Configuring API Content and Filters
When configuring API scans, you can use the Content and Filters page of the API Scan Wizard to configure the preferred content type, as well as operations and parameter names and types to include or exclude during the scan. If you are conducting a Postman API scan, the scan wizard validates the collection file(s) that you previously selected and displays the Postman configuration settings in this page. You can review the settings and make adjustments as needed.
Viewing and Adjusting Postman Configuration Settings
Note: Postman Configuration settings are available only when conducting a Postman API scan.
Upon successful validation of the Postman collection file(s), a list of sessions contained in the collection file(s) appears in the Postman Configuration area. If authentication sessions are identified, they are preselected as Auth sessions. All other sessions are preselected as Audit sessions. Additionally, the type of authentication detected is listed as the Token Strategy with the options of None, Static, or Dynamic.
Note: Auth sessions will be used for authentication for the scan. Audit sessions will be audited in the scan.
Optionally, to adjust the settings:
1. Select the Auth or Audit check box for a session to change its type as needed.
2. Make changes to the Postman authentication settings as follows:
   - For Static authentication, enter a token in the Custom Header Token box.
   - For Dynamic authentication, do the following:
     a. Select the Regex (Custom) option to the right of the Response Token box, and then enter a custom regular expression in the Response Token Name box.
     b. Select the Regex (Custom) option to the right of the Request Token Name box, and then enter a custom regular expression in the Request Token Name box.
     c. Clear the Use Auto Detect option to the right of the Logout Condition box, and then enter a new logout condition string in the Logout Condition box.
     For more information about dynamic authentication for Postman, see Manually Configuring Postman Login for Dynamic Tokens.
Important! If you make changes to the Postman authentication settings, they will not be validated unless you return to the API Scan page of the API Scan Wizard, and then click Next again.
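As an added illustration, not part of this documentation and not the scanner's own code, the following Python models what the three dynamic-authentication settings do during an auth-then-audit loop: a Response Token regex captures the session token from the login response, a Request Token regex locates where that token belongs in outgoing requests, and a Logout Condition string signals that the session is gone and a fresh login is needed. The sample messages, regex patterns and function names are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample messages; they stand in for the Auth session's login
# response and for responses seen while replaying Audit sessions.
LOGIN_RESPONSE = '{"access_token":"abc123.def456","token_type":"Bearer","expires_in":3600}'
EXPIRED_RESPONSE = '{"error":"invalid_token","message":"Session expired, please log in again"}'

# Assumed equivalents of the wizard's three Dynamic settings (constructed values).
RESPONSE_TOKEN_REGEX = r'"access_token"\s*:\s*"([^"]+)"'  # group 1 = token in the response
REQUEST_TOKEN_REGEX = r"Bearer\s+(\S+)"                   # where the token sits in a request
LOGOUT_CONDITION = "Session expired"                      # substring meaning "logged out"


def extract_response_token(body: str, pattern: str = RESPONSE_TOKEN_REGEX) -> Optional[str]:
    """Apply the Response Token regex to an auth response; group 1 is the token."""
    match = re.search(pattern, body)
    return match.group(1) if match else None


def inject_request_token(headers: Dict[str, str], token: str,
                         pattern: str = REQUEST_TOKEN_REGEX) -> Dict[str, str]:
    """Replace the token wherever a header matches the Request Token regex.

    If no header matches yet (first request), an Authorization header is added.
    """
    updated = dict(headers)
    placed = False
    for name, value in updated.items():
        if re.search(pattern, value):
            updated[name] = re.sub(pattern, f"Bearer {token}", value)
            placed = True
    if not placed:
        updated["Authorization"] = f"Bearer {token}"
    return updated


def is_logged_out(body: str, condition: str = LOGOUT_CONDITION) -> bool:
    """The Logout Condition is a plain substring check on the response."""
    return condition in body


def run_audit(responses: List[str], login_body: str = LOGIN_RESPONSE) -> Tuple[Dict[str, str], int]:
    """Simulate the loop: log in once, then re-authenticate whenever an audit
    response satisfies the logout condition. Returns the final request headers
    and how many logins were performed."""
    token = extract_response_token(login_body)
    headers = inject_request_token({"Accept": "application/json"}, token)
    logins = 1
    for body in responses:
        if is_logged_out(body):
            token = extract_response_token(login_body)  # replay the Auth session
            headers = inject_request_token(headers, token)
            logins += 1
    return headers, logins


if __name__ == "__main__":
    final_headers, login_count = run_audit(["{}", EXPIRED_RESPONSE, "{}"])
    print(final_headers, login_count)
```

Because the Response Token regex is the only thing that ties the token to the request, a pattern that matches too loosely (for example one that also matches the `token_type` field) silently sends the wrong value; testing the regex against a captured login response before running the scan avoids a scan that audits everything as an anonymous user.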
Specifying the Preferred Content Type
The preferred content type setting specifies the preferred content type of the request payload. If the preferred content type is in the list of supported content types for an operation, then the generated request payload will be of that type. Otherwise, the first content type listed in an operation will be used. An example of preferred content type is application/json.
Important! The Preferred Content Type setting does not work with schema-based APIs, such as GraphQL, SOAP, gRPC, and Postman.
To specify the preferred type:
1. Type the preferred content type in the Preferred Content Type box.
Defining Specific Operations to Include
The Include feature defines an allow list of operation IDs that should be included in the output.
To define a specific operation to include:
1. Select Specific Operations.
2. Select Include.
3. Click Add.
   The Specify Operation dialog box opens.
4. In the Operation box, type the operation ID.
5. Click OK.
   The operation ID is added to the allow list.
Defining Specific Operations to Exclude
The Exclude feature defines a deny list of operation IDs that should be excluded from the output.
To define a specific operation to exclude:
1. Select Specific Operations.
2. Select Exclude.
3. Click Add.
   The Specify Operation dialog box opens.
4. In the Operation box, type the operation ID.
5. Click OK.
   The operation ID is added to the deny list.
Editing Specific Operations
To edit a specific operation in the allow or deny list:
1. Do one of the following:
   - To edit an operation in the allow list, select Include.
   - To edit an operation in the deny list, select Exclude.
2. Select the operation ID you want to edit.
3. Click Edit.
Removing Specific Operations
To remove a specific operation from the allow or deny list:
1. Do one of the following:
   - To remove an operation in the allow list, select Include.
   - To remove an operation in the deny list, select Exclude.
2. Select the operation ID you want to remove.
3. Click Remove.
Defining Parameter Rules
Parameter rules define a default value to use for a parameter when the parameter name and type are encountered. You can also specify operations to determine whether a specific parameter rule should or should not apply to those operations.
Important! If you configure a parameter rule and then change the API definition type to one for which the rule's parameter type is invalid, the invalid parameter rule type is changed to Any, and a warning message is displayed below the list.
To add a parameter rule:
1. Select Parameter Rules.
2. Click Add.
   The Parameter Rule dialog box opens.
3. In the Parameter Rule Name box, type a name for the rule.
4. In the Parameter Rule Type list, select a type. Available options depend on the API type and may include the following:
   - Any
   - Boolean
   - Date
   - File
   - Guid
   - Number
   - String
   For more information on the Parameter Rule Types and their equivalents based on API type, see Understanding Parameter Type Matches.
5. Continue according to the following table:
   For this Rule Type...    In the Parameter Rule Value box...
   Any                      Type any value.
   Boolean                  Type true or false.
   Date                     To enter a string value, type a date and time string using the following format: 11/3/2022 11:00 AM
                            To select a date and time using a calendar: click the calendar icon, select a date and time, and then click Close.
   File                     Click the icon, browse to locate the file to add to the scan settings, and then click Open.
   Guid                     Enter a GUID.
   Number                   Enter a numerical value.
   String                   Type any value.
6. For OData and Swagger (Open API) scans, in the Parameter Rule Location list, select a location where the parameter is found in the request. Options are:
   - Any
   - Body
   - Header
   - Path
   - Query
7. Optionally, to specify operations to which this parameter rule should or should not apply, select Specific Operations and perform steps 2-5 of Defining Specific Operations to Include or Defining Specific Operations to Exclude.
8. Optionally, select Inject Parameter to include the defined parameter in the request.
   Important! The Inject Parameter option does not work with schema-based APIs, such as SOAP, gRPC, and Postman. Those API types do not accept forced parameters. For GraphQL, Inject Parameter only works with the query operation if the property is in the query schema.
9. Click OK.
   The rule is added to the Parameter Rules list.
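The following Python is an added example, not the product's own code, that models how the Content and Filters settings described in this page (the preferred content type, the Include/Exclude operation lists, and parameter rules with a type, location, operation scope and the Inject Parameter option) combine when requests are generated. The operation records, rule values and function names are constructed assumptions; in particular, the exact matching order the scanner uses is not documented here, so this code applies the first matching rule in list order.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed stand-in for a parsed API definition: each operation lists its
# supported content types and its parameters as (name, type, location).
OPERATIONS = [
    {"id": "getUser", "content_types": ["application/xml", "application/json"],
     "params": [("id", "Number", "Path"), ("X-Request-Id", "Guid", "Header")]},
    {"id": "createUser", "content_types": ["application/x-www-form-urlencoded"],
     "params": [("email", "String", "Body"), ("active", "Boolean", "Body")]},
    {"id": "deleteUser", "content_types": ["application/json"],
     "params": [("id", "Number", "Path")]},
]

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
DATE_FORMAT = "%m/%d/%Y %I:%M %p"  # matches the documented example 11/3/2022 11:00 AM


def choose_content_type(supported: List[str], preferred: str) -> Optional[str]:
    """Preferred type if the operation supports it, otherwise the first one listed."""
    if not supported:
        return None
    return preferred if preferred in supported else supported[0]


def filter_operations(ops: Iterable[dict], mode: Optional[str], ids: FrozenSet[str]) -> List[dict]:
    """Include = allow list of operation IDs, Exclude = deny list, None = no filter."""
    if mode == "Include":
        return [o for o in ops if o["id"] in ids]
    if mode == "Exclude":
        return [o for o in ops if o["id"] not in ids]
    return list(ops)


def validate_rule_value(rule_type: str, value: str) -> bool:
    """Check a Parameter Rule Value against its Rule Type before saving the rule."""
    if rule_type == "Boolean":
        return value in ("true", "false")
    if rule_type == "Number":
        try:
            float(value)
            return True
        except ValueError:
            return False
    if rule_type == "Guid":
        return bool(GUID_RE.match(value))
    if rule_type == "Date":
        try:
            datetime.strptime(value, DATE_FORMAT)
            return True
        except ValueError:
            return False
    return True  # Any, String and File accept any value


@dataclass(frozen=True)
class ParameterRule:
    name: str                       # parameter name the rule matches
    rule_type: str                  # Any, Boolean, Date, File, Guid, Number, String
    value: str                      # default value to use
    location: str = "Any"           # Any, Body, Header, Path, Query
    op_mode: Optional[str] = None   # Specific Operations: "Include", "Exclude" or None
    op_ids: FrozenSet[str] = frozenset()
    inject: bool = False            # Inject Parameter (assumed: force it into the request)

    def in_scope(self, op_id: str) -> bool:
        if self.op_mode == "Include":
            return op_id in self.op_ids
        if self.op_mode == "Exclude":
            return op_id not in self.op_ids
        return True

    def applies_to(self, op_id: str, pname: str, ptype: str, ploc: str) -> bool:
        return (self.name == pname
                and self.rule_type in ("Any", ptype)
                and self.location in ("Any", ploc)
                and self.in_scope(op_id))


# Constructed rules: a default id for every Path parameter of type Number, a
# Boolean default that must not apply to createUser, and a header injected only
# into deleteUser.
SAMPLE_RULES: Tuple[ParameterRule, ...] = (
    ParameterRule("id", "Number", "42", "Path"),
    ParameterRule("active", "Boolean", "true", "Body", "Exclude", frozenset({"createUser"})),
    ParameterRule("X-Debug", "String", "1", "Header", "Include", frozenset({"deleteUser"}), inject=True),
)


def build_requests(ops: Iterable[dict], preferred: str, op_mode: Optional[str] = None,
                   op_ids: FrozenSet[str] = frozenset(),
                   rules: Tuple[ParameterRule, ...] = ()) -> List[dict]:
    """Resolve content type and parameter values for every operation left after filtering."""
    requests = []
    for op in filter_operations(ops, op_mode, op_ids):
        values: Dict[str, str] = {}
        for pname, ptype, ploc in op["params"]:
            rule = next((r for r in rules if r.applies_to(op["id"], pname, ptype, ploc)), None)
            if rule is not None:
                values[pname] = rule.value
        for r in rules:  # injected parameters are added even if the definition lacks them
            if r.inject and r.name not in values and r.in_scope(op["id"]):
                values[r.name] = r.value
        requests.append({"id": op["id"],
                         "content_type": choose_content_type(op["content_types"], preferred),
                         "params": values})
    return requests


if __name__ == "__main__":
    for req in build_requests(OPERATIONS, "application/json", rules=SAMPLE_RULES):
        print(req)
```

Running the sample shows the interactions the page describes: `createUser` keeps its first listed content type because it does not support `application/json`, the `active` rule is skipped for `createUser` because of its Exclude scope, and `X-Debug` appears only on `deleteUser` because it is both injected and scoped with Include.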
Editing a Parameter Rule
To edit a rule in the Parameter Rules list:
1. Select the check box for the rule to edit, and then click Edit.
   The Parameter Rule dialog box opens. For more information about using this dialog box, see Defining Parameter Rules.
Removing a Parameter Rule
To remove a rule from the Parameter Rules list:
1. Select the check box for the rule to remove, and then click Remove.
What's Next?
To configure scan details, click Next and proceed with Configuring Scan Details for API and Web Service Scans.