Has anyone done scanning on REST API's using Qualys ? For ex.. I have a collection of API's from say Postman or a swagger.json file ( this may be a collection for generating token and then using that bearer token to call the other GET api's etc..)
I know that we could use WAS module to do website testing and its easy. But is there anything to deep dive and scan a collection of REST APIs ?
Saurabh
I think the best way to do so is via Man in middle tools like Burp Professional suite. And get the Burp scan to feed real time into Qualys to scan.
Has anyone got any other suggestions ?
Saurabh
WAS Module does have support for REST APIs but I have not tested this feature yet.
You may need to consult the updated documentation and post the results for the benefit of all.
David
Hello Saurabh, You can definitely use WAS to scan REST APIs.
Please refer to the following blog for additional information : https://blog.qualys.com/technology/2017/03/27/rest-api-testing-with-qualys-web-application-scanning#more-23687
The configuration is a little different from the scanning of your typical web sites.
You would need to capture the requests sent to the API end points using BURP proxy, save the requests and upload them to your Web Application Record. Please contact support so they can give you the exact steps required to set up the configuration to scan your API.
Here is a guide to configure your application:
Click the 'Upload Burp Log File' to select the files that you have saved on your Burp session.
When you launch you scan the scanner will execute the requests, crawl and test the API end points.
If you have tokens that are required, you can add them in header injection step.
Hope the above helps.
Yep.. I tried this yesterday and got it working.
So the steps I did to get it working was pretty simple.. listed below:
1. Configured Postman to use Burp-Proxy
2. Ran all the API collections I wanted to scan in Postman
3. In the Burp "history" tab saved the collection in an .xml format file.
4. Logged to Qualys account and ran added a new web app to scan. Uploaded the burp.xml file from step-3
5. Started the scan and finished.
Hello Saurabh, You can definitely use WAS to scan REST APIs.
Please refer to the following blog for additional information : https://blog.qualys.com/technology/2017/03/27/rest-api-testing-with-qualys-web-application-scanning#more-23687
The configuration is a little different from the scanning of your typical web sites.
You would need to capture the requests sent to the API end points using BURP proxy, save the requests and upload them to your Web Application Record. Please contact support so they can give you the exact steps required to set up the configuration to scan your API.
Here is a guide to configure your application:
Click the 'Upload Burp Log File' to select the files that you have saved on your Burp session.
When you launch you scan the scanner will execute the requests, crawl and test the API end points.
If you have tokens that are required, you can add them in header injection step.
Hope the above helps.