Detect Misconfigurations and Vulnerabilities Along the API Lifecycle
42Crunch Conformance Scan Overview
42Crunch Conformance Scan is a dynamic runtime test of your API that checks that the implementation behind the API matches the contract set out in its OpenAPI / Swagger definition, especially when it is hammered with bad requests. Unlike the audit, which performs static analysis of the OpenAPI / Swagger definition, Conformance Scan is dynamic testing and variable by nature: to better simulate real API traffic and test the API's behavior more reliably, the requests and parameter values that Conformance Scan generates are random, as is the order in which the requests are sent to the API.
Conformance Scan validates that the API handles unexpected requests gracefully and rejects them according to the OpenAPI / Swagger definition. The scan report flags responses that are unknown (for example, an HTTP 500 error), of the wrong type (HTML instead of JSON), or that do not match the JSON schemas described in the OpenAPI definition.
The traffic sent to the API detects a number of vulnerabilities triggered by:
- Wrong verbs (for example, invoking the API with GET or HEAD when it expects PUT)
- Wrong paths
- Wrong content-type
- Wrong data format (integer instead of string for example)
- Values outside the API's constraints (large strings, numbers, or arrays)
- Data Injection
Using Conformance Scan, you can detect potential OWASP API Security Top 10 issues early in the API lifecycle, such as data leakage, overflows, mass assignment, broken authentication, or security misconfigurations.
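The three report checks described above (undeclared status code, undeclared content type, body violating the declared JSON schema) can be expressed as a small response validator. The following is an added illustration, not 42Crunch's code; the `SPEC` fragment, the constructed responses, the minimal schema checker and the function names are all assumptions, and the caller passes the path template from the definition rather than the concrete URL.

```python
import json

# Constructed OpenAPI fragment (assumption, not a real spec): one operation and the
# responses its contract declares. Anything else the API returns is "unknown".
SPEC = {
    "paths": {"/users/{id}": {"get": {"responses": {
        "200": {"content": {"application/json": {"schema": {
            "type": "object", "required": ["id", "name"],
            "properties": {"id": {"type": "integer"}, "name": {"type": "string"}},
            "additionalProperties": False}}}},
        "404": {"content": {"application/json": {"schema": {"type": "object"}}}},
    }}}}
}

JSON_TYPES = {"object": dict, "array": list, "string": str, "integer": int,
              "number": (int, float), "boolean": bool}

def schema_errors(schema, value, where="body"):
    """Minimal JSON Schema check: type, required, properties, additionalProperties."""
    t = schema.get("type")
    if t and (not isinstance(value, JSON_TYPES[t]) or (t != "boolean" and isinstance(value, bool))):
        return [f"{where}: expected {t}, got {type(value).__name__}"]
    errs = []
    if t == "object":
        for key in schema.get("required", []):
            if key not in value:
                errs.append(f"{where}.{key}: required property missing")
        props = schema.get("properties", {})
        for key, item in value.items():
            if key in props:
                errs += schema_errors(props[key], item, f"{where}.{key}")
            elif schema.get("additionalProperties", True) is False:
                # A field the contract never declared is how a scan spots data leakage.
                errs.append(f"{where}.{key}: undeclared property")
    return errs

def check_conformance(spec, path, method, status, content_type, raw_body):
    """Return findings for one response; an empty list means it conforms."""
    op = spec["paths"][path][method.lower()]
    declared = op["responses"].get(str(status))
    if declared is None:  # e.g. HTTP 500 where only 200 and 404 are in the contract
        return [f"unknown response: HTTP {status} not declared for {method} {path}"]
    media = content_type.split(";")[0].strip()
    if media not in declared.get("content", {}):  # e.g. HTML instead of JSON
        return [f"wrong content type: {media} not declared for HTTP {status}"]
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["wrong content type: body is not valid JSON"]
    return schema_errors(declared["content"][media]["schema"], body)
```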
Conformance Scan Report
Conformance Scan produces a scan report that provides actionable information on how well your API conforms to its API definition. The report summarizes what was scanned and how the scan went.
Clicking an issue shows further details, such as the attack the scan performed, the URL it called, the response time of the API, and the size and content type of the response.
To make it easier to reproduce the issues, the report also provides the cURL requests the scan used to detect each issue.
Are you protected from the OWASP API Security Top 10?
As a result of the growing threat landscape and increasing usage of APIs, the OWASP API Security Top 10 Project was launched to help companies address security vulnerabilities specific to APIs.
Learn more about the OWASP API Security Top 10 and how 42Crunch can help.