Scan REST APIs
w3af can be used to identify and exploit vulnerabilities in REST APIs. The scanner supports extracting endpoints and parameters from REST APIs documented using the OpenAPI specification, which means that w3af can scan these APIs in a completely automated way.
When the REST API is not documented using the OpenAPI specification, the user has to use spider_man to feed the HTTP requests associated with the REST API calls into the framework.
Scanning REST APIs with an OpenAPI specification
The crawl.open_api plugin can be used to identify the location of the OpenAPI specification document (usually openapi.json in the API root directory) and parse it. After parsing the endpoints, headers and parameters, the plugin sends this information to w3af's core, where the audit plugins can be used to identify vulnerabilities.
Using this plugin to scan REST APIs is easy, but here are some tips:
- If you know the URL of the OpenAPI specification document, include it in w3af's target URLs. This makes sure that the document is found and the API is scanned, instead of relying on the plugin guessing its location.
- If you have credentials, provide them in query_string_auth or header_auth; this information is added to all HTTP requests associated with the REST API. Prefer header_auth where the API allows it: a credential passed in the query string ends up in every logged URL, including the scanner's own output and any intermediate proxy.
- Enabling this plugin even when you don't know whether the REST API is documented using the OpenAPI specification is also a good idea, since the plugin will find the document and create an informational finding to make sure it is manually reviewed.
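As an added illustration of what the plugin has to do with the specification (this is example code written for this page, not w3af's own crawl.open_api implementation), the following Python script parses a constructed OpenAPI 3 document, builds one HTTP request per path and method with placeholder values for the path, query and header parameters, and merges credentials into every request the way the query_string_auth and header_auth options do. The sample document, the placeholder-value policy and the function names are assumptions for this example; request bodies are deliberately not handled.

```python
"""Extract scannable requests from an OpenAPI 3 document (illustrative, not w3af's code)."""
import json
from urllib.parse import urlencode, urljoin

# Constructed sample OpenAPI 3 document for this example (not from the page).
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.example.com/v1"}],
    "paths": {
        "/users/{id}": {
            "get": {
                "parameters": [
                    {"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}},
                    {"name": "verbose", "in": "query", "schema": {"type": "boolean"}},
                ]
            },
            "delete": {
                "parameters": [
                    {"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}},
                ]
            },
        },
        "/search": {
            # Parameters declared at the path level apply to every operation below.
            "parameters": [{"name": "X-Trace", "in": "header", "schema": {"type": "string"}}],
            "get": {
                "parameters": [
                    {"name": "q", "in": "query", "required": True, "schema": {"type": "string"}},
                ]
            },
        },
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Placeholder values by schema type (an assumption of this example): the audit
# plugins only need a syntactically valid request they can later mutate.
SAMPLE_VALUES = {"integer": "1", "number": "1", "boolean": "true", "string": "test"}


def sample_value(param):
    """Pick a placeholder value for a parameter from its declared schema type."""
    schema_type = param.get("schema", {}).get("type", "string")
    return SAMPLE_VALUES.get(schema_type, "test")


def extract_requests(spec_text, query_string_auth=None, header_auth=None):
    """Return one {method, url, headers} dict per operation in the spec.

    query_string_auth / header_auth mirror the plugin options described above:
    whatever they contain is added to every generated request.
    """
    spec = json.loads(spec_text)
    base = spec.get("servers", [{"url": "/"}])[0]["url"].rstrip("/") + "/"
    requests = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method, operation in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # "parameters", "summary", etc. are not operations
            url_path = path
            query = dict(query_string_auth or {})
            headers = dict(header_auth or {})
            for param in shared + operation.get("parameters", []):
                value = sample_value(param)
                location = param.get("in")
                if location == "path":
                    url_path = url_path.replace("{%s}" % param["name"], value)
                elif location == "query":
                    query[param["name"]] = value
                elif location == "header":
                    headers[param["name"]] = value
            url = urljoin(base, url_path.lstrip("/"))
            if query:
                url += "?" + urlencode(query)
            requests.append({"method": method.upper(), "url": url, "headers": headers})
    return requests


if __name__ == "__main__":
    for req in extract_requests(SAMPLE_OPENAPI,
                                query_string_auth={"api_key": "REPLACE_ME"},
                                header_auth={"Authorization": "Bearer REPLACE_ME"}):
        print(req["method"], req["url"], req["headers"])
```

Every request this produces carries the credential, which is exactly why the two auth options matter: an unauthenticated request to a protected endpoint is answered with 401/403 before any injected payload reaches the code that would be vulnerable, and the audit plugins learn nothing.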
Feeding HTTP requests into w3af
When the REST API is not documented using the OpenAPI specification, the only way for w3af to find all endpoints and parameters is for the user to manually feed this information into the framework.
This process can be used for any REST API; just follow these steps to feed the HTTP requests into w3af:
- Start spider_man using the steps outlined in Advanced use cases
- Configure the REST API client to send its HTTP requests through 127.0.0.1:44444, the address and port on which the spider_man proxy listens
- Run the REST API client, exercising every endpoint, HTTP method and parameter that should be audited
- Stop the spider_man proxy using curl -X GET http://127.7.7.7/spider_man?terminate --proxy http://127.0.0.1:44444 (the --proxy option is required: 127.7.7.7 is not a real host, the proxy recognises this request and shuts itself down)
Note
Since these REST APIs can not be crawled, w3af will only audit the HTTP requests captured by the proxy. The step where the user teaches w3af about all the API endpoints and parameters is key to the success of the security audit: any endpoint, method or optional parameter the client never sends through the proxy is never tested.
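The procedure above, as an added example that is not part of the original page: a small Python script that replays a recorded list of REST API calls through the spider_man proxy and then sends the terminate request, equivalent to the curl command in the last step. It assumes spider_man has already been started as described in Advanced use cases and is listening on 127.0.0.1:44444; the list of calls, the API hostname and the bearer token are constructed for this example.

```python
"""Feed recorded REST API calls through w3af's spider_man proxy (added example)."""
import json
import urllib.request
from urllib.error import URLError

SPIDER_MAN_PROXY = "http://127.0.0.1:44444"            # spider_man listen address
TERMINATE_URL = "http://127.7.7.7/spider_man?terminate"  # handled by the proxy itself

# Constructed recording of the calls a REST client makes (not real traffic).
# In practice these come from the client's own request log or test suite;
# every call listed here is a request w3af will audit, nothing else is.
RECORDED_CALLS = [
    {"method": "GET", "url": "http://api.example.com/v1/users/1",
     "headers": {}, "body": None},
    {"method": "POST", "url": "http://api.example.com/v1/users",
     "headers": {}, "body": {"name": "alice"}},
]


def build_request(call, auth_headers=None):
    """Turn one recorded call into a urllib Request, adding auth headers."""
    headers = dict(auth_headers or {})
    headers.update(call.get("headers") or {})
    data = None
    if call.get("body") is not None:
        data = json.dumps(call["body"]).encode()
        headers.setdefault("Content-Type", "application/json")
    return urllib.request.Request(call["url"], data=data,
                                  headers=headers, method=call["method"])


def proxied_opener(proxy=SPIDER_MAN_PROXY):
    """Opener that routes HTTP and HTTPS through spider_man (step 2 above)."""
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))


def feed_requests(calls, opener, auth_headers=None):
    """Replay the calls through the proxy; return (sent, failed) counts.

    Failures are counted rather than fatal so that one broken call does not
    stop the rest of the API from being fed to w3af.
    """
    sent = failed = 0
    for call in calls:
        try:
            with opener.open(build_request(call, auth_headers), timeout=10) as resp:
                resp.read()
            sent += 1
        except URLError:
            failed += 1
    return sent, failed


def terminate_spider_man(opener):
    """Step 4: the terminate request must also go through the proxy."""
    req = urllib.request.Request(TERMINATE_URL, method="GET")
    with opener.open(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    opener = proxied_opener()
    # The bearer token is a placeholder; use the API's real credential.
    print("sent/failed:", feed_requests(RECORDED_CALLS, opener,
                                        {"Authorization": "Bearer REPLACE_ME"}))
    print("terminate status:", terminate_spider_man(opener))
```

Once the terminate request has been answered, the w3af scan continues on its own: the crawl phase ends and the audit plugins run against exactly the requests that went through the proxy, so anything the recording lacks (a rarely used endpoint, an optional query parameter, a PUT or DELETE the client never issues) is simply not tested.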