Announcing Deeper API Security Test Coverage


Lauren Nagel|September 22, 2022

Deeper API Security Test Coverage enables teams to hit every path, cover every test case, and use the correct test data to successfully move down a path.

When it comes to testing software in general, you want to make sure you have sufficient coverage. When it comes to security testing, that coverage becomes even more important because malicious players bank on you missing something. When you’re security testing your APIs you want to make sure you hit every path, cover every test case, and use the right test data so you don’t get blocked on an email check or during a checkout scenario with an invalid credit card number. 

With StackHawk’s Deeper API Security Testing release, we’re giving you three new sets of functionality that ensure your APIs are thoroughly tested and secure: getting started quickly with the test tools and resources you already have, making sure our scanner has valid test data for your use cases, and writing your own custom test scripts to cover the most specific of scenarios. We’re proud to announce these new capabilities:

  • Custom Scan Discovery 

  • Custom Test Data for REST APIs

  • Custom Test Scripts

I’m going to give you a quick overview of each new feature (because I’m a Product Manager and that’s what we do), but StackHawk is a devtool, so I will let the amazing developers who worked so hard on these powerful capabilities give you all the details in their own words. Make sure to click through to their blog posts as well!

Custom Scan Discovery - Why reinvent the wheel?

As a dev-first API security test tool, StackHawk has always recommended OpenAPI definitions as the gold standard for guiding our scanner. But we understand that not everyone has this level of documentation, or maybe you’ve already invested in a test script tool that you’d like to reuse.

With Custom Scan Discovery, you can configure the scanner to use your existing Postman Collections, Cypress test scripts, or another test script via a curl command to get started scanning quickly and easily, no API specs required! We’ll even use existing test data from those scripts when we encounter data inputs. Learn more about Custom Scan Discovery and how to get started scanning your app from Sam in his blog post, Customized and Configurable Scan Discovery, or check out the StackHawk docs.  

hawk:
  spider:
    maxDurationMinutes: 2 # maximum allowed time in minutes for spiders to crawl your application.
    base: true # the basic spider utility that looks at html source files and follows urls it finds. Enabled by default.
    ajax: false # a more complex spider operation that follows dynamic links and buttons in an application.

Custom Test Data for REST APIs - Hackers don’t stop at an email address input field and neither should your test

When you’re testing any application, different test cases require different test data. Sometimes you need valid data to move forward down a path, sometimes erroneous data, sometimes random data. Each might help you discover different error cases or potential vulnerabilities. And inputting incorrect data could stop your test altogether, leaving your app insufficiently tested.

With Custom Test Data for REST APIs, you are now in charge of the test data HawkScan uses. We’ll not only let you configure your test data, we’ll help you figure out where you need it, and give you a FAKER library when necessary. And as I mentioned above, if you’re using an existing test script with Custom Scan Discovery, we’ll go ahead and use that test data so you don’t have to configure two tools. Austin has all the details in his deep dive on Custom Test Data for Rest APIs, or go straight to the docs here.

openApiConf:
  filePath: "/OpenApi_defn_query_parameters.yaml"
  fakerEnabled: true # default false
  includeAllMethods: false
  includedMethods:
    - POST
    - PUT
  customVariables:
    - field: book
      values:
        - "alpha"
        - "beta"
        - "charlie"
    - field: secret
      values:
        - "secret1"
        - "secret2"
        - "secret3"
    - field: book_title
      values:
        - "customBookTitle1"
        - "customBookTitle2"

Custom Test Scripts - Every app is its own special snowflake

StackHawk’s scanner is built on the well-known ZAP library for finding security vulnerabilities, so we’re already checking for a lot, but sometimes you need to cover a use case specific to your app or organization. Business logic, sensitive data, and privacy laws all require custom tests. Additionally, if you want to reuse existing custom tests written for ZAP, you can add those to your StackHawk scans too.

Tenancy checks or Broken Function Level Auth are now within your grasp with just a little scripting. Dana even gives you an example in her blog, Scanning with Custom Test Scripts. After registering your scripts, they’ll be added to your scans and we’ll show you any alerts in the StackHawk platform alongside your other results. View details, triage, or assign alerts to devs for custom test alerts just like you would for any other vulnerabilities found by StackHawk. Check out the StackHawk docs for more details as well.

// Alert metadata shared by every alert this ZAP script raises
var RISK = 2 // 0: info, 1: low, 2: medium, 3: high
var TITLE = "Tenancy Check failed"
var DESCRIPTION = "User was able to access users not in their company"
var SOLUTION = "Enforce tenancy"
var REFERENCE = "https://personal.rhul.ac.uk/vsai/149/Multi-tenancy%20doc%20300614.pdf"
var OTHER = "see: https://www.cloudreach.com/en/blog/multi-tenant-security-in-the-cloud-what-you-need-to-know/"
var PLUGIN_ID = "" // Custom Plugin ID

// Helper: build and raise a ZAP alert through the active scanner (as)
// for the request/response pair (msg), attaching the evidence string
function alert(as, msg, evidence) {
   as.newAlert()
       .setPluginId(PLUGIN_ID)
       .setRisk(RISK)
       .setName(TITLE)
       .setDescription(DESCRIPTION)
       .setEvidence(evidence)
       .setOtherInfo(OTHER)
       .setSolution(SOLUTION)
       .setReference(REFERENCE)
       .setMessage(msg)
       .raise();
}
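The fragment above only shows the alert helper. As an added example (not code from this post or from Dana's blog), here is a complete ZAP active-scan script skeleton around a tenancy check: it replays each request with the scanner's own credentials and raises an alert if the response contains records tagged with a tenant other than the test user's. The tenant id, the `tenantId` field name and the JSON response shapes are assumptions; the ZAP calls used are ZAP's scripting API.

```javascript
// Added example, not code from the StackHawk post or Dana's blog: a ZAP
// active-scan script skeleton that runs a tenancy check. The ZAP calls
// (cloneRequest, sendAndReceive, newAlert) are ZAP's scripting API; the
// tenant id, field name and response shapes below are assumptions.
var EXPECTED_TENANT = "tenant-a";  // assumed: tenant of the scanner's test user
var TENANT_FIELD = "tenantId";     // assumed: per-record tenant field in responses

// Pure check, runnable offline: ids of records that belong to another tenant.
// Accepts a JSON array, an object with an "items" array, or a single object.
function findForeignTenantRecords(expectedTenant, body) {
  var data;
  try { data = JSON.parse(body); } catch (e) { return []; }  // not JSON: nothing to judge
  if (data === null || typeof data !== "object") return [];
  var records = Array.isArray(data) ? data
              : Array.isArray(data.items) ? data.items : [data];
  var leaked = [];
  for (var i = 0; i < records.length; i++) {
    var r = records[i];
    if (r && typeof r === "object" && r[TENANT_FIELD] !== undefined &&
        r[TENANT_FIELD] !== expectedTenant) {
      leaked.push(String(r.id !== undefined ? r.id : i));
    }
  }
  return leaked;
}

// Raise one ZAP alert carrying the leaked ids as evidence.
function raiseTenancyAlert(as, msg, evidence) {
  as.newAlert().setRisk(2).setName("Tenancy Check failed")
    .setDescription("Response contained records belonging to another tenant")
    .setSolution("Scope every data access by the caller's tenant")
    .setEvidence(evidence).setMessage(msg).raise();
}

// ZAP node-level entry point: replay the request as the scanner's own user and
// inspect the response. Returns the number of foreign records found.
function scanNode(as, msg) {
  var req = msg.cloneRequest();
  as.sendAndReceive(req, false, false);
  if (Number(req.getResponseHeader().getStatusCode()) !== 200) return 0;
  var leaked = findForeignTenantRecords(EXPECTED_TENANT, String(req.getResponseBody().toString()));
  if (leaked.length > 0) {
    raiseTenancyAlert(as, req, "ids outside " + EXPECTED_TENANT + ": " + leaked.join(", "));
  }
  return leaked.length;
}
// Per-parameter hook required by ZAP's ActiveScript interface; unused here.
function scan(as, msg, param, value) {}

// Constructed sample response (not captured from any real API) for offline use.
var SAMPLE_BODY = '[{"id":1,"tenantId":"tenant-a"},{"id":2,"tenantId":"tenant-b"}]';
function demo() { return findForeignTenantRecords(EXPECTED_TENANT, SAMPLE_BODY); }  // ["2"]
```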

“We’re far from the shallows now…”

Lady Gaga hasn’t confirmed yet, but our CISO Scott Gerlach and I will be demoing and discussing Deeper API Security Testing in our webinar on 9/28.

Watch the recording here!

All this functionality is available now, so if you’re already a customer we hope you dive deeper into your API security testing right away!

Want to get started with StackHawk? We have an On Demand Demo and a free 14-day Enterprise trial available at www.stackhawk.com. Ready to talk to someone and see StackHawk in action? Contact us at sales@stackhawk.com.
