Getting Started
API Scan
Modern applications rely heavily on APIs, and scanning them for vulnerabilities like broken authentication, insecure endpoints, injection attacks and data exposure risks is essential for maintaining a strong security posture.
With ZeroThreat, you can run both unauthenticated and authenticated API scans to ensure complete coverage of your API surface.
How API Scans Work in ZeroThreat
Running an API scan typically involves the following stages:
- Create a Target: Define your API’s base URL and select API Scan as the scan type.
- Build a Collection: Import your API definitions (Swagger, OpenAPI, Postman, or HAR) into ZeroThreat.
- Configure Authentication (if needed): For protected APIs, set up an API Authentication Configuration.
- Run the Scan: Choose between Unauthenticated or Authenticated scan modes, based on your target and collection setup.
ZeroThreat uses your API Collection as the source for endpoint discovery and scanning.
For APIs with authentication, ZeroThreat handles login, cookies and token capture for protected endpoints.
Quick Overview of Key Concepts and terms
| Feature | Description |
|---|---|
| Collections | Your source of API definitions. Required for all API scans. |
| Unauthenticated Scans | Test publicly accessible API endpoints. |
| Authenticated Scans | Configure login flows or headers to scan private endpoints. |
| Custom Payloads | Provide sample request bodies for endpoints with missing definitions. |
| Dynamic Token Mapping | Automatically extract tokens from login responses for use in subsequent requests. |
Jump Right In
Select the guide you want to explore next: