
Configuring your custom APIs for security testing

By Manindar
December 20, 2022

Importing custom APIs 

API-import-method1.png

  1. From the Home dashboard, click on the New application button

  2. Complete the domain verification process (You can refer to this help section if you need assistance with verification)

  3. On the API import screen, choose custom API and then click on the API configuration button to proceed

Configuring custom APIs 

API-import-method2.png

REST API

  1. From the dropdown menu in the top-right corner, select REST API.

  2. Provide a name for the API in the name field 

  3. Choose the HTTP method from the available options in the drop-down menu 

  4. Enter the API URL in the field.

Parameters

API_parameters-tab.png

  1. Create the Key-Value variable pair by entering the Key and the corresponding Value in the respective fields

  2. You can also include/exclude the variable by selecting or deselecting the checkbox

  3. And if you decide to delete any of the Key-Value pairs, you can click on the delete icon

  4. Finally, click on Save button to complete the configuration

Authorization

API_authorization.png 

  1. You can either Inherit the global authorization, set the API up with No auth, or choose one of the 4 available authorization types (API Key, Bearer Token, Basic Auth or OAuth 2.0), matching the authorization the API actually uses

  2. Select an existing configuration from the Configurations dropdown or set up new details based on the selected authorization type

Note: If you have configured and enabled Global authorization, its details are also reflected in this tab. Enable the Has API role checkbox if the API uses role-based authorization. (If you select a configuration that does not match, an error message box is shown at the top-right of the dashboard.)

Headers

API_headers-tab.png

Create the ‘Key-Value’ variable pair by providing the key and its respective value in the respective fields. 

Click on the ‘Save’ button. 

Body

API_body-tab_none.png

If the API doesn’t have a body, the radio button defaults to ‘None’.

API_body-tab.png

If you wish to add a new API body, then choose the body type (Form data, x-www-form-urlencoded, Raw). 

If you choose the Form data button, then you must provide its ‘Key-Value’ pair and click on the Save button. 

API-body-tab_form-data.png

If you choose the x-www-form-urlencoded button, then you must provide its ‘Key-Value’ pair and click on the Save button. 

API_body-tab_x-www-form-urlencoded.png

And if you choose the Raw button, you must choose the content type (TEXT, JSON, XML, HTML) and paste the body content into the text area.

API_body-tab_raw.png

Click on the Save button after you complete your configurations. 
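The three body types on this tab differ only in how the request body is encoded on the wire. The following Python snippet is an added example, not code from the product, showing what each radio button produces: form data becomes a multipart/form-data body, x-www-form-urlencoded becomes percent-encoded key=value pairs, and Raw is sent verbatim with the Content-Type implied by the chosen type. The field names, the boundary string and the JSON validity check for Raw/JSON are constructed for the example.

```python
import json
from urllib.parse import urlencode

# Constructed sample key/value pairs, as they would be entered in the Body tab.
FORM_FIELDS = [("username", "alice"), ("note", "a&b=c")]

# Content-Type implied by the Raw sub-type chosen on the tab (example mapping).
RAW_CONTENT_TYPES = {
    "TEXT": "text/plain",
    "JSON": "application/json",
    "XML": "application/xml",
    "HTML": "text/html",
}


def encode_urlencoded(fields):
    """x-www-form-urlencoded: percent-encoded key=value pairs joined by '&'."""
    return "application/x-www-form-urlencoded", urlencode(fields).encode()


def encode_form_data(fields, boundary="----constructed-boundary"):
    """Form data: multipart/form-data with one part per key/value pair."""
    lines = []
    for key, value in fields:
        lines.append(f"--{boundary}")
        lines.append(f'Content-Disposition: form-data; name="{key}"')
        lines.append("")          # blank line separates part headers from the value
        lines.append(value)
    lines.append(f"--{boundary}--")  # closing delimiter
    lines.append("")
    body = "\r\n".join(lines).encode()
    return f"multipart/form-data; boundary={boundary}", body


def valid_raw(kind, content):
    """Only JSON can be checked before sending; TEXT/XML/HTML are sent as pasted."""
    if kind == "JSON":
        try:
            json.loads(content)
        except ValueError:
            return False
    return kind in RAW_CONTENT_TYPES


def encode_raw(kind, content):
    """Raw: the pasted content is sent verbatim; only the Content-Type changes."""
    if not valid_raw(kind, content):
        raise ValueError(f"invalid {kind} body")
    return RAW_CONTENT_TYPES[kind], content.encode()


if __name__ == "__main__":
    for ctype, body in (encode_urlencoded(FORM_FIELDS), encode_form_data(FORM_FIELDS),
                        encode_raw("JSON", '{"username": "alice"}')):
        print(ctype)
        print(body.decode())
```

Note that the urlencoded encoder escapes the `&` and `=` inside the sample value, while the multipart encoder does not need to, which is why a value that breaks one body type can work unchanged in the other.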

GraphQL API

  1. From the dropdown menu in the top-right corner, select GraphQL API.

  2. Enter the API name in the Name field 

    name.png

  3. GraphQL API schema operations 

    • If introspection is enabled, then you can use Fetch Schema here. 

      fetch-schema.png

    • If introspection is disabled, you can upload a JSON-formatted schema file from your local machine with Upload Schema here.

      fetch-schema.png

  4. Click on the Save button 

    You can find the Query, Mutation, and Subscription sub-menus under the GraphQL API project in the APIs menu. 

    3.png

  5. Add valid values to the keys in the Query variables box. (Without valid data, this API won’t be considered for testing.) 

    4.png

  6. Click on the Send button to validate the request. 

  7. Click on the Save button. 
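Two points in the GraphQL steps above are worth seeing in code: how a tool decides whether introspection is enabled (step 3) and how the Query, Mutation and Subscription sub-menus are derived from the schema (step 4), plus the step 5 requirement that every variable the operation declares has a value. The Python below is an added example and not the product's own code; the introspection responses and the operation are constructed, and treating an uploaded schema file as an introspection result (the `__schema` object) is an assumption, since the page does not specify the file layout.

```python
import json
import re

# Standard introspection query: a server with introspection enabled answers with
# data.__schema; one with introspection disabled answers with errors and no data.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types { kind name fields { name } }
  }
}
"""

# Constructed response from a server with introspection enabled.
ENABLED_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "subscriptionType": None,
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [{"name": "user"}, {"name": "users"}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [{"name": "createUser"}]},
        {"kind": "SCALAR", "name": "String", "fields": None},
    ],
}}})

# Constructed response from a server with introspection disabled.
DISABLED_RESPONSE = json.dumps({"errors": [{"message": "GraphQL introspection is not allowed"}]})


def introspection_enabled(response_text):
    """True when the response carries a __schema object with its types."""
    doc = json.loads(response_text)
    schema = (doc.get("data") or {}).get("__schema")
    return isinstance(schema, dict) and "types" in schema


def load_schema(text):
    """Accept a raw introspection response or an uploaded file holding the bare __schema object (assumed layout)."""
    doc = json.loads(text)
    if "data" in doc:
        return doc["data"]["__schema"]
    return doc.get("__schema", doc)


def root_operations(schema):
    """Map each root operation type present (Query/Mutation/Subscription) to its operation names."""
    by_name = {t["name"]: t for t in schema["types"]}
    result = {}
    for label, key in (("Query", "queryType"), ("Mutation", "mutationType"),
                       ("Subscription", "subscriptionType")):
        root = schema.get(key)
        if not root:
            continue  # the schema does not define this root type
        type_def = by_name.get(root["name"], {})
        result[label] = sorted(f["name"] for f in (type_def.get("fields") or []))
    return result


# Variable definitions look like "$id: ID!" in the parentheses after the operation name.
VAR_DEF = re.compile(r"\$(\w+)\s*:\s*([\w\[\]!]+)")


def missing_variables(operation, variables):
    """Names of non-null (trailing '!') variables the operation declares but the Query variables box leaves unset."""
    header = operation.split("{", 1)[0]  # text before the selection set holds the definitions
    return [name for name, typ in VAR_DEF.findall(header)
            if typ.endswith("!") and variables.get(name) is None]


SAMPLE_OPERATION = "query GetUser($id: ID!, $verbose: Boolean) { user(id: $id) { name } }"

if __name__ == "__main__":
    print("introspection enabled:", introspection_enabled(ENABLED_RESPONSE))
    print(root_operations(load_schema(ENABLED_RESPONSE)))
    print("missing:", missing_variables(SAMPLE_OPERATION, {"verbose": True}))
```

`missing_variables` only reports non-null variables, since a nullable variable left unset is still a valid request; the page's note that an API without valid data is not tested is why a tool would check this before the Send step.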

Configuring global authorization

Global authorization lets you authorize all the APIs in an application at once; it applies across user roles that share a common authorization.

Global-authorization.png

To set up a global authorization for your current custom APIs:

  1. Dropdown REST APIs or GraphQL from the sidebar and click on Global authorization

  2. Choose from any of the 4 available authorization types - API Key, Bearer Token, Basic Auth or OAuth 2.0 in accordance with the authorization present for the APIs

Based on the authorization type, you can refer to the respective section listed below.

Authorization type – API Key

API-key_Global-authorization.png

  1. If you choose API key, provide the Key and Value in the respective fields

  2. Then set Add to, which determines whether the key-value pair is sent in the Header or in the Query Params

  3. Click Save to complete the configuration

Authorization type – Bearer Token

authorization-without-role_bearer-token.png

  1. If you choose Bearer token, provide the Token in the corresponding field 

  2. Click Save to complete the configuration

Authorization type – Basic Auth

authorization-without-role_basic-auth.png

  1. If you choose Basic Auth, provide the Username and Password in the respective fields

  2. Click Save to complete the configuration

Authorization type – OAuth 2.0

authorization-without-role_Oauth2.0.png

If you choose OAuth 2.0, you have to configure the below fields:

  1. Define whether you want to Add authorization data to - Request Headers or Request URL

  2. Choose the Grant type from the drop-down list

  3. Then fill in the remaining fields based on the chosen Grant type (Note: for details on these fields, refer to https://oauth.net/2/)

  4. Click on the Test button to ensure it is configured correctly

  5. Finally, click on Save to complete the configuration

Configuring global headers 

Global-headers1.png

Global-headers2.png

To set up global headers for your current custom APIs:

  1. Dropdown REST API or GraphQL from the sidebar and click on Global headers

  2. Create the Key-Value header pair by selecting the desired combination from the dropdown menus in the Key and Value fields; the header applies across the entire application

  3. You can also include/exclude the header by selecting or deselecting the checkbox

  4. And if you decide to delete any of the Key-Value pairs, you can click on the delete icon

  5. Finally, click on Save button to complete the configuration

Configuring global variables 

To set up global variables for your current custom APIs:

  1. Dropdown REST API or GraphQL from the sidebar and then click on Global variables

  2. Here you can follow two methods: JSON file import or manual configuration

Method 1: JSON file import (only applicable for Postman)

Global-variable_method1.png

  1. Click on the Import button present in the top right of the global variables screen  

  2. Browse and import the JSON file stored in your local machine from the prompt as shown below

Global-variable_method1_2.png

Method 2: Manual configuration 

  1. Create the Key-Value variable pair by entering the Key and the corresponding Value in the respective fields

  2. You can also include/exclude the variable by selecting or deselecting the checkbox

  3. And if you decide to delete any of the Key-Value pairs, you can click on the delete icon

  4. Finally, click on the Save button to complete the configuration
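Method 1 imports a Postman variable export, and both methods end up as Key-Value pairs with an include/exclude checkbox. The Python below is an added example, not the product's import code: it reads a Postman globals export (the `values` array of `key`/`value`/`enabled` objects that Postman produces), keeps the `enabled` flag as the include/exclude state, and substitutes `{{name}}` placeholders the way Postman does. The export contents are constructed, and using `{{name}}` as the reference syntax for these variables is an assumption, since the page does not state how variables are referenced.

```python
import json
import re

# Constructed Postman globals export, as produced by Export on the Globals pane.
POSTMAN_GLOBALS = json.dumps({
    "_postman_variable_scope": "globals",
    "name": "Workspace Globals",
    "values": [
        {"key": "baseUrl", "value": "https://api.example", "enabled": True},
        {"key": "apiVersion", "value": "v2", "enabled": True},
        {"key": "legacyToken", "value": "old-value", "enabled": False},
    ],
})


def import_postman_variables(text):
    """Return (key, value, included) tuples; 'included' mirrors the checkbox next to each variable."""
    doc = json.loads(text)
    if doc.get("_postman_variable_scope") not in ("globals", "environment"):
        raise ValueError("not a Postman variable export")
    return [(v["key"], v.get("value", ""), bool(v.get("enabled", True)))
            for v in doc.get("values", [])]


def manual_variable(key, value, included=True):
    """Method 2 equivalent: one Key-Value pair entered by hand."""
    if not key:
        raise ValueError("variable key must not be empty")
    return (key, value, included)


# {{name}} placeholder syntax, assumed here (it is Postman's convention).
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def substitute(template, variables):
    """Replace placeholders with included variable values; excluded or unknown names are left untouched."""
    active = {k: v for k, v, included in variables if included}
    return PLACEHOLDER.sub(lambda m: active.get(m.group(1), m.group(0)), template)


if __name__ == "__main__":
    variables = import_postman_variables(POSTMAN_GLOBALS) + [manual_variable("tenant", "acme")]
    print(substitute("{{baseUrl}}/{{apiVersion}}/{{tenant}}/users?t={{legacyToken}}", variables))
```

Leaving an excluded variable's placeholder in place, rather than replacing it with an empty string, makes a disabled or misspelled variable visible in the resulting URL instead of silently sending a malformed request.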

Configuring API authorization

To set up the authorization (role-based and without role):

  1. Dropdown REST API or GraphQL from the sidebar and go to API authorization

  2. Depending on the required authorizations, you can choose either or both of the following: Role-based authorization or Authorization without role

Role-based authorization

Role-based-authorization1.png

Configuring new authorization definition 

  1. Click on the Add new button.

  2. Enter a unique name in the Name field and then select the authorization type from the Type dropdown menu. 

    Role-based-authorization_auth-definition.png

Configuring new role definition

  1. Click on the New Role Definition button

  2. Click on the Role drop-down menu and click on the New button

    Role-based-authorization_new-role-definition1.png

  3. Input a name for your role, enable the checkmark, click on the newly created role definition to proceed, and click on the Save button.

    Role-based-authorization_new-role-definition2.png

    Role-based-authorization_new-role-definition3.png

  4. Click the drop-down menu icon next to the role definition

    Role-based-authorization_new-role-definition5.png

    Role-based-authorization_new-role-definition4.png

  5. Configure the required authorizations from the list of pre-configured authorization definitions.

  6. Input the authorization-related parameters by clicking the authorization definition according to your requirement.

    Role-based-authorization_new-role-definition6.png

  7. Click on the Save button

    You can find these settings reflected in the Has API role section in the APIs menu.

    Role-based-authorization_new-role-definition_API-menu_authorization.png

Authorization without role

authorization-without-role.png

Based on the authorization type, you can refer to the respective section listed below.

Authorization type – API Key

authorization-without-role_api-key.png

  1. If you choose API key, provide the Name, Key and Value in the respective fields

  2. Then set Add to, which determines whether the key-value pair is sent in the Header or in the Query Params

  3. Click Save to complete the configuration

Authorization type – Bearer Token

authorization-without-role_bearer-token.png

  1. If you choose Bearer token, provide the Name and Token in the corresponding field 

  2. Click Save to complete the configuration

Authorization type – Basic Auth

authorization-without-role_basic-auth.png

  1. If you choose Basic Auth, provide the Name, Username and Password in the respective fields

  2. Click Save to complete the configuration

Authorization type – OAuth 2.0 

authorization-without-role_Oauth2.0.png

If you choose OAuth 2.0, you have to configure the below fields:

  1. Provide the Name and define whether you want to Add authorization data to - Request Headers or Request URL

  2. Choose the Grant type from the drop-down list

  3. Then fill in the remaining fields based on the chosen Grant type (Note: for details on these fields, refer to https://oauth.net/2/)

  4. Click on the Test button to ensure it is configured correctly

  5. Finally, click on Save to complete the configuration
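The authorization types above (on the per-API Authorization tab, under Global authorization, and under Authorization without role) all reduce to where a credential is placed in the outgoing request. The following Python is an added example, not the product's code, showing that placement for each type: API Key in a Header or in the Query Params, Bearer Token and Basic Auth in the Authorization header, and for OAuth 2.0 the token request a tool has to make first (client_credentials grant only) followed by placing the obtained token in Request Headers or in the Request URL. The configurations, URLs and credential values are constructed; putting the token in the URL as the `access_token` query parameter follows RFC 6750 section 2.3 and is an assumption about what Request URL means here.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed configurations mirroring the fields on the authorization screens.
API_KEY_HEADER = {"type": "API Key", "key": "X-Api-Key", "value": "constructed-key", "add_to": "Header"}
API_KEY_QUERY = {"type": "API Key", "key": "api_key", "value": "constructed-key", "add_to": "Query Params"}
BEARER = {"type": "Bearer Token", "token": "constructed-token"}
BASIC = {"type": "Basic Auth", "username": "alice", "password": "s3cret"}
OAUTH = {"type": "OAuth 2.0", "add_to": "Request Headers", "grant_type": "client_credentials",
         "token_url": "https://auth.example/token", "client_id": "constructed-id",
         "client_secret": "constructed-secret", "scope": "read"}


def add_query_param(url, key, value):
    """Append key=value to the URL's query string, preserving existing parameters."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [(key, value)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def effective_auth(api_auth, global_auth):
    """The Authorization tab's Inherit option falls back to the global authorization."""
    return global_auth if api_auth["type"] == "Inherit" else api_auth


def apply_auth(config, url, headers=None):
    """Return (url, headers) with the credential placed where the chosen type puts it."""
    headers = dict(headers or {})
    kind = config["type"]
    if kind == "No auth":
        return url, headers
    if kind == "API Key":
        if config["add_to"] == "Header":
            headers[config["key"]] = config["value"]
        else:  # Query Params
            url = add_query_param(url, config["key"], config["value"])
        return url, headers
    if kind == "Bearer Token":
        headers["Authorization"] = f"Bearer {config['token']}"
        return url, headers
    if kind == "Basic Auth":
        creds = f"{config['username']}:{config['password']}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
        return url, headers
    raise ValueError(f"unsupported authorization type: {kind}")


def oauth_token_request(config):
    """Token request made before the API call (client_credentials grant, RFC 6749 section 4.4)."""
    if config["grant_type"] != "client_credentials":
        raise ValueError("this example implements the client_credentials grant only")
    body = {"grant_type": "client_credentials", "scope": config.get("scope", "")}
    # Client id and secret travel as HTTP Basic credentials on the token endpoint.
    _, headers = apply_auth({"type": "Basic Auth", "username": config["client_id"],
                             "password": config["client_secret"]}, config["token_url"])
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    return config["token_url"], headers, urlencode(body)


def apply_oauth_token(config, access_token, url, headers=None):
    """Place the obtained token per the 'Add authorization data to' choice."""
    if config["add_to"] == "Request Headers":
        return apply_auth({"type": "Bearer Token", "token": access_token}, url, headers)
    # Request URL: access_token query parameter (RFC 6750 section 2.3; assumed meaning).
    return add_query_param(url, "access_token", access_token), dict(headers or {})


if __name__ == "__main__":
    for cfg in (API_KEY_HEADER, API_KEY_QUERY, BEARER, BASIC):
        print(cfg["type"], apply_auth(cfg, "https://api.example/v1/users?page=2"))
    print(oauth_token_request(OAUTH))
```

Seeing the Basic Auth header as plain base64 is a useful reminder that it is an encoding, not encryption: every type here is only as safe as the TLS connection carrying it, which is why the Test button on the OAuth 2.0 screen should be run against an https token URL.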

API role map

With the API role map, you can map which user roles defined under Role-based authorization can access API groups or individual APIs, in a single simplified view.

API-role-map.png

To define access for user roles:

  1. Against each listed user role, either Select all APIs or API groups, or select the checkbox against each individual API

API logs

API-logs.png

The API logs menu shows all errors in the API configurations, so that misconfigurations can be traced back and fixed much faster.
