Overview
This document provides general information on onboarding a target for testing, including methods such as using a Crawler, .HAR files, API schemas, and single Entrypoints. It also includes relevant articles on each of these terms.
Now, once your project has been created, there are a few things left to do. First, you need to onboard a target before you start scanning.
- Target - the subject of your testing. It can be a web application or an API (REST, SOAP, GraphQL and more).
- Onboarding - the process of preparing a target for testing by looking for its Entrypoints. Onboarding is done once and stays valid as long as your target does not change.
How to onboard a target
Bright provides the following methods of finding Entrypoints:
Crawler
Bright can crawl your web application to define the attack surface. This option does not require any configuration details that could trip you up. To run a security scan using the crawler, you simply need to specify the target URL in the URL field. Learn more about the Crawler.
.HAR-file
An HTTP Archive File (.HAR file) is a recorded session of user interaction with an application. The .HAR file keeps all the HTTP requests and responses between the web client and web application. You can use a pre-recorded .HAR file when running a security scan. Using the data contained in the .HAR file, Bright defines the attack surface and ensures complete coverage of the scan scope. Learn more about .HAR-files in Bright.
API Schema
Bright supports the following API schema formats: Swagger 2+, OpenAPI 3+, Postman 2+. Your API schema does not need to be perfect; you can upload the one you have. All you need to do is fix it once. Learn more about API Schemas.
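To make the .HAR-file and API Schema methods above concrete, here is an added example (not Bright's own code) showing how a recorded session or an OpenAPI 3 document can be reduced to a list of Entrypoints: unique method-plus-URL pairs with the parameter names observed for each. The HAR sample and the OpenAPI sample are constructed for this example; the `Entrypoint` class, the static-asset filter and the function names are assumptions, not a description of how Bright itself does it. Repeated requests to the same URL are merged, query strings are stripped from the URL, and static assets (scripts, images, stylesheets) are skipped because they are not application logic worth testing.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
# Response types that are static assets rather than application logic (assumed filter).
STATIC_MIME_PREFIXES = ("image/", "font/", "text/css", "application/javascript", "text/javascript")


@dataclass(frozen=True)
class Entrypoint:
    method: str
    url: str      # scheme://host/path with the query string removed
    params: tuple  # sorted names of query, form, JSON-body or path parameters


def _param_names_from_har_request(req: dict) -> set:
    """Collect parameter names from the query string and, if present, the request body."""
    names = {q["name"] for q in req.get("queryString", [])}
    post = req.get("postData") or {}
    if "params" in post:  # form-encoded bodies are listed as name/value pairs in HAR
        names |= {p["name"] for p in post["params"]}
    elif post.get("mimeType", "").startswith("application/json"):
        try:
            body = json.loads(post.get("text") or "{}")
        except ValueError:
            body = {}
        if isinstance(body, dict):
            names |= set(body)
    return names


def entrypoints_from_har(har: dict) -> list:
    """Collapse a recorded session into unique (method, URL) pairs with the union of observed parameters."""
    merged = {}
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry.get("response", {})
        mime = resp.get("content", {}).get("mimeType", "")
        if mime.startswith(STATIC_MIME_PREFIXES):
            continue
        parts = urlsplit(req["url"])
        key = (req["method"].upper(), f"{parts.scheme}://{parts.netloc}{parts.path}")
        merged.setdefault(key, set()).update(_param_names_from_har_request(req))
    return [Entrypoint(m, u, tuple(sorted(n))) for (m, u), n in merged.items()]


def entrypoints_from_openapi(spec: dict) -> list:
    """Enumerate every operation in an OpenAPI 3 document as an entrypoint."""
    servers = spec.get("servers") or [{"url": ""}]
    base = servers[0]["url"].rstrip("/")
    found = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # parameters declared for the whole path item
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            names = {p["name"] for p in shared + op.get("parameters", [])}
            for media in op.get("requestBody", {}).get("content", {}).values():
                names |= set(media.get("schema", {}).get("properties", {}))
            found.append(Entrypoint(method.upper(), base + path, tuple(sorted(names))))
    return found


# Constructed sample: a short browsing session captured as a HAR (.HAR) archive.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://shop.example/search?q=shoes&page=1",
                 "queryString": [{"name": "q", "value": "shoes"}, {"name": "page", "value": "1"}]},
     "response": {"content": {"mimeType": "text/html"}}},
    {"request": {"method": "GET", "url": "https://shop.example/search?q=boots",
                 "queryString": [{"name": "q", "value": "boots"}]},
     "response": {"content": {"mimeType": "text/html"}}},
    {"request": {"method": "POST", "url": "https://shop.example/api/login", "queryString": [],
                 "postData": {"mimeType": "application/json", "text": '{"user": "a", "pass": "b"}'}},
     "response": {"content": {"mimeType": "application/json"}}},
    {"request": {"method": "GET", "url": "https://shop.example/static/app.js", "queryString": []},
     "response": {"content": {"mimeType": "application/javascript"}}},
]}}

# Constructed sample: a minimal OpenAPI 3 schema for a users API.
SAMPLE_OPENAPI = {
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.example/v1/"}],
    "paths": {
        "/users": {
            "get": {"parameters": [{"name": "limit", "in": "query"}]},
            "post": {"requestBody": {"content": {"application/json": {
                "schema": {"type": "object", "properties": {"name": {}, "email": {}}}}}}},
        },
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path"}],
            "get": {},
            "delete": {},
        },
    },
}


def attack_surface() -> list:
    """Combine both sources into the list a scanner would treat as the target's attack surface."""
    return entrypoints_from_har(SAMPLE_HAR) + entrypoints_from_openapi(SAMPLE_OPENAPI)


if __name__ == "__main__":
    for ep in attack_surface():
        print(ep.method, ep.url, ep.params)
```

Run the script to print the six derived Entrypoints. The HAR yields two (the two searches merge into one GET with parameters `page` and `q`, and the script download is dropped), and the schema yields four, including the path parameter `id` shared by both `/users/{id}` operations. Comparing the two lists is a quick way to see which schema operations the recorded session never exercised, which is exactly the coverage question the onboarding step is meant to answer.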
Single Entrypoint
You can manually add a single Entrypoint using the in-app tool and then fix it if it has connectivity problems. Learn more about how to add and fix Entrypoints.
Relevant articles
To prepare your target more thoroughly, see the relevant articles:
- Authentication - Bright's authentication capabilities enable testing of login-protected resources in your application or API. By configuring the authentication method(s) and valid credentials, complete scan coverage is achieved for security testing. Learn more about Authentication types.
- Discovery - the process of finding Entrypoints. It only needs to be done once, as long as the target does not change. Learn more about how to create a new Discovery.
- Entrypoint - an object that contains detailed information about a target. Learn more about how to use and manage Entrypoints.