Snyk API & Web - Using the web interface
Configuring web application and API DAST scans
Snyk API & Web is a new-gen fully-integrated dynamic application security testing (DAST) solution that creates and helps you manage a complete inventory of your APIs and Web Apps, and then probes them for vulnerabilities.
With Snyk, you can narrow the gap between development, security, and operations by making security an intrinsic part of your development life cycle. In this lesson, Snyk API & Web - Using the web interface, you will learn how to configure targets, initiate scheduled scans, test APIs, and review findings, discovery, and reporting.
Snyk API & Web can also be configured using API, or integrated into CI/CD. It has integrations built to manage communication via Jira, Slack, and other options. From a workflow perspective, Snyk API & Web can be used via API, run partial scans on new/modified pages, and provide visibility to scans that teams own, just to name a few capabilities.
Detailed information can be found in:
What is a Target?
DAST scanning involves the scanner inventorying what pages, interactions or APIs exist by interacting with the website just as a user would. This usually means crawling the site and then testing it by sending modified requests that probe for SQL injection, cross-site scripting, and many other issue classes. When testing an API, a Swagger file or Postman collection can inform what to test. A Target URL must be provided to tell the scanner where to start and, more importantly, to limit the scope of the scan to what it is allowed to crawl and test.
So essentially, a Target is the URL of a Web Application, Website, or API.
The Target defines the scope of the scan. The scanner will never leave its scope. It will never scan any page that is not prefixed with the Target's base URL. Extra Hosts, a feature we will discuss later, is the exception to this.
For example, if the Target is https://example.com, the scanner will not scan https://www.example.com or any other host. In other words, the scanner will only scan URLs prefixed by https://example.com.
You can also think of a Target as to how you want to organize your security testing. Imagine you have a big application at https://example.com. This application includes different sections or modules that can even be built by different teams. You can split it into different Targets to facilitate your workflows, like https://example.com/sectionA and https://example.com/sectionB.
Scoping and configuration of Snyk for more complex applications are discussed later, in the "Defining scan scope" section of this lesson. The following list is a snapshot of some of the scenarios that will be covered:
- The site is composed of several domains as you navigate it.
- The user is redirected to a login page hosted elsewhere.
- Load balancers changing the domain.
Configuring a Target
This video will cover the following topics:
- Creating a Target
- Profiling a site
- Configuring Targets in the web interface
- Selecting Web vs Standalone API
- Selecting Agent
- Assigning a team
Video: 6m01s
Verifying your site
If this is the first time you've scanned your site, you may need to validate, or authorize your site for scanning. If this is required, you will see the following warning upon creation of your target:
You must verify your site in order to scan with Snyk API & Web. Click the warning and click the "Verify" button.
A set of options will be presented to validate the site:
For more information on why verification of ownership is required and how to use the different methods, please refer to Snyk's documentation on ownership.
Defining scan scope
Targets define where to start navigating, but also how to restrict the scope of a crawl or scan. Essentially anything found after the specified path will be included in the scope of the scan. For example https://www.patchmutual.com/bank would restrict the crawler to anything that starts with /bank in the path.
There is also an additional setting, Extra Hosts, which is covered later in the "Additional settings - Extra hosts" section. Extra Hosts specifies domain(s) that might be detected during a crawl when the site's front-end UI makes API calls over AJAX. If Snyk encounters an AJAX call to a host listed in Extra Hosts, that request is in scope for testing. Note that the crawler does not do any additional crawling on these domains.
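To make the scoping rules from the two passages above concrete, here is an added example (not Snyk's code) that models them: a URL is crawled and tested only when it is prefixed by the Target base URL, and an AJAX request to a configured extra host is testable but never crawled. The target and extra-host values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed model of the lesson's scope rules; not Snyk's implementation.
#  - crawl+test scope: URL starts with the Target base URL (scheme, host, port, path)
#  - test-only scope: an AJAX/API call whose host is listed under Extra Hosts
#  - everything else is out of scope and must never be touched by the scanner


def in_target_scope(target: str, url: str) -> bool:
    """True when url is prefixed by the Target base URL, as the lesson describes."""
    t, u = urlsplit(target), urlsplit(url)
    # Different scheme, hostname or port means a different host: out of scope.
    if (t.scheme.lower(), t.netloc.lower()) != (u.scheme.lower(), u.netloc.lower()):
        return False
    # Path prefix rule: a Target of /bank keeps the scanner under /bank only.
    return u.path.startswith(t.path)


def classify(target: str, extra_hosts: set[str], url: str, via_ajax: bool = False) -> str:
    """Return 'crawl+test', 'test-only' or 'out-of-scope' for a discovered URL."""
    if in_target_scope(target, url):
        return "crawl+test"
    # Extra Hosts only apply to AJAX/API calls found during the crawl; the
    # crawler does not follow ordinary links to these domains.
    if via_ajax and (urlsplit(url).hostname or "") in extra_hosts:
        return "test-only"
    return "out-of-scope"


if __name__ == "__main__":
    # Constructed sample: root target, one extra host for the front end's API.
    target, extra = "https://example.com", {"api.example.com"}
    for url, ajax in [
        ("https://example.com/login", False),
        ("https://www.example.com/", False),
        ("https://api.example.com/v1/users", True),
        ("https://api.example.com/v1/users", False),
    ]:
        print(f"{url:40} ajax={ajax!s:5} -> {classify(target, extra, url, ajax)}")
```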
Topics covered in the following video:
- Scoping to specific URLs
- Load balancers
- Domain sharding
- Applications listening on specific ports
- Domain redirects
Video: 12m33s
Modern web applications often require authentication before they can be accessed and used. This section reviews how to configure this within Snyk API & Web, using form-based authentication, where Snyk API & Web completes the provided login form, and using a recorded login sequence.
The Login form method is useful for simple sites where login consists of a single form submission.
Topics covered in the following video:
- Authentication using the login form method
- Basic authentication
- One-time tokens
- Defining logout behavior
Video: 7m28s
Recording a login sequence
For logins that involve several pages or steps, the recorded login sequence is the preferred method to train Snyk to log into an application.
Topics covered in the following video:
- Creating a recorded login sequence
Video: 3m29s
Logout detection
A scanner must maintain a session with an application to scan it effectively. This means the scanner must know how to log in, but also know when it is no longer in session. While some sites make it obvious that the user has been logged out, many are not so easy for a non-human to interpret.
Snyk has an intelligent mechanism that looks for the username/password (UID/PWD) selectors after login to determine whether it has been logged out. Simply put, you would not expect to be prompted for credentials again if you are already logged in; by default, Snyk treats such a prompt as the indication that it has been logged out.
For cases where the site only puts text on the screen, or shows a button to log back in, or any other case where auto-detection is not suitable, logout detection can be configured to tell Snyk that it is logged out and no longer has a valid session with the application.
The following video discusses configuring logout detection, followed by a discussion on different patterns, in addition to how Snyk works by stage.
Video: 6m49s
Once the target is configured and authentication is set up, there are additional settings that can be extremely valuable depending on your use case, such as:
- Scan profiles used
- Defining additional hosts
- Defaulting report types to generate
- Listing technologies to inform scanner
- Configuring integration settings
- Defining navigation sequences to assist crawler traversing complex forms or processes
Additional Settings - Scanner
In this video presentation, we will configure the Scanner tab, where you have the ability to provide navigation sequences, further define what is scanned, or not, provide headers and cookies, as well as add a scanning agent or define blackout periods.
While Snyk will interact with the application in an intelligent manner, providing navigation sequences is very valuable. Navigation sequences train Snyk how to handle more complex interactions where specific values or workflows are required. You can record several sequences and choose either to include them in testing or to test only those interactions, which can be invaluable for unit testing.
Video: 5m04s
Additional Settings - Profile
This video covers the following topics:
- Scan profiles
Video: 1m57s
Additional settings - Extra hosts
Extra hosts allow Snyk to test AJAX requests made to the specified domains. The following video discusses this setting.
Video: 1m44s
Additional Settings - Reports
The following video discusses:
- Default format to generate
- What report to generate
Video: 1m18s
Additional Settings - Technologies
The following video discusses the Technologies tab.
Video: 0m46s
Additional Settings - Integrations
The following video discusses the integration of Snyk API and Web. For more information, refer to Snyk documentation on integrations for Snyk API & Web.
Video: 0m34s
This presentation will review guidance specific to configuring APIs for scanning.
It's important to note that while Snyk will intelligently try to use the correct values, you can ensure effective testing by validating the Swagger file, in addition to the values being used, or using Postman collections or setting the values to use via the UI.
It's also important to note that using the URL for the schema, instead of file upload, has the core advantage that Snyk will fetch a fresh version of the schema before each scan!
Video: 6m35s
This video will present the various phases of the scan process and how to examine progress.
Video: 11m25s
These presentations will review how to review findings, discovery, and generate reports.
Reviewing Findings
In this presentation, we discuss reviewing findings from the scan that was just run, and from the Findings view.
A common use case is also to go to the Target to see the findings for that Target. It can be easier to manage findings there, rather than in the results of a single scan or in the Findings tab, although this depends on the type of user and what they are looking for.
Topics:
- Reviewing findings
- Issue management
Video: 11m04s
Generating reports
Topics covered in the following video:
- Generating reports from the findings view or from within a scan
Video: 3m14s
Reviewing dashboard
Topics covered in the following video:
- Dashboard
Video: 3m12s
Reviewing discovery
Topics covered in this video:
- Discovery
- Setting assets as new/not new
- Renaming assets
- Creating targets from discovered assets
Video: 3m02s
Discovery - Archiving
The Archived state is an automatic state. Users can enable or disable archiving in Snyk. If archiving is enabled, which it is by default, Snyk will automatically archive assets that have not been seen for a certain period of time. The default archiving period is 30 days. This timeframe can be edited by the user, from 1 day to 365 days, in the Discovery settings module, found by navigating to Settings->Discovery settings on the sidebar.
Conclusion
In this lesson we learned how to create and configure a target, start a scan, review its findings, and review reports.
Now try this out in a staging or QA application, then review API and CI/CD concepts here: