In the world of application security, testing REST APIs for security flaws is important because APIs can have many of the same application-layer vulnerabilities as browser-based web applications. Examples are SQL injection, command injection, and remote code execution. With the recent release of Qualys Web Application Scanning (WAS) 6.0, testing your REST APIs is easier than ever thanks to support for Swagger.
Swagger is a widely-adopted specification that allows for programmatically describing REST APIs. This is accomplished via a Swagger file, which may be in either JSON or YAML format. The Swagger file provides all the details about the APIs and how to invoke them. This includes information like the HTTP verbs to use (GET, POST, PUT, etc.), the URL paths, allowable parameters and types, authentication mechanisms, and so on.
You can think of a Swagger file as being analogous to a Web Services Description Language (WSDL) file for SOAP web services. Competing standards to Swagger exist (e.g., WADL, RAML), but Swagger was found to be the most prevalent within the Qualys WAS customer base.
How Swagger Helps with Scanning REST APIs
Qualys WAS 6.0 comes with support for Swagger version 2.0 in JSON format. If a Swagger file conforming to this format is accessible to the scanning engine and successfully parsed at scan time, the APIs will automatically be tested for common application security flaws. This simplifies and streamlines the process of scanning REST APIs compared to the original proxy capture and configuration approach.
If a Swagger file is available or can be provided by the API developers, scanning can be performed seamlessly with less effort. Simply set the URL of the web application in WAS to be the location of the Swagger file, configure authentication if required, and launch a vulnerability scan. Make sure the “host” and “basePath” values in the Swagger file match where the API is actually running.
New informational QIDs have been added to WAS to go along with this enhancement:
QID 150195 – this provides information about the Swagger file that was found during the scan. The raw contents of the file are provided, as well as diagnostic information such as parsing errors or unsupported file formats.
QID 150197 – this lists the Swagger-defined API calls that were found in the Swagger file but not tested due to being excluded. This typically occurs if the API endpoints match a black list that was configured or if the API endpoints reside outside the scan’s crawl scope.
Verify for Security Early and Often
According to the OWASP Proactive Controls, the most critical control for application developers is to verify for security early and often. This means performing security testing early in the development life cycle. To help meet this important objective, DevSecOps teams using Qualys WAS will welcome the addition of Swagger-based REST API scanning. Combined with the recently-released Jenkins plugin for WAS, Qualys provides a effective solution for automating web application security in continuous integration/continuous deployment (CI/CD) environments for both traditional web applications and for REST APIs.
One last point of clarification: The name “Swagger” as the specification name will be changing. The new name is “OpenAPI” and version 3 of the OpenAPI specification has already been published. Swagger version 2, which is widely used today, is the last version to use the name Swagger. Qualys WAS will eventually add support for OpenAPI v3 as well.