Using the API Scan Wizard
You can use the API Scan Wizard to configure settings for an API scan or a Web service scan in the Fortify WebInspect user interface.
API Scans
For Swagger, OData, and Postman scans, Fortify WebInspect creates a macro from the REST API definition, and then performs an automated analysis. For GraphQL, gRPC, and SOAP scans, a more traditional scanning method is used.
Important! If you are configuring a Postman API scan, be sure that the prerequisite software is installed before proceeding. For more information about this and other aspects of using Postman collection files, including configuring dynamic authentication using dynamic tokens, see Scanning with a Postman Collection.
Web Service Scans
For a legacy Web service scan, Fortify WebInspect crawls the WSDL site and submits a value for each parameter in each operation it discovers. These values are extracted from a file that you must create using the Web Service Test Designer. Fortify WebInspect then audits the site by attacking each parameter in an attempt to detect vulnerabilities such as SQL injection.
See Auditing Web Services for more information on how a Web services vulnerability scan differs from other types of scan actions.
Recommendation
Fortify recommends that you run only one scan at a time. When using SQL Express, in particular, depending on the size of the site, conducting concurrent (or parallel) scans might result in high usage of RAM, CPU, and disk resources on the Fortify WebInspect host.
Getting Started with the API Scan Wizard
To begin configuring settings for an API scan or a Web service scan:
- On the Fortify WebInspect Start Page, click Start an API Scan. The API Scan Wizard opens.
- Optionally, enter a name for the scan in the Scan Name box.
Tip: On any window presented by the API Scan Wizard, you can click Settings (at the bottom of the window) to modify the default settings or to load a settings file that you previously saved. Any changes that you make will apply to this scan only and will not be retained in the default settings file. To make and retain changes to default settings, click the Fortify WebInspect Edit menu, and then select Default Scan Settings.
What's Next?
Do one of the following:
- To configure an API scan, proceed with Configuring an API Scan.
- To configure a legacy Web services scan using a Web Service Definition Language (WSDL) file, proceed with Configuring a Web Service Scan Using a WSDL File.
- To configure a legacy Web services scan using an existing Web Service Test Design (WSD) file, proceed with Configuring a Web Service Scan Using an Existing WSD File.
Configuring an API Scan
You can begin configuring settings for an API scan in the API Scan page of the API Scan Wizard.
To configure settings for an API scan:
- Select API Scan.
- In the API Type list, select the API type to be scanned. The options are:
  - GraphQL
  - gRPC
  - OData
  - Postman
  - SOAP
  - Swagger (also known as OpenAPI)
- Continue according to the following table.
For this API type... Do this...

GraphQL, gRPC, OData, or Swagger
  Do one of the following:
  - In the API Definition/Config box, provide the URL to the API definition file, as shown in the following examples:
    http://172.16.81.36/v1
    http://myapi/protos/client.proto
    http://myapi/graphql/
  - Click the browse button next to the box and import a configuration file or definition file. Tip: Alternatively, you can paste the full path to the file that is saved on your local machine.
  If you did not enter a name in the Scan Name box, the definition file is parsed and the URL is added to the Scan Name box.

Postman
  Do one of the following:
  - To import a workflow collection, click the browse button, select Workflow from the drop-down list, and then import the Postman collection file.
  - To import an authentication collection, click the browse button, select Authentication from the drop-down list, and then import the Postman collection file.
  - To import an environment file, click the browse button, select Environment from the drop-down list, and then import the Postman environment file.
  The file is added to the list of collection files. Repeat this step to import additional collection files.
  Important! You can import only one authentication collection file and one environment file. You can import multiple workflow collection files.

SOAP
  - Do one of the following:
    - In the API Definition/Config box, provide the URL to the API definition file, as shown in the following example:
      http://172.16.81.36/web-services/infoService?wsdl
    - Click the browse button next to the box and import a configuration file or definition file. Tip: Alternatively, you can paste the full path to the file that is saved on your local machine.
    If you did not enter a name in the Scan Name box, the definition file is parsed and the URL is added to the Scan Name box.
  - In the Version list, select a version to allow filtering of operations by the specific version. Options are as follows:
    - Legacy – filters against the lowest supported version.
    - Mixed – uses a combination of Legacy and Newest, depending on what is available.
    - Newest – the default setting, filters against the latest version.
- If you imported a definition file or a configuration file in which a scheme, host, or service path is specified, the "API location is different from API definition location" option is selected. Specify the following:
  - In the API Scheme Type list, select a type. Options are HTTP, HTTPS, and HTTP and HTTPS.
  - In the API Host box, type the URL or hostname.
  - In the API Service Path box, type the directory path for the API service.
  Note: The GraphQL service location is always the same as the definition location. For SOAP, if the "?wsdl" query string is removed from the definition URL, the resulting SOAP service location may or may not be the same as the definition location. The gRPC service location is always different from the definition location.
  Note: If the service path is not defined for a Swagger scan, Fortify WebInspect uses the basePath defined in the Swagger definition contents. For Swagger scans, select "API location is different from API definition location" unless your service is explicitly run at the same location as the docs folder for Swagger. Optionally, you may define a service path if it differs from the basePath.
- Click Next and proceed with Configuring Authentication and Connectivity for API Scans.
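The two notes above describe how the location that gets attacked is derived from the location the definition was loaded from: an explicit service path wins, otherwise the definition's own basePath (or, for OpenAPI 3, its servers entry) is used, otherwise the definition URL itself; for SOAP, dropping "?wsdl" gives a candidate endpoint that may still differ from the real one. The following is an added Python example, not Fortify WebInspect code, that models that precedence so you can check what "API location is different from API definition location" should be set to before launching a scan. The definition documents, hostnames, and URLs are constructed for illustration, and the precedence rule is an assumption taken from the notes, not WebInspect's actual resolution logic.

```python
"""Derive the service location a DAST scanner should target from an API
definition. Added example modelled on the notes above; not product code."""
import json
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed inputs (assumed, not from the page): a Swagger 2.0 document
# that names its own scheme/host/basePath, and an OpenAPI 3 document whose
# server URL is relative to the document location.
SWAGGER2_DOC = json.loads("""{
  "swagger": "2.0",
  "host": "api.example.test",
  "schemes": ["https"],
  "basePath": "/v1",
  "paths": {"/users": {"get": {"responses": {"200": {"description": "ok"}}}}}
}""")

OPENAPI3_DOC = json.loads("""{
  "openapi": "3.0.3",
  "servers": [{"url": "/api/v2"}],
  "paths": {"/users": {"get": {"responses": {"200": {"description": "ok"}}}}}
}""")


def service_location(definition_url, spec, service_path=None):
    """Return the base URL to scan for a Swagger 2.0 or OpenAPI 3 definition.

    Precedence (assumed from the notes): an explicit service path wins, then
    the definition's own basePath / servers entry, then the scheme, host and
    root of the URL the definition was fetched from.
    """
    parts = urlsplit(definition_url)
    if spec.get("servers"):
        # OpenAPI 3: the server URL may be absolute or relative to the document.
        base = urlsplit(urljoin(definition_url, spec["servers"][0]["url"]))
        scheme, host, path = base.scheme, base.netloc, base.path or "/"
    else:
        # Swagger 2.0: scheme, host and basePath are separate optional fields.
        scheme = (spec.get("schemes") or [parts.scheme])[0]
        host = spec.get("host") or parts.netloc
        path = spec.get("basePath") or "/"
    if service_path is not None:
        path = service_path
    if not path.startswith("/"):
        path = "/" + path
    return urlunsplit((scheme, host, path, "", ""))


def wsdl_service_location(definition_url):
    """SOAP: the definition URL is usually the endpoint plus '?wsdl'.

    Removing that query yields a candidate endpoint only; the note above warns
    the real service location may still differ, so verify it before scanning.
    """
    parts = urlsplit(definition_url)
    query = "" if parts.query.lower() == "wsdl" else parts.query
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def location_differs(definition_url, service_url):
    """True when the service does not live in the folder the definition was
    served from, i.e. when "API location is different from API definition
    location" should be selected."""
    d, s = urlsplit(definition_url), urlsplit(service_url)
    definition_folder = d.path.rsplit("/", 1)[0] + "/"
    service_folder = s.path.rstrip("/") + "/"
    return (d.scheme, d.netloc, definition_folder) != (s.scheme, s.netloc, service_folder)


if __name__ == "__main__":
    doc_url = "http://172.16.81.36/docs/swagger.json"   # constructed
    target = service_location(doc_url, SWAGGER2_DOC)
    print(target, "differs:", location_differs(doc_url, target))
    print(wsdl_service_location("http://172.16.81.36/web-services/infoService?wsdl"))
```

Run it with a definition URL and the parsed definition to see which target the rule produces; if `location_differs` returns True, fill in the API Scheme Type, API Host, and API Service Path fields from the returned URL rather than accepting the definition location.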
Configuring a Web Service Scan Using a WSDL File
You can begin configuring settings for a legacy Web service scan using a Web Service Definition Language (WSDL) file in the API Scan page of the API Scan Wizard.
To configure settings using a WSDL file:
- Select Configure a SOAP Web Service Scan.
- Do one of the following:
  - Enter or select the full path and name of a WSDL file.
  - Click the browse button to open a standard file-selection dialog box, and then choose a WSDL file.
  Note: You import the WSDL file at this point and later launch the Web Service Test Designer to configure a file containing values for each operation in the service.
- Click Next and proceed with Configuring Authentication and Connectivity for API Scans.
Configuring a Web Service Scan Using an Existing WSD File
You can begin configuring settings for a legacy Web service scan using an existing Web Service Test Design (WSD) file in the API Scan page of the API Scan Wizard.
To configure settings using an existing WSD file:
- Select Scan with Existing Design File.
- Click the browse button to open a standard file-selection dialog box, and then choose a WSD file that you previously created using the Web Service Test Designer. Note: The selected file contains values for each operation in the service.
- Click Next and proceed with Configuring Authentication and Connectivity for API Scans.