Speed: Allow user to provide technology hints
Problem
API Security sends thousands of requests to test an API operation. Many checks have different tests depending on the technology in use, such as a specific database vendor or OS. A typical target does not use every database and OS in its architecture, so much of the testing performed is not useful and only takes up time.
A further requirement is to support technology hints at the route level, allowing multiple routes to be defined, each with a different technology hint. This allows testing a service router that is backed by different technology stacks.
Proposal
Allow the user to provide technology hints that restrict testing when possible through a new variable DAST_API_TUNE_TECH_HINT.
The _TUNE_ portion indicates this is a performance tuning variable.
Allowed values and format (BNF). The original grammar required at least two bracketed routes; it is adjusted here so that it also accepts the bare single-route form shown in the examples:

```bnf
<value> ::= <hints> | <route> ("," <route>)*
<route> ::= "[" <hints> "]"
<hints> ::= <hint> (";" <hint>)*
<hint> ::= <category> "=" <tech> ("," <tech>)*
<category> ::= <string_literal>
<tech> ::= <string_literal>
<string_literal> ::= ([0-9] | [a-z] | [A-Z])+
```

The grammar can be tried out at https://bnfplayground.pauliankline.com/
Examples:
- Single route:
  `DAST_API_TUNE_TECH_HINT: os=linux;db=mysql,mongo`
- Multiple routes. The route name must be defined in the configuration file:
  `DAST_API_TUNE_TECH_HINT: [route=api1;os=linux;db=mysql,mongo],[route=api2;os=linux;db=mysql]`
| Category | Value | Comment |
|---|---|---|
| os | linux | Linux |
| os | mac | OS X |
| os | win | Windows |
| db | mysql | MySQL |
| db | mssql | Microsoft SQL Server |
| db | mongo | MongoDB |
| db | pg | PostgreSQL |
| db | oracle | Oracle |
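To make the format concrete, here is an added example parser for the variable (not part of the analyzer or this proposal). It accepts both the bare single-route and the bracketed multi-route forms from the grammar above and rejects values outside the table, so a malformed hint fails fast instead of silently disabling tuning. The `route` category and the allowed-value table are taken from this page; everything else is an assumption.

```python
import re
from typing import Dict, List

# Allowed categories and values, copied from the table in this proposal.
ALLOWED = {
    "os": {"linux", "mac", "win"},
    "db": {"mysql", "mssql", "mongo", "pg", "oracle"},
}
LITERAL = re.compile(r"^[0-9A-Za-z]+$")  # <string_literal> in the grammar

def parse_hints(hints: str) -> Dict[str, List[str]]:
    """Parse '<hint> (";" <hint>)*' into {category: [tech, ...]}."""
    result: Dict[str, List[str]] = {}
    for hint in hints.split(";"):
        if "=" not in hint:
            raise ValueError(f"hint {hint!r} is missing '='")
        category, techs = hint.split("=", 1)
        values = techs.split(",")
        for tok in [category, *values]:
            if not LITERAL.match(tok):
                raise ValueError(f"invalid literal {tok!r}")
        if category == "route":
            # The route name itself is checked against the config file by
            # the analyzer (assumed); here we only enforce a single name.
            if len(values) != 1:
                raise ValueError("route takes exactly one name")
        elif category not in ALLOWED:
            raise ValueError(f"unknown category {category!r}")
        else:
            unknown = sorted(set(values) - ALLOWED[category])
            if unknown:
                raise ValueError(f"unknown {category} value(s): {unknown}")
        result[category] = values
    return result

def parse_tech_hint(value: str) -> List[Dict[str, List[str]]]:
    """Parse DAST_API_TUNE_TECH_HINT into a list of per-route hint maps."""
    value = value.strip()
    if not value.startswith("["):          # bare single-route form
        return [parse_hints(value)]
    if not value.endswith("]"):
        raise ValueError("unbalanced brackets in route list")
    routes = []
    # Split only on the commas between ']' and '['; commas inside a route
    # separate <tech> values and must not split routes.
    for chunk in re.split(r"\]\s*,\s*\[", value):
        route = parse_hints(chunk.strip("[]"))
        if "route" not in route:
            raise ValueError("bracketed routes need a route=<name> hint")
        routes.append(route)
    return routes
```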
Tasks
- Add new variable
- Release new version of analyzer
- Documentation
  - Document variable and available values
  - Expand Performance Tuning section to include this variable