انتقل إلى المحتوى

API Test Patrol (Early Access)

Wallarm's API Test Patrol is designed to perform dynamic security testing of your applications and APIs to identify a wide range of vulnerabilities - including those outlined in both the OWASP Top 10 and the OWASP API Security Top 10 - through comprehensive, automated tests.

API Test Patrol capabilities:

  • Deep, dynamic analysis of API endpoints.

  • Detection of vulnerabilities in the application or API itself, as well as security misconfigurations in the underlying infrastructure or environment.

  • Visualization of found issues in the Wallarm Console's Security Issues section.

  • Lightweight execution via Docker container.

API Test Patrol - test runs

Wallarm's API Test Patrol is currently an early access feature under development - you can go through the currently available features.

How it works

Use API Test Patrol by fulfilling the following steps:

  1. Create test policy: specify the target application, provide its OpenAPI specification, base URL, and select the tests to run.

  2. Copy Docker command: find your test policy on the Test policies tab, click it, and copy the provided Docker command.

  3. Run and monitor: start the agent with the command. Track progress and view results on the Test runs tab.

API Test Patrol - how it works

Test types

API Test Patrol uses two types of tests to detect security issues:

  • Environment misconfiguration tests check for vulnerabilities and misconfigurations in the environment or infrastructure the application and APIs run on (not the API logic). Examples:

    • Exposed source code, backups, configuration files.
    • Accessible .git, .env, or system files.
    • Insecure web server settings (e.g., directory listing, weak TLS).

  • Input parameter tests check each input point (parameters, headers, etc.) defined in the OpenAPI specification for application-level vulnerabilities. Covered vulnerabilities:

    • Command injection
    • CRLF injection
    • LFI / RFI
    • NoSQL injection
    • Open redirect
    • Path traversal
    • Remote code execution (RCE)
    • SQL injection
    • SSRF
    • SSTI
    • XSS
    • XXE
    • Infoleak

Enabling and setup

To start using API Test Patrol, enable and configure it as described in API Test Patrol Setup.