Setting up Astra’s Vulnerability Scanner for API testing involves a streamlined configuration process that allows the scanner to thoroughly assess your API endpoints. This guide will walk you through each step, from entering the base URL to uploading definition files, ensuring you set up the scanner effectively for your API's security assessment.
Access the Scanner Setup
To begin, navigate to the Targets page and click on the Setup Target button.
You will be directed to the target setup wizard, where you can update and configure the target.
Breakdown of each step
1. Get Started
Begin by providing fundamental details about your application:
Application Name: Enter the display name for your API. This helps you easily identify your API target in the dashboard.
Business Name: Provide your company’s name, which will be used for the penetration test certificate.
2. Base URL
Base URL: Enter the root URL of your API. This is the main endpoint from which all other API paths extend. Be sure to provide the correct protocol (
http://orhttps://) along with the full domain name. Setting the Base URL helps the scanner focus on your API’s root endpoint and its linked resources.
| Example: https://api.example.com/
3. Definition Files
In this step, you’ll need to upload the definition files for your API. These files are vital in helping the scanner understand the structure and behavior of your API, ensuring a thorough and comprehensive security test.
Postman Collection: Drag and drop your Postman Collection file into the provided field. This file will outline the specific requests, endpoints, and workflows your API uses.
Postman Environments: If applicable, upload your Postman Environment files. These files help configure the testing environment, whether it’s for development, staging, or production.
OpenAPI Document (Optional): You can also upload an OpenAPI specification file. This document provides a detailed map of your API’s endpoints, making the testing process even more precise and effective.
4. Additional Notes
Use this section to provide any extra information that might affect the scanning process, or our security engineers to focus on including:
Special authentication methods or tokens required for access.
Rate limiting or throttling details that might affect the number of requests.
Specific endpoints that should be prioritized or avoided during the scan.
Any known quirks or configurations unique to your API.
5. Complete Setup
After completing the above steps, review your entries and click Complete setup to finalize the API target configuration. Once saved, you can initiate the scan to begin testing your API for vulnerabilities.
| For any questions or assistance with the setup process, feel free to reach out to our support team by raising a ticket.