Scan web applications and APIs
Use Veracode DAST Essentials (recommended) or Veracode Dynamic Analysis to perform Dynamic Application Security Testing (DAST) on web applications, REST APIs, or Postman Collections. The tests include scans that crawl your web application URLs, endpoints in API specifications, or requests in Postman Collections, to understand the architecture, and interact with these assets like an attacker.
For example, for web applications, this includes links, text, form fills, and other page elements with which users can interact. It also checks attack points that are less visible to the user, such as header values, cookies, and URL parameters. The scan engine then audits the objects and attributes that the crawler discovered, and sends attacks, such as Cross-Site Scripting and SQL Injection, to these objects and attributes to identify exploitable vulnerabilities.
Because modern web applications are complex and feature-rich, the crawler must not only interact with the application or API endpoint as intended, but must also exercise each part of the application or endpoint with payloads that test for vulnerabilities. More complex web applications, for example, require more requests and permutations of tests, which can increase the testing time.
To detect common vulnerabilities, we recommend scanning all internet-facing and internal web applications or APIs. For example, if an attacker compromises internet-facing web applications or APIs, they could gain access to internal web applications or APIs, exploit any vulnerabilities, and cause further damage to your organization.
DAST scanning solutions
We provide the following DAST solutions for analyzing web applications, REST APIs, and Postman Collections. Both solutions use the Veracode scan engine for DAST, identify vulnerabilities in your internal or external web applications or APIs, and provide guidance for mitigating vulnerabilities to prevent future attacks. To automate login to website URLs or scan internal applications or APIs, both solutions support login scripts and Internal Scanning Management (ISM).
For an overview of these solutions, watch DAST in the Veracode Platform.
DAST Essentials
Use Veracode DAST Essentials to quickly assess the security risks of your web applications and APIs. DAST Essentials provides a modern interface that enables your development teams to create and manage analyses with minimal friction.
To perform non-invasive tests on live production applications, run quick scans. Or, to perform a deeper analysis on applications or APIs in development or testing, and automate these analyses by scheduling them, run full scans.
You can create and manage analyses and scans in the Veracode Platform or using the REST API. You can also integrate DAST Essentials with your CI, SCM, and ticketing tools.
To get started, see the quickstart or learn about the advanced and enterprise features.
Dynamic Analysis
Use Veracode Dynamic Analysis for automated and scalable dynamic scanning with broad coverage.
You can create and manage analyses and scans in the Veracode Platform or using the REST API. You can also integrate Dynamic Analysis with your CI/CD and ticketing tools.
To get started, create an analysis for scanning a web application or API specification.
Video: DAST in the Veracode Platform
Prerequisites
Before you can access and use DAST Essentials or Dynamic Analysis, you must:
- Have a Dynamic Analysis license.
- Have an account with the Creator, Submitter, or Security Lead role to be able to create, configure, or start an analysis. Any member of the team associated with the analysis can view it and the results.
- Ensure your web applications or APIs are accessible from the domain for your region. This access might require creating a staging or test environment to host your application or API, making configuration changes to your firewall rules, and performing other IT activities. When running an analysis, you see traffic coming from the IP address for your region domain. Therefore, you must add the IP address to your allowlist.
- Ensure the target URLs or API endpoints you want to scan are externally accessible to Veracode for scanning. If these assets require authentication, ensure the login credentials are correct. If you configured authentication, after you submit the scan, we perform a connection and login verification. If you use a login script, ensure that the credentials are valid.
- Ensure the target web applications or APIs are active. The scans can tolerate occasional outages or downtime occurring up to five times during scanning. Excessive outages, operations within a maintenance window, or if the analysis loses its connection to Internal Scanning Management (ISM) during scanning, can cause the analysis to fail.
- Ensure the assets you want to scan use supported technologies.
- For API scanning, ensure you have a supported API specification file, permissions to scan the file, and the required authentication information. You can upload a new file or use an existing file uploaded previously. For OpenAPI specifications and Postman Collections, you must provide the base URL where the API for your specification is hosted. All scans of the specification will use this URL as an allowed host and ignore requests to other hosts. For Postman Collections, if you have defined variables in Postman environments, you must add the variables from the environment files to the variable field in your Postman Collections.
To address any details specific to your organization, contact Veracode Technical Support or your Veracode account manager.
Supported technologies
DAST Essentials and Dynamic Analysis support the following technologies for scanning and analysis.
| Scan type | Supported technologies |
|---|---|
| Web application | |
| API | |
Unsupported technologies
DAST Essentials and Dynamic Analysis do not support the following technologies for scanning and analysis.
| Scan type | Unsupported technologies |
|---|---|
| Web application | |
| API | |
Scan capacity
Your scan capacity subscription determines the concurrent scan capacity at which you can perform DAST Essentials or Dynamic Analysis scans. After you configure and start an analysis, the availability of scan engines determines if scans of the URLs or API endpoints run concurrently or if they are queued until capacity becomes available.
You can monitor the scan status for DAST Essentials and Dynamic Analysis.
Production-safe testing
The scan engine is designed to test production web applications or APIs with minimal impact. It uses testing approaches that do not harm or accidentally delete any data on the target website or API server. For example, the Veracode SQL injection test patterns use timing-based methods that append to the existing query without altering its logic. In addition, the XSS test strings inject JavaScript that is benign and does not execute outside the embedded browser used by the scan engine.
A small number of applications might experience issues during scanning. This typically happens when a legacy application cannot support a moderate amount of traffic, or when an application contains user input forms with CAPTCHA controls. Forms that lack input validation may be associated with business logic that generates email notifications or tickets. In these cases, the activity generated by the scan engine can reduce the availability of applications or generate redundant test data. For these reasons, we recommend notifying the owners responsible for an application before scanning it.
Licensing for API scanning
To scan APIs (specifications or Postman Collections), you must have a Dynamic Analysis license. To determine the number of specification files you can scan, we use the target URLs in your license. Each target URL equates to a unique API server defined in your specifications. When you upload a specification to the Veracode Platform, it imports the URLs of the defined API servers. When you upload a Postman Collection, you must add a custom base URL. The scanners use the custom base URL as the target URL and only scan requests that use the target URL.
During a specification scan, the scanners detect the target API server and deduct it from the number of target URLs available in your license. If a specification has multiple servers defined, you can select the server you want to use when configuring the scan. If you scan a specification using a defined server, and then scan that same specification using a different server, we treat both servers as separate target URLs and deduct both target URLs from your license.
Ensure your Dynamic Analysis license has an adequate number of target URLs for the number of API specifications you want to scan. To obtain or change a Dynamic Analysis license, contact your Veracode sales representative.
How we process API specifications
When you upload an API specification as an OpenAPI or HAR file, the scan engine performs the following to prepare the file for analysis:
- Converts OpenAPI files to HAR files.
- Parses the HAR files to extract the list of endpoints and the URLs of the target API servers.
- Generates the API call requests.
If you upload a HAR file, it skips the conversion step. When configuring an analysis, you can select which endpoints from this list to include or exclude during scanning. The scan engine does not convert Postman Collections to HAR files.
The scan engine periodically reprocesses the API specifications to ensure that they are up-to-date. We recommend that you periodically review recurring scans to ensure that all endpoints or requests are accurate. If the server-side logic for detecting eligible endpoints or requests changes, you might need to update your scan configurations to include or exclude these rules.
After scheduling the analysis, you can download the HAR file of each scanned API specification from the Veracode Platform. You can also re-upload a downloaded HAR file for scanning.
OpenAPI 2.0 conversion to HAR
When converting OpenAPI 2.0 specification files to HAR format, the scan engine first converts them to OpenAPI 3.0 using the official OpenAPI Swagger Parser. OpenAPI 3.0 supports multiple servers, whereas an OpenAPI 2.0 file describes a single server through its host and basePath properties. During conversion, the scan engine therefore treats the host and basePath combination as a single entry in the OpenAPI 3.0 servers array.
OpenAPI 3.1 or 3.0 conversion to HAR
When converting OpenAPI 3.1 or 3.0 specification files to HAR format, the scan engine enumerates the API endpoints and generates values for all associated properties. While generating these values, the scan engine retains relevant schema data from the specification to ensure the values are valid. Veracode strongly recommends that all properties in a specification include a detailed schema.
The scan engine uses the endpoints and properties to form HTTP requests, which it also stores in the HAR format. For certain values, particularly URL properties, the HAR files contain URLs that include the property names, typically enclosed in curly brackets ({,}). Corresponding values are encoded within the open-ended comment property present on the request within the HAR file. Other structures within the HAR format might use the comment property to encode schema information and other metadata that the scan engine can use during scanning. Because of these dependencies, prior to re-uploading a downloaded HAR file, Veracode highly recommends that you do not modify the comment property or any of the structures within the HAR file.
HAR conversion and processing
Before scanning HAR files, the scan engine converts the HAR format to internal data structures. During the conversion, the scan engine resolves any URL properties to generate the final, fully-qualified URLs for each request, and then applies all property values.
If an API specification contains combinations of path tokens and hosts for the target API servers, these values can result in double-slashes (//) rather than single slashes during an API request. During conversion, the scan engine changes multiple repeating slashes into single slashes when generating the request URLs. To avoid potential errors during scanning, before uploading your specification, ensure all paths use the correct path format.
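The following script is an added example, not Veracode's code, that models the preparation pipeline described in this section: it enumerates the operations of a small constructed OpenAPI 3.0 document, generates schema-valid sample values, stores each request as a HAR entry whose URL keeps the {template} names while the generated values are encoded in the request's comment property, and then resolves those entries into fully-qualified URLs, collapsing the double slashes that a server URL with a trailing slash produces. The HAR layout, the JSON encoding inside comment, and the function names are this example's own assumptions; the scan engine's actual format is not documented here.

```python
"""Added example (not Veracode's code): OpenAPI 3 -> HAR-style entries -> final URLs."""
import json
from urllib.parse import urlencode

# Constructed OpenAPI 3.0 document. The server URL ends in "/" and the paths
# begin with "/", so naive joining yields "//" (the case discussed above).
OPENAPI_DOC = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.com/v1/"}],
    "paths": {
        "/pets/{petId}": {"get": {"parameters": [
            {"name": "petId", "in": "path", "required": True,
             "schema": {"type": "integer", "minimum": 1}},
            {"name": "verbose", "in": "query", "schema": {"type": "boolean"}},
        ]}},
        "/pets": {"post": {"requestBody": {"content": {"application/json": {"schema": {
            "type": "object",
            "properties": {"name": {"type": "string", "maxLength": 20},
                           "age": {"type": "integer", "minimum": 0}}}}}}}},
    },
}

def sample_value(schema):
    """Generate one value that honours the constraints kept from the schema."""
    t = schema.get("type", "string")
    if t == "integer":
        return schema.get("minimum", 0)
    if t == "boolean":
        return True
    if t == "object":
        return {k: sample_value(v) for k, v in schema.get("properties", {}).items()}
    if t == "array":
        return [sample_value(schema.get("items", {}))]
    return "example"[: schema.get("maxLength", 7)]

def openapi_to_har(doc):
    """Build HAR entries; {template} names stay literal, values go into `comment`."""
    entries = []
    server = doc["servers"][0]["url"]
    for path, ops in doc["paths"].items():
        for method, op in ops.items():
            path_vals, query_vals = {}, {}
            for p in op.get("parameters", []):
                target = path_vals if p["in"] == "path" else query_vals
                target[p["name"]] = sample_value(p["schema"])
            body = None
            content = op.get("requestBody", {}).get("content", {})
            if "application/json" in content:
                body = sample_value(content["application/json"]["schema"])
            entries.append({"request": {
                "method": method.upper(),
                "url": server + path,  # e.g. ".../v1//pets/{petId}", resolved later
                "queryString": [{"name": k, "value": str(v).lower()}
                                for k, v in query_vals.items()],
                # Assumed encoding: generated path values and body live in `comment`.
                "comment": json.dumps({"path": path_vals, "body": body}),
            }})
    return {"log": {"version": "1.2", "entries": entries}}

def collapse_slashes(url):
    """Turn 'https://h//a///b' into 'https://h/a/b' without touching the scheme."""
    scheme, _, rest = url.partition("://")
    while "//" in rest:
        rest = rest.replace("//", "/")
    return f"{scheme}://{rest}"

def resolve_requests(har):
    """Apply the comment-encoded values to each templated URL; return (method, url, body)."""
    resolved = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        meta = json.loads(req["comment"])
        url = req["url"]
        for name, val in meta["path"].items():
            url = url.replace("{" + name + "}", str(val))
        url = collapse_slashes(url)
        if req["queryString"]:
            url += "?" + urlencode({q["name"]: q["value"] for q in req["queryString"]})
        resolved.append((req["method"], url, meta["body"]))
    return resolved

if __name__ == "__main__":
    for method, url, body in resolve_requests(openapi_to_har(OPENAPI_DOC)):
        print(method, url, body)
```

Because the templated URL and the comment property depend on each other, editing either one in a downloaded HAR file breaks resolution, which is the reason behind the recommendation above not to modify the comment property before re-uploading.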
API server URLs
You can only scan the absolute, or base, URL of the server that is hosting the API you want to scan. The scan checks for this URL when you upload an API specification or Postman Collection to the Veracode Platform. If the scan can't determine this URL from the uploaded specification or Postman Collection, you see an error with a field to enter the fully-qualified URL. Enter the base URL for your API. For OpenAPI specifications, you can add a custom base URL. By default, when you configure a scan, Veracode automatically selects the base URL from the list of available servers. This base URL replaces any relative URLs in your specification. For Postman Collections, a base URL is required because the URL defines an allowed host that the scanners can attack to find vulnerabilities in requests. HAR files do not support base URLs. If you do not know the base URL for your API, contact the development team that provided the specification file.
After you add a base URL, the scanners treat the value as a url entry in the OpenAPI servers list, as explained in the OpenAPI 3 Documentation. Ensure your value includes any base path. For example, if an API has endpoints under /v1/pets, the absolute URL must also include that path: https://api.example.com/v1/pets.
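The checks below are an added example, not Veracode's code, of what a practitioner can run before uploading a specification or Postman Collection, following the base-URL rules in this section: a custom base URL is appended as another url entry in the servers list, a relative or base-path-less URL is rejected, Postman environment values are copied into the collection's variable list, {{variables}} are resolved, and requests to any host other than the target base URL are dropped because they fall outside the allowed host. The collection, environment file and helper names are constructed for this example.

```python
"""Added example (not Veracode's code): pre-upload checks for base URLs and Postman scope."""
import re
from urllib.parse import urlparse

def add_custom_base_url(servers, base_url):
    """Model a custom base URL as one more `url` entry in the OpenAPI servers list."""
    return list(servers) + [{"url": base_url, "description": "custom base URL"}]

def check_base_url(url, base_path=None):
    """Return a list of problems; an empty list means the URL is usable as a target."""
    problems = []
    parts = urlparse(url)
    if not (parts.scheme and parts.netloc):
        problems.append(f"{url!r} is not an absolute URL")
    if base_path and not parts.path.rstrip("/").endswith(base_path.rstrip("/")):
        problems.append(f"{url!r} does not end with base path {base_path!r}")
    return problems

# Constructed Postman Collection (v2.1 shape) and a Postman environment export.
COLLECTION = {
    "info": {"name": "pets"},
    "variable": [{"key": "baseUrl", "value": "https://api.example.com/v1"}],
    "item": [
        {"name": "list", "request": {"method": "GET", "url": {"raw": "{{baseUrl}}/pets"}}},
        {"name": "one", "request": {"method": "GET", "url": {"raw": "{{baseUrl}}/pets/{{petId}}"}}},
        {"name": "cdn", "request": {"method": "GET", "url": {"raw": "https://cdn.example.net/logo.png"}}},
    ],
}
ENVIRONMENT = {"values": [{"key": "petId", "value": "42", "enabled": True}]}

_VAR = re.compile(r"\{\{(\w+)\}\}")

def merge_environment(collection, environment):
    """Copy enabled environment values into the collection's own variable list."""
    merged = dict(collection)
    merged["variable"] = list(collection.get("variable", [])) + [
        {"key": v["key"], "value": v["value"]}
        for v in environment.get("values", []) if v.get("enabled", True)]
    return merged

def expand_requests(collection):
    """Return (name, method, url) tuples with {{vars}} resolved from collection variables."""
    values = {v["key"]: v["value"] for v in collection.get("variable", [])}
    out = []
    for item in collection["item"]:
        raw = item["request"]["url"]["raw"]
        url = _VAR.sub(lambda m: values.get(m.group(1), m.group(0)), raw)
        out.append((item["name"], item["request"]["method"], url))
    return out

def filter_allowed_host(requests, base_url):
    """Keep only requests whose scheme and host match the target base URL."""
    base = urlparse(base_url)
    return [r for r in requests
            if (urlparse(r[2]).scheme, urlparse(r[2]).netloc) == (base.scheme, base.netloc)]

def plan_postman_scan(collection, environment, base_url, base_path=None):
    """Validate the base URL, merge the environment, and list in-scope requests."""
    problems = check_base_url(base_url, base_path)
    if problems:
        return {"problems": problems, "requests": []}
    merged = merge_environment(collection, environment)
    requests = filter_allowed_host(expand_requests(merged), base_url)
    unresolved = [f"unresolved variable in {name}" for name, _, url in requests if _VAR.search(url)]
    return {"problems": unresolved, "requests": requests}

if __name__ == "__main__":
    print(plan_postman_scan(COLLECTION, ENVIRONMENT, "https://api.example.com/v1", "/v1"))
```

Running the plan with an empty environment reports the unresolved {{petId}} variable instead of silently sending a request containing the literal placeholder, which is the failure the note about Postman environment variables in the prerequisites is meant to prevent.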