Our web app scans don't seem to be scanning/fuzzing our APIs and I'm looking to set up a separate scan just for the APIs (WSDLs). Is there a way to do this without selecting a web app to scan?
WAS does fuzz SOAP requests. Most likely you are not seeing the tests launched because we did not detect your WSDL. Can you check if we report your WSDL link in QID 150009 and QID 150087? If you do not see your WSDL link in 150009, 150087 will not be reported. You can work around this by defining your WSDL link as an explicit URI, and that should help with identifying your WSDL and fuzzing the corresponding SOAP requests. In case you are able to use the workaround and successfully fuzz your API, please do send us your application details, since organically not detecting the WSDL is an issue and we would like to address it.
In order to scan the API alone, please define the WSDL as an explicit URI, enable the QIDs that are specific to SOAP testing and launch a vulnerability scan.
If you need further information, please send us your application details via support and we will provide further assistance.
I don't see any records of QID 15009 and 150087 in WAS. I can understand explicitly defining the WSDLs so the scanner can pick them up, but my issue is having to scan an entire website when I only want to scan about 20 WSDL URLs. I already scan the application that uses the WSDLs, so I don't want to have to rescan the entire website when I only need to scan/fuzz the WSDLs. Is there a way to set up WAS to ONLY scan the specified URLs and not an entire web app?
Adding explicit URIs, setting the link limit to the total number of API links, and making sure you enable all the corresponding QIDs (that would ensure the fuzzing of the API) should help scan only the SOAP-related URIs. If you don't enable the QIDs you won't see them reported in the scan. 150009 should be reported for all scans (discovery and vulnerability). In general all IG QIDs should be enabled. They do not take much scan time. If you want to tailor scans, you can do that with the VULN QIDs. Please contact support for details on what QIDs need to be enabled in order for specific tests to be launched.
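To size that explicit URI list and link limit before configuring the scan, the following added example (not Qualys code, and not from either poster) parses each WSDL 1.1 document, pulls out its SOAP endpoint addresses and bound operations, and builds the deduplicated URI list; the WSDL content, URL and endpoint below are constructed sample values.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
SOAP12_NS = "http://schemas.xmlsoap.org/wsdl/soap12/"

# Constructed sample WSDL: one binding with two operations, one SOAP endpoint.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="urn:example" targetNamespace="urn:example">
  <portType name="OrderPortType">
    <operation name="GetOrder"/><operation name="CancelOrder"/>
  </portType>
  <binding name="OrderBinding" type="tns:OrderPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetOrder"><soap:operation soapAction="urn:example/GetOrder"/></operation>
    <operation name="CancelOrder"><soap:operation soapAction="urn:example/CancelOrder"/></operation>
  </binding>
  <service name="OrderService">
    <port name="OrderPort" binding="tns:OrderBinding">
      <soap:address location="https://api.example.test/orders/soap"/>
    </port>
  </service>
</definitions>"""


def summarize_wsdl(wsdl_xml: str) -> dict:
    """Return the SOAP 1.1/1.2 endpoint locations and (binding, operation) pairs."""
    root = ET.fromstring(wsdl_xml)
    endpoints = []
    for port in root.iter(f"{{{WSDL_NS}}}port"):
        for addr_ns in (SOAP_NS, SOAP12_NS):
            addr = port.find(f"{{{addr_ns}}}address")
            if addr is not None and addr.get("location"):
                endpoints.append(addr.get("location"))
    operations = []
    for binding in root.iter(f"{{{WSDL_NS}}}binding"):
        for op in binding.findall(f"{{{WSDL_NS}}}operation"):
            operations.append((binding.get("name"), op.get("name")))
    return {"endpoints": endpoints, "operations": operations}


def explicit_uri_list(wsdl_by_url: dict) -> list:
    """Given {wsdl_url: wsdl_xml}, return the deduplicated URIs to enter as explicit
    URIs: each WSDL link plus every SOAP endpoint it declares. len() of the result
    is the link limit to set so the scan stays on the API alone."""
    uris = []
    for wsdl_url, xml_text in wsdl_by_url.items():
        uris.append(wsdl_url)
        uris.extend(summarize_wsdl(xml_text)["endpoints"])
    return list(dict.fromkeys(uris))  # preserves order, drops duplicates
```

Fetch each of the ~20 WSDL URLs into the dict (for example with requests) and the returned list length is the number to use as the link limit.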