To start with ArmourZero's API Scan, add the API you intend to check for weaknesses and vulnerabilities.
Step 1: Add an API
1. Go to the left menu, select "API" under the VULNERABILITY SCANNER section, and click "Add API".
Notes: Depending on your subscription plan, you can add more than 1 API.
2. You can add a new API either by supplying a specification URL or by uploading a specification file.
Using API Specification URL
Using Upload File
Notes: Supported file types: OpenAPI (JSON/YAML), Swagger, WSDL, SOAP specification.
3. The specification is parsed to determine your API's structure, endpoints, request formats, and authentication requirements. Click "Confirm" once you have reviewed it.
Step 2: Endpoint Extraction
1. The scanner automatically parses the specification and identifies all available endpoints.
2. You can easily review and select which endpoints to include in the scan.
3. Go to the left menu and select "API" under the VULNERABILITY SCANNER section. Click the API ID, or the three-dot action icon next to it, and select "Configure Endpoints to Scan".
Sample endpoint configuration
4. You can choose specific endpoints to scan, giving you full control over what is scanned.
Notes: Exclude logout, signout, or destructive endpoints (for example, operations that delete or overwrite data) so the scan does not invalidate its own session or cause unintended side effects.
Step 3: Configure Authentication
1. Go to the left menu and select "API" under the VULNERABILITY SCANNER section. Click the API ID, or the three-dot action icon next to it, and select "API Config Details".
2. Click "Edit".
3. Provide credentials for one of the supported authentication methods: Basic Auth, API Key, Bearer/JWT, or NONE for public endpoints.
4. ArmourZero's API Scan uses these credentials to simulate legitimate access when scanning the endpoints.
Notes: Scanning with valid credentials keeps the tests realistic, since protected endpoints are actually exercised rather than rejected with 401/403, without causing disruptions. Use a dedicated, least-privilege test account rather than a personal or administrative one, and prefer a staging environment where possible.
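The following is an added example, not ArmourZero code, that walks through Step 2 (parsing a specification, listing endpoints, and excluding logout and destructive ones) and Step 3 (building the request header for each of the supported authentication methods) on a small, constructed OpenAPI 3 document. The spec, scheme names, and credential values are assumptions made for the example; how ArmourZero's scanner represents these internally is not described on the page.

```python
"""Parse an OpenAPI 3 spec, choose endpoints to scan, and build auth headers."""
import base64
import json
import re

# Constructed sample spec for this example (not a real API). It declares the three
# authentication methods the page lists, a document-level default of Bearer/JWT,
# one public endpoint, one logout endpoint, and one destructive (DELETE) operation.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "components": {"securitySchemes": {
    "basic":  {"type": "http", "scheme": "basic"},
    "bearer": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
    "apikey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}
  }},
  "security": [{"bearer": []}],
  "paths": {
    "/health":       {"get": {"security": []}},
    "/users":        {"get": {}, "post": {}},
    "/users/{id}":   {"get": {}, "delete": {}},
    "/auth/logout":  {"post": {}},
    "/admin/report": {"get": {"security": [{"apikey": []}]}},
    "/legacy":       {"get": {"security": [{"basic": []}]}}
  }
}
""")

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
# Paths that end the scanner's own session (the page's note on logout/signout).
SESSION_ENDING = re.compile(r"(log|sign)[-_]?out", re.IGNORECASE)
# Methods treated as destructive and excluded by default.
DESTRUCTIVE_METHODS = {"delete"}


def extract_endpoints(spec):
    """Return (METHOD, path, security) for every operation in the spec.

    An operation-level 'security' list overrides the document-level default;
    an empty list means the operation is public (NONE authentication).
    """
    default_security = spec.get("security", [])
    endpoints = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip 'parameters', 'summary', etc.
            endpoints.append((method.upper(), path, op.get("security", default_security)))
    return endpoints


def select_endpoints(endpoints, exclude_destructive=True):
    """Drop logout/signout endpoints and, by default, destructive methods."""
    selected = []
    for method, path, security in endpoints:
        if SESSION_ENDING.search(path):
            continue
        if exclude_destructive and method.lower() in DESTRUCTIVE_METHODS:
            continue
        selected.append((method, path, security))
    return selected


def auth_headers(spec, security, credentials):
    """Build the request headers for an operation's first security requirement.

    credentials maps scheme name -> secret; a Basic scheme expects (user, password).
    """
    if not security:
        return {}  # NONE: public endpoint, no credentials sent
    schemes = spec["components"]["securitySchemes"]
    name = next(iter(security[0]))
    scheme = schemes[name]
    secret = credentials[name]
    if scheme["type"] == "http" and scheme["scheme"] == "basic":
        user, password = secret
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        return {"Authorization": f"Basic {token}"}
    if scheme["type"] == "http" and scheme["scheme"] == "bearer":
        return {"Authorization": f"Bearer {secret}"}
    if scheme["type"] == "apiKey" and scheme["in"] == "header":
        return {scheme["name"]: secret}
    raise ValueError(f"unsupported security scheme: {name}")


def plan_scan(spec, credentials):
    """Return the (METHOD, path, headers) requests a scan would issue."""
    return [(m, p, auth_headers(spec, s, credentials))
            for m, p, s in select_endpoints(extract_endpoints(spec))]


if __name__ == "__main__":
    # Assumed test-account credentials; use a least-privilege account in practice.
    creds = {"basic": ("scanner", "s3cret"), "bearer": "eyJhbGciOi...", "apikey": "k-123"}
    for method, path, headers in plan_scan(SAMPLE_SPEC, creds):
        print(f"{method:6} {path:15} {headers or '(no auth)'}")
```

Running it shows POST /auth/logout and DELETE /users/{id} dropped from the plan, GET /health sent without credentials, and the remaining endpoints carrying the Bearer, API-Key, or Basic header their security requirement calls for. Passing `exclude_destructive=False` to `select_endpoints` keeps the DELETE operation for the cases where a disposable test dataset makes that acceptable.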