout | integer | False | The maximum timeout duration for each request (in seconds). See more in the dedicated documentation section. | |
| requests_per_minute | integer | False | The maximum number of request per minute. Which will be used on a per second window. | |
| proxy | RepeaterProxyType HTTPProxyType EscapeProxyType | False | The Proxy to use for the requests. See more in the Scan Internal APIs documentation section. |