API Test Patrol (Early Access)

Wallarm's API Test Patrol is designed to perform dynamic security testing of your applications and APIs to identify a wide range of vulnerabilities - including those outlined in both the OWASP Top 10 and the OWASP API Security Top 10 - through comprehensive, automated tests.

API Test Patrol capabilities:

  • Deep, dynamic analysis of API endpoints.

  • Detection of vulnerabilities in the application or API itself, as well as security misconfigurations in the underlying infrastructure or environment.

  • Visualization of found issues in the Wallarm Console's Security Issues section.

  • Lightweight execution via Docker container.

API Test Patrol - test runs

Wallarm's API Test Patrol is currently an early access feature under development; the features described on this page are the ones available now.

How it works

Use API Test Patrol by fulfilling the following steps:

  1. Create test policy: specify the target application, provide its OpenAPI specification, base URL, and select the tests to run.

  2. Copy Docker command: find your test policy on the Test policies tab, click it, and copy the provided Docker command.

  3. Run and monitor: start the agent with the command. Track progress and view results on the Test runs tab.

API Test Patrol - how it works

Test types

API Test Patrol uses two types of tests to detect security issues:

  • Environment misconfiguration tests check for vulnerabilities and misconfigurations in the environment or infrastructure the application and APIs run on (not the API logic). Examples:

    • Exposed source code, backups, configuration files.
    • Accessible .git, .env, or system files.
    • Insecure web server settings (e.g., directory listing, weak TLS).
  • Input parameter tests check each input point (parameters, headers, etc.) defined in the OpenAPI specification for application-level vulnerabilities. Covered vulnerabilities:

    • Command injection
    • CRLF injection
    • LFI / RFI
    • NoSQL injection
    • Open redirect
    • Path traversal
    • Remote code execution (RCE)
    • SQL injection
    • SSRF
    • SSTI
    • XSS
    • XXE
    • Infoleak
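Input parameter tests are driven by the input points the OpenAPI specification declares, so it helps to see what that surface looks like before attaching a spec to a test policy. The script below is an added example, not Wallarm's code: it walks a constructed OpenAPI 3 document and lists every parameter (path, query, header) and top-level JSON body property per operation, which is the set of locations such tests would exercise.

```python
"""List the input points an OpenAPI 3 spec declares, per operation.

Added example (not Wallarm's code). The spec below is constructed for
illustration and does not describe a real service.
"""

SAMPLE_SPEC = {  # constructed sample, not a real API
    "openapi": "3.0.0",
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "schema": {"type": "integer"}}],
            "get": {
                "parameters": [{"name": "X-Trace", "in": "header", "schema": {"type": "string"}}]
            },
            "put": {
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "properties": {"name": {"type": "string"}, "redirect": {"type": "string"}},
                }}}}
            },
        },
        "/search": {
            "get": {"parameters": [{"name": "q", "in": "query", "schema": {"type": "string"}}]}
        },
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}


def input_points(spec):
    """Return sorted (METHOD, path, location, name, type) tuples for every
    parameter and top-level JSON body property declared in the spec."""
    points = set()
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level params apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            for p in shared + op.get("parameters", []):
                ptype = p.get("schema", {}).get("type", "any")
                points.add((method.upper(), path, p["in"], p["name"], ptype))
            content = op.get("requestBody", {}).get("content", {})
            for media, body in content.items():
                for name, schema in body.get("schema", {}).get("properties", {}).items():
                    points.add((method.upper(), path, "body:" + media, name, schema.get("type", "any")))
    return sorted(points)


if __name__ == "__main__":
    for point in input_points(SAMPLE_SPEC):
        print(point)
```

Every tuple printed is one location a parameter test would target; a spec that omits parameters or body schemas leaves those inputs untested, so completeness of the spec directly bounds coverage.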

Enabling and setup

To start using API Test Patrol, enable and configure it as described in API Test Patrol Setup.