ScanDAST 24.2 - API Call Error

Hi all,

We installed ScanDAST 24.2 and performed a scan successfully using the SSC Web GUI.

We then tried to make some calls to the DAST API, but we get the following errors:

• From the swagger UI (X.X.X.X:8081/.../index.html):


Error: response status is 401

Response headers
content-length: 0
date: Wed,26 Jun 2024 07:22:08 GMT
server: Kestrel


• From fcli (fcli ssc app list):

com.fortify.cli.common.rest.unirest.UnexpectedHttpResponseException:
Request: GET X.X.X.X/.../projects:
Response: 401
Response Body:
{"message":"Authentication failed.","responseCode":401,"errorCode":-10301}
at com.fortify.cli.common.rest.unirest.config.UnirestUnexpectedHttpResponseConfigurer$UnexpectedHttpResponseInterceptor.onResponse(UnirestUnexpectedHttpResponseConfigurer.java:36)
at kong.unirest.CompoundInterceptor.lambda$onResponse$1(CompoundInterceptor.java:48)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
at kong.unirest.CompoundInterceptor.onResponse(CompoundInterceptor.java:48)
at kong.unirest.apache.ApacheClient.request(ApacheClient.java:134)
at kong.unirest.Client.request(Client.java:57)
at kong.unirest.BaseRequest.request(BaseRequest.java:365)
at kong.unirest.BaseRequest.asObject(BaseRequest.java:266)
at com.fortify.cli.common.output.writer.output.standard.StandardOutputWriter.writeRecords(StandardOutputWriter.java:174)
at com.fortify.cli.common.output.writer.output.standard.StandardOutputWriter.write(StandardOutputWriter.java:122)
at com.fortify.cli.common.output.cli.mixin.AbstractOutputHelperMixin.write(AbstractOutputHelperMixin.java:73)
at com.fortify.cli.common.output.cli.cmd.AbstractOutputCommand.run(AbstractOutputCommand.java:31)
at picocli.CommandLine.executeUserObject(CommandLine.java:2103)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2538)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2530)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2492)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2350)
at picocli.CommandLine$RunLast.execute(CommandLine.java:2494)
at picocli.CommandLine.execute(CommandLine.java:2247)
at com.fortify.cli.app.runner.DefaultFortifyCLIRunner.run(DefaultFortifyCLIRunner.java:49)
at com.fortify.cli.app.FortifyCLI.execute(FortifyCLI.java:38)
at com.fortify.cli.app.FortifyCLI.main(FortifyCLI.java:32)


• Containers logs don't show any errors.

• curl call taken from the swagger UI:

curl -X 'GET' \
'X.X.X.X:8081/.../applications' \
-H 'accept: text/plain' \
-H 'Authorization: TOKEN-VALUE'

gives the following:

* Trying X.X.X.X:8081...
* Connected to X.X.X.X (X.X.X.X) port 8081
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / secp384r1 / rsaEncryption
* ALPN: server accepted h2
* Server certificate:
* subject: REDACTED
* start date: Jun 14 10:12:28 2024 GMT
* expire date: Jun 14 10:12:28 2026 GMT
* issuer: REDACTED
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for X.X.X.X:8081/.../applications
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: X.X.X.X:8081]
* [HTTP/2] [1] [:path: /api/v2/applications]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: text/plain]
* [HTTP/2] [1] [authorization: TOKEN-VALUE]
> GET /api/v2/applications HTTP/2
> Host: X.X.X.X:8081
> User-Agent: curl/8.7.1
> accept: text/plain
> Authorization: TOKEN-VALUE
>
* Request completely sent off
< HTTP/2 401
< date: Wed, 26 Jun 2024 08:25:44 GMT
< server: Kestrel
< content-length: 0
<
* Connection #0 to host X.X.X.X left intact


• SSC logs show that the URLs called are:

- /ssc/api/v1/projects?fields=id,name,-_href&limit=-1
- /ssc/api/v1/projectVersions?fields=id,name,active,project&limit=1000&includeInactive=true

If we log in to the SSC Web GUI and paste the above URLs into the browser's address bar, we get the following successful outcome:


- /ssc/api/v1/projects?fields=id,name,-_href&limit=-1 ==>> works fine and gives the following, with the expected data:

{"data":[{"id":1,"name":"Expected Application Name"}],"count":1,"responseCode":200,"links":{"last":{"href":""first":{"href":"https://X.X.X.X/ssc/api/v1/projects?fields=id,name,-_href&limit=-1&start=0"}}}

- /ssc/api/v1/projectVersions?fields=id,name,active,project&limit=1000&includeInactive=true ==>> gives the following message:

{"data":[{"id":10000,"project":{"id":1,"name":"Expected Application Name","description":null,"creationDate":"2024-06-24T13:47:27.134+00:00","createdBy":"sicappadmin","issueTemplateId":"Prioritized-HighRisk-Project-Template"},"name":"1.0","active":true,"_href":"https://X.X.X.X/ssc/api/v1/projectVersions/10000"}],"count":1,"responseCode":200,"links":{"last":{"href":""first":{"href":"https://X.X.X.X/ssc/api/v1/projectVersions?fields=id,name,active,project&limit=1000&includeInactive=true&start=0"}}}

So I guess that when the DAST API calls the SSC API there's some problem I can't spot.
We're using a CIToken-type token of a user with Administrator role.

Any thoughts on this matter, or on how to debug this in a better way?

Thank you very much for your time.

  • Verified Answer

    Lesson learned ;-) Problem solved.

    The API should always be called with the authorization token value prefixed by the word 'FortifyToken' and not 'Bearer', even if 'Bearer' is thrown around a lot in the docs.

    Example: 'FortifyToken xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'   without quotes.

    Happy API calls.
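    A small client helper that applies the scheme described in this answer (an added example, not Fortify's own code): it normalises a token that arrives bare, already prefixed with FORTIFYTOKEN as returned by SC DAST's /auth endpoint, or wrongly prefixed with Bearer, sends it with urllib, and maps the 401 bodies seen above to a readable diagnostic. The URL and token values are placeholders to be supplied by the caller.

```python
"""Call the Fortify SSC / ScanCentral DAST REST API with the FortifyToken scheme."""
import json
import urllib.error
import urllib.request

SCHEME = "FortifyToken"
# errorCode SSC returned in the fcli output above when the token was rejected
AUTH_FAILED_CODE = -10301


def fortify_auth_header(token: str) -> str:
    """Build an Authorization header value using the FortifyToken scheme.

    Accepts a bare token, a value already carrying FortifyToken/FORTIFYTOKEN
    (SC DAST's /auth returns it that way) or a value mistakenly prefixed with
    'Bearer', which is what produced the 401 responses in this thread.
    """
    parts = token.strip().split(None, 1)
    if len(parts) == 2 and parts[0].lower() in ("fortifytoken", "bearer"):
        parts = parts[1:]
    return f"{SCHEME} {parts[0]}"


def mask(token: str) -> str:
    """Return a log-safe form of a token: only the last four characters."""
    raw = token.split()[-1]
    return "*" * max(len(raw) - 4, 0) + raw[-4:]


def diagnose(status: int, body: bytes) -> str:
    """Map an HTTP status and JSON body to a short diagnostic string."""
    if status == 401:
        try:
            err = json.loads(body or b"{}")
        except json.JSONDecodeError:
            err = {}
        if err.get("errorCode") == AUTH_FAILED_CODE:
            return "401 errorCode -10301: SSC rejected the token; check the FortifyToken prefix and token type"
        return "401 with empty body: DAST API refused the request; check the Authorization scheme"
    return f"{status}: ok" if 200 <= status < 300 else f"{status}: unexpected response"


def get_json(url: str, token: str, timeout: float = 30.0) -> dict:
    """GET a JSON resource with the FortifyToken header; raise on failure."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": fortify_auth_header(token),
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:  # keep the token out of the error text
        raise RuntimeError(f"{diagnose(e.code, e.read())} (token {mask(token)})") from None
```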

  • Reply (in reply to the above)

    As you pointed out, you must preface the token with FortifyToken or FORTIFYTOKEN. If you generate the token from SC DAST's /auth, it should return with FORTIFYTOKEN already added. If you are generating it via the SSC API endpoint or UI, then the scheme or prefix must be added.

    Apologies for the confusion, if you encountered areas of the documentation that need clarification, you can click the 'Send documentation feedback' link on that specific page to share your thoughts on how to better clarify the information presented.