StackHawk

Announcing Deeper API Security Test Coverage

Lauren Nagel   |   Sep 22, 2022


When it comes to software testing in general, ensuring comprehensive coverage is key. But with security testing—especially API security—that coverage becomes even more critical, as attackers are counting on you to overlook a vulnerability. Advanced API Security Testing goes beyond the basics by ensuring every endpoint is thoroughly examined, all relevant test cases are executed, and realistic test data is used. This level of testing helps prevent false negatives, such as a scan that stalls at an email validation check, or one that misses flaws deep in a multi-step flow like a checkout with invalid payment information.

With StackHawk’s Deeper API Security Testing release, we’re giving you three amazing new sets of functionality that ensure your APIs are thoroughly tested and secure. From getting started quickly with the test tools and resources you already have, to making sure our scanner has valid test data for your use cases, to writing your own custom test scripts for the most specific of scenarios, we’re proud to announce these new capabilities:

  • Custom Scan Discovery

  • Custom Test Data for REST APIs

  • Custom Test Scripts

I’m going to give you a quick overview of each new feature (because I’m a Product Manager and that’s what we do), but StackHawk is a devtool, so I will let the amazing developers who worked so hard on these powerful capabilities give you all the details in their own words. Make sure to click through to their blog posts as well!

Custom Scan Discovery – Why reinvent the wheel?

As a dev-first API security test tool, StackHawk has always recommended using OpenAPI definitions as the gold standard for guiding our scanner. But we understand that not everyone has this level of documentation, or maybe you’ve already invested in a test script tool that you’d like to reuse.

With Custom Scan Discovery, you can configure the scanner to use your existing Postman Collections, Cypress test scripts, or another test script via a curl command to get started scanning quickly and easily, no API specs required! We’ll even use existing test data from those scripts when we encounter data inputs. Learn more about Custom Scan Discovery and how to get started scanning your app from Sam in his blog post, Customized and Configurable Scan Discovery, or check out the StackHawk docs.

hawk:
 spider:
   maxDurationMinutes: 2 # maximum allowed time in minutes for spiders to crawl your application.
   base: true # the basic spider utility that looks at html source files and follows urls it finds. Enabled by default.
   ajax: false # a more complex spider operation that follows dynamic links and buttons in an application.

Custom Test Data for REST APIs – Hackers don’t stop at an email address input field and neither should your test

When you’re testing any application, different test cases require different test data. Sometimes you need valid data to move forward down a path, sometimes erroneous data, sometimes random data. Each might help you discover different error cases or potential vulnerabilities. And inputting incorrect data could stop your test altogether, leaving your app insufficiently tested.

With Custom Test Data for REST APIs, you are now in charge of the test data HawkScan uses. We’ll not only let you configure your test data, we’ll help you figure out where you need it, and give you a FAKER library when necessary. And as I mentioned above, if you’re using an existing test script with Custom Scan Discovery, we’ll go ahead and use that test data so you don’t have to configure two tools. Austin has all the details in his deep dive on Custom Test Data for REST APIs, or go straight to the docs.

 openApiConf:
    filePath: "/OpenApi_defn_query_parameters.yaml"
    fakerEnabled: true #default false
    includeAllMethods: false
    includedMethods:
      - POST
      - PUT
    customVariables:
      - field: book
        values:
          - "alpha"
          - "beta"
          - "charlie"
      - field: secret
        values:
          - "secret1"
          - "secret2"
          - "secret3"
      - field: book_title
        values:
          - "customBookTitle1"
          - "customBookTitle2"

Custom Test Scripts – Every app is its own special snowflake

StackHawk’s scanner is built on the well-known ZAP library for security vulnerabilities, so we’re already checking for a lot, but sometimes you need to cover a specific use case for your app or organization. Business logic, sensitive data, and privacy laws all require custom tests. Additionally, if you want to use existing custom tests from the ZAP library, you can add those to your StackHawk scans too.

Tenancy checks or Broken Function Level Auth are now within your grasp with just a little scripting. Dana even gives you an example in her blog, Scanning with Custom Test Scripts. After registering your scripts, they’ll be added to your scans and we’ll show you any alerts in the StackHawk platform alongside your other results. View details, triage, or assign alerts to devs for custom test alerts just like you would for any other vulnerabilities found by StackHawk. Check out the StackHawk docs for more details as well.

// Alert helper for a ZAP active scan script. `as` is the scanner helper ZAP passes
// to scanNode()/scan(); `msg` is the HttpMessage that exhibited the problem.
var RISK = 2 // 0: info, 1: low, 2: medium, 3: high
var TITLE = "Tenancy Check failed"
var DESCRIPTION = "User was able to access users not in their company"
var SOLUTION = "Enforce tenancy"
var REFERENCE = "https://personal.rhul.ac.uk/vsai/149/Multi-tenancy%20doc%20300614.pdf"
var OTHER = "see: https://www.cloudreach.com/en/blog/multi-tenant-security-in-the-cloud-what-you-need-to-know/"
var PLUGIN_ID = "" // Custom Plugin ID

// Build and raise one alert; `evidence` is the response fragment that proves the finding.
function alert(as, msg, evidence) {
  as.newAlert()
    .setPluginId(PLUGIN_ID)
    .setRisk(RISK)
    .setName(TITLE)
    .setDescription(DESCRIPTION)
    .setEvidence(evidence)
    .setOtherInfo(OTHER)
    .setSolution(SOLUTION)
    .setReference(REFERENCE)
    .setMessage(msg)
    .raise();
}
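The snippet above only shows how a finding is reported, not the check that produces it. The following is an added example, not StackHawk’s or ZAP’s own code, of a complete tenancy check in the shape of a ZAP active scan script: `scanNode` inspects each recorded response and raises an alert when records from another tenant come back. It assumes (constructed for this example) that the API returns JSON records carrying a `tenantId` field and that the scanner is authenticated as a user of `tenant-a`; `makeFakeScanner` and `makeFakeMessage` are constructed stand-ins for ZAP’s `as` and `msg` objects so the script can be run with node outside the scanner.

```javascript
// Added example (not StackHawk's or ZAP's code): tenancy check as a ZAP-style
// active scan script. Uses var/function so it also runs on ZAP's script engine.
var EXPECTED_TENANT = "tenant-a"; // tenant of the authenticated test user (assumption)
var RISK = 2;                     // medium
var TITLE = "Tenancy Check failed";
var PLUGIN_ID = "";               // your custom plugin id goes here

// Pure check: ids of records whose tenantId is not the caller's tenant.
// Non-JSON bodies and unexpected shapes yield no findings rather than an error.
function findForeignRecords(body, expectedTenant) {
  var data;
  try { data = JSON.parse(body); } catch (e) { return []; }
  var records = Array.isArray(data) ? data
              : (data && Array.isArray(data.items)) ? data.items : [];
  var foreign = [];
  for (var i = 0; i < records.length; i++) {
    var r = records[i];
    if (r && r.tenantId !== undefined && r.tenantId !== expectedTenant) {
      foreign.push(String(r.id));
    }
  }
  return foreign;
}

function raiseTenancyAlert(as, msg, evidence) {
  as.newAlert()
    .setPluginId(PLUGIN_ID)
    .setRisk(RISK)
    .setName(TITLE)
    .setDescription("User was able to access records belonging to another tenant")
    .setEvidence(evidence)
    .setSolution("Enforce tenancy on every data access path")
    .setMessage(msg)
    .raise();
}

// ZAP calls scanNode(as, msg) once per URL with the recorded request/response.
// A 403/404 is the expected outcome for foreign data, so only 2xx bodies are inspected.
// Returns true when an alert was raised (handy for testing; ZAP ignores the value).
function scanNode(as, msg) {
  var status = msg.getResponseHeader().getStatusCode();
  if (status < 200 || status >= 300) return false;
  var foreign = findForeignRecords(msg.getResponseBody().toString(), EXPECTED_TENANT);
  if (foreign.length === 0) return false;
  raiseTenancyAlert(as, msg, "record ids from other tenants: " + foreign.join(", "));
  return true;
}

// ZAP calls scan(as, msg, param, value) once per parameter; not needed for this check.
function scan(as, msg, param, value) {}

// --- Constructed stand-ins for ZAP's `as` and `msg`, for running under node only ---
function makeFakeScanner() {
  var raised = [];
  return {
    raised: raised,
    newAlert: function () {
      var fields = {};
      var builder = { raise: function () { raised.push(fields); } };
      ["setPluginId", "setRisk", "setName", "setDescription", "setEvidence",
       "setSolution", "setMessage"].forEach(function (m) {
        builder[m] = function (v) { fields[m.slice(3)] = v; return builder; };
      });
      return builder;
    }
  };
}

function makeFakeMessage(status, body) {
  return {
    getResponseHeader: function () { return { getStatusCode: function () { return status; } }; },
    getResponseBody: function () { return { toString: function () { return body; } }; }
  };
}
```

Keeping the decision in `findForeignRecords` separate from the ZAP plumbing is what makes the script testable with a fake scanner; the same function could be reused for a Broken Function Level Auth check that inspects responses to privileged endpoints.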

“We’re far from the shallows now…”

Lady Gaga hasn’t confirmed yet, but our CISO Scott Gerlach and I will be demoing and discussing Deeper API Security Testing in our webinar on 9/28.

Watch the recording here!

All this functionality is available now, so if you’re already a customer we hope you dive deeper into your API security testing right away!

Want to get started with StackHawk? We have an On Demand Demo and a free 14-day Enterprise trial available at www.stackhawk.com. Ready to talk to someone and see StackHawk in action? Contact us at [email protected].
