Skip to main content

API Scanner

The selected target will be scanned using the available tools. Select the API Scanner tool to proceed.

note

The selected target will be scanned with the available tools. Select API Scanner Tool

Cookies Capture

To scan using the API Scanner, follow the steps below:

  1. Enter the task name in the Task Name textbox
  2. Input the endpoint in the Endpoint Path textbox (optional)
  3. Select the Scan Option – Full Scan or Basic Scan
  4. Choose the API Definition type (WADL, RAML, Postman Collection, Swagger 2, or OpenAPI 3)
  5. Select the API Definition Source, URL or File, and provide the corresponding link or upload the file
  6. Click the agree Terms of Service checkbox
  7. Click the Start Scan button to start the scan or click Cancel if you want to cancel

Running an Authenticated Scan with API Scanner

Cookies Capture Users can follow the following steps.

  1. Enable the authentication feature.
  2. Enter the Login Form URL, which is the authentication endpoint that issues tokens (e.g., https://loginapi.vulnapp.id/tokens).
  3. Enter the Login Request Payload, which is the login request body in the format the API expects (commonly JSON). Example JSON: {"username":"user1","password":"pass1"}.
    note

    Helium does not store any data or credentials used in this feature; all authentication requests are handled securely in real-time.

  4. Enter the Auth Token Location, which specifies the location of the token in the login response using dot notation for nested fields (e.g., access.token.id).
  5. Enter the Auth Header Name, which is the HTTP header the scanner will use to send the token (e.g., X-Auth-Token or Authorization).
  6. Enter the Auth Prefix (optional), which is the prefix to include before the token if required by the API (e.g., Bearer: token).
  7. Check the box "I am authorized to scan this target and I agree to the Terms of Service."
  8. Click APPLY to start the authenticated scan.