Clarification on API support

My scanning target is a network switch with a VM hosting an application. Neither the switch nor the application instance supports a web server. Our focus is with the application.

The application does support Swagger OpenAPI specifications for REST interfaces.

My question:

  1. Can we scan our target using the OpenAPI specifications? If so, how do we import the API definitions?
  2. Is it possible to insert the token in the header request?

Our scanner is not a web application scanner. Scanning a web application is a bit different. While you could technically implement scanning an OpenAPI in a NASL-based VT, I don’t think it has been done yet.

1 Like

To add to this:

The scope of the scanner (or better the NASL scripts) is currently to find “known vulnerabilities in known software” (e.g. defined by CVEs, vendor advisories about vulnerabilities and similar).

Detection of “unknown” / not published vulnerabilities in unknown software (e.g. a custom API) is currently outside of the scope.

Taking the recent CVE-2022-40684 (Fortinet authentication bypass in the REST API of the products) as an example:

  1. The CVE-2022-40684 flaw is detected because there is a VT covering / actively checking exactly this flaw in the REST API
  2. Running the scanner against the same REST API won’t detect any additional currently unknown flaws in the REST API (e.g. missing authentication on a critical function, …)

For Nr. 2 a dedicated web application security scanner (WASS) and (depending on the flaw) additional manual work / evaluation is required.

2 Likes
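The two replies above draw a line between what a VT does (check for one known, published flaw) and the "manual work / evaluation" needed for an unpublished weakness such as a critical API function that requires no authentication. The following is an added example, not code from the thread, the Greenbone scanner or NASL: a small Python script that reads an OpenAPI 3 document, resolves each operation's effective security requirement and flags state-changing operations that declare none, and builds the Authorization header a client would send with a token (the original question's second point). The spec embedded in it is constructed for the example and describes a hypothetical switch-management API; the endpoint names, the `bearerAuth` scheme and the function names are assumptions.

```python
"""Audit an OpenAPI 3 document for operations with no security requirement,
and show where a bearer token goes in the request headers.
Added example: not part of the forum thread, the Greenbone scanner, or NASL.
The spec below is a constructed sample, not any real product's API."""
import json

# Constructed sample spec (hypothetical endpoints, labelled as such).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Example Switch Manager API", "version": "1.0"},
  "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
  "security": [{"bearerAuth": []}],
  "paths": {
    "/api/v1/health": {"get": {"summary": "Liveness probe", "security": []}},
    "/api/v1/users": {
      "get": {"summary": "List users"},
      "post": {"summary": "Create user"}
    },
    "/api/v1/config/reset": {
      "post": {"summary": "Factory reset", "security": []}
    }
  }
}
""")

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def list_operations(spec):
    """Yield (METHOD, path, effective security requirement) for every operation.
    In OpenAPI 3 an operation-level 'security' key overrides the document-level
    one, and an explicit empty list means the operation needs no authentication."""
    default = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            yield method.upper(), path, op.get("security", default)


def unauthenticated_operations(spec):
    """Return (METHOD, path) for operations whose effective security is empty."""
    return [(m, p) for m, p, sec in list_operations(spec) if not sec]


def flag_risky_unauthenticated(spec, risky_methods=("POST", "PUT", "DELETE", "PATCH")):
    """Narrow to state-changing operations: the 'missing authentication on a
    critical function' case from the thread. A read-only health probe is
    normally expected to be open; a factory reset is not."""
    return [(m, p) for m, p in unauthenticated_operations(spec) if m in risky_methods]


def auth_headers(token):
    """Headers an authenticated client (or a scanner given a token) would send:
    the token travels in the Authorization header as a bearer credential."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


if __name__ == "__main__":
    for method, path, sec in list_operations(SAMPLE_SPEC):
        print(f"{method:6} {path:22} security={sec}")
    print("unauthenticated:", unauthenticated_operations(SAMPLE_SPEC))
    print("needs review:", flag_risky_unauthenticated(SAMPLE_SPEC))
    print(auth_headers("<token-placeholder>"))
```

The audit is purely static: it reads the specification and never contacts the target, so the one finding it produces (an unauthenticated `POST /api/v1/config/reset`) is a lead for the manual evaluation the second reply mentions, not a confirmed vulnerability. A scanner that did send requests would attach the headers returned by `auth_headers()` to each request built from the spec.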