48 changes: 24 additions & 24 deletions scan-fix-and-prevent/scan-with-snyk/snyk-api-web/README.md
@@ -1,34 +1,34 @@
# Snyk API & Web

Snyk API & Web is a cloud-based dynamic application security testing (DAST) solution that identifies security vulnerabilities in your running web applications and APIs. Snyk API & Web simulates real-world attacks against your deployed applications to discover security issues before attackers can exploit them.
Snyk API & Web is a cloud-based dynamic application security testing (DAST) solution that identifies security vulnerabilities in your running web applications and APIs. Snyk simulates real-world attacks against your deployed applications to discover security vulnerabilities before attackers can exploit them.

Modern applications expose complex attack surfaces through web interfaces and API endpoints. Security vulnerabilities in production applications can expose sensitive data, compromise user accounts, and damage the reputation of your organization. Traditional static analysis tools examine code at rest, but many vulnerabilities only appear when code executes in its runtime environment.
Modern applications expose complex attack surfaces through web interfaces and API endpoints. Security vulnerabilities in production applications can expose sensitive data, compromise user accounts, and damage the reputation of your company. Traditional static analysis tools examine code at rest, but many vulnerabilities only appear when code executes in its runtime environment.

Snyk API & Web tests your applications in their running state, finding runtime vulnerabilities such as SQL injection, cross-site scripting (XSS), authentication bypasses, and configuration weaknesses. By integrating DAST throughout the software development lifecycle (SDLC), you can catch and fix vulnerabilities before they reach production.
Snyk tests your applications in their running state, finding runtime vulnerabilities such as SQL injection, cross-site scripting (XSS), authentication bypasses, and configuration weaknesses. By integrating DAST throughout the software development lifecycle (SDLC), you can catch and fix vulnerabilities before they reach production.

## Scan web applications and APIs

Snyk API & Web supports two scanning approaches:
Snyk supports two scanning approaches:

* **Web applications**: The scanner crawls your application, discovers pages and functionality, interacts with forms and buttons, and performs comprehensive security tests across your entire web application.
* **APIs**: The scanner tests all endpoints defined in your API schema, ensuring complete coverage of your API surface.
* Web applications: the scanner crawls your application, discovers pages and functionality, interacts with forms and buttons, and performs comprehensive security tests across your entire web application.
* APIs: the scanner tests all endpoints defined in your API schema to ensure complete coverage of your API surface.

Configure authentication to scan protected areas accessible only to logged-in users. Snyk API & Web supports multiple authentication methods including login forms, login sequences, Basic Auth, API keys, and two-factor authentication (2FA).
Configure authentication to scan protected areas accessible only to logged-in users. Snyk supports multiple authentication methods, including login forms, login sequences, Basic Auth, API keys, and two-factor authentication (2FA).

## Test behind authentication

Snyk API & Web provides flexible authentication options to scan protected application areas:
Snyk provides flexible authentication options to scan protected application areas:

* **Login forms and sequences**: Automate login flows using form selectors or recorded browser interactions.
* **Two-factor authentication**: Support for TOTP-based 2FA (for example, Google Authenticator, Authy) and email/SMS-based OTP.
* **API authentication**: API keys, login endpoints, and token-based authentication.
* **Logout detection**: Automatically re-authenticate if your application logs out mid-scan.
* Login forms and sequences: automate login flows using form selectors or recorded browser interactions.
* Two-factor authentication: TOTP-based 2FA (for example, Google Authenticator, Authy) and email or SMS-based OTP.
* API authentication: API keys, login endpoints, and token-based authentication.
* Logout detection: re-authenticate automatically if your application logs out mid-scan.

Comprehensive authentication support ensures security coverage across your entire application, including administrative interfaces and user-specific functionality.

## Scan internal and private applications

For applications not accessible from the public internet, deploy the scanning agent in your private network. The agent creates a secure tunnel between Snyk cloud scanning infrastructure and your internal applications, enabling DAST for:
For applications not accessible from the public internet, deploy the scanning agent in your private network. The agent creates a secure tunnel between Snyk cloud scanning infrastructure and your internal applications to support DAST for:

* Development and staging environments on private networks
* Internal tools and administrative interfaces
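Review bot: replacing "Snyk API & Web" with bare "Snyk" in the section leads ("Snyk supports two scanning approaches", "Snyk supports multiple authentication methods") turns statements that are specific to the DAST product into statements that read as being about Snyk as a whole; introducing the full name once and then using a short form is fine, but each section lead on this landing README should still make clear which product is meant. Separately, "the scanner tests all endpoints defined in your API schema to ensure complete coverage of your API surface" overstates what schema-driven scanning gives you: coverage is complete only with respect to the schema, and endpoints that are not in the schema are not tested. Suggest "to cover every endpoint defined in the schema" plus a sentence telling readers to keep the schema current.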
@@ -38,22 +38,22 @@ The agent deploys as a Docker container or Kubernetes workload in your infrastru

## Integrate into your development workflow

Snyk API & Web provides multiple interfaces for integrating security testing into your workflow:
Snyk provides multiple interfaces for integrating security testing into your workflow:

* **Web UI**: Configure targets, review findings, and generate reports
* **REST API**: Programmatic access for custom integrations and automation
* **CLI**: Command-line interface for scripting and CI/CD pipelines
* **CI/CD integrations**: Native support for Jenkins, GitHub Actions, GitLab CI, and Azure DevOps
* Web UI: configure targets, review findings, and generate reports.
* REST API: programmatic access for custom integrations and automation.
* CLI: command-line interface for scripting and CI/CD pipelines.
* CI/CD integrations: native support for Jenkins, GitHub Actions, GitLab CI, and Azure DevOps.

Trigger scans automatically after deployments, fail builds based on vulnerability thresholds, and sync findings with Jira or other ticketing systems to streamline remediation across your development and security teams.

## Prioritize and fix vulnerabilities

Snyk API & Web detects and reports security vulnerabilities with detailed information including:
Snyk detects and reports security vulnerabilities with detailed information, including:

* **Severity ratings**: Automatically assigned based on vulnerability type, exploitability, impact, and scope, with CVSS scores to prioritize fixes.
* **Affected endpoints**: Specific URLs and API endpoints where vulnerabilities were found
* **Remediation guidance**: Detailed explanations and recommended fixes for each vulnerability type
* **Vulnerability evidence**: Evidence demonstrating how the vulnerability can be exploited
* Severity ratings: Snyk assigns these automatically based on vulnerability type, exploitability, impact, and scope, with CVSS scores to prioritize fixes.
* Affected endpoints: specific URLs and API endpoints where Snyk finds vulnerabilities.
* Remediation guidance: detailed explanations and recommended fixes for each vulnerability type.
* Vulnerability evidence: evidence demonstrating how an attacker can exploit the vulnerability.

Use customizable scan profiles to balance speed and coverage based on your needs, from lightning-fast SSL/TLS checks for CI/CD gates to comprehensive full scans for thorough security assessments.
Use customizable scan profiles to balance speed and coverage based on your needs, from fast SSL/TLS checks for CI/CD gates to comprehensive full scans for thorough security assessments.
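Review bot: "Vulnerability evidence: evidence demonstrating how an attacker can exploit the vulnerability" repeats the word and adds nothing to its label; suggest "Vulnerability evidence: a demonstration of how an attacker can exploit the finding, so you can reproduce it before fixing it." Also, "fail builds based on vulnerability thresholds" and "fast SSL/TLS checks for CI/CD gates" are the two statements a reader setting up a pipeline gate will act on, yet neither says where the threshold or the scan profile is configured; linking the CLI or CI/CD integration page from this paragraph would close that gap.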
@@ -18,20 +18,20 @@ Additional requirements:

If your target requires requests to be encrypted, configure message level encryption in the Encryption tab.

1. In Snyk API & Web, navigate to the **Targets** page.
1. In Snyk, navigate to the **Targets** page.

Contributor Author commented:

I would either remove "In Snyk" or specify where in the UI you are, e.g. Homepage.

2. Identify the target you want to configure and click the **gear** icon to access the target settings.
3. Click the **Encryption** tab and configure all fields:
* Upload a certificate with the server public key
* Upload a certificate with the client private key
* Enter the Key ID (KID) to be placed in the JWE header
* (Optional) Limit the set of URLs that should be encrypted
* (Optional) Limit the set of URLs to encrypt
4. Click **Save**.

<figure><img src="../../../../.gitbook/assets/configure-message-level-encryption-settings.png" alt="Encryption settings page showing certificate upload fields and configuration options"><figcaption></figcaption></figure>

## Verify encryption

After you save the configuration, encryption is enabled. The next time you run a scan against this target, Snyk API & Web automatically uses the configured encryption for all requests.
After you save the configuration, encryption is enabled. The next time you run a scan against this target, Snyk automatically uses the configured encryption for all requests.

{% hint style="info" %}
For your security, all sensitive fields (such as certificates and shared secrets) are obfuscated after they are saved and cannot be viewed or retrieved again.
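Review bot: "Upload a certificate with the client private key" in the Encryption tab list (unchanged context) is inaccurate: an X.509 certificate carries a public key, and the client private key is a separate key file; state which file formats the two upload fields accept and which key is used for what, because a reader who uploads the client certificate where the private key is expected will get a failing scan with no obvious cause. The "In Snyk, navigate to the Targets page" wording has the ambiguity the author already raised; naming the product or the UI location resolves it.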
@@ -2,15 +2,15 @@

Use Postman Collections to define API endpoints for scanning with Snyk API & Web.

This article describes how to configure Snyk API & Web to scan API endpoints using a Postman Collection. The configuration involves three main steps:
Configure Snyk API & Web to scan API endpoints using a Postman Collection. The configuration involves three main steps:

1. Prepare the Postman Collection
2. Configure an API target using the Postman Collection
3. Configure the API target with Postman environment variables

## Example scenario

This guide uses a Postman Collection example with the following requests:
This example uses a Postman Collection with the following requests:

* **Authenticate and obtain an authentication token** - requires a username and password in the request body.
* **Get a list of users** - requires the authentication token in the request header.
@@ -26,14 +26,14 @@ Prepare the Postman Collection to run the sequence of requests from start to end

* `username`: hard-coded value of the username to obtain the token.
* `password`: hard-coded value of the password to obtain the token.
* `user_id`: value to get user details by id. You can let the value as null, since it will be set by the script dynamically.
* `user_id`: value to get user details by ID. Leave the value as null because the script sets it dynamically.

<div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>The <code>username</code> and <code>password</code> variables should be set as <strong>Shared</strong>, so that the exported collection contains their hard-coded values. The <code>user_id</code> variable can be set as <strong>Unshared</strong>, since the value will be set dynamically by the script.</p></div>
2. Navigate to **Environments** to create the variable for storing the authentication token, and other variables that are set in Snyk AI & Web:
* `bearerToken`: variable to store the authentication token. You can let the value as null, since it will be set by the script dynamically.
* `baseUrl`: hard-coded value of the API url.
<div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>Set the <code>username</code> and <code>password</code> variables as <strong>Shared</strong>, so that the exported collection contains their hard-coded values. Set the <code>user_id</code> variable as <strong>Unshared</strong>, because the script sets the value dynamically.</p></div>
2. Navigate to **Environments** to create the variable for storing the authentication token, and other variables that you set in Snyk API & Web:
* `bearerToken`: variable to store the authentication token. Leave the value as null because the script sets it dynamically.
* `baseUrl`: hard-coded value of the API URL.

The configuration of your collection and environments variables, should be looking like the following example:
Your collection and environment variables look like the following example:

<figure><img src="../../../../.gitbook/assets/configure-postman-collection-targets-variables.png" alt="Collection and environment variables showing username, password, user_id, bearerToken and baseUrl variables"><figcaption></figcaption></figure>
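Review bot: the hint in this hunk instructs the reader to set username and password as Shared so that "the exported collection contains their hard-coded values", which means the exported collection JSON later uploaded to the target carries the cleartext password; the mitigation (set password through the credentials manager, with Environments taking precedence over collection variables) only appears under "Configure Postman environment variables" further down. Add a one-line cross-reference here so a reader following the steps in order does not export a production password into a file. Minor: "Leave the value as null" reads as the literal string null; "leave the value empty" is what is meant, since the script sets it dynamically.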

@@ -63,9 +63,9 @@ In this example, the request to obtain user details requires the user identifier
var jsonData = pm.response.json();
pm.collectionVariables.set('user_id', jsonData.results[0].id);
```
2. Then, navigate to the request that gets the user details and add the `user_id` variable as a parameter.
2. Navigate to the request that gets the user details and add the `user_id` variable as a parameter.

The request to get the user details, should be looking like the following example:
The request to get the user details looks like the following example:

Contributor commented with a suggested change:

Suggested change:
The request to get the user details looks like the following example:
The following image shows an example of a request to get user details.
<figure><img src="../../../../.gitbook/assets/configure-postman-collection-targets-user-details.png" alt="User details request showing the variables in request and the authorization header configuration"><figcaption></figcaption></figure>
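Review bot: the post-response script shown as context in this hunk, `pm.collectionVariables.set('user_id', jsonData.results[0].id);`, throws if `results` is empty or absent (for example, when the list-users request returns no users or a non-JSON error body), which leaves `user_id` unset and makes the user-details request fail later in the scan with an unhelpful error. Suggest guarding it, e.g. `if (jsonData.results && jsonData.results.length > 0) { ... }`, and saying in the text that the variable is only populated on a successful list response.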

@@ -78,7 +78,7 @@ With all requests configured, run the collection to test it. If there are no iss
After the Postman Collection is prepared and exported, add an API target.

1. Navigate to **Targets** and click **Add**.
2. Complete the Add target form:
2. Complete the **Add target** form:
* **Name**: Enter a meaningful identifier for your target.
* **URL**: Enter the base URL for your API.
* **API Type**: Select **API**, then select **Postman Collection**.
@@ -88,10 +88,10 @@ After the Postman Collection is prepared and exported, add an API target.

## Configure Postman environment variables

In our example, we added two variables to **Environments**: `baseUrl` and `bearerToken`. Since the `baseUrl` was hard-coded in Postman, we also need to set its value in Snyk API & Web.
This example added two variables to **Environments**: `baseUrl` and `bearerToken`. Because the `baseUrl` was hard-coded in Postman, you must also set its value in Snyk.

{% hint style="info" %}
For security reasons you might want to set the `password` variable using the [credentials manager](../configure-authentication/manage-credentials.md). Variables added to **Environments** will take precedence to the variables added in the collection.
For security reasons, set the `password` variable using the [credentials manager](../configure-authentication/manage-credentials.md). Variables added to **Environments** take precedence over the variables added in the collection.
{% endhint %}

### Manual configuration
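Review bot: the hint changed from "you might want to set the password variable using the credentials manager" to the imperative "set the password variable using the credentials manager", but step 1 of this page still tells the reader to hard-code password as a Shared collection variable so the export carries it; the two only fit together because "Variables added to Environments take precedence over the variables added in the collection", so spell that out: the hard-coded collection value is a placeholder for running the collection locally, and the environment value set through the credentials manager overrides it during the scan. Also, "you must also set its value in Snyk" here and "Snyk API & Web" at the top of this same page are inconsistent; use one form per page.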
@@ -107,9 +107,9 @@ Configure environment variables manually in the user interface:
Alternatively, import environment variables using an automated script:

1. In Postman, export the Postman environment to a file.
2. Retrieve the Python script to import Postman environment variables into Snyk API & Web. This script can be found on the [Probely API Scripts GitHub page](https://github.com/Probely/API_Scripts/blob/master/import_postman_env.py).
2. Retrieve the Python script to import Postman environment variables into Snyk. Find this script on the [Probely API Scripts GitHub page](https://github.com/Probely/API_Scripts/blob/master/import_postman_env.py).
3. Run the Python script and enter the following values:
* **Target ID**: The Snyk API & Web identifier of the API target, which can be found in the URL of the API target. For example, the target ID in `https://plus.probely.app/targets/2yzxnYgwmqbd` is `2yzxnYgwmqbd`.
* **Target ID**: The Snyk identifier of the API target, which you find in the URL of the API target. For example, the target ID in `https://plus.probely.app/targets/2yzxnYgwmqbd` is `2yzxnYgwmqbd`.
* **Postman collection file**: The file exported from Postman containing the environment variables.
4. Navigate to the **Postman Environment Values** section of the API target to see the newly added environment variables.
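Review bot: step 3 labels the second input "Postman collection file" but describes it as "the file exported from Postman containing the environment variables", which is the environment export from step 1, not the collection; rename the label to match (for example "Postman environment file") so readers do not upload the collection export by mistake. Also, the target ID example still uses `https://plus.probely.app/targets/2yzxnYgwmqbd` and the script is fetched from the Probely GitHub repository while the surrounding text now says "Snyk"; confirm that both the URL pattern and the script location are still what readers will see, or state that the Probely-hosted script remains the supported one.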

@@ -118,5 +118,5 @@ Alternatively, import environment variables using an automated script:
After configuration is complete, the target is ready to scan. [Test your configuration](../test-target-configuration.md) and then run a scan to verify that all requests in the collection are tested.

{% hint style="success" %}
In this example, the auth request to set the `bearerToken` is the first in the list of the collection, therefore the scan will be able to properly run all the requests. For production scenarios, we recommend that you [configure Postman authentication](../configure-authentication/configure-postman-authentication.md) and enable the **API TARGET AUTHENTICATION** and **LOGOUT DETECTION** in Snyk API & Web.
In this example, the authentication request to set the `bearerToken` is the first in the list of the collection, so the scan can run all the requests. For production scenarios, Snyk recommends that you [configure Postman authentication](../configure-authentication/configure-postman-authentication.md) and enable **API TARGET AUTHENTICATION** and **LOGOUT DETECTION** in Snyk.
{% endhint %}
@@ -16,12 +16,12 @@ Change the RAML file extension from `.raml` to `.yaml`.
After you have the file with the new extension, create the target as an OpenAPI target:

1. Navigate to **Targets** and click **Add**.
2. Complete the Add target form:
2. Complete the **Add target** form:
- **Name**: Enter a meaningful identifier for your target
- **URL**: Enter the base URL for your API
- **API Type**: Select **API**, then select **OpenAPI**
- **OpenAPI schema upload**: Select this option
- **File**: Choose the RAML file with the `.yaml` extension
3. Click **Add**.

Snyk API & Web performs all necessary conversions, creates the target, and you can scan your RAML API.
Snyk performs all necessary conversions and creates the target, and you can then scan your RAML API.
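Review bot: the "Add target" form items in this hunk (Name, URL, API Type, OpenAPI schema upload, File) have no trailing periods, while the identical form list in the Postman Collection page of this same change ends each item with a period; pick one convention. "OpenAPI schema upload: Select this option" also does not say what the other choices are, so a reader cannot tell what they are choosing against.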

Contributor Author commented:

This sentence is a bit of a mouthful. I would amend to "Snyk performs all necessary conversions, creates the target, then enables you to scan your RAML API."

@@ -18,7 +18,7 @@ Additional requirements:

If your target requires requests to be signed, configure the signature in the target Signature settings.

1. In Snyk API & Web, navigate to the **Targets** page.
1. In Snyk, navigate to the **Targets** page.
2. Identify the target you want to configure and click the **gear** icon to access the target settings.
3. Click the **Signature** tab and identify the **SIGNATURE** module.
4. Select the **Signature** you want to use and complete the form accordingly.
@@ -28,7 +28,7 @@ If your target requires requests to be signed, configure the signature in the ta

## Verify signed requests

After you save the configuration, signed requests are enabled. The next time you run a scan against this target, Snyk API & Web automatically uses the configured signature.
After you save the configuration, signed requests are enabled. The next time you run a scan against this target, Snyk automatically uses the configured signature.

{% hint style="info" %}
For your security, all sensitive fields (such as certificates and shared secrets) are obfuscated after they are saved and cannot be viewed or retrieved again.
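Review bot: "After you save the configuration, signed requests are enabled" is the whole of the "Verify signed requests" section; it enables but does not verify anything. Tell the reader what to check, for example how to confirm from the target's scan results that requests carried the configured signature and were accepted rather than rejected as unsigned; the "Verify encryption" section of the encryption page in this change has the same gap.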