API Security Testing

Why did the first scan of my API not detect any vulnerabilities?

Possible reasons include insufficient test data, restricted access permissions, or scanning rules that need adjustment. We recommend checking whether your API requires authentication and trying different scanning strategies.

Will API security scans impact my production environment?

By default, security scans are non-destructive. However, certain tests (like SQL injection or command injection) may trigger errors. We recommend running scans in a test environment first.

Will my API key or sensitive information be exposed?

We do not store or expose your API keys. It's advised to use test accounts for scanning and rotate your keys regularly.

How secure is my API data when using your tool?

We follow strict data security and privacy policies. All test data is processed in a secure environment and will not be shared with third parties.

How do you ensure the security of my API data?

We take your data security seriously. Here’s how we protect it:

  • Data Encryption: All data is encrypted in transit and at rest.
  • Access Control: Strict access controls ensure that only authorized personnel can access your data.
  • Security Audits: We conduct regular security audits to identify and address potential vulnerabilities.

How do I analyze the results of an API security test?

The test report will list all identified security risks and provide detailed vulnerability descriptions, impact analysis, and recommended fixes. You can refer to the CVSS score to prioritize fixing higher-risk vulnerabilities.

What does the test report generated by your tool include?

Our tool generates reports that include:

  • Vulnerability List: A list of all detected security vulnerabilities, including their type, severity, location, and suggested fixes.
  • Test Summary: An overview of the tests conducted, including the number of APIs tested, types of vulnerabilities examined, and the overall test results.
  • Detailed Test Results: A breakdown of each vulnerability, including the test steps, expected results, and actual outcomes.

Can I customize the execution strategy of the API security test?

Yes, you can configure different scan types to perform more in-depth scanning of specific vulnerabilities.

How comprehensive is the API security test coverage?

We support OWASP API Security Top 10, covering major API vulnerabilities such as SQL injection, XSS, authentication flaws, and sensitive data exposure. Free plan scans cover around 60%-70%, while basic plans cover 90%-100%.

Do I have to register to use the service?

The free plan is available for anyone to use. However, we highly recommend registering to better manage your history, schedule regular scans, and access advanced features.

How can I prevent my API from being abused or exposed to attackers?

To enhance API protection, use rate limiting, authentication, CORS configuration, and Web Application Firewalls (WAF). Regular security scans will help detect potential risks.

How can I automate API security testing and integrate it into my CI/CD pipeline?

You can use our CLI tool or API to integrate security testing into GitHub Actions, Jenkins, or GitLab CI/CD, ensuring automatic security scans after every code change.

Can API security scanning fully replace manual security testing?

No. Automated tests can identify known vulnerabilities, but complex business logic issues still require manual testing by security experts.

What should I do if I encounter an issue? How can I get support?

Currently, we offer support primarily through email and online Q&A. In the future, we will expand our support channels to include online documentation, a knowledge base, email support, and social media. Our support team is always ready to assist you with any issues.

One-Stop Functional, Performance, and Security Testing

Why can't I customize the configuration on these 3 pages after my first registration?

[Functional Test Configuration], [Performance Test Configuration], and [Security Test Configuration]: Sorry, for free users, the test items are pre-configured by default. After upgrading to a paid plan, you will be able to customize and modify the configuration options.

Why are these 3 report pages empty after my first registration?

[Functional Test Report], [Performance Test Report], and [Security Test Report]: The test reports display the results of the most recent test execution. Since you haven't executed any tests yet as a new user, there are no reports available. Please run a test first, and then the reports will appear.

Can I see the import history of APIs?

For batch-imported APIs, only the most recent import record is displayed. If you have specific requirements, please contact us, and we will process it for you.

Can I see historical execution records?

Currently, only the most recent execution result is displayed. If you need access to historical records, please contact us, and we will assist you with your request.

What is shown in the API List after import?

The API List table shows the generated test cases and sample test data for each API, based on the configuration rules from the standard file you imported. These are used for the preparation of subsequent tests.

How long does each execution take?

The execution time is not fixed, as it depends on the number of APIs in your imported JSON, YAML, or CSV file, parameter configurations, execution rules, and request configurations. As a general reference, for 20 APIs generating around 2,000 test cases, test case generation plus execution typically takes about 5 to 10 minutes.

Can I generate more test cases?

You can upgrade your plan or purchase additional execution cycles.

Are the generated test cases comprehensive?

We generate a large number of test cases and test data based on the configuration options in your API file, including normal, abnormal, and boundary value cases. The coverage can reach 80%-90%, depending on your file configuration.

Can the test reports generated by this platform completely replace manual testing?

Unfortunately, the platform cannot fully replace 100% of manual testing. Complex business logic, business rules, advanced authentication and authorization processes, context-dependent behavior, and asynchronous/event-driven processes still need to be manually tested and confirmed. Our platform is designed to handle routine tasks, such as validating normal and abnormal cases, ensuring format correctness, and conducting performance and security tests. If you have further requirements or need more detailed testing, please feel free to contact us.