API Attack Surface Management Setup
This article describes how to enable and configure API Attack Surface Management to discover your external hosts with their APIs, identify missing WAF/WAAP solutions, and mitigate API Leaks and other vulnerabilities.
Enabling
To use AASM, Wallarm's API Attack Surface subscription plan must be active for your company. To activate it, do one of the following:
- If you do not have a Wallarm account yet, get pricing information and activate AASM on Wallarm's official site here.
  This activates the Core (freemium) version, and scanning of the domain of the email address you used starts immediately. After activation, you can add more domains to the scope.
  You can continue using the Core version for as long as you need, provided that Enterprise features are not necessary for your use. See the differences between the versions here.
- If you already have a Wallarm account, contact sales@wallarm.com.
Adding domains and hosts
To configure API Attack Surface Management to detect hosts under your selected domains and search for security issues related to these hosts:
- In Wallarm Console, proceed to AASM → API Attack Surface → Configure → Domains and hosts.
- Add your domains to the scope and check the scanning status.
  For each newly added domain, Wallarm immediately starts scanning for the data selected in Scan configuration. If necessary, you can stop a scan in progress; this erases all of its results.
- For the added domains, hosts are detected automatically. If necessary, you can add more hosts manually: click Add host and paste hosts separated by comma, semicolon, space, or new line.
- Click a domain to see details on its found and added hosts.
Scan configuration
You can select which data related to your domains will be searched for and displayed by API Attack Surface Management.
For your convenience, Wallarm provides a set of predefined profiles for scan configuration. Try switching between profiles to understand their content.
Brief description of profiles:
| Profile | Description |
|---|---|
| Full | Most complete scan: searches for all types of network services, fully checks WAAP coverage, searches for API leaks in all possible ways, and has all vulnerability detection modules enabled. |
| Fast | Quick scan for the attack surface and basic issues: allows excluding external API discovery, excludes public HTML/JS content from the API leak search, and limits the set of vulnerability detection modules. |
| Vulnerabilities & API leaks | Scan aimed at detecting security issues only. |
| Attack surface inventory | Quickly identifies and maps the attack surface without searching for security issues. |
| API leaks - passive | Searches for API leaks only, with no interaction with your infrastructure. |
| Custom | Enabled automatically whenever you adjust any other profile. |
To configure scanning options:
- In Wallarm Console, proceed to AASM → API Attack Surface → Configure → Scan configuration.
- Select the appropriate profile.
- If necessary, manually adjust the profile options. Note that some options cannot be excluded from specific profiles.

Do not lose your modifications while editing
Remember that any changes you make to the options are lost if you click one of the standard profiles again.
Auto rescan
When auto rescan is enabled, previously added domains are automatically re-scanned once every 7 days: new hosts are added automatically, and hosts that were previously listed but not found during the re-scan stay in the list.
To configure auto rescan:
- In Wallarm Console, proceed to AASM → API Attack Surface → Configure → Scan configuration and enable the Auto rescan option.
- On the Domains and hosts tab, select the domains to be included in or excluded from auto rescan.
Note that the global option has priority: when it is disabled, nothing is auto re-scanned. The per-domain options only allow excluding some domains from auto rescan.
Manual rescan
You can start a scan for any domain manually at AASM → API Attack Surface → Configure → Domains and hosts by clicking the Scan now button.
If necessary, you can stop a scan in progress; this erases all of its results.
Preventing scans from being blocked
If, besides Wallarm, you use additional facilities (software or hardware) that automatically filter and block traffic, it is recommended that you configure an allowlist that includes the IP addresses of API Attack Surface Management.
This allows Wallarm components, including API Attack Surface Management, to scan your resources for vulnerabilities without being blocked.
Scanning status
Brief information about when your domains were added to the scope and last scanned is presented at AASM → API Attack Surface → Configure → Domains and hosts.
Navigate back from the configuration dialog to the main API Attack Surface screen; here you can see the Host scanning status summary. Then switch to the Scanning status tab to see a detailed history of all scans, including:
- Which domain was scanned (Target).
- How the scan was started, manually or automatically (Start-up option).
- Total number of hosts and number of new hosts found during this scan.
- Total number of security issues and number of new security issues found during this scan.
- Scan status and its start and finish date/time.
Notifications
Email
You automatically receive notifications to your personal email (the one you use to log in) about discovered hosts and security issues, including:
- Daily critical security issues (new only): all critical security issues opened during the day, sent once a day with a detailed description of each issue and instructions on how to mitigate it.
- Daily security issues (new only): statistics for security issues opened during the day, sent once a day with information on how many issues of each risk level were found and general action items for mitigation.
- Weekly AASM statistics: information about hosts, APIs, and statistics for security issues discovered for your configured domains within the last week.
The notifications are enabled by default. You can unsubscribe at any moment and configure additional emails to receive all or some of these notifications in Wallarm Console → Configuration → Integrations → Email and messengers → Personal email (your email) or Email report (extra emails), as described here.
Instant notification
You can configure instant notifications for new and re-opened security issues. Select all or only some of the risk levels that should trigger a notification. A separate message is sent for each security issue.
Example:

```text
[Wallarm System] New security issue detected
Notification type: security_issue
New security issue was detected in your system.
ID: 106279
Title: Vulnerable version of Nginx: 1.14.2
Host: <HOST_WITH_ISSUE>
Path:
Port: 443
URL: <URL_WITH_ISSUE>
Method:
Discovered by: AASM
Parameter:
Type: Vulnerable component
Risk: Medium
More details:
Client: <YOUR_COMPANY_NAME>
Cloud: US
```
You can configure instant notifications for security issues in Wallarm Console → Configuration → Integrations → YOUR_INTEGRATION, as described in your integration's documentation.
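As an added example (not Wallarm's code), the following Python parses a message in the instant-notification layout shown above and applies a risk threshold to decide which issues to escalate, for instance when a webhook integration hands the message to your own tooling. The risk-level ordering and the `should_escalate` helper are assumptions, not part of the product.

```python
# Added example (not Wallarm's code): parse the instant-notification message
# layout shown above and decide whether an issue meets an escalation threshold.
# The risk-level ordering is an assumption; only "Medium" appears on this page.
RISK_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# Constructed sample in the page's layout; the angle-bracket values are the
# page's own placeholders, not real hosts or customers.
SAMPLE_MESSAGE = """[Wallarm System] New security issue detected
Notification type: security_issue
New security issue was detected in your system.
ID: 106279
Title: Vulnerable version of Nginx: 1.14.2
Host: <HOST_WITH_ISSUE>
Path:
Port: 443
URL: <URL_WITH_ISSUE>
Method:
Discovered by: AASM
Parameter:
Type: Vulnerable component
Risk: Medium
More details:
Client: <YOUR_COMPANY_NAME>
Cloud: US
"""

def parse_notification(text):
    """Return the 'Key: value' lines of one notification as a dict.

    Only the first colon separates key from value, so a title such as
    'Vulnerable version of Nginx: 1.14.2' keeps its own colon. Lines with
    no colon (subject line, the sentence after the type) are skipped, and
    fields Wallarm left blank become ''.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields

def should_escalate(fields, minimum_risk="high"):
    """True when the issue came from AASM and its risk meets minimum_risk."""
    risk = RISK_ORDER.get(fields.get("risk", "").lower(), -1)
    return fields.get("discovered by") == "AASM" and risk >= RISK_ORDER[minimum_risk]

if __name__ == "__main__":
    issue = parse_notification(SAMPLE_MESSAGE)
    print(issue["id"], issue["title"], issue["risk"], should_escalate(issue, "medium"))
```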