How do I get started with API Scanning?
API scanning is a function within the web application scanner. It allows you to provide an API specification to the scan engine. The specification is parsed during the scan, and every endpoint it defines is tested for vulnerabilities. The API scanner finds vulnerabilities such as those listed in the OWASP API Security Top 10.
1. Install a Scanner Appliance
A Scanner Appliance is used for scanning within your own environment, behind your firewall. Publicly available web apps are typically scanned with our external/cloud scanners instead, so you can skip this step if that is what you are scanning.
Install a Scanner Appliance for local scanning:
https://support.holmsecurity.com/knowledge/how-do-i-install-a-scanner-appliance-1
2. Configure your web app asset
If you are scanning a REST API, follow the steps here:
https://support.holmsecurity.com/knowledge/how-do-i-set-up-a-rest-api-scan
If you are scanning a SOAP API, follow the steps here:
https://support.holmsecurity.com/knowledge/how-do-i-set-up-soap-api-scanning
3. Schedule or run only once
Schedule a scan based on the asset configuration or run a scan once. You must do this for each API specification you want to scan.
https://support.holmsecurity.com/knowledge/how-do-i-schedule-a-scan-for-an-web-app
OpenAPI specification
Note that the OpenAPI specification must be published and reachable, either from the internet (for the cloud scanners) or by the Scanner Appliance, for the API to be scanned.
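Before handing a specification to the scanner, it is worth checking what it actually declares: the scanner tests every endpoint in the document, and the document has to be fetchable over HTTP(S). The following added example (not Holm Security's code) enumerates the operations an OpenAPI 3 document defines and lists those it declares without any security requirement, so you know which endpoints will be exercised without credentials; the sample spec, its server URL and the `fetch_spec` helper are constructed for illustration.

```python
import json
from urllib.request import urlopen

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample OpenAPI 3 document standing in for a published spec.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Demo API", "version": "1.0"},
    "servers": [{"url": "https://api.example.test/v1"}],
    "security": [{"bearerAuth": []}],  # document-wide default: bearer token required
    "paths": {
        "/users": {
            "get": {"summary": "List users"},
            "post": {"summary": "Create user", "security": []},  # opts out of auth
        },
        "/users/{id}": {
            "get": {"summary": "Get user"},
            "delete": {"summary": "Delete user"},
        },
        "/health": {"get": {"summary": "Liveness", "security": []}},
    },
}

def fetch_spec(url, timeout=10):
    """Fetch the spec the way a scanner must: a plain HTTP(S) GET of the published URL."""
    with urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def enumerate_operations(spec):
    """Return (METHOD, path, secured) for every operation the spec declares.
    An operation is unsecured when its own `security` is an empty list, or when
    it declares none and the document has no top-level `security` either."""
    doc_secured = bool(spec.get("security"))
    ops = []
    for path, item in sorted(spec.get("paths", {}).items()):
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            secured = bool(op["security"]) if "security" in op else doc_secured
            ops.append((method.upper(), path, secured))
    return ops

def unauthenticated_operations(spec):
    """Operations the scanner can reach without credentials; review these first."""
    return [(m, p) for m, p, s in enumerate_operations(spec) if not s]
```

To check a real specification, replace `SAMPLE_SPEC` with `fetch_spec("<your published spec URL>")`; a failed fetch from the scanner's network position is the same failure the scan would hit.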