REST API & Web App Scanning
Main Use Cases
Aikido can scan your REST API and Web App endpoints to uncover critical endpoint vulnerabilities such as SQL injection or path traversal. It does this with API fuzzing: for every endpoint in your specification, it sends large numbers of dangerous payloads into each field and checks how the endpoint responds.
NEVER run this setup against a production environment; always point it at staging. Fuzzing generates a high volume of hostile requests, which can cause downtime, and any payload that reaches an endpoint with side effects will execute them.
Critical Vulnerability Detection:
SQL injection
NoSQL injection
Path traversal
Shell injection
You can see all checks in the Aikido app here.
Setting up REST API Scanning
Step 1: Click Add Domain in the Domain Overview and select REST API

Step 2: Enter the domain name of your staging environment. Ensure this is the base URL for your REST APIs (e.g., https://example.io/api)

Step 3: Add your OpenAPI specification using one of these options:
Connect to Zen App (recommended): Integrate with Zen to automatically discover and update API endpoints for continuous scanning. More info about Zen can be found here. No manual work or maintenance is needed.
Generate via Aikido AI (in beta): Aikido generates an OpenAPI spec from your codebase. No manual work is needed, and regular rescans keep the spec current.
Fetch from URL: Provide a URL that serves the latest version of your OpenAPI spec. Aikido fetches the spec before each scan, so endpoints added to the spec are picked up automatically.
Manual Upload: Upload an OpenAPI file to define your API endpoints. You will need to update and re-upload the spec yourself each time endpoints are added or changed; endpoints missing from the spec are not scanned.

Step 4: Add authentication details for your API so that Aikido can reach endpoints that require a login; without them, only unauthenticated endpoints are scanned. You can do this by clicking the triple-dot action menu on the domain and then 'Authenticate Domain'.

This opens a modal where you fill in the authentication details. Two authentication types are supported: Login via Form, and Custom Headers (headers such as an Authorization header with a pre-issued token, added to every request of the scan).

Identifying Aikido traffic
All requests coming from Aikido REST and GraphQL scans carry two markers:
the User-Agent header set to aikido-scan-agent/1.0
the request header aikido-api-test set to the value 1
Use these markers to recognise scanner traffic in your staging environment, for example to tag it in logs, separate it from real user traffic when triaging errors, or exempt it from rate limiting. Both are ordinary request headers that any client can send, so never let them bypass authentication or other controls, and never honour them in production.
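The following is an added example, not Aikido's own code, showing how a staging environment can recognise the two documented markers: it normalises header names (HTTP header names are case-insensitive), requires both markers before classifying a request as scanner traffic, grants a rate-limit exemption only when the environment is staging, and filters a constructed access log to list the endpoints the scanner hit and which of them returned 5xx errors. The log format (combined format plus the aikido-api-test header value as a final quoted field), the sample log lines and the environment name "staging" are all assumptions made for this example.

```python
"""Recognise Aikido scanner traffic in a staging environment.

Added example, not Aikido's own code. It relies only on the two markers the
documentation lists: User-Agent "aikido-scan-agent/1.0" and the request header
"aikido-api-test: 1". The log format and the sample log lines are constructed.
"""
import re
from collections import Counter
from typing import Iterable, Mapping

AIKIDO_USER_AGENT = "aikido-scan-agent/1.0"
AIKIDO_TEST_HEADER = "aikido-api-test"


def is_aikido_scan(headers: Mapping[str, str]) -> bool:
    """True when a request carries both documented Aikido markers.

    Header names are normalised to lower case before lookup. Both markers are
    required so a client that merely copies the User-Agent string is not
    misclassified as the scanner.
    """
    lower = {name.lower(): value.strip() for name, value in headers.items()}
    return (lower.get("user-agent") == AIKIDO_USER_AGENT
            and lower.get(AIKIDO_TEST_HEADER) == "1")


def exempt_from_rate_limit(headers: Mapping[str, str], environment: str) -> bool:
    """Decide whether a request may bypass rate limiting during a scan.

    The markers are plain request headers anyone can set, so the exemption is
    granted only in staging (the environment name "staging" is an assumption
    of this example); in production the markers are ignored entirely.
    """
    return environment == "staging" and is_aikido_scan(headers)


# Constructed access-log format: the combined fields followed by the value of
# the aikido-api-test header as a final quoted field ("-" when absent), as
# nginx would emit it through $http_aikido_api_test.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<aikido>[^"]*)"$'
)


def scanner_requests(lines: Iterable[str]):
    """Yield (method, path, status) for every request made by the scanner.

    Used after a scan to separate fuzzing traffic from real staging users when
    triaging errors. Lines that do not match the format are skipped.
    """
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        headers = {"User-Agent": match["ua"], AIKIDO_TEST_HEADER: match["aikido"]}
        if is_aikido_scan(headers):
            yield match["method"], match["path"], int(match["status"])


def error_endpoints(lines: Iterable[str]) -> Counter:
    """Count 5xx responses per endpoint among the scanner's requests."""
    return Counter(f"{method} {path}"
                   for method, path, status in scanner_requests(lines)
                   if status >= 500)


# Constructed sample lines: two scanner requests (one causing a 500), one real
# user, and one client that spoofs only the User-Agent without the test header.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/users?id=1%27%20OR%201=1 HTTP/1.1" 500 0 "-" "aikido-scan-agent/1.0" "1"',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /api/login HTTP/1.1" 401 12 "-" "aikido-scan-agent/1.0" "1"',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /api/users?id=1 HTTP/1.1" 200 310 "-" "Mozilla/5.0" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /api/health HTTP/1.1" 200 2 "-" "aikido-scan-agent/1.0" "-"',
]

if __name__ == "__main__":
    for entry in scanner_requests(SAMPLE_LOG):
        print(entry)
    print(error_endpoints(SAMPLE_LOG))
```

Run against the constructed log, `scanner_requests` returns only the two requests that carry both markers; the spoofed User-Agent on the /api/health request is not enough. `error_endpoints` then isolates the single endpoint that returned a 500 to the scanner, which is where triage should start.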