Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Feature Walkthroughs / 2 Apr 2020
GitLab / Feature Walkthroughs / 2 Apr 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: DAST REST API Scans

Description

A brief introduction to a DAST API scan, and a demonstration of how to configure DAST to scan your API.

A

Hi I'm cam and engineer in the secure section today, I'd like to show you how to configure a dust restful api scan a challenge with the restful api is, is they cannot be spotted like normal websites? This makes it hard for tools like dust to understand the attack surface of a website. A dust api scan solves this challenge by using an open api specification when the scan runs, the specification is imported and passed.

A

The urls contained in the specification are used to bootstrap the scan to demonstrate a working example, I've written a simple REST API you can see it has an obvious vulnerability. There is a credit card number returned in the response.

A

The open API specification for the REST API is as follows. You can see it. It defines a host as well as all of the endpoints that the API exposes that supports open, API versions, 2 and 3, and compiles the file as JSON or yeah more formats to configure a dest scan. First, we need to let us know the URL, where the specification is hosted using the dust' api specification variable as the host important specifications are often hard-coded.

A

We want to override it to point it to the host port, where the API is actually deployed, so we use the dust a bi host override finally to get dust to authenticate with the rest api. We direct us to add an authorization header to all requests.

A

You will note in this configuration that we do not need to specify the dust web site environment. Variable dust will infer the target from the urls contained inside the api specification.

A

If we then trigger a new pipeline with this configuration.

A

You can see the dust scan starting to execute and you can see in the log file that says number of imported URLs, six, which is correct in this case.

A

And then, if we navigate to the security dashboard and look at the vulnerabilities, we can see it's found at PII vulnerability, because there's been a credit card number found. Hooray.