Has anyone done scanning of REST APIs using Qualys? For example, I have a collection of APIs from, say, Postman or a swagger.json file (this may be a collection for generating a token and then using that bearer token to call the other GET APIs, etc.).
I know that we could use the WAS module to do website testing and it's easy. But is there anything to deep dive and scan a collection of REST APIs?
Saurabh
Hello Saurabh. You can definitely use WAS to scan REST APIs.
Please refer to the following blog for additional information: https://blog.qualys.com/technology/2017/03/27/rest-api-testing-with-qualys-web-application-scanning#more-23687
The configuration is a little different from scanning your typical websites.
You would need to capture the requests sent to the API endpoints using the Burp proxy, save the requests and upload them to your Web Application Record. Please contact support so they can give you the exact steps required to set up the configuration to scan your API.
Here is a guide to configure your application:
Click 'Upload Burp Log File' to select the files that you saved from your Burp session.
When you launch your scan, the scanner will execute the requests, crawl and test the API endpoints.
If there are tokens that are required, you can add them in the header injection step.
Hope the above helps.