REST API Scanning
Aikido can scan your REST API endpoints to uncover critical endpoint vulnerabilities, such as SQL injection or path traversal. Aikido uses API fuzzing, which essentially means sending a large volume of potentially dangerous payloads to each field in your API.
NEVER do this setup on a production environment, always on staging to avoid potential downtime.
Main Use Cases
Critical Vulnerability Detection:
SQL injection
NoSQL injection
Path traversal
Shell injection
IDOR/BOLA: cross-tenant data leakage in SaaS apps
You can see all checks in the Aikido app here.
Setting up REST API Scanning
Step 1: Click Add Domain in the Domain Overview.
Step 2: Enter the domain name of your staging environment. Ensure this is the base URL for your REST APIs (e.g., https://example.io/api).
Step 3: Set the Application Type to REST API to enable REST API Scanning.
Step 4: Add your OpenAPI specification using one of these options:
Connect to Zen App (recommended): Integrate with Zen to automatically discover and update API endpoints for continuous scanning. More info about Zen can be found here. No manual work or maintenance needed!
Manual Upload: Upload a Swagger file to define your API endpoints. You will need to manually update and re-upload your Swagger file each time new API endpoints are added to your application.
Step 5: Add authorization information for your API so that Aikido can access endpoints that require login. You can do this by clicking the triple-dot action menu on the domain, then 'Authenticate Domain'.
This opens a modal where you can fill in the authentication details. Multiple authentication types are available: Login via Form and Custom Headers.
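For the Manual Upload option, the scanner only fuzzes the endpoints and fields your specification declares, so an under-specified file means untested inputs. The following is an added, constructed example of a minimal OpenAPI 3 file for a staging API; it is not Aikido's own template, and the staging URL, the paths, the parameters and the X-API-Key header name are all assumptions chosen to illustrate the fields the checks above (SQL injection, path traversal, IDOR) would exercise.

```yaml
# Constructed example: minimal OpenAPI 3.0 document for the Manual Upload option.
# The base URL must match the staging domain entered in Step 2; never a production host.
openapi: "3.0.3"
info:
  title: Example Staging API
  version: "1.0.0"
servers:
  - url: https://staging.example.io/api   # assumption: staging base URL from Step 2
components:
  securitySchemes:
    # Matches a 'Custom Headers' authentication setup in Step 5:
    # the scanner sends this header on every request so authenticated routes are reached.
    ApiKeyHeader:
      type: apiKey
      in: header
      name: X-API-Key                       # assumption: header name used by the app
security:
  - ApiKeyHeader: []
paths:
  /users/{userId}:
    get:
      summary: Fetch a single user
      parameters:
        # A tenant-scoped object id: the field an IDOR/BOLA check will vary
        # to confirm that one tenant cannot read another tenant's record.
        - name: userId
          in: path
          required: true
          schema:
            type: string
      responses:
        "200":
          description: User record
  /files:
    get:
      summary: Download a file by name
      parameters:
        # A filename taken from the client: the field a path traversal check targets.
        - name: name
          in: query
          required: true
          schema:
            type: string
      responses:
        "200":
          description: File contents
```

Every parameter and request body field you declare here is a field the fuzzer can populate, so a specification that omits inputs the application actually reads will leave those inputs unscanned.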