General

How do I set up Input Parsers?

Support has been expanded to parse exported outputs from major vendors and standard formats.
The scanner now automatically checks every discovered site path to see whether it matches one of the supported formats.
When a match is found, it parses the file and extracts all of the requests and responses it contains.

Supported methods

  • Postman
  • Fiddler
  • Burp Suite
  • HAR (HTTP Archive)
  • RAML (RESTful API Modeling Language)

Note!

In addition to these formats, we provide comprehensive support for GraphQL, SOAP, and OpenAPI.

Usage example

Consider a scenario where the target is:

SOAP API

http://www.webservicex.net/CurrencyConvertor.asmx?WSDL is the specification URL.

  1. Login to Security Center.
  2. Go to Asset Manager > Web App.
  3. Go to the web app asset > Edit > Application details.
  4. Add the link under Explicit URLs to crawl.
  5. Done!

Note!

The ?WSDL extension is not needed; it will be appended internally.

Fiddler

http://www.webservicex.net/api-specs.saz is the specification URL.

  1. Login to Security Center.
  2. Go to Asset Manager > Web App.
  3. Go to the web app asset > Edit > Application details.
  4. Add the link under Explicit URLs to crawl.
  5. Done!

Note!

The Fiddler file should have a .saz extension.

Postman API 

http://www.webservicex.net/postman-specs.json is the specification URL.

  1. Login to Security Center.
  2. Go to Asset Manager > Web App.
  3. Go to the web app asset > Edit > Application details.
  4. Add the link under Explicit URLs to crawl.
  5. Done!

HAR

http://www.webservicex.net/session.har is the specification URL.

  1. Login to Security Center.
  2. Go to Asset Manager > Web App.
  3. Go to the web app asset > Edit > Application details.
  4. Add the link under Explicit URLs to crawl.
  5. Done!

Note!

The .har extension is optional.

RAML

http://www.webservicex.net/specs.raml is the specification URL.

  1. Login to Security Center.
  2. Go to Asset Manager > Web App.
  3. Go to the web app asset > Edit > Application details.
  4. Add the link under Explicit URLs to crawl.
  5. Done!

Note!

The .raml extension is optional. Currently, we only support parsing for RAML v0.8.

Burp Suite 

http://www.webservicex.net/burp-urls.json is the specification URL.

  1. Login to Security Center.
  2. Go to Asset Manager > Web App.
  3. Go to the web app asset > Edit > Application details.
  4. Add the link under Explicit URLs to crawl.
  5. Done!

OpenAPI

http://example.com/api/openapi.json is the specification URL.

  1. Login to Security Center.
  2. Go to Asset Manager > Web App.
  3. Go to the web app asset > Edit > Application details.
  4. Add the link under Explicit URLs to crawl.
  5. Done!

GraphQL

GraphQL introspection paths are almost static, and introspection must be enabled on the API. Based on the
GraphQL library in use, our internal logic automatically crawls those paths and sends the following two
queries to confirm that introspection is enabled, then proceeds to parse all queries:

{"query": "query { __typename }"}

{"query": "query { __schema { queryType { name } } }"}
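To see how the replies to those two probes are interpreted, here is an added Python example (not Holm Security's scanner code) that classifies an endpoint as not GraphQL, GraphQL with introspection disabled, or GraphQL with introspection enabled. The sample replies are constructed, and the error message in the disabled case is an assumption modelled on common GraphQL servers.

```python
import json
import urllib.error
import urllib.request

# The two probe queries quoted above. Every GraphQL server answers the first;
# the second only succeeds when introspection is enabled.
PROBES = (
    {"query": "query { __typename }"},
    {"query": "query { __schema { queryType { name } } }"},
)


def classify(typename_resp, schema_resp):
    """Interpret the parsed replies; returns 'not-graphql', 'introspection-disabled' or 'introspection-enabled'."""
    data = typename_resp.get("data") if isinstance(typename_resp, dict) else None
    # A root __typename that is not a string means the path is not a GraphQL endpoint.
    if not isinstance(data, dict) or not isinstance(data.get("__typename"), str):
        return "not-graphql"
    schema_data = (schema_resp.get("data") if isinstance(schema_resp, dict) else None) or {}
    query_type = (schema_data.get("__schema") or {}).get("queryType") or {}
    if isinstance(query_type.get("name"), str):
        return "introspection-enabled"
    # With introspection off, servers return an "errors" array and null/missing data.
    return "introspection-disabled"


def probe(url, timeout=10):
    """POST both probes to url and classify the replies (network call; not used by the offline checks)."""
    replies = []
    for payload in PROBES:
        req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                     headers={"Content-Type": "application/json"}, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                replies.append(json.load(resp))
        except (urllib.error.HTTPError, ValueError):  # 4xx/5xx status or non-JSON body
            return "not-graphql"
    return classify(*replies)


# Constructed sample replies (not captured from any real server); the error
# message in DISABLED is an assumption modelled on common GraphQL servers.
ENABLED = ({"data": {"__typename": "Query"}},
           {"data": {"__schema": {"queryType": {"name": "Query"}}}})
DISABLED = ({"data": {"__typename": "Query"}},
            {"errors": [{"message": "GraphQL introspection is not allowed"}], "data": None})
NOT_GQL = ({"error": "Not Found"}, {"error": "Not Found"})
```

Calling probe("https://your-api/graphql") against your own endpoint tells you whether the prerequisite for GraphQL parsing is met before the asset is added.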

Manual configuration

It is essential to manually add the corresponding HID to the scan profile. The HIDs for various
formats are as follows:

  • RAML: HID-3-1-10240
  • HAR: HID-3-1-10239
  • Burp Suite: HID-3-1-10238
  • Fiddler: HID-3-1-10237
  • Postman: HID-3-1-10236

Check this knowledge-base article to see how to include an HID in the scan profile:
https://support.holmsecurity.com/knowledge/how-do-i-include-or-exclude-a-specific-vulnerability-in-a-scan