Kickstart 2025 with New DAST Scanner Features
The start of a new year brings exciting updates to our DAST scanner!
Our goal is simple: improve testing accuracy by using real, concrete examples of API requests wherever they help. The scanner does not need access to live traffic to start in-depth testing, but importing captured traffic examples is now easier than ever, and they give you better results and more actionable findings without extra performance overhead.
Here’s a closer look at what’s new:
Discover our new features
1 - HAR File Support for REST API Scanning in DAST
We now support HAR files as REST API schemas. This enhancement offers you greater flexibility when scanning your APIs for vulnerabilities, especially since generating a HAR file can be faster and easier than creating or maintaining a Swagger/OpenAPI specification.
What are HAR files?
HTTP Archive (HAR) files are JSON-formatted files that capture network activity between a client and a server during a browsing session. Each entry records one request (method, URL, headers, cookies, query string and body) together with its response. With this update, our DAST scanner can ingest HAR files to interpret and scan REST APIs, simplifying the scanning process and expanding its capabilities.
What are the benefits?
HAR files capture actual API interactions, including dynamically generated requests and responses during runtime. This is particularly useful in scenarios such as:
- Dynamic APIs: when API behavior depends on real-time parameters or session state that isn't fully documented in Swagger or OpenAPI.
- Legacy or incomplete documentation: for APIs lacking comprehensive or up-to-date schemas.
Additionally, HAR files reflect real-world usage, uncovering hidden or undocumented endpoints and specific request variations that static schemas might miss. This leads to more thorough scans and improved vulnerability detection.
How it works
- Generate a HAR file by capturing the API traffic using tools like browser developer tools or network monitoring software. Note that a browser-generated HAR contains every header and body that was sent, including session cookies and Authorization tokens, so review or redact it before sharing it outside your team.
- Upload the HAR file to the DAST scanner via the API schema configuration interface:
  - Go to Security scan and click on New Application
  - Select REST API
  - Configure your Network and Authentication (if needed)
  - Upload the HAR file to define your API schema
- Initiate the scan: once uploaded, the scanner parses the HAR file, automatically identifying API endpoints, HTTP methods, parameters, and other details. Start the scan and let the DAST scanner analyze your API for vulnerabilities.
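To make concrete what a scanner learns from a HAR file, and what else rides along in it, here is an added Python example. It is not Escape's code and not part of the original post; the HAR document is constructed inline, and `extract_endpoints`, `find_credentials` and `redact_har` are hypothetical helper names. It normalises the capture into (method, path) pairs with their query parameter names and body type, lists the credential-bearing headers the capture carries, and blanks them so the file can be shared without handing out live sessions.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR 1.2 document (not a real capture): two API calls that carry
# credentials, plus one static-asset request that is not part of the API.
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "creator": {"name": "constructed-sample", "version": "1.0"},
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://api.example.com/v1/users?page=2&limit=50",
                    "headers": [
                        {"name": "Authorization", "value": "Bearer eyJhbGciOi.example.token"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "queryString": [{"name": "page", "value": "2"}, {"name": "limit", "value": "50"}],
                    "cookies": [],
                },
                "response": {"status": 200, "headers": [], "cookies": []},
            },
            {
                "request": {
                    "method": "POST",
                    "url": "https://api.example.com/v1/users",
                    "headers": [
                        {"name": "Content-Type", "value": "application/json"},
                        {"name": "Cookie", "value": "session=abc123"},
                    ],
                    "queryString": [],
                    "cookies": [{"name": "session", "value": "abc123"}],
                    "postData": {"mimeType": "application/json", "text": "{\"email\": \"a@example.com\"}"},
                },
                "response": {
                    "status": 201,
                    "headers": [{"name": "Set-Cookie", "value": "session=def456; HttpOnly"}],
                    "cookies": [{"name": "session", "value": "def456"}],
                },
            },
            {
                "request": {"method": "GET", "url": "https://cdn.example.com/static/app.js",
                            "headers": [], "queryString": [], "cookies": []},
                "response": {"status": 200, "headers": [], "cookies": []},
            },
        ],
    }
})

# Headers whose values are credentials rather than API shape.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}


def extract_endpoints(har_text, api_host):
    """Unique (method, path) pairs on api_host, with query parameter names and
    request body media type: the API shape a scanner can learn from the capture."""
    har = json.loads(har_text)
    endpoints = {}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        if parts.netloc != api_host:
            continue  # static assets and third-party hosts are not the API
        ep = endpoints.setdefault((req["method"].upper(), parts.path), {"query": set(), "body": None})
        ep["query"].update(q["name"] for q in req.get("queryString", []))
        if "postData" in req:
            ep["body"] = req["postData"].get("mimeType")
    return endpoints


def find_credentials(har_text):
    """(method, path, header, value) for every credential-bearing header in the capture."""
    har = json.loads(har_text)
    found = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        path = urlsplit(req["url"]).path
        for section in ("request", "response"):
            for h in entry.get(section, {}).get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    found.append((req["method"], path, h["name"], h["value"]))
    return found


def redact_har(har_text):
    """Copy of the HAR with credential header and cookie values blanked; the
    endpoint shape is untouched, so the scanner still learns the same API."""
    har = json.loads(har_text)
    for entry in har["log"]["entries"]:
        for section in ("request", "response"):
            block = entry.get(section, {})
            for h in block.get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    h["value"] = "REDACTED"
            for c in block.get("cookies", []):
                c["value"] = "REDACTED"
    return json.dumps(har)


if __name__ == "__main__":
    for (method, path), info in sorted(extract_endpoints(SAMPLE_HAR, "api.example.com").items()):
        print(method, path, "query=" + ",".join(sorted(info["query"])), "body=" + str(info["body"]))
    print("credentials in capture:", find_credentials(SAMPLE_HAR))
    print("after redaction:", find_credentials(redact_har(SAMPLE_HAR)))
```

Run `find_credentials` on a real capture before uploading it anywhere; the scanner's own Authentication settings are the place for live credentials, not the schema file.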
2 - Enhanced Support for OpenAPI Specs with cURL Examples
Next, our DAST scanner now supports OpenAPI specifications with cURL traffic examples, including those built using extensions like Redocly. This enhancement leverages real-world examples to boost scan quality and simplify your security testing process.
What's new
OpenAPI specifications can include cURL examples that demonstrate specific API requests and responses (in Redocly's tooling this is the x-codeSamples extension, a list of code snippets attached to an operation). With this update, our DAST scanner can parse OpenAPI specs with embedded cURL examples and use them to initiate scans.
We've also added support for Redocly, a tool that simplifies creating OpenAPI specs enriched with cURL examples, ensuring seamless integration into your workflows.
How It Works
- Prepare your OpenAPI spec: use tools like Redocly to build your OpenAPI specification, embedding cURL examples to document API behavior and parameters.
- Upload the spec to the DAST scanner:
  - Go to Security Scan and click New Application
  - Select REST API
  - Upload your OpenAPI spec with cURL examples
- Run the scan: the scanner will parse the OpenAPI spec, leverage the cURL examples for precise API interactions, and begin testing for vulnerabilities!
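The following is an added example, neither Escape's scanner code nor part of the original post: a Python parser that pulls Redocly-style `x-codeSamples` cURL snippets out of an OpenAPI 3 document (given inline in JSON form, so no YAML library is needed), turns each snippet into a concrete request, and checks that the sample really matches the operation it is attached to. The spec is constructed, and `parse_curl` and `curl_samples` are hypothetical names.

```python
import json
import shlex
from urllib.parse import urlsplit, parse_qs

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed OpenAPI 3 document in JSON form, with one Redocly-style
# x-codeSamples cURL snippet attached to the PATCH operation.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Constructed sample", "version": "1"},
    "servers": [{"url": "https://api.example.com/v1"}],
    "paths": {
        "/orders/{orderId}": {
            "parameters": [{"name": "orderId", "in": "path", "required": True,
                            "schema": {"type": "string"}}],
            "patch": {
                "operationId": "updateOrder",
                "x-codeSamples": [{
                    "lang": "cURL",
                    "label": "Update status",
                    "source": "curl -X PATCH 'https://api.example.com/v1/orders/ord_123?notify=true' "
                              "-H 'Authorization: Bearer $TOKEN' "
                              "-H 'Content-Type: application/json' "
                              "-d '{\"status\": \"shipped\"}'",
                }],
            },
        }
    },
})


def parse_curl(cmd):
    """Turn a cURL command line into a concrete request (method, url, headers, body)."""
    toks = shlex.split(cmd)
    if not toks or toks[0] != "curl":
        raise ValueError("not a curl command")
    req = {"method": None, "url": None, "headers": {}, "body": None}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("-X", "--request"):
            req["method"] = toks[i + 1].upper()
            i += 2
        elif tok in ("-H", "--header"):
            name, _, value = toks[i + 1].partition(":")
            req["headers"][name.strip()] = value.strip()
            i += 2
        elif tok in ("-d", "--data", "--data-raw", "--data-binary"):
            req["body"] = toks[i + 1]
            i += 2
        elif tok == "--url":
            req["url"] = toks[i + 1]
            i += 2
        elif tok.startswith("-"):
            i += 1  # flags we do not model (-s, -k, -L, ...)
        else:
            req["url"] = tok  # bare positional argument is the URL
            i += 1
    if req["method"] is None:  # curl's own default: POST when a body is given
        req["method"] = "POST" if req["body"] is not None else "GET"
    return req


def curl_samples(spec_text):
    """Return (operationId, request) for every cURL x-codeSamples entry, binding
    templated path parameters and flagging samples that do not match their operation."""
    spec = json.loads(spec_text)
    base = urlsplit(spec["servers"][0]["url"]).path.rstrip("/")
    out = []
    for path, path_item in spec["paths"].items():
        for method, op in path_item.items():
            if method not in HTTP_METHODS:
                continue  # path-level "parameters", "summary" etc. are not operations
            for sample in op.get("x-codeSamples", []):
                if sample.get("lang", "").lower() != "curl":
                    continue
                req = parse_curl(sample["source"])
                url = urlsplit(req["url"])
                req["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
                template = (base + path).strip("/").split("/")
                actual = url.path.strip("/").split("/")
                bound = {}
                ok = len(template) == len(actual) and req["method"] == method.upper()
                for t, a in zip(template, actual):
                    if t.startswith("{") and t.endswith("}"):
                        bound[t[1:-1]] = a
                    elif t != a:
                        ok = False
                req["path_params"] = bound
                req["matches_operation"] = ok
                out.append((op.get("operationId"), req))
    return out


if __name__ == "__main__":
    for op_id, req in curl_samples(SAMPLE_SPEC):
        print(op_id, req["method"], req["path_params"], req["query"], req["matches_operation"])
```

The `matches_operation` check is the part worth keeping: a cURL sample that was copied from another endpoint, or left behind after a path was renamed, would otherwise be fed to the scanner as if it were a valid request for that operation.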
3 - Burp Suite Exports Support for REST API Scanning in DAST
We’re excited to introduce another great capability for our DAST scanner: support for Burp Suite exports as REST API schemas. This enhancement streamlines your workflow by allowing you to leverage Burp Suite traffic captures to define your API schema, ensuring more comprehensive and efficient vulnerability scans.
What are Burp Suite Exports, and why use them?
Burp Suite is a widely used tool for security testing, and its exports provide detailed records of the HTTP traffic captured during web application testing, including the raw request and response of each item. With this update, our DAST scanner can now ingest Burp Suite exports to interpret and scan REST APIs.
How it works
- Capture traffic with Burp Suite: use Burp Suite to intercept and record API traffic during your testing session, then export the captured items (for example from the Proxy history or Site map) in the format the scanner accepts.
- Upload to the DAST scanner and configure your scan in a few easy steps:
  - Go to Security Scan and click New Application.
  - Select REST API.
  - Configure your Network and Authentication settings (if required).
  - Upload the Burp Suite export file to define your API schema.
- Initiate the scan: the scanner parses the Burp Suite export, identifying endpoints, HTTP methods, and other critical details. Start the scan to analyze your API for vulnerabilities.
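As an added example (not Escape's code and not from the original post): a Python reader for the item layout Burp's Save items export uses, run against a constructed export embedded inline. It base64-decodes each raw request, recovers method, path, query, headers and body, and flags items that still carry session credentials. The names `parse_raw_request` and `parse_burp_export` are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def _b64(raw):
    return base64.b64encode(raw.encode()).decode()


# Raw HTTP messages for the constructed sample, CRLF-delimited as on the wire.
REQ_LIST = _b64("GET /v1/users?limit=10 HTTP/1.1\r\nHost: api.example.com\r\n"
                "Authorization: Bearer example-token\r\nAccept: application/json\r\n\r\n")
RESP_LIST = _b64("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: 2\r\n\r\n[]")
BODY = '{"email": "a@example.com"}'
REQ_CREATE = _b64("POST /v1/users HTTP/1.1\r\nHost: api.example.com\r\n"
                  "Content-Type: application/json\r\n"
                  f"Content-Length: {len(BODY)}\r\n\r\n" + BODY)
RESP_CREATE = _b64("HTTP/1.1 201 Created\r\nContent-Length: 0\r\n\r\n")

# Constructed export (not a real capture). Real exports wrap text in CDATA,
# which ElementTree reads exactly like plain element text.
SAMPLE_EXPORT = f"""<?xml version="1.0"?>
<items burpVersion="constructed" exportTime="Thu Jan 09 10:00:00 CET 2025">
  <item>
    <time>Thu Jan 09 10:00:01 CET 2025</time>
    <url>https://api.example.com/v1/users?limit=10</url>
    <host ip="203.0.113.10">api.example.com</host>
    <port>443</port>
    <protocol>https</protocol>
    <method>GET</method>
    <path>/v1/users?limit=10</path>
    <extension>null</extension>
    <request base64="true">{REQ_LIST}</request>
    <status>200</status>
    <responselength>2</responselength>
    <mimetype>JSON</mimetype>
    <response base64="true">{RESP_LIST}</response>
    <comment></comment>
  </item>
  <item>
    <time>Thu Jan 09 10:00:02 CET 2025</time>
    <url>https://api.example.com/v1/users</url>
    <host ip="203.0.113.10">api.example.com</host>
    <port>443</port>
    <protocol>https</protocol>
    <method>POST</method>
    <path>/v1/users</path>
    <extension>null</extension>
    <request base64="true">{REQ_CREATE}</request>
    <status>201</status>
    <responselength>0</responselength>
    <mimetype></mimetype>
    <response base64="true">{RESP_CREATE}</response>
    <comment></comment>
  </item>
</items>
"""

CREDENTIAL_HEADERS = ("authorization", "cookie", "x-api-key")


def parse_raw_request(raw):
    """Split a raw HTTP/1.1 request into method, request-target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def parse_burp_export(xml_text):
    """One dict per exported item with the fields a REST API schema needs, plus a
    has_credentials flag for items that still carry a live token or cookie."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.findall("item"):
        req_el = item.find("request")
        raw = req_el.text or ""
        if req_el.get("base64") == "true":
            raw = base64.b64decode(raw).decode("latin-1")  # latin-1 never fails on binary bodies
        method, target, headers, body = parse_raw_request(raw)
        target_parts = urlsplit(target)
        items.append({
            "method": method,
            "host": item.findtext("host"),
            "path": target_parts.path,
            "query": target_parts.query,
            "headers": headers,
            "body": body,
            "status": int(item.findtext("status") or 0),
            "has_credentials": any(h in headers for h in CREDENTIAL_HEADERS),
        })
    return items


if __name__ == "__main__":
    for it in parse_burp_export(SAMPLE_EXPORT):
        print(it["method"], it["host"], it["path"], it["query"], it["status"],
              "credentials" if it["has_credentials"] else "")
```

The same caution as for HAR files applies: a Burp export is a verbatim record of your testing session, tokens included, so check the `has_credentials` items before the file leaves your machine.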
4 - Improved Postman Collections Support
Postman Collections support has received a major upgrade! Our DAST scanner now parses collections more effectively, even when they are poorly implemented, a common challenge with Postman Collections.
Why This Matters
Postman Collections are examples of API requests by design. With these improvements, our scanner ensures better accuracy and coverage for your scans, regardless of the quality of the collection.
These new features and improvements are designed to help you streamline your workflows and achieve more comprehensive vulnerability detection. Whether you’re using HAR files, OpenAPI specs, Burp Suite exports, or Postman Collections, Escape's DAST scanner is ready to meet your needs.
As you dive into 2025, we wish you a productive year—and hopefully, not too many critical vulnerabilities found! 🚀
We hope these new features and improvements help streamline your security testing workflows and provide even more comprehensive DAST scan results. Try it out for yourself, and let us know what you think in our Slack community!