
REST API Scanning

Aikido can scan your REST API endpoints to uncover critical endpoint vulnerabilities such as SQL injection or path traversal. It does this with API fuzzing: sending large numbers of malicious payloads to every parameter and body field of each endpoint and inspecting the responses for signs that a payload reached a dangerous sink.

Never run this setup against a production environment. Always point it at staging: the fuzzer fires intrusive payloads at high volume and can cause downtime or unwanted side effects in the target application.

Main Use Cases

Critical Vulnerability Detection:

  • SQL injection

  • NoSQL injection

  • Path traversal

  • Shell injection

  • IDOR/BOLA: cross-tenant data leakage in SaaS apps

You can see all checks in the Aikido app here.

Setting up REST API Scanning

Step 1: Click Add Domain in the Domain Overview.

Step 2: Enter the domain name of your staging environment. Make sure this is the base URL of your REST API (for example, https://example.io/api).

Step 3: Set the Application Type to REST API to enable REST API Scanning.

Step 4: Add your OpenAPI specification using one of these options:

  • Connect to Zen App (recommended): Integrate with Zen to automatically discover and update API endpoints for continuous scanning. More info about Zen can be found here. No manual work or maintenance is needed.

  • Manual Upload: Upload a Swagger/OpenAPI file to define your API endpoints. You will have to update and re-upload this file yourself each time new endpoints are added to your application; endpoints missing from the file are not scanned.

Step 5: Add authorization information so Aikido can reach endpoints that require login. Click the triple-dot action menu on the domain, then choose 'Authenticate Domain'.

This opens a modal where you can fill in the authentication details. Two authentication types are available: Login via Form, and Custom Headers (such as a bearer token or API key header).
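As an added illustration of what a spec-driven fuzzer does with the OpenAPI file you upload, and why the staging-only rule matters, here is example code written for this page (it is not Aikido's scanner and says nothing about its internals): it refuses to run unless every `servers` URL points at an assumed staging host, enumerates every declared parameter and JSON body field, sprays a few injection payloads into each, and matches responses against error signatures. The base URL, the spec, the payloads and the deliberately vulnerable in-process handler standing in for the staging API are all constructed for the example.

```python
"""Toy spec-driven API fuzzer (added example, not Aikido's engine)."""
import re
from urllib.parse import urlparse

# Constructed OpenAPI 3 document for a hypothetical staging base URL.
SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://staging.example.io/api"}],
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [{"name": "id", "in": "path", "required": True,
                                    "schema": {"type": "string"}}]}
        },
        "/search": {
            "get": {"parameters": [{"name": "q", "in": "query", "schema": {"type": "string"}}]}
        },
        "/files": {
            "post": {"requestBody": {"content": {"application/json": {"schema": {
                "type": "object",
                "properties": {"name": {"type": "string"}, "path": {"type": "string"}}}}}}}
        },
    },
}

# A fuzzer sprays payloads like these into every field: SQLi, traversal, shell.
PAYLOADS = ["' OR '1'='1", "../../../../etc/passwd", "; id"]

# Response signatures suggesting a payload reached a dangerous sink.
SIGNATURES = [
    ("sql_injection", re.compile(r"syntax error|sqlite3\.|near \"'\"", re.I)),
    ("path_traversal", re.compile(r"root:x:0:0", re.I)),
    ("shell_injection", re.compile(r"uid=\d+\(", re.I)),
]


def assert_staging(spec, allowed_host_suffix="staging.example.io"):
    """Refuse to fuzz unless every server URL points at the (assumed) staging host."""
    for server in spec.get("servers", []):
        host = urlparse(server["url"]).hostname or ""
        if not host.endswith(allowed_host_suffix):
            raise RuntimeError(f"refusing to fuzz non-staging server: {server['url']}")
    return True


def fuzzable_fields(spec):
    """List (METHOD, path, location, field) tuples the fuzzer will target."""
    fields = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            for p in op.get("parameters", []):
                fields.append((method.upper(), path, p["in"], p["name"]))
            body = op.get("requestBody", {}).get("content", {}).get("application/json", {})
            for name in body.get("schema", {}).get("properties", {}):
                fields.append((method.upper(), path, "body", name))
    return fields


def fake_staging_api(method, path, location, field, value):
    """Constructed stand-in for the staging server (deliberately vulnerable).

    GET /users/{id} concatenates `id` into a SQL string; everything else is safe.
    """
    if path == "/users/{id}" and field == "id" and "'" in value:
        return 500, "sqlite3.OperationalError: near \"'\": syntax error"
    return 200, "ok"


def fuzz(spec, send=fake_staging_api):
    """Inject every payload into every declared field; return the findings."""
    assert_staging(spec)
    findings = []
    for method, path, location, field in fuzzable_fields(spec):
        for payload in PAYLOADS:
            status, body = send(method, path, location, field, payload)
            for label, pattern in SIGNATURES:
                if pattern.search(body):
                    findings.append({"check": label, "method": method, "path": path,
                                     "field": field, "payload": payload, "status": status})
    return findings


if __name__ == "__main__":
    for finding in fuzz(SPEC):
        print(finding)
```

The staging guard is the part to carry over into real use: whichever tool you run, make the host check a hard precondition rather than a reminder, because a spec copied from production will otherwise happily direct the payload spray at production.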