In Traceable, Plugins are the foundation of API Security Testing. They simulate attack scenarios by injecting modified inputs (mutations) and validating the responses (assertions) for finding vulnerabilities. Using these plugins, you can assess how well your application can withstand real-world attacks.
Plugins
Plugins operate through a defined architecture and are made up of three key components: vulnerabilities, mutations, and assertions. Each component plays a critical role in identifying potential weaknesses in your application. Together, they form the testing loop, called a plugin that detects exploitable behavior and helps improve your API’s security posture.
This document walks you through the types of plugins, their components, and the step-by-step process of how plugins work, enabling you to efficiently use and even create custom plugins for advanced security testing.
What are the supported plugin types?
Traceable provides you with two types of test plugins:
Plugin Type | Description |
|---|---|
Traceable Plugin | Traceable provides these plugins out of the box. These plugins are pre-designed to assess and validate the security of your APIs against the most common vulnerabilities. You can view these test plugins by navigating to Testing → Test Plugins → Traceable. |
Custom Plugin | Traceable allows you to create plugins according to your requirements. These plugins are ideal for testing business-specific rules and unique API behavior, such as enforcing particular security policies, etc. You can configure these plugins either from the Traceable platform (recommended) or using the For more information, see Configuring and Writing Custom Plugins. RecommendationTraceable recommends creating custom plugins directly from the platform for a streamlined and efficient experience. Creating plugins from the platform eliminates the requirement for a manual setup of the |
For information on the attributes and operators involved in a plugin and the steps to configure a plugin, see Plugin Functions and Operators and Configuring Custom Plugins, respectively.
What is the use of the above plugins?
You can use these plugins for regular security assessments, compliance checks, custom compliance reporting, and advanced threat detection. By using these plugins together, you can ensure that your application security is efficient and robust.
Plugin Components
AST leverages multiple components as part of the test and custom plugins. This section highlights these components, their use, and how they interact to ensure robust testing of your application ecosystem.
Mutations
A mutation is an intentional change in the original values of request parameters, used to simulate attack inputs. Traceable supports mutating all the request parameters, such as URL, body, cookies, headers, and tokens. These parameters are mutated based on the operators you specify in the function. For more information on the function syntax and the supported operators, see Mutation Function.
Assertions
An Assertion defines what a vulnerable response looks like. Traceable compares the API’s response to the expected values, status codes, or behaviors. If the response matches the assertion logic that you define, the plugin confirms the presence of a vulnerability. For more information on the assertion types, syntax, and operators, see Assertion Function.
Vulnerability
A vulnerability is a security risk that both test and custom plugins are designed to detect. Traceable, by default, detects certain vulnerabilities as part of the Test plugins and ensures flexibility through custom vulnerabilities as part of the Custom plugins. When a plugin identifies an API request matching the conditions defined in a plugin, it flags it as a vulnerability. For more information on these vulnerabilities, see Vulnerability Types.
Traceable also evaluates hooks, if any, besides these major components, while executing a plugin. For more information, see Pre-hooks.
Working of a Plugin
As soon as you create a scan, Traceable executes the plugin configured in the scan policy. The execution starts a testing cycle where the plugin components (mutations and assertions) work together to simulate attacks and evaluate responses on your API endpoints and detect vulnerabilities, if any.
The following is a description of the interaction between the components and how they interact to detect vulnerabilities in your application ecosystem:
Test Execution — As soon as you create a test suite, Traceable starts executing it according to the configurations. During execution, Traceable runs the plugin and the tests within that plugin. As part of running the tests in the plugin, the following steps are executed:
Cloning — The original API request is cloned to create a mutated request, where all the mutations are executed. The original API request is kept for later use during assertions.
Pre-hooks — The custom hooks code, if any, is executed before any mutations or assertions. These hooks are commonly used for setups, such as authentication.
Mutations—The plugin's mutations are applied to the cloned request, modifying parameters like headers, query strings, body, or tokens.
Post-mutation pre-hooks — The custom hooks code, if any, is executed on the mutated request, for example, HMAC verification.
After the execution is completed, the mutated request is sent to the API. The response of the API to this mutated request is then sent for Parsing.
Test Evaluation — Traceable, upon receiving the API response, parses it, and executes the following steps:
Assertions — The assertions present in the plugin are executed on the response to check if the mutated request reveals a vulnerability.
Post-hooks — The custom hooks code, if any, is executed on the parsed response. This is commonly used for cleanup, logging, and chaining follow-up actions.
Once the above steps are completed, Traceable builds a result.
Result — Traceable uploads the test result to the platform. If Traceable observes a vulnerability, it creates and uploads the vulnerability to the platform. This vulnerability is shown under the suite and test in which it was observed. If Traceable does not observe a new vulnerability, it appends the test details to the existing vulnerability.