Skip to main content

Overview

This guide explains how to configure and launch an API security test in DeepTraQ. API testing allows you to automatically validate API functionality, security posture, and resilience using OpenAPI/Swagger specifications.

DeepTraQ supports automated API testing using two scanning engines:

  • OWASP ZAP Web & API Scanner – Dynamic security testing of API endpoints for common vulnerabilities.
  • OpenAPI Spec Testing (API Fuzzer) – Schema-driven API fuzzing that validates endpoint behavior, input validation, and error handling.

API testing works by ingesting an OpenAPI/Swagger specification and generating requests against the API endpoints defined in the specification.

You may also embed walkthrough videos or demonstration recordings here if available.

Supported Platforms

Supported API Specifications

DeepTraQ supports the following API specification formats:

  • Swagger / OpenAPI v2.0
  • OpenAPI v3.x

Supported file formats:

  • .json
  • .yaml
  • .yml

The specification can be provided either by:

  • Uploading a file
  • Providing a URL pointing to the OpenAPI specification

Supported Authentication Methods

API authentication currently supports:

  • Bearer Token
  • Session Cookie
  • Custom HTTP Headers
  • API Key headers
  • Business-specific headers (tenant, organization, region, etc.)

Authentication is injected into requests during scanning to access protected endpoints.

Supported Targets

API testing supports:

  • REST APIs
  • Microservice APIs
  • Backend service endpoints
  • Internal APIs
  • External APIs exposed through API gateways

The host configured for the scan must match the host defined in the OpenAPI specification.

Supported Protocols

  • HTTPS
  • HTTP

Prerequisites

Before creating an API scan:

  • Target API host must be accessible from the scanner
  • OpenAPI / Swagger specification must be available
  • Valid authentication token or cookie if APIs require authentication
  • API host must match the host defined in the OpenAPI specification
  • Target environment should be identified (Production, Test, Development, etc.)

Limitations

The following limitations currently apply to API testing.

LimitationDescription
Single Host per ScanOnly one API host can be tested in a single scan.
Specification Driven TestingAPIs must be defined in the OpenAPI specification to be tested.
Maximum Scan DurationMaximum scan duration is limited to 2 hours.
Authentication TypesCurrently supports Bearer token, cookie, or header-based authentication only.
Unsupported Scan ModulesInfrastructure scanning and CVE scanning are not applicable to API tests.

Steps

1. Create a Scan

Go to:

Scans → Create Scan

Select the scan category.

Choose:

API Testing

2. Configure Scan Details

Provide the basic scan information.

FieldDescriptionExample
Scan NameName used to identify the scanvdcx
DescriptionShort description of the scan purposeAPI security validation for payment service
EnvironmentEnvironment where API is deployedProduction, Test, Development, UAT, Custom

3. Configure Host

Provide the API host that will be tested.

Important rules:

  • Only one host is allowed per scan
  • The host must match the OpenAPI specification host
  • All endpoints defined in the specification should belong to this host

Example:

https://api.company.com

4. Select Scanner Type

Choose the type of API testing engine.

OWASP ZAP Web & API Scanner

OWASP ZAP actively scans API endpoints for security vulnerabilities including:

  • Injection flaws
  • Broken authentication
  • Security misconfigurations
  • Improper input validation
  • Cross-site scripting

This scanner performs dynamic security testing against API endpoints.

OpenAPI Spec Testing

OpenAPI Spec Testing performs schema-driven API fuzzing.

It validates:

  • API input handling
  • schema validation
  • error handling
  • unexpected input scenarios
  • API reliability

This scanner uses an OpenAPI-based fuzzer to automatically generate API requests.

5. Configure API Authentication

Since APIs often require authentication, credentials must be configured.

Supported authentication options include:

  • Bearer Token
  • API Cookie
  • Custom HTTP Headers

Bearer Token

Provide a bearer token used to authenticate API requests.

Example token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

The scanner automatically sends:

Authorization: Bearer <TOKEN>

An optional role may be provided for documentation purposes.

Provide an authenticated session cookie.

Example:

SESSIONID=abc123xyz

This cookie will be included in all API requests.

An optional role may be associated with the cookie.

Custom HTTP Headers

Additional headers can be provided if the API requires business-specific headers.

Examples include:

  • tenant identifiers
  • organization IDs
  • regional routing headers
  • API key headers

Headers must be provided as key-value pairs, one per line.

Example:

X-ORG-ID: 1
X-TENANT-ID: 23
X_REGION: Asia Pacific
Cookie: SESSIONID=abc123xyz

Important behavior:

  • If Bearer Token or Cookie is entered in the authentication fields, do not include Authorization or Cookie keys.
  • If headers are injected directly, they must be written as key-value pairs.

Example:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Cookie: SESSIONID=abc123xyz

6. Upload OpenAPI / Swagger Specification

Provide the API specification used to generate requests.

Supported upload formats:

  • .json
  • .yaml
  • .yml

Supported specification versions:

  • Swagger / OpenAPI 2.0
  • OpenAPI 3.x

Drag and drop the specification file into the upload area.

7. Provide OpenAPI Specification via URL

If the specification is hosted online, it can be provided as a URL.

Example:

https://api.company.com/api/docs/openapi.json

When providing a specification URL:

  • Enter the URL in the Host configuration
  • Skip the file upload step

8. Enable Debug Artifacts

For better debugging and troubleshooting, enable the following options when creating the scan:

  • Save vulnerabilities with information/log level
  • Save all scan artifacts for later reference

These options store important artifacts such as:

  • scanner logs
  • debugging reports
  • scan artifacts

These are useful when troubleshooting authentication or API testing issues.

9. Run the Scan

After completing configuration:

  • Review the scan configuration
  • Click Run Scan to start immediately
  • Or schedule the scan for later execution

The scanner will parse the OpenAPI specification and begin testing the defined endpoints.