Scanning REST webservices without WSDL/WADL file

I am scanning a webservice that uses REST
When I use the scan web service wizard, I can see an option to import wsdl file or specify a location

But the website that I am scanning has no WSDL file or a location to specify.

Webservice uses REST type requests.

Could you please tell me how to scan this web service ?

  • The Web Service Scan Wizard is only meant for SOAP/WSDL-based web services.  For RESTful web services you would use the standard web site scan wizards, Guided Scan wizard (friendlier form) or Basic Scan Wizard (earlier/primitive form).


    Most RESTful web services are of the form URL Rewriting, and so WebInspect manages these with the Custom Parameters scan settings.  Essentially you have to create Rules that identify to WebInspect which portions of the URI are actually fuzzable inputs rather than folder names.  Once these are identified, they will be fully tested as inputs rather than treated as folder names for things such as Directory Truncation, et al.  The Help Guide (F1 button) for Custom Parameters offers a full explanation and samples for this.


    If you have a WADL file for the web service, that can be Imported to the Custom Parameters settings and that will auto-generate the necessary Rules for the API end points.  Our support team may be able to help if the service is defined in JSON files, in terms of extracting the end points to Import to the Custom Parameters.


    If your RESTful service is a bit more advanced that just URL Rewriting, you may need to identify additional details for WebInspect.  A common trick is to create a HTML page that exercises or calls all the available API end points, and then scan that page with WebInspect.  Another good trick is to pre-record a Workflow (start macro) with the Workflow Macro Recorder and then use that to feed the scanner.


    I had a client whose developers used the POSTman plugin to generate the necessary POSTs for their functional testing.  I had him require that they capture their tests using Web Proxy or BURP proxy, and then provide those captures as part of their submission for security testing.  He could then load those captures into WebInspect's scan wizard as Workflows, and he did not have to spend any time generating them or knowing all the details needed to exercise the services.


    Lastly, if you utilized the free WebInspect Agent on the target system (Java or IIS .NET), the Agent would automatically inform WebInspect of all the API end points and automatically generate the necessary Custom Rules during the scan.  This IAST combination of scanning a target that has the WebInspect Agent installed on it is known as "WebInspect Real-Time" or "WIRT", and it offers many additional features beyond this REST feature.