
API Discovery (CLI)

API Discovery is the process of documenting APIs by scanning source code without prior knowledge of the code base.

Security teams, development teams, and platform engineers can all benefit from illuminating their APIs and automatically generating OpenAPI (a.k.a. Swagger) documentation and using it for development or testing purposes.

First, install the NightVision CLI. Follow the Installing the CLI guide to set it up on your system.

In this tutorial, you’ll download Broken Flask, create the relevant resources in NightVision, and test the API.

First, fork the repository to your GitHub account by clicking this link: https://github.com/nvsecurity/broken-flask/fork

Clone the repository:

# Change this to your GitHub username
export GITHUB_USER=YourUsername
git clone https://github.com/$GITHUB_USER/broken-flask
cd broken-flask

You’ll need to start the app locally so you can scan it. Launch the app with Docker compose:

docker compose up -d

Note: If you don’t have Docker installed, the best way to install it is by installing Docker Desktop.

Create the Target inside NightVision.

nightvision target create broken-flask-api http://localhost:4000 --type API

Next, perform the API discovery by running the following command.

nightvision swagger extract . --target broken-flask-api --lang python

Note: The --target flag attaches the resulting Swagger file to the Target resource you created.

Now run the scan:

nightvision scan broken-flask-api

This launches a scan. You can monitor its progress by clicking on the link to the scan.

Once the scan is completed, the results will be opened in your web browser.
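Before reading scan results it helps to know what the discovery step actually found. The following added example (not NightVision or Broken Flask code) parses an OpenAPI 3 document like the one the extract step attaches to the target, lists every operation with its parameters, and flags operations that carry no security requirement. The embedded spec is a constructed sample; the real extract output will differ.

```python
import json

# Constructed sample of a discovered OpenAPI 3 document (not real extract output).
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.0",
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/login": {"post": {"requestBody": {"content": {"application/json": {}}}}},
        "/search": {"get": {"parameters": [{"name": "q", "in": "query"}]}},
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {"security": [{"bearer": []}]},
            "delete": {"security": []},  # explicit opt-out of authentication
        },
    },
})

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def inventory(spec_text):
    """Return one record per operation: method, path, parameters, body, auth."""
    spec = json.loads(spec_text)
    global_security = spec.get("security")  # document-level requirement, if any
    ops = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # apply to every method on the path
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # Operation-level "security" overrides the global one; [] means no auth.
            security = op.get("security", global_security)
            ops.append({
                "method": method.upper(),
                "path": path,
                "params": [f"{p['in']}:{p['name']}" for p in shared + op.get("parameters", [])],
                "has_body": "requestBody" in op,
                "auth_required": bool(security),
            })
    return ops


def unauthenticated(ops):
    """Operations with no security requirement: review these first."""
    return [o for o in ops if not o["auth_required"]]


if __name__ == "__main__":
    for op in inventory(SAMPLE_SPEC):
        flag = "" if op["auth_required"] else "  <- no auth"
        print(f"{op['method']:6} {op['path']:14} {' '.join(op['params'])}{flag}")
```

Point the script at the real spec by replacing SAMPLE_SPEC with the file contents; operations listed by unauthenticated() are the ones worth checking against the scan's findings first.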

The scan details page contains an overview of the security issues discovered in the scan.

If you click on an issue, you’ll see a list of the URL paths, parameters, and payloads for a vulnerability type.

The issue page lists instances of a given vulnerability.

You can also click on the Status dropdown to mark an issue as ⚠️ Open, 🚩 False Positive, or ✅ Resolved.

The status dropdown allows you to mark findings as False Positives.

When you click on an issue instance, you’ll see more details:

The issue instance tab provides more data (more details below).

If you’re less familiar with Application Security or pentesting, the first two items are probably most interesting to you.

If you’re an experienced pentester, you’ll probably care more about items 3 to 5.

  1. Validate with curl: The Validate button gives you a curl command that you can run from your machine to replicate the HTTP response and confirm the vulnerability. This can also be useful in regression/integration tests, to verify that a fix holds.
  2. Explain with AI: The Explain with AI feature will explain the vulnerability in simple terms, how it manifested in this HTTP response, and the impact.
  3. Request/Response: You can click here to view the HTTP Request used to trigger the vulnerability, or the HTTP Response that shows the response indicating the vulnerability.
  4. Evidence: The Evidence tab will display information that was reflected in the response or other data that indicates the vulnerability exists, to help with your investigation.
  5. Raw HTTP response: The raw HTTP request/response body can be viewed in the panel.