Head to the Targets page > click '+ Add Targets', then click the top box 'External IP / Domain':
In the first box, please enter the target you wish to scan and hit '
When you see it pop up on your targets list, click it:
You'll then be taken to the target's detail page, where you have the option to add an API schema by clicking the APIs tab, followed by the green + Add API Schema button:
From here you'll need to click the top box
👉 Use the first field to give your schema file a name (so you can identify it in the portal)
👉 The second section is for uploading your schema file (for now, we're only supporting
👉 The third field is where you add the Base URL. This defines the location of the API (where the API "lives"). It's important to note that the Base URL must match the target you're adding the schema to: the host in the Base URL has to be the same host as the target, and a different subdomain counts as a different target.
(For example, if the target is api-test-rig.intruder.es you couldn't set example.api-test-rig.intruder.es as the Base URL, as that's a different target).
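Because the Base URL has to sit on the same host as the target, it's worth checking a schema before uploading it. The script below is an added example, not part of this article or of Intruder's own tooling. It compares the host of the Base URL you intend to enter (and any servers the schema itself declares) against the target hostname, treating a subdomain as a different host; the sample schema and the target names are constructed for illustration, and the strict hostname-only comparison (ignoring scheme and port) is an assumption about what "match" means.

```python
import json
from urllib.parse import urlsplit

# Constructed sample OpenAPI 3 schema for illustration only.
SAMPLE_SCHEMA = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "demo", "version": "1"},
    "servers": [{"url": "https://api-test-rig.intruder.es/v1"}],
    "paths": {},
})


def hostname_of(value):
    """Return the lowercase hostname of a URL or a bare host/IP.

    A bare host such as 'api-test-rig.intruder.es' has '//' prefixed so that
    urlsplit treats it as a netloc rather than a path component.
    """
    value = value.strip()
    if "://" not in value:
        value = "//" + value
    host = urlsplit(value).hostname
    if not host:
        raise ValueError(f"no hostname found in {value!r}")
    return host.lower()


def base_url_matches_target(base_url, target):
    """True only when the Base URL host is exactly the target host.

    example.api-test-rig.intruder.es is NOT a match for api-test-rig.intruder.es:
    a subdomain is a different target. Scheme and port are ignored (assumption).
    """
    return hostname_of(base_url) == hostname_of(target)


def schema_servers(schema_text):
    """Collect the server URLs declared inside a schema.

    Handles an OpenAPI 3 'servers' list and a Swagger 2.0 host/basePath pair.
    Returns an empty list when the schema declares no server at all.
    """
    doc = json.loads(schema_text)
    if "servers" in doc:
        return [s["url"] for s in doc["servers"] if "url" in s]
    if "host" in doc:  # Swagger 2.0 style
        scheme = (doc.get("schemes") or ["https"])[0]
        return [f"{scheme}://{doc['host']}{doc.get('basePath', '')}"]
    return []


def check_schema_against_target(schema_text, target, base_url):
    """Return a list of human-readable problems; an empty list means all hosts match.

    Both the Base URL you plan to enter and every server URL inside the schema
    are compared against the target, so a stray staging hostname left in the
    schema's 'servers' block is caught before upload.
    """
    problems = []
    if not base_url_matches_target(base_url, target):
        problems.append(
            f"Base URL host {hostname_of(base_url)!r} != target {hostname_of(target)!r}"
        )
    for url in schema_servers(schema_text):
        if not base_url_matches_target(url, target):
            problems.append(f"schema server {url!r} is not on target {target!r}")
    return problems


if __name__ == "__main__":
    for problem in check_schema_against_target(
        SAMPLE_SCHEMA, "api-test-rig.intruder.es", "https://example.api-test-rig.intruder.es"
    ):
        print("mismatch:", problem)
```

Run it with the schema file you are about to upload, the target as it appears in your targets list and the Base URL you intend to type in; any line it prints is a mismatch the portal's "must match the target" rule would trip over.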
Once that's all done your target's detail page will look like this:
At this point, you have two options:
You can kick off an unauthenticated scan of the API schema and the target's infrastructure using the green
You can add authentication, so we can scan the API's authenticated endpoints (for more comprehensive coverage).
Adding authentication to an API schema
If you choose to add authentication, you'll need to
1. On the target's detail page, click + Add authentication:
2. Either select an existing authentication (if you've already added one for the web app), or add a new one by clicking the second button.
3. Once here, click the applicable authentication method and follow the prompts.
(🚨 Form-based authentication cannot be used for authenticated API scanning.)
Detailed guides for each of the authentication methods mentioned above can be found in this section of the Help Centre.
API scanning is available to users with an Application license. More information on our licensing can be found here.