In the world of application security, testing REST APIs for security flaws is important because APIs can have many of the same application-layer vulnerabilities as browser-based web applications. Examples are SQL injection, command injection, and remote code execution. With the recent release of Qualys Web Application Scanning (WAS), testing your REST APIs is easier than ever thanks to support for Swagger.
Swagger is a widely-adopted specification that allows for programmatically describing REST APIs. This is accomplished via a Swagger file, which may be in either JSON or YAML format. The Swagger file provides all the details about the APIs and how to invoke them. This includes information like the HTTP verbs to use (GET, POST, PUT, etc.), the URL paths, allowable parameters and types, authentication mechanisms, and so on.
You can think of a Swagger file as being analogous to a Web Services Description Language (WSDL) file for SOAP web services. Competing standards to Swagger exist (e.g., WADL, RAML), but Swagger was found to be the most prevalent within the Qualys WAS customer base.
How Swagger Helps with Scanning REST APIs
As of April 2020, Qualys WAS comes with support for both Swagger version 2.0 and OpenAPI version 3. If a Swagger or OpenAPI file is accessible to the scanning engine during the scan and is successfully parsed, the API endpoints will automatically be tested for common application security flaws. This simplifies and streamlines the process of scanning REST APIs compared to our original proxy capture and configuration approach.
The Swagger or OpenAPI (OAS) file is often made available by the development team when the API is deployed for QA/testing. This allows for security team to perform vulnerability scans seamlessly with less effort. Simply set the URL of the web application in WAS to be the location of the Swagger file, configure authentication if required, and launch a scan. Make sure the “host” and “basePath” values in the Swagger/OAS file match where the API is actually deployed. Please refer to API Testing with Swagger/OpenAPI for more details about how to set up your scan.
New informational QIDs have been added to WAS to go along with the support for Swagger:
QID 150195 – this provides information about the Swagger/OAS file that was found during the scan. The raw contents of the file are provided, as well as diagnostic information such as parsing errors or unsupported file formats.
QID 150197 – this lists the Swagger-defined API calls that were found in the Swagger/OAS file but not tested due to being excluded. This typically occurs if the API endpoints match a black list that was configured or if the API endpoints reside outside the scan’s crawl scope.
A point of clarification: You may be aware that the name “Swagger” as the specification name changed. Starting with version 3.0, the new name of the specification is “OpenAPI”. Qualys WAS supports both Swagger v2 and OpenAPI v3 as of April 2020.
Verify for Security Early & Often and Automate Scans in Your CI/CD Pipeline
According to the OWASP Proactive Controls v2, the most critical control for application developers is to verify for security early and often. This means performing security testing early in the software development life cycle. To help meet this important objective, DevSecOps teams using Qualys WAS will welcome the addition of Swagger-based REST API scanning.
Combined with the WAS plugin for Jenkins and now support for Swagger/OpenAPI, Qualys WAS provides an effective solution to automate security testing in continuous integration/continuous deployment (CI/CD) environments for both traditional web applications and REST APIs.
Leveraging Postman Collections
Finally, if your organization is using the Postman tool for functional testing of REST APIs, you may also be interested in Qualys WAS’ support for Postman Collections, which was released in October 2019.