Enable API scan

  • Introducing ArmourZero API Scan

    ArmourZero's API Scan is an AI-powered penetration assessment tool that helps developers and security professionals detect weaknesses and vulnerabilities in Application Programming Interfaces, commonly known as APIs.

    The API Scan feature scans APIs for potential security vulnerabilities using a specification-based approach. You provide the API specification via URL or by uploading a file, and the system automatically parses it and identifies the endpoints to scan. The feature works with both RESTful and SOAP APIs and supports the authentication mechanisms commonly used by APIs.

    ArmourZero's API Scan is designed for users who:

    • Build and control their own APIs

      • Ideal for companies with internal applications or services.

      • You have access to API specifications (OpenAPI, Swagger, WSDL) and credentials.

    • Use APIs in a controlled environment

      • Scanning should be done in a test or sandbox environment to avoid impacting production.

    • Want to proactively check for security issues

      • You want to find vulnerabilities in your APIs before they affect your users or systems.


    The type of APIs supported:

    • REST APIs

      • The most common type of API in modern apps.

      • Works over the web using standard HTTP requests (like GET or POST).

      • Example: Your web or mobile app asking a server for user profiles, orders, or messages.

    • OpenAPI / Swagger

      • A standard format for describing REST APIs.

      • Makes it easy for our scanner to automatically understand your API and scan it.

    • SOAP APIs

      • An older style of API using structured XML messages.

      • Often found in enterprise or legacy systems.

      • Example: A bank’s internal system processing transactions between different servers.

    • Authentication Methods

      • Basic Auth

      • API Key

      • Bearer / JWT

      • None


    The scan results for all possible vulnerabilities detected are then compared with the industry Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) to determine each vulnerability's severity level. Each detected vulnerability is then mapped to the OWASP Top 10 API Security Risks (2023), the latest standard awareness document for developers and API security, which represents a broad consensus about the most critical security risks to APIs.

    There are 5 categories of CWE and CVE severity level:

    1. Critical
    2. High
    3. Medium
    4. Low
    5. Information

    Add an API and configure its endpoints to start using ArmourZero's API Scan immediately and find all possible vulnerabilities faster than attackers.
  • How to add API and configure its endpoint

    To start with ArmourZero's API Scan, simply add the API in which you intend to find any possible weaknesses and vulnerabilities.

    Step 1: Add an API

    1. Go to the left menu, select "API" under the VULNERABILITY SCANNER section and click "Add API".

    Notes: Depending on your subscription plan, you can add more than 1 API.

    2. You can add a new API using a specification URL or by uploading a file.

    Using API Specification URL

    Using Upload File

    Notes: Supported file types: OpenAPI (JSON/YAML), Swagger, WSDL, SOAP specification.

    3. The whole specification is read to understand your API structure, endpoints, request formats and authentication requirements. Click "Confirm" once you have checked it.

    Step 2: Endpoint Extraction

    1. The scanner automatically parses the specification and identifies all available endpoints.

    2. You can easily review and select which endpoints to include in the scan.

    3. Go to the left menu, select "API" under the VULNERABILITY SCANNER section and click "Add API". Click on the API ID or the three dots action icon next to the API ID, and select "Configure Endpoints to Scan".

    Sample of endpoint's configuration

    4. You can choose specific endpoints to scan, giving you full control over what is scanned.

    Notes: Exclude logout, signout or destructive endpoints to avoid breaking sessions or causing unintended actions.

    Step 3: Configure Authentication

    1. Go to the left menu, select "API" under the VULNERABILITY SCANNER section and click "Add API". Click on the API ID or the three dots action icon next to the API ID, and select "API Config Details".

    2. Click "Edit".

    3. Provide credentials for one of the supported authentication methods: Basic Auth, API Key, Bearer/JWT, or NONE for public endpoints.

    4. ArmourZero's API Scan uses these credentials to simulate legitimate access when scanning the endpoints.

    Notes: This keeps the security tests realistic without causing disruption.

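    The endpoint selection of Step 2 and the authentication setup of Step 3 can be reproduced outside the product to check a specification before it is uploaded. The Python script below is an added example, not ArmourZero's code: it parses a constructed OpenAPI 3 document, lists every method/path pair, flags session-ending (logout/signout) and destructive (DELETE) endpoints for exclusion as the note in Step 2 advises, and builds the request header each supported authentication method would use. The sample spec, the exclusion rules and the default API key header name are assumptions chosen for illustration.

```python
import base64
import re

# Constructed sample OpenAPI 3 document standing in for a spec fetched by URL or
# uploaded as a file (not a real service).
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/users": {"get": {"summary": "List users"}, "post": {"summary": "Create user"}},
        "/users/{id}": {"get": {"summary": "Get user"}, "delete": {"summary": "Delete user"}},
        "/auth/logout": {"post": {"summary": "End the current session"}},
        "/orders": {"get": {"summary": "List orders"}},
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Assumed rule: paths that end a session would invalidate the scanner's own credentials.
SESSION_ENDING = re.compile(r"log-?out|sign-?out", re.IGNORECASE)
# Assumed rule: DELETE removes data, so it is excluded unless the target is a sandbox.
DESTRUCTIVE_METHODS = {"DELETE"}


def extract_endpoints(spec):
    """Return sorted (METHOD, path) pairs from the 'paths' object of an OpenAPI document."""
    endpoints = []
    for path, item in spec.get("paths", {}).items():
        for method in item:
            if method.lower() in HTTP_METHODS:  # skip 'parameters', 'summary', etc.
                endpoints.append((method.upper(), path))
    return sorted(endpoints)


def exclusion_reason(method, path):
    """Why an endpoint should stay out of the scan, or None if it can be included."""
    if SESSION_ENDING.search(path):
        return "session-ending"
    if method in DESTRUCTIVE_METHODS:
        return "destructive"
    return None


def select_endpoints(spec):
    """Split the spec's endpoints into those to scan and those excluded (with the reason)."""
    included, excluded = [], {}
    for method, path in extract_endpoints(spec):
        reason = exclusion_reason(method, path)
        if reason:
            excluded[(method, path)] = reason
        else:
            included.append((method, path))
    return included, excluded


def auth_headers(scheme, **cred):
    """Headers a scanner attaches to each request for the chosen authentication method."""
    if scheme == "basic":
        raw = f"{cred['username']}:{cred['password']}".encode()
        return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
    if scheme == "api_key":
        # The header name varies per API; X-API-Key is an assumed default.
        return {cred.get("header_name", "X-API-Key"): cred["key"]}
    if scheme == "bearer":
        return {"Authorization": f"Bearer {cred['token']}"}
    if scheme == "none":
        return {}
    raise ValueError(f"unsupported authentication scheme: {scheme}")


if __name__ == "__main__":
    included, excluded = select_endpoints(SAMPLE_SPEC)
    for method, path in included:
        print(f"scan     {method:7} {path}")
    for (method, path), reason in excluded.items():
        print(f"exclude  {method:7} {path}  ({reason})")
    print(auth_headers("bearer", token="<constructed-token>"))
```

    Running the script prints the four endpoints that would be scanned and the two that are held back with their reason; the same rules can be broadened (for example to PUT or PATCH) when the target is not a sandbox.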

  • How to trigger API Scan

    Once the API has been successfully added and configured, you can trigger ArmourZero's API Scan to find weaknesses and vulnerabilities in the API and its endpoints. Depending on your subscribed plan, you can trigger multiple scans at the same time. However, the time to complete a scan depends on the size of the API and its endpoints.

    You must first add an API and configure its endpoints before a scan can be started.

    Trigger API scan

    1. Go to the left menu and select "API" under the VULNERABILITY SCANNER section. All successfully added APIs are listed here.

    2. Click on the three dots action icon on the domain you intend to scan.

    3. Select "Scan Now"; the scan starts immediately.

    Notes:

    Depending on your plan, you can add more than 1 API and scan them at the same time.

    The time to complete a scan depends on the size of the API and its endpoints. You can view the scan results once the scan is completed.

    As this scan is a penetration assessment tool that simulates a real-time attack to find weaknesses and vulnerabilities, each scan has to be triggered on demand.
  • How to view and mitigate vulnerabilities

    You can view the results of ArmourZero's API Scan after you have triggered a scan. As a reminder, because this scan is a penetration assessment tool that simulates a real-time attack to find weaknesses and vulnerabilities, each scan has to be triggered manually. All scan results are listed under Latest Overall Scan Reports.

    Step 1: Select the API

    1. Go to the left menu, select "API" under the VULNERABILITY SCANNER section and click "Add API". Click on the API ID or the three dots action icon next to the API ID, and select "View Scan Details".

    Step 2: View details of vulnerabilities detected

    All scan results for possible vulnerabilities detected are automatically compared with the industry Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) to determine each vulnerability's severity level.

    Each detected vulnerability is then mapped to the OWASP Top 10 API Security Risks (2023), the latest standard awareness document for developers and API security, which represents a broad consensus about the most critical security risks to APIs.

    1. A Latest Overall Scan Report of the API Scan is generated automatically for you after each scan.

    2. You can also see past scan reports under the "Scan History" button to compare previous results with the current ones. This is very useful if you have made corrections or remediation on your API and its endpoints, or simply to compare against the latest possible vulnerabilities found.

    The scan report is summarised into the 5 categories of CWE and CVE severity level: Critical, High, Medium, Low and Information.

    You can easily view your API's latest compliance status based on each scan result.

    3. You can refer to the details of the scan result per endpoint.

    4. Simply click the details of an endpoint to view the vulnerabilities detected.

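    As an added example (not ArmourZero's code) of the severity summary and the Scan History comparison described above, the Python below takes two constructed scan reports, counts findings across the five severity levels and per OWASP API Top 10 (2023) category, and classifies each finding as new, fixed or persisting between the previous and the current scan so that remediation progress can be checked. The finding records, their endpoints, CWE identifiers and OWASP categories are constructed sample data; matching a finding by endpoint plus CWE is an assumption made for the example.

```python
from collections import Counter

# The five severity levels the report uses, most severe first.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Information"]

# Constructed sample reports: each finding is identified by endpoint + CWE so the same
# weakness can be matched between the previous scan and the current one.
PREVIOUS_SCAN = [
    {"endpoint": "GET /users/{id}", "cwe": "CWE-639", "severity": "High", "owasp": "API1:2023"},
    {"endpoint": "POST /login", "cwe": "CWE-307", "severity": "Medium", "owasp": "API2:2023"},
    {"endpoint": "GET /orders", "cwe": "CWE-770", "severity": "Low", "owasp": "API4:2023"},
]
CURRENT_SCAN = [
    {"endpoint": "GET /users/{id}", "cwe": "CWE-639", "severity": "High", "owasp": "API1:2023"},
    {"endpoint": "GET /orders", "cwe": "CWE-770", "severity": "Low", "owasp": "API4:2023"},
    {"endpoint": "GET /admin/config", "cwe": "CWE-16", "severity": "Critical", "owasp": "API8:2023"},
]


def finding_key(finding):
    """Identity of a finding across scans: the endpoint and the weakness class."""
    return (finding["endpoint"], finding["cwe"])


def summarize_by_severity(findings):
    """Count findings per severity level, always reporting all five levels in order."""
    counts = Counter(f["severity"] for f in findings)
    unknown = set(counts) - set(SEVERITY_ORDER)
    if unknown:  # a level outside the report's scheme is a data error, not a zero
        raise ValueError(f"unexpected severity levels: {sorted(unknown)}")
    return {level: counts.get(level, 0) for level in SEVERITY_ORDER}


def summarize_by_owasp(findings):
    """Count findings per OWASP API Top 10 (2023) category, most frequent first."""
    counts = Counter(f["owasp"] for f in findings)
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def compare_reports(previous, current):
    """Classify findings as new, fixed or persisting between two scans."""
    prev = {finding_key(f) for f in previous}
    curr = {finding_key(f) for f in current}
    return {
        "new": sorted(curr - prev),         # appeared since the previous scan
        "fixed": sorted(prev - curr),       # no longer detected
        "persisting": sorted(curr & prev),  # still open, remediation not yet effective
    }


def highest_open_severity(findings):
    """The most severe level present in a report, or None for a clean report."""
    present = {f["severity"] for f in findings}
    for level in SEVERITY_ORDER:
        if level in present:
            return level
    return None


if __name__ == "__main__":
    print("by severity:", summarize_by_severity(CURRENT_SCAN))
    print("by OWASP:   ", summarize_by_owasp(CURRENT_SCAN))
    for status, keys in compare_reports(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(f"{status:10} {keys}")
    print("highest open:", highest_open_severity(CURRENT_SCAN))
```

    The comparison shows the login finding as fixed, the two earlier findings as persisting and the new Critical configuration finding as the one to prioritise in the mitigation step.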

    Step 3: Mitigate vulnerabilities

    1. Click on "Mitigation & Task Assignment". Here you can sort the list by the severity you intend to focus on.

    2. Select and open a detected vulnerability, then click to view its details and how you and your team can mitigate it with AI remediation suggestions. You can also assign the mitigation task across team members and follow the mitigation status.

    There are 2 main parts of mitigation:

    Part 1: Information

    • Vulnerability type and information - detailed information about the vulnerability found.
    • Vulnerability-related instances - which instances of your endpoint are causing the vulnerability.

    Part 2: AI Assistance

    • AI Assistance False Positive Detector - checks the finding against AI analysis in real time to ensure the detected vulnerability is not mistakenly identified as a threat or risk.
    • Task management - assign the task across team members to fix the issue and track the mitigation progress and status.
    • AI Assistance Remediation Suggestion - AI analysis in real time that recommends remediation for the vulnerabilities.

    Notes:

    Each vulnerability detected has its own characteristics, type, severity and risk to you and your company. That's why each vulnerability has its own remediation to work on.
