
Scanning Vulnerabilities

Scanning can be a good starting point for finding security misconfigurations. We should always pay attention to false negatives and false positives. Also, a scan should never replace a manual examination of the API and its behaviours. A vulnerability scan should only be used to identify low-hanging fruit and to point out where to focus further manual examination.

Scanning with Nikto

Nikto can highlight many security misconfigurations. We can scan an API with Nikto using the following command:

nikto -h http://crapi.apisec.ai
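Because a scanner only points at low-hanging fruit, its raw output still has to be triaged before any manual work starts. The following script is an added example (not part of the original page and not Nikto's own code) that reads a Nikto CSV export, deduplicates repeated findings, and sorts them into three buckets: hardening items that can be fixed straight from the server configuration, informational disclosures, and everything else that needs manual confirmation before it goes into a report. It assumes Nikto was run with `-o out.csv -Format csv` and that each row carries seven fields in the order host, ip, port, reference id, method, uri, message; the sample rows embedded below are constructed for illustration, not real scan results.

```python
"""Triage helper for a Nikto CSV export (added example, not Nikto project code).

Assumption: rows are written as
    host, ip, port, reference-id, method, uri, message
with no header row. Adjust FIELDS if your Nikto version lays the CSV out differently.
"""
import csv
import io
from collections import defaultdict

FIELDS = ["host", "ip", "port", "ref", "method", "uri", "msg"]

# Constructed sample rows in the assumed layout; not output from a real scan.
SAMPLE_CSV = '''"crapi.apisec.ai","127.0.0.1","80","","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"crapi.apisec.ai","127.0.0.1","80","","GET","/","The X-Content-Type-Options header is not set."
"crapi.apisec.ai","127.0.0.1","80","","GET","/","The X-Content-Type-Options header is not set."
"crapi.apisec.ai","127.0.0.1","80","","GET","/identity/api/auth/login","Retrieved via header: X-Powered-By: Express"
"crapi.apisec.ai","127.0.0.1","80","","OPTIONS","/","Allowed HTTP Methods: GET, HEAD, POST, OPTIONS"
'''


def parse_nikto_csv(text):
    """Parse CSV rows into dicts keyed by FIELDS; rows with the wrong width are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(FIELDS):
            continue  # header line, blank line or truncated row
        rows.append(dict(zip(FIELDS, rec)))
    return rows


def classify(msg):
    """Bucket a finding by what the defender has to do with it."""
    m = msg.lower()
    if m.startswith("retrieved") or "x-powered-by" in m:
        return "info"        # technology/version disclosure: record it, no confirmation needed
    if "header" in m:
        return "hardening"   # missing response header: fix in the server config directly
    return "verify"          # anything else is a lead to confirm by hand, possibly a false positive


def triage(text):
    """Deduplicate findings and return {bucket: [finding, ...]} with occurrence counts."""
    counts = defaultdict(int)
    for r in parse_nikto_csv(text):
        counts[(r["method"], r["uri"], r["msg"])] += 1

    buckets = defaultdict(list)
    for (method, uri, msg), seen in sorted(counts.items()):
        buckets[classify(msg)].append(
            {"method": method, "uri": uri, "msg": msg, "seen": seen}
        )
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_CSV).items():
        print(f"[{bucket}] {len(items)} distinct finding(s)")
        for it in items:
            print(f"  {it['method']} {it['uri']}: {it['msg']} (x{it['seen']})")
```

The "verify" bucket is the list to take into the manual examination the page recommends; the "hardening" bucket is usually fixable without further testing, and the duplicate count shows how often the scanner repeated the same observation across its checks.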

Scanning with OWASP ZAP

Automated scan

We can also scan the API with the OWASP ZAP automated scan. However, this only scans the surface of the web application, so many security issues beneath the surface can be missed.

Manual approach

We can use the browser integrated with OWASP ZAP. While we exercise the different functionalities of the API, the ZAP engine can point out several types of vulnerabilities. The advantage of this method over the automated scan is that we can perform authenticated scanning and testing.

We can switch on Attack mode and Active Scan to start an authenticated scan.
