Test your APIs
Detect Broken Authentication endpoints, the #2 risk in the OWASP API Security Top 10.
Scan APIs locally with APIsec™ CLI
APIsec's CLI helps you scan your APIs locally to find vulnerabilities
To download and run the APIsec CLI, clone the repository and start the jar from inside the cloned apisec-cli directory:
git clone https://github.com/intesar/apisec-cli
java -jar apisec-cli.jar
The CLI then shows an apisec> prompt; the commands in the sections below are typed at that prompt.
II. Signup with APIsec™:
New users first sign up with APIsec. This creates a new tenant for you on the APIsec SaaS platform.
Command: signup -c <company name> -e <email>
apisec> signup -c mycompany -e email@example.com
The command returns your login credentials: the user name and an auto-generated password. Save them in a file called fx.properties at the location the CLI specifies, and on the next run you will be logged in to your tenant automatically. Treat fx.properties as a secret: it holds the password in plain text, so restrict its permissions to your own user and keep it out of version control.
Alternatively, keep the password yourself and log in manually each time you start the CLI:
Command: login -u <user email> -p <password>
apisec> login -u firstname.lastname@example.org -p DBhk20Al
III. Register APIs:
Register the API you wish to scan by providing the publicly reachable URL of its OpenAPI Specification (OAS, also called the Swagger URL), for example http://mycompany.com/application/v2/api-docs
Command: register -n <api name> -o <Open API Spec URL>
apisec> register -n orders -o http://mycompany.com/orders/v2/api-docs
APIsec parses the spec and generates the security playbooks used for scanning. This can take a few seconds depending on the number of endpoints in the API.
If your application is hosted internally and the OAS URL is not reachable from the internet, APIsec recommends uploading the OAS file (JSON or YAML) to a public location such as GitHub and providing the direct URL to the file contents (on GitHub, the raw file URL). Everything in that file becomes public, so review it for internal hostnames, example credentials, and tokens before publishing it.
Note: You can register multiple APIs in the same tenant by repeating this step.
Use the ls command to list all APIs registered in your tenant.
Command: ls
IV. Scan the API:
To scan a registered API for vulnerabilities, use the scan command:
Command: scan -n <api name>
apisec> scan -n orders
This runs all the playbooks generated in the previous step. They send live requests to the application at the host URL and base path declared in the OAS, so make sure that target is an environment you are authorised to test and that can tolerate the traffic.
If the application is hosted internally and has no public IP, the hosted scanner cannot reach it; scan with a local scanner instead. The next section describes how to create one.
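Both the register step and the scan step are driven entirely by the OAS document: the file you may be about to publish in section III, and the host and base path the scan in section IV will send traffic to. The script below is an added example, not part of APIsec or its CLI. It reads a spec (JSON here; a YAML spec works the same way once loaded with a YAML parser), reports the base URL(s) a scan would hit, counts operations, decides whether the target looks reachable only from inside the network (the local scanner case), and flags credential-shaped strings that must not be pushed to a public location. The two sample specs are constructed for this example, and the private-host labels and secret patterns are assumptions of this example, not APIsec rules.

```python
"""Added example: inspect an OpenAPI spec before registering it with APIsec.

Not part of APIsec or its CLI. Sample specs, private-host labels and secret
patterns are assumptions of this example.
"""
import ipaddress
import json
import re
from urllib.parse import urlparse

# Constructed sample specs, not real APIs.
SWAGGER2_SPEC = json.dumps({
    "swagger": "2.0",
    "host": "orders.internal.example.com:8443",
    "basePath": "/orders/v2",
    "schemes": ["https"],
    "paths": {
        "/items": {"get": {}},
        "/items/{id}": {"get": {}, "delete": {}, "parameters": []},
    },
    "securityDefinitions": {
        "api_key": {"type": "apiKey", "name": "X-API-Key", "in": "header"}
    },
})
OAS3_SPEC = json.dumps({
    "openapi": "3.0.1",
    "servers": [{"url": "https://api.example.com/orders/v2"}],
    "paths": {"/items": {"get": {}, "post": {}}},
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    # A leftover like this would be published together with the spec.
    "x-internal-note": "staging token: eyJhbGciOiJIUzI1NiJ9.e30.abc",
})

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Assumed: a host with one of these DNS labels is not reachable from the SaaS scanner.
PRIVATE_LABELS = {"localhost", "internal", "local", "lan", "corp", "intranet"}
# Assumed credential shapes; extend for whatever your organisation issues.
SECRET_PATTERNS = {
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{2,}\.[A-Za-z0-9_-]*"),
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "keyword_value": re.compile(
        r"(?i)\b(password|secret|token)\b\s*[:=]\s*['\"]?[^'\"\s,}]{8,}"
    ),
}


def scan_targets(spec):
    """Base URLs a scanner will send requests to.

    Swagger 2.0 declares host + basePath + schemes; OpenAPI 3 declares servers[].url.
    """
    if "swagger" in spec:
        host = spec.get("host", "")
        base = spec.get("basePath", "/")
        schemes = spec.get("schemes") or ["http"]
        return [f"{s}://{host}{base}" for s in schemes]
    return [s["url"] for s in spec.get("servers", [])]


def count_operations(spec):
    """Number of path/method pairs; generated playbooks scale with this."""
    return sum(
        1 for item in spec.get("paths", {}).values() for m in item if m in HTTP_METHODS
    )


def needs_local_scanner(url):
    """True when the target is a private/loopback IP or carries a private DNS label."""
    host = urlparse(url).hostname or ""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        pass  # not an IP literal, fall through to the label check
    return bool(PRIVATE_LABELS & set(host.lower().split(".")))


def find_embedded_secrets(spec_text):
    """(pattern name, matched text) for every credential-shaped string in the raw spec."""
    return [
        (name, m.group(0))
        for name, pat in SECRET_PATTERNS.items()
        for m in pat.finditer(spec_text)
    ]


def review_spec(spec_text):
    """Summarise what registering and scanning this spec would involve."""
    spec = json.loads(spec_text)
    targets = scan_targets(spec)
    return {
        "targets": targets,
        "operations": count_operations(spec),
        "needs_local_scanner": any(needs_local_scanner(t) for t in targets),
        "embedded_secrets": find_embedded_secrets(spec_text),
        "declares_auth": bool(
            spec.get("securityDefinitions")
            or spec.get("components", {}).get("securitySchemes")
        ),
    }


if __name__ == "__main__":
    for label, text in (("swagger2", SWAGGER2_SPEC), ("oas3", OAS3_SPEC)):
        print(label, json.dumps(review_spec(text), indent=2))
```

Run it against your own spec by replacing the constructed text with the file contents. A spec whose targets resolve to a private host is the case that needs the local scanner in section V; a non-empty embedded_secrets list means the file is not safe to put on GitHub as-is; declares_auth being false is worth knowing before you interpret any authentication-related findings, since the spec then describes no authentication scheme for the scanner to exercise.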
V. Create a local scanner:
If the application is hosted internally with no public IP, deploy a local scanner inside that network so it can reach the endpoints.
Command: scanner create -n <scanner name>
apisec> scanner create -n MyLocalScanner
Command: scan -n <api name> -s <scanner name>
apisec> scan -n orders -s MyLocalScanner
The CLI returns Docker and Kubernetes scripts for deploying the scanner. Run whichever suits your environment on the machine that hosts the API, or on any other machine in the network that can reach the API; the script deploys the scanner on that machine. The scanner runs inside your network with access to the API, so place it on a host you control and remove it when it is no longer needed.
Use the command below to list all local scanners created in your tenant.
Command: scanner ls
apisec> scanner ls
Use the command below to remove a local scanner from your tenant.
Command: scanner rm -n <scanner name>
apisec> scanner rm -n MyLocalScanner