added
Web App Scanning: GraphQL API Assessment
3 months ago by Lance Duvall
Tenable Web App Scanning now supports GraphQL API scanning, expanding on the existing support for REST APIs. APIs are the foundation of modern web applications and a high-value target for attackers. An increasing number of applications use GraphQL, a modern and flexible API query language.
With this update, Tenable provides broader coverage across the modern API attack surface, helping customers assess both GraphQL and REST-based applications. For more information, see Launch an API Scan in the Tenable Web App Scanning User Guide.
To configure a WAS scan for GraphQL APIs, use one or more of the following new parameters when creating or updating a WAS scan configuration:
| Body Parameter | Data Type | Description |
|---|---|---|
| settings.scope.graphql_file | string | A base64-encoded GraphQL SDL file that defines the API schema to scan. The file must comply with the GraphQL SDL specification. Alternatively, you can provide the SDL file via a URL using the graphql_file_url parameter. Note: The maximum supported file size is 1 MB. For larger schemas, host the file externally and reference it with the graphql_file_url parameter. |
| settings.scope.graphql_filename | string | The filename to assign to the GraphQL SDL file provided in the graphql_file parameter. The extension must be .graphql. |
| settings.scope.graphql_file_url | string | A URL to a GraphQL SDL file that defines the API schema to scan. The URL must begin with http:// or https:// and end with .graphql. Alternatively, you can supply the SDL file directly as a base64-encoded string using the graphql_file parameter. |
| settings.scope.graphql_introspection | boolean | Specifies whether the WAS scanner should perform a GraphQL introspection query to automatically generate the schema for the target API. |
These new parameters are supported by the following API endpoints:
| Endpoint | Name | Description |
|---|---|---|
| POST /was/v2/configs | Create scan configuration | Creates a new scan configuration. |
| PUT /was/v2/configs/{config_id} | Upsert scan configuration | Updates an existing scan configuration or creates a new scan configuration. |
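As an added example (not Tenable's own code or SDK), the following builds the `settings.scope` fragment for a GraphQL scan configuration and enforces the constraints listed above client-side before the body is sent to `POST /was/v2/configs`: the 1 MB limit on the inline SDL, the `.graphql` filename extension, and the scheme and extension rules for `graphql_file_url`. The sample schema is constructed; the other fields a scan configuration requires (name, target, and so on) are not covered by this note and are omitted.

```python
import base64

# 1 MB limit on the inline, base64-encoded SDL file (stated in the release note).
MAX_GRAPHQL_FILE_BYTES = 1024 * 1024

# Constructed sample schema; not a real Tenable or customer API.
SAMPLE_SDL = "type Query {\n  viewer: User\n}\ntype User {\n  id: ID!\n  name: String\n}\n"


def is_valid_file_url(url):
    """graphql_file_url must use http:// or https:// and end with .graphql."""
    return url.startswith(("http://", "https://")) and url.endswith(".graphql")


def build_graphql_scope(sdl=None, filename=None, file_url=None, introspection=False):
    """Return the settings.scope fragment for a GraphQL WAS scan configuration.

    The note presents the inline file and the hosted URL as alternatives, so
    this helper accepts at most one of them; introspection may be combined
    with either or used on its own.
    """
    if sdl is not None and file_url is not None:
        raise ValueError("use either graphql_file or graphql_file_url, not both")
    scope = {}
    if sdl is not None:
        raw = sdl.encode("utf-8")
        if len(raw) > MAX_GRAPHQL_FILE_BYTES:
            raise ValueError("SDL exceeds 1 MB; host it and use graphql_file_url")
        if not filename or not filename.endswith(".graphql"):
            raise ValueError("graphql_filename must end with .graphql")
        scope["graphql_file"] = base64.b64encode(raw).decode("ascii")
        scope["graphql_filename"] = filename
    if file_url is not None:
        if not is_valid_file_url(file_url):
            raise ValueError("graphql_file_url must be http(s) and end with .graphql")
        scope["graphql_file_url"] = file_url
    scope["graphql_introspection"] = bool(introspection)
    return scope


def decode_graphql_file(scope):
    """Round-trip check: recover the SDL text from a built scope."""
    return base64.b64decode(scope["graphql_file"]).decode("utf-8")


def example_config():
    """Partial request body for POST /was/v2/configs (settings.scope only)."""
    scope = build_graphql_scope(sdl=SAMPLE_SDL, filename="schema.graphql")
    return {"settings": {"scope": scope}}
```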