Qualys WAS Introduces Swagger Support for REST API Security Testing

In the world of application security, testing REST APIs for security flaws is important because APIs can have many of the same application-layer vulnerabilities as browser-based web applications. Examples are SQL injection, command injection, and remote code execution. With the recent release of Qualys Web Application Scanning (WAS) 6.0, testing your REST APIs is easier than ever thanks to support for Swagger.

About Swagger

Swagger is a widely-adopted specification that allows for programmatically describing REST APIs. This is accomplished via a Swagger file, which may be in either JSON or YAML format. The Swagger file provides all the details about the APIs and how to invoke them. This includes information like the HTTP verbs to use (GET, POST, PUT, etc.), the URL paths, allowable parameters and types, authentication mechanisms, and so on.

You can think of a Swagger file as being analogous to a Web Services Description Language (WSDL) file for SOAP web services.  Competing standards to Swagger exist (e.g., WADL, RAML), but Swagger was found to be the most prevalent within the Qualys WAS customer base.

How Swagger Helps with Scanning REST APIs

Qualys WAS now comes with support for Swagger version 2.0 in JSON format. If a Swagger file conforming to this format is accessible to the scanning engine and successfully parsed at scan time, the API endpoints will automatically be tested for common application security flaws. This simplifies and streamlines the process of scanning REST APIs compared to the original proxy capture and configuration approach.

The Swagger file for an API can normally be provided by the developers.  This allows for security scans to be performed seamlessly with less effort. Simply set the URL of the web application in WAS to be the location of the Swagger file, configure authentication if required, and launch a vulnerability scan. Make sure the “host” and “basePath” values in the Swagger file match where the API is actually running.

New informational QIDs have been added to WAS to go along with this enhancement:

  • QID 150195 – this provides information about the Swagger file that was found during the scan. The raw contents of the file are provided, as well as diagnostic information such as parsing errors or unsupported file formats.

  • QID 150197 – this lists the Swagger-defined API calls that were found in the Swagger file but not tested due to being excluded. This typically occurs if the API endpoints match a black list that was configured or if the API endpoints reside outside the scan’s crawl scope.

Verify for Security Early & Often and Automate Scans in Your CI/CD Pipeline

According to the OWASP Proactive Controls v2, the most critical control for application developers is to verify for security early and often. This means performing security testing early in the software development life cycle. To help meet this important objective, DevSecOps teams using Qualys WAS will welcome the addition of Swagger-based REST API scanning. Combined with the WAS plugin for Jenkins, Qualys provides an effective solution to automate security testing in continuous integration/continuous deployment (CI/CD) environments for both traditional web applications and REST APIs.  Not using Jenkins?  You may instead want to use the WAS plugin for Bamboo or WAS plugin for TeamCity.

One last point of clarification: The name “Swagger” as the specification name has recently changed. The new name is “OpenAPI” and version 3 of the OpenAPI specification has already been published. Swagger version 2, which is widely used today, is the last version to use the name Swagger. Qualys WAS will add support for OpenAPI v3 as well.




3 responses to “Qualys WAS Introduces Swagger Support for REST API Security Testing”

  1. hi Dave,

    The announcement mentions “Simply configure the URL of the web application in WAS to be the Swagger file, “, however, currently the url for a web application ionly allows entering a url instead of uploading a file. How to make it accept a file? Thanks,

    • The web application URL in WAS needs to point to the Swagger file. When the scan starts, it will recognize that a Swagger file is at that URL and the scanner will begin to parse the file. The Swagger file can be hosted on the same server where the APIs are running or it can be hosted somewhere else. The important thing is that both the Swagger file and the API endpoints should be included in the crawl scope of the scan.

      • Hi,

        I`m trying to properly configure WAS to use Swagger api definition:
        1. I`ve pointed to the swagger api-docs json in a way:
        2. My authentication test is successful (and tested with manually configured links/crawler)

        – I have no issues with parsing Swagger file
        – I cant see any info in log that Swagger api definition was an input for my scan
        – My links from API definitions are not scanned at all

        I don`t know what to do and where is my mistake. Can you help me please?

Leave a Reply