This Rapid7® AppSpider® 6.8 release includes:
Swagger REST API Scanning – AppSpider can now test Swagger-enabled APIs, which further automates API testing in AppSpider by removing the need to capture traffic through a proxy before a scan. You simply upload a Swagger file to AppSpider; AppSpider then uses Universal Translator to analyze the file and discover vulnerabilities in the API. This should save you significant time and let your team test more of your APIs than before.
The Swagger capability is accessible in the “Tools” section of AppSpider, where you can upload Swagger REST API documents so that the API can be scanned. Swagger, an open source project, is one of the most popular API frameworks. It defines a standard interface to REST APIs that is independent of the programming language, so a Swagger-enabled API lets both humans and computers discover and understand the capabilities of the service.
AppSpider parses the Swagger document to generate the API calls and create values for each expected parameter. The generated traffic is then saved as a TREC (traffic recording) file, which AppSpider uses to scan and attack the REST API. The Swagger Utility currently supports Swagger 2.0 documents saved in JSON.
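To make the parsing step concrete, here is an added example of what "generate calls and create values for the expected parameters" involves for a Swagger 2.0 document. This is illustrative code written for this page, not AppSpider's own implementation, and the TREC format is not documented here, so it emits plain request dicts instead. The sample spec, the `api.example.test` host and the placeholder values are all constructed for the demo.

```python
"""Turn a Swagger 2.0 (JSON) document into concrete HTTP requests.

Added illustration, not AppSpider's own code: it enumerates every operation
in the spec and fills in a well-formed value for each declared parameter.
The TREC recording format is not documented on this page, so the output
here is a list of plain dicts instead.
"""
import json
from urllib.parse import urlencode

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")

# Constructed sample spec for the demo (assumption: a minimal but realistic
# Swagger 2.0 document with path, query, header and body parameters).
SAMPLE_SPEC = json.dumps({
    "swagger": "2.0",
    "info": {"title": "Pet API", "version": "1.0"},
    "host": "api.example.test",
    "basePath": "/v1",
    "schemes": ["https"],
    "paths": {
        "/pets/{petId}": {
            # path-level parameter, shared by every operation under this path
            "parameters": [{"name": "petId", "in": "path", "required": True, "type": "integer"}],
            "get": {"parameters": [{"name": "verbose", "in": "query", "type": "boolean"}]},
            "delete": {"parameters": [{"name": "X-Request-Id", "in": "header", "type": "string"}]},
        },
        "/pets": {
            "post": {
                "consumes": ["application/json"],
                "parameters": [{"name": "body", "in": "body", "required": True,
                                "schema": {"$ref": "#/definitions/Pet"}}],
            }
        },
    },
    "definitions": {
        "Pet": {"type": "object",
                "properties": {"name": {"type": "string"},
                               "age": {"type": "integer"},
                               "tags": {"type": "array", "items": {"type": "string"}}}}
    },
})


def resolve(schema, spec):
    """Follow a local '$ref' such as '#/definitions/Pet' within the same document."""
    while "$ref" in schema:  # no cycle guard; fine for the flat sample above
        node = spec
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        schema = node
    return schema


def sample_value(schema, spec):
    """Produce a well-formed placeholder for a declared type.

    A scanner later swaps attack payloads into these slots; the placeholder
    only has to be valid enough for the API to route the request.
    """
    schema = resolve(schema, spec)
    if "enum" in schema:
        return schema["enum"][0]
    if "default" in schema:
        return schema["default"]
    t = schema.get("type", "string")
    if t == "integer":
        return 1
    if t == "number":
        return 1.0
    if t == "boolean":
        return True
    if t == "array":
        return [sample_value(schema.get("items", {}), spec)]
    if t == "object":
        return {k: sample_value(v, spec) for k, v in schema.get("properties", {}).items()}
    return "test"  # string, file, or untyped


def build_requests(spec_json):
    """Enumerate every operation in the spec and return one request per operation."""
    spec = json.loads(spec_json)
    if spec.get("swagger") != "2.0":
        raise ValueError("only Swagger 2.0 documents are handled here")
    scheme = (spec.get("schemes") or ["https"])[0]
    base = f"{scheme}://{spec['host']}{spec.get('basePath', '')}"
    requests = []
    for path, item in spec["paths"].items():
        shared = item.get("parameters", [])
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            url_path, query, headers, form, body = path, {}, {}, {}, None
            # Optional parameters are filled in too: every input is attack surface.
            for p in shared + op.get("parameters", []):
                loc = p["in"]
                if loc == "body":
                    body = json.dumps(sample_value(p.get("schema", {}), spec))
                    headers.setdefault("Content-Type", (op.get("consumes") or ["application/json"])[0])
                    continue
                val = sample_value(p, spec)
                if loc == "path":
                    url_path = url_path.replace("{" + p["name"] + "}", str(val))
                elif loc == "query":
                    query[p["name"]] = val
                elif loc == "header":
                    headers[p["name"]] = str(val)
                elif loc == "formData":
                    form[p["name"]] = val
            if form:
                body = urlencode(form)
                headers.setdefault("Content-Type", "application/x-www-form-urlencoded")
            url = base + url_path + ("?" + urlencode(query) if query else "")
            requests.append({"method": method.upper(), "url": url,
                             "headers": headers, "body": body})
    return requests


if __name__ == "__main__":
    for r in build_requests(SAMPLE_SPEC):
        print(r["method"], r["url"], r["headers"], r["body"])
```

One practical check before uploading a real document: the `host`, `basePath` and `schemes` fields decide where every generated request is sent, so confirm they point at the environment you are authorized to scan rather than, say, a production hostname copied into the spec.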
New Attack Modules
Reverse Clickjacking – a technique that tricks a user into clicking on something different from what they believe they are clicking on. A web application vulnerable to Reverse Clickjacking passes unvalidated input from requests through to the client.