In this part of the tutorial we will cover DAST scanning (performed with web application scanners such as Acunetix or Burp Enterprise Edition).
Linking scanner with Mixeway
To be able to use a specific scanner with Mixeway, you have to register it properly first. Unfortunately, each scanner uses a different API and authentication method, which is why there is no universal way of doing this. Every scanner integration operation can be accessed in the Admin Zone, under the Scanner tab.
General requirement: communication between Mixeway and the vulnerability scanner has to be properly secured, which means Mixeway has to trust the certificate used by the scanner API. If you are using self-signed certificates, export the certificate (public key) and then import it into the trust store used by Mixeway.
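The export-and-import step above, as an added shell example (not Mixeway's own tooling). It assumes openssl is installed, that the JDK keytool is available for the import step, and that the trust store path, password and alias are placeholders supplied by the caller; the host name scanner.example.internal and the demo certificates are constructed for the example only. The verify_against function shows the property the integration relies on: the scanner certificate must validate against what the trust store contains, rather than certificate checking being switched off.

```shell
#!/bin/sh
# Added example, not part of Mixeway. Assumes: openssl on PATH; keytool (JDK)
# on PATH for the import step; trust store path/password/alias given by caller.
set -e

# Export the PEM certificate presented by the scanner API endpoint (host:port).
export_scanner_cert() {
  _hostport="$1"; _out="$2"
  openssl s_client -connect "$_hostport" -servername "${_hostport%%:*}" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$_out"
}

# Import the exported certificate into the JVM trust store Mixeway runs with,
# e.g. $JAVA_HOME/lib/security/cacerts (the JDK default password is "changeit").
import_into_truststore() {
  _cert="$1"; _store="$2"; _alias="$3"; _pass="${4:-changeit}"
  keytool -importcert -noprompt -trustcacerts -file "$_cert" -keystore "$_store" \
    -storepass "$_pass" -alias "$_alias"
}

# Check whether a trust anchor file accepts the scanner certificate.
# Prints "ok" when openssl chain validation succeeds and "fail" otherwise.
verify_against() {
  _cert="$1"; _anchor="$2"
  if openssl verify -CAfile "$_anchor" "$_cert" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Constructed stand-in for a scanner's self-signed certificate (no real host;
# the private key is discarded because only the certificate is needed here).
make_demo_cert() {
  _cn="$1"; _out="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$_out" \
    -days 1 -subj "/CN=$_cn" >/dev/null 2>&1
}

# Stand-alone run (./script.sh demo): a demo certificate verifies only against
# a trust anchor that actually contains it.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_demo_cert scanner.example.internal "$d/scanner.pem"
  make_demo_cert other.example.internal "$d/other.pem"
  echo "anchor = scanner.pem: $(verify_against "$d/scanner.pem" "$d/scanner.pem")"
  echo "anchor = other.pem:   $(verify_against "$d/scanner.pem" "$d/other.pem")"
  rm -rf "$d"
fi
```

For a real scanner, run export_scanner_cert against the API address you will register (for example the host and port of the API url), inspect the resulting PEM with `openssl x509 -in scanner.pem -noout -subject -dates`, and then import it with import_into_truststore into the trust store the Mixeway JVM is started with. Restart Mixeway afterwards, since the JVM reads the trust store at startup.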
Please note that if no HashiCorp Vault integration is configured, every password or key that Mixeway needs in order to authenticate to a scanner API will be stored in plain text in the database.
Acunetix and Burp Enterprise Edition integrations
To use the Acunetix integration you have to generate an API key first. How to get one is described here: https://www.acunetix.com/support/docs/getting-comfortable-with-acunetix-apis/
To use Burp EE you need an API key as well. To get one, follow the documentation: https://portswigger.net/burp/documentation/enterprise/administration-tasks/managing-team#creating-api-users
- Type: Acunetix | BURP EE
- RoutingDomain: <pick the one which will be covered by this scanner>
- Proxy: <if a proxy is needed to access the scanner API, pick one>
- API url: <URL of the DAST API>, e.g. https://127.0.0.1:8334
- API Key: <generated API key>
IT Security Expert, DevSecOps enthusiast, Java developer in spare time, Mixeway lead architect and PhD candidate at Warsaw University of Technology in the field of machine learning techniques in cybersecurity.