# REST API & Web App Scanning

Aikido can scan your REST API and Web App endpoints to uncover critical endpoint vulnerabilities, such as SQL injection or path traversal. Aikido uses API fuzzing, which essentially means sending large numbers of potentially dangerous payloads to each field in your API.

> NEVER do this setup on a production environment, always on staging to avoid potential downtime.

### Main Use Cases <a href="#main-use-cases" id="main-use-cases"></a>

**Critical Vulnerability Detection**:

* SQL injection
* NoSQL injection
* Path traversal
* Shell injection

You can see all checks in the [Aikido app here](https://app.aikido.dev/domains/checks?scanner=rest).

### Setting up REST API Scanning <a href="#setting-up-rest-api-scanning" id="setting-up-rest-api-scanning"></a>

**Step 1:** Click **Add Domain** in the [Domain Overview](https://app.aikido.dev/domains) and **select REST API**.

![Application type selection screen for security testing of different app architectures.](/files/RWCjm8EaDDWrbfO3rTIe)

**Step 2:** Enter the domain name of your **staging environment**. Ensure this is the base URL for your REST APIs (e.g., `https://example.io/api`).

![API domain name input field for application configuration.](/files/6vrtau84izSELn9Y7uin)

**Step 3:** Add your OpenAPI specification using one of these options:

* [**Connect to Zen App (recommended)**](/zen-firewall/getting-started-with-zen-firewall.md): Integrate with Zen to automatically discover and update API endpoints for continuous scanning. More info about Zen [can be found here](https://help.aikido.dev/section/zen-by-aikido/sgIt4HRxlrFr). No manual work or maintenance needed!
* [**Generate via Aikido AI (in beta)**](/dast-surface-monitoring/api-scanning/autogenerate-openapi-via-aikido-ai-code2swagger.md): Using your codebase, Aikido will generate an OpenAPI spec. No manual work is needed, and regular rescans keep everything current.
* **Fetch from URL:** Provide a URL that has the latest version of your OpenAPI spec. Aikido will fetch the spec before each scan.
* **Manual Upload**: Upload an OpenAPI file to define your API endpoints. You will need to manually update and upload your spec each time API endpoints are added or changed.

![Add or upload an OpenAPI spec to scan for security risks; staging use only.](/files/CKezzH5SXvcVDVO8LHbr)

**Step 4:** Add authorization information for your API so that Aikido can access endpoints that require login. You can do this by clicking the triple-dot action menu on the domain and then '**Authenticate Domain**'.

![Domain action menu with options: Start scan, Edit, Authenticate, and Delete domain.](/files/XiuAcAZyfj2e26ExXyTJ)

This opens the modal where you can fill in the authentication details. Multiple authentication types are available: **Login via Form** and **Custom Headers**.

![Domain authentication setup form with input fields for API URL, email, and password.](/files/WFWDbXkPJAgruB7Qrgdi)

### Identifying Aikido traffic

All requests coming from Aikido REST and GraphQL scans will have:

* the `User-Agent` header set to `aikido-scan-agent/1.0`
* the request header `aikido-api-test` set to the value `1`
* a source address from [the IP addresses documented here](/dast-surface-monitoring/allowing-ip-addresses-for-dast-surface-monitoring.md)
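One way to recognise this traffic in your own application or log pipeline, as an added Python example that is not part of Aikido's documentation or tooling; the IP range is a placeholder and the JSON access-log layout is assumed:

```python
import json
from ipaddress import ip_address, ip_network

# Markers documented on this page for Aikido REST/GraphQL scan traffic.
SCANNER_USER_AGENT = "aikido-scan-agent/1.0"
SCANNER_HEADER = "aikido-api-test"

# Placeholder range (TEST-NET-3). Replace with the ranges Aikido publishes on
# its allowed-IP-addresses page; this is not a real Aikido egress address.
AIKIDO_SOURCE_RANGES = [ip_network("203.0.113.0/24")]


def is_aikido_scan(headers: dict, remote_ip: str) -> bool:
    """True only when all three documented markers match.

    Header names are compared case-insensitively. The User-Agent and the test
    header are trivially spoofable, so the source address must also fall inside
    a documented range before a request is treated as scanner traffic.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    ua_ok = lowered.get("user-agent") == SCANNER_USER_AGENT
    flag_ok = lowered.get(SCANNER_HEADER) == "1"
    ip_ok = any(ip_address(remote_ip) in net for net in AIKIDO_SOURCE_RANGES)
    return ua_ok and flag_ok and ip_ok


def scanner_hits(log_lines) -> dict:
    """Count scanner vs. other requests in JSON-lines access logs.

    The record layout ("ip" plus a "headers" object) is assumed for this
    example; map it onto whatever fields your own access log carries.
    """
    hits = {"scanner": 0, "other": 0}
    for line in log_lines:
        rec = json.loads(line)
        bucket = "scanner" if is_aikido_scan(rec["headers"], rec["ip"]) else "other"
        hits[bucket] += 1
    return hits


# Constructed sample log lines, not captured Aikido traffic. The second line
# carries the scanner headers from an address outside the allowed ranges.
SAMPLE_LOG = [
    json.dumps({"ip": "203.0.113.7", "headers": {"User-Agent": SCANNER_USER_AGENT, "Aikido-Api-Test": "1"}}),
    json.dumps({"ip": "198.51.100.9", "headers": {"User-Agent": SCANNER_USER_AGENT, "aikido-api-test": "1"}}),
    json.dumps({"ip": "203.0.113.7", "headers": {"User-Agent": "curl/8.0"}}),
]
```

Running `scanner_hits(SAMPLE_LOG)` on staging confirms the scan actually reached the application; the same count on a production log should stay at zero.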


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```http
GET https://help.aikido.dev/dast-surface-monitoring/api-scanning/rest-api-scanning.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
