4. Project Dashboard
Reading time 21 min
After registering the API, a Project tile is added in the 'Projects Section'. Users can view the Individual Project Dashboard by clicking on the desired Project tile or row.
In the Project Dashboard you can view all the current project stats represented by figures and charts. You can initiate a scan, view scan history, and check project health status. Another useful feature is the list view of the 'Open/Closed Vulnerabilities' at the very bottom of the 'Project' page.
It also has 'Configurations' and 'Reports' pages that let you configure the current API project as required and view or download detailed reports of the current Project pentest.
4.1. Project Overview
The 'Project Overview' page displays all the stats of the current Project. Most of the displayed stats are self-explanatory; the most important ones are the Scan, Endpoints, Security Categories, and Playbooks tiles. The 'Select Environment' option allows you to select different API environments for testing. By default the environment is 'Master'; you can add environments and edit existing ones in the 'Configurations' page.
More details on the environment, Profile, and Playbooks are given in chapter 4.2.
4.1.1. View Project Health Status, Scans & Activity
The 'Project Health Status' tile beside the pie charts shows the current status of the project.
- Environment: Shows the current environment and the host and port the project is configured on. By default the environment is "Master". You can edit the project environment directly by clicking on "Master". Anything shown in red here means something was missed while 'Registering the API'. (more details in chapter 4.2.1.)
- Credentials: Shows the environment credentials the project is set up with. You can directly edit or configure them by clicking on 'Edit Cred'. (more details in chapter 4.2.1.)
- Playbook Health: Displays whether all of the available 'Playbooks' are compatible with the Project Environment and are ready for a 'Scan'.
-> All Scans:
You can view the details of all the 'Scans' performed on the Project. To view 'Scan' details, click 'All Scans' on the tile beside 'Monthly Scans'.
You can view detailed individual 'Scan' results by clicking on desired scan from the list.
-> Activities:
You can view the activities performed by all of the users on the project. The logs generated for a particular activity can be viewed by clicking on the "file icon" in front of the activity.
To view the activities, click 'Activities' under 'All Scans'.
This is the logs view of the activity.
4.1.2. View Endpoints & Edit the API Source Code
The Endpoints tile on the 'Project' page shows the total number of endpoints the registered API has. When you click on this tile, you are redirected to a page where the details of all the Endpoints are given.
The notable feature on this page is that it provides an option to edit the API source code with an OAS Editor.
Note: the OAS Editor changes the API definition the project is scanned against. Do not use this feature unless you have a working knowledge of the API and of the OpenAPI Specification.
4.1.3. Initiate a Scan
The most important feature on the 'Project' page is the 'Scan'. You can initiate a Scan on the current Project by clicking on the blue scan tile on the right of the page.
Before initiating a scan, you need to make a few quick configuration choices:
- Profile: Select the environment and profile to run the scan on. (more details in chapter 4.2.3.)
- Scanner: Select a Public or Private Scanner. (scanner details in chapter 7: Deploy Scanners)
- Categories: Select the Security Category(s) to test against the API. (more details in chapter 9)
You can initiate a Scan by clicking on 'Submit' or go to the 'Advanced' section for more custom settings.
The 'Advanced' section lets you narrow the Scan with the following:
- Resources: Select the API resources to include in the Scan.
- Endpoints: Select the API endpoints to include in the Scan.
- Playbooks: Add custom Playbooks for the Scan. (more details in chapter 4.2.4.)
Also, you can select the check box 'Email report after scan completion' to receive the Scan report on your registered email.
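As an added example (not APIsec code), the following script shows what the Endpoints tile counts and what the 'Resources' and 'Endpoints' choices in the Advanced section select from: one endpoint per operation (method plus path) in the OpenAPI document. The sample specification is constructed for the example, and the definition of a resource as the first path segment is an assumption made here, not something the product documents.

```python
"""Enumerate the endpoints of an OpenAPI 3 document and scope a scan by resource.

Added illustration, not APIsec code. One endpoint = one operation (METHOD, path).
The definition of a 'resource' as the first path segment is an assumption.
"""
import json

# Constructed sample specification; not a real API.
SAMPLE_OAS = json.dumps({
    "openapi": "3.0.0",
    "info": {"title": "Sample shop API", "version": "1.0"},
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{id}": {"get": {}, "put": {}, "delete": {}},
        "/orders": {"get": {}},
        "/orders/{id}/items": {"get": {}, "post": {}},
        "/health": {"get": {}},
    },
})

# Only these keys of a path item are operations; 'parameters', 'summary'
# and vendor extensions are not endpoints and must not be counted.
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def list_endpoints(oas_text):
    """Return one (METHOD, path) tuple per operation in the document."""
    spec = json.loads(oas_text)
    endpoints = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method in item:
                endpoints.append((method.upper(), path))
    return endpoints


def resource_of(path):
    """Resource name: the first path segment (assumption for this example)."""
    segments = [s for s in path.split("/") if s]
    return segments[0] if segments else "/"


def endpoints_by_resource(oas_text):
    """Group endpoints by resource, the view behind a 'Resources' selection."""
    groups = {}
    for method, path in list_endpoints(oas_text):
        groups.setdefault(resource_of(path), []).append((method, path))
    return groups


def scope_scan(oas_text, resources=(), endpoints=()):
    """Return the endpoints a scan covers when whole resources and/or
    individual endpoints are selected; an empty selection means all of them."""
    all_endpoints = list_endpoints(oas_text)
    if not resources and not endpoints:
        return all_endpoints
    wanted = set(endpoints)
    return [
        (m, p) for m, p in all_endpoints
        if resource_of(p) in resources or (m, p) in wanted
    ]


if __name__ == "__main__":
    print("Endpoints:", len(list_endpoints(SAMPLE_OAS)))
    for resource, ops in endpoints_by_resource(SAMPLE_OAS).items():
        print(f"  {resource}: {len(ops)} endpoint(s)")
    print("Scan scope:", scope_scan(SAMPLE_OAS, resources={"orders"},
                                   endpoints={("DELETE", "/users/{id}")}))
```

The point of the 'Resources' versus 'Endpoints' distinction is scope control: selecting a resource picks every operation under it, while selecting an endpoint picks a single method on a single path, and the two selections are combined.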
When you click on 'Submit', the Scan is initiated.
After the Scan is completed, all the results are displayed.
The results page lists the Playbooks run against the API and the outcome of each. You can view the logs and Analytics of each Playbook separately by clicking on the buttons under the 'Analytics' column.
This is the log view.
This is the Analytics view.
4.1.4. View Open Vulnerabilities
At the bottom of the 'Project' page, the list of Open Vulnerabilities appears after the Scan. You can view the details of each vulnerability by clicking on it.
From here you can perform certain actions such as downloading the reports, closing vulnerabilities, viewing the RBAC map, or viewing the list of closed vulnerabilities.
If you click on any 'Open Vulnerability' you are redirected to the vulnerability details page. This page contains all of the information about the particular vulnerability, including the logs and remediation techniques. You can perform certain actions that include:
- Reverify: Prompts you to run another scan of this test. This way you can check whether the finding was a false positive.
- Deactivate Test: Discards/closes the vulnerability and deactivates the 'Playbook'. This means that this test will no longer run for this endpoint.
- Mark endpoint unsecured: Adds an 'Unsecure' flag to that particular endpoint, so that secured and unsecured endpoints can be segmented. This option only shows up for authentication-type vulnerabilities.
- Dismiss: Completely removes the vulnerability from the record.
- Bulk Close/Archive: Closes or archives all the vulnerabilities in one action. Those vulnerabilities will no longer appear under the 'Open Vulnerabilities' section.
- Review: Allows you to mark the vulnerability 'reviewed' for others to see.
4.2. Configurations Page
The 'Configurations' tab next to the 'Project' tab takes you to the Project configuration page. This page is the control panel of the Project, where you can manage:
- Environment & Credentials
- Variables
- Profiles
- Playbooks
- Categories
- Payloads
- Integrations
- Details
Please note that all the settings will be limited to the current Project only. Every Project needs to be configured separately from the respective 'Project Dashboard'.
4.2.1 Set up the Environment & Credentials
This page allows you to add, edit, and delete the current API testing environment and the API user-login credentials.
-> Environment Details:
When you register the API, the API environment is created. The default name is "Master" and the base URL is the API URL registered. You can add or clone an environment by clicking on the ellipsis beside the scroll bar.
When you click on 'Add Env' you are redirected to the page below. Enter the "Name" and the "Base URL", and click 'Create' to add a new environment.
The 'Clone Env' option creates a copy of the current environment.
-> Authentications:
The 'Authentications' list contains all the 'Credentials/Tokens' previously provided while registering the API. You can also add and edit them on this page.
Every environment must contain both a "Default" and an "Invalid_Auth" authentication for security testing: the tests need one credential that is known to be accepted and one that is known to be rejected.
- "Default" contains the default (valid) credentials
- "Invalid_Auth" contains invalid credentials
To add an authentication, click on 'Add Auth' under the ellipsis menu.
To add an authentication, provide the "Name" and select the "Authentication Type".
The credentials required vary with the selected type. Most types require a username and password.
You can bulk-add the authentications by clicking on 'Bulk Add Auths' under the ellipsis menu. The explanation is provided in Section 1.
To test an added authentication, click on its name in the list, then click on 'Test Authentications'. You can test all of the authentications by clicking the 'Save & Test All Auths' button at the very bottom of the page.
If the authentication is valid, a pop-up will appear (like the screenshot below) and the status will change from "Not Working" to "Working".
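As an added example (not APIsec code), the script below shows why both the "Default" and the "Invalid_Auth" authentications are required. A constructed in-memory API stands in for the target so it runs offline; 'credential_status' mirrors the 'Test Authentications' check, and 'check_auth_profiles' performs the negative test that the Invalid_Auth credential exists for: a protected endpoint that still answers 200 to an invalid or missing credential is an authentication finding, while a rejected Default credential is a configuration problem rather than a vulnerability. The endpoint names, tokens and 'requires_auth' flags are assumptions made for the example.

```python
"""Why every environment needs both a 'Default' and an 'Invalid_Auth' credential.

Added illustration, not APIsec code. The target API, tokens and endpoint
list are all constructed for this example.
"""

DEFAULT_TOKEN = "tok-default-user-123"   # constructed: the 'Default' credential
INVALID_TOKEN = "tok-not-issued"         # constructed: the 'Invalid_Auth' credential


def toy_api(method, path, headers):
    """Constructed target; returns an HTTP status code.
    /admin/export is deliberately broken: it only checks that an
    Authorization header is present, not that the token is valid."""
    auth = headers.get("Authorization", "")
    if path == "/health":
        return 200                       # public endpoint by design
    if path == "/admin/export":
        return 200 if auth else 401      # bug: any bearer value is accepted
    if auth == f"Bearer {DEFAULT_TOKEN}":
        return 200
    return 401


# (method, path, requires_auth); the flag would normally come from the
# 'security' requirements in the OpenAPI document (assumption here).
ENDPOINTS = [
    ("GET", "/health", False),
    ("GET", "/users", True),
    ("GET", "/admin/export", True),
]


def credential_status(send, token, probe=("GET", "/users")):
    """'Working' if the credential is accepted on a known protected endpoint."""
    method, path = probe
    status = send(method, path, {"Authorization": f"Bearer {token}"})
    return "Working" if status == 200 else "Not Working"


def check_auth_profiles(send, endpoints, default_token, invalid_token):
    """Send each endpoint a valid, an invalid and an anonymous request and
    classify the outcome as a config problem or an authentication finding."""
    findings = []
    for method, path, requires_auth in endpoints:
        valid = send(method, path, {"Authorization": f"Bearer {default_token}"})
        invalid = send(method, path, {"Authorization": f"Bearer {invalid_token}"})
        anonymous = send(method, path, {})

        if valid != 200:
            # The Default credential itself is 'Not Working' for this
            # endpoint: fix the environment before trusting any result.
            findings.append((method, path, "config", "Default credential rejected"))
            continue
        if not requires_auth:
            continue                     # public endpoint: nothing to enforce
        if invalid == 200:
            findings.append((method, path, "vuln", "accepts Invalid_Auth credential"))
        if anonymous == 200:
            findings.append((method, path, "vuln", "accepts request with no credential"))
    return findings


if __name__ == "__main__":
    print("Default:", credential_status(toy_api, DEFAULT_TOKEN))
    print("Invalid_Auth:", credential_status(toy_api, INVALID_TOKEN))
    for finding in check_auth_profiles(toy_api, ENDPOINTS, DEFAULT_TOKEN, INVALID_TOKEN):
        print(*finding)
```

Note the ordering of the checks: the Default credential is verified first, because if it is rejected the invalid and anonymous requests prove nothing. This is the same reason to run 'Save & Test All Auths' before starting a Scan.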
4.2.2. Configure the Variables
This section allows you to add, edit or delete the API variables. Initially they are auto-fetched when the API is registered. You can add new variables and modify the ones already existing.
To add a new variable, click on '+ New Variable' and provide the required values as shown in the screenshot below.
To add variables in bulk, click on '+ New Variables (Bulk)' and provide the required values as shown in the screenshot below.
You can upload an Excel file or enter all the variables in the text box in the format described in the comment box.
4.2.3. Set up the Scan Profile
This section allows you to set up the scan profile(s) for the Project environment. You can configure the profile(s) for different environments.
To add a new profile, click on '+ New Profile'. Provide the required values as shown in the screenshot below. You can also schedule a time for daily scans on the selected API environment.
Some profiles already exist; they are created automatically when an API is registered and the environment is configured. You can edit these profiles and schedule daily scans on them.
APIsec also provides "Training Profiles". The only difference is that these profiles do not track vulnerabilities. They are for beginners who want to learn by exploring.
4.2.4. Play with Playbooks
Playbooks execute the payloads against the configured target API + environment. APIsec has over 1200 Playbooks, of which 229 are currently available for scanning; the remaining 994 have been added to the APIsec central repository and are released for use in the product over time. New Playbooks are constantly added.
The "Coverage Breakdown" pie chart shows the categories of Playbooks and the total number of Playbooks in each category. When you click on a slice of the pie chart, all of the Playbooks in that 'Security Category' appear below.
The "Playbook Trend" graph next to the pie chart shows the number of Playbooks over time. From April 23, 2022 until the time of writing this document, the total number of Playbooks remained constant at 1223.
The section below the figures contains the list of Playbooks. You can filter the Playbooks by category, or show only working, newly added, or all Playbooks.
-> Create a New Playbook:
To create a new Playbook, click on '+ New Playbook'.
The Playbook script text editor opens with a commented template. Someone with the relevant technical background can understand the template from the comments and write or edit the script. You also need to choose the Playbook type. Only the 'POST Playbook' type is currently available; choose it when the new Playbook needs to send a POST request.
-> Bulk Create/Delete Playbooks:
You can bulk add and delete the playbooks based on the 'Security Category(s)'.
To create Playbooks, select the category(s) and click 'Submit'. APIsec auto-generates the Playbooks for the selected category ("Authentication Exploit" in the example).
You can bulk delete Playbooks via the 'Delete Playbooks' option.
-> Edit the Playbook(s):
APIsec also allows you to edit the pre-built or user-added Playbooks and propagate the changes across the platform.
To edit a Playbook, click on the desired Playbook.
You can edit the script in the text editor and save the changes. You can also run a Scan on the API using only that particular Playbook.
To run such a Scan, select an environment, select a scanner, and click on 'Scan'.
The ellipsis at the top right of this pop-up contains the options for propagating the changes.
4.2.5. Categories
The categories on the 'Configurations' page are the same as the 'Security Categories' (chapter 9) option in the 'Services' menu. APIsec has a total of 118 categories: 34 are currently active and 84 are inactive. Inactive categories are activated as needed.
You can switch between 'Tiles View' and 'List View' as needed, and apply the filters All, Active, Inactive, and Type to the categories.
To view the details of a category and configure its attack scenarios, click on the tile of the desired category.
The page shown below contains:
- Name
- Overview
- Severity
- Vulnerability Impact
- Exploitation
- Remediation
- References
- Attack Scenarios
There are some configuration options at the bottom of the page. These are explained in chapter 9.
To add a new attack scenario, click on '+ Add Attack Scenarios' and provide the required values.
To edit an existing attack scenario, click on the desired one in the list.
When configuration is complete you can either only save the changes or choose 'Save and Rewrite Playbooks'. If major changes were made, 'Save and Rewrite Playbooks' is recommended, so that the generated Playbooks reflect the new scenarios.
4.2.6. Payloads
APIsec has 4 types of Payloads:
- Default
- Injection
- Stored Injection
- Access Based Authentication Control (ABAC)
These payloads are used by Playbooks to exploit the vulnerabilities in the API. If you edit a payload, you need to re-configure the relevant Playbook(s).
To edit a Payload, click on one in the list. Once the payload is edited, you can 'Lock & Save', 'Save', or 'Save & Propagate'. The last option saves the payload and propagates the change to all the Playbooks that use it.
4.2.7. View the Details of Project
This view contains all of the details about the registered API in the current project. The details include:
- API source code
- API Name
- API document or URL
- Collaborators
The 'API project' page contains the details about the API.
The 'Collaborators' view allows you to assign registered users to manage the project.
'OpenAPI Spec' contains the API code. In this example 'Non OAS' is empty because the registered API was supplied as an OpenAPI Specification; if the API is registered in any other supported format, its definition appears under 'Non OAS' instead.