- 03 Jun 2024
- 6 Minutes to read
- Print
- DarkLight
- PDF
Transform rules
- Updated on 03 Jun 2024
- 6 Minutes to read
- Print
- DarkLight
- PDF
Traceable's API Security Testing (AST) provides the option to transform parameters in headers or the request body. Parameter transformation is useful when scans fail due to redacted data in the request or when you need to run the scan with OpenAPI spec. Parameter transformation also helps find more vulnerabilities because it allows for more successful test attacks.
The following examples show how transforming parameters can help run more accurate scans:
Example - Redacted data
Your request may have sensitive data, such as, email ID, name, and so on, which may be redacted due to configurations. You can transform such a redacted parameter to a value that you define in transform_rules
JSON or YAML file. For example, you may have email
as a sensitive data key, the value of which was redacted (*******
). You can transform this, for example, to myname@mycompany.com
. With this transformation, the test attack to scan for vulnerabilities that earlier failed because of redacted data will now pass.
Example - OpenAPI spec
You can run an OpenAPI spec scan in which a parameter name
did not have an example value. It was assigned a random value, for example, john.doe. The scan may not pass with this random value. You can transform this value, for example, to https://app.traceable.ai
.
Traceable also provides you the option to suppress sensitive parameters using the same transform_rules
JSON or YAML file. This suppression is useful when sensitive data is being sent to your Traceable account, and some parts of it are still not redacted or obfuscated. See the following section for information on the steps to suppress the data.
Steps to run transform or suppression
Transforming or suppressing parameter values consists of two steps:
Create a
transform_rules
JSON or YAML file.Run the transform command, either using Python or Docker CLI.
Step 1 - Create the transform file
Single transform value for a parameter
The following sample JSON transform_rule
file defines the schema for transforming single parameters:
{
"transform_params": [
{
"key": "http.request.header.host",
"value": "13.3.2.1",
"action": "MODIFY",
"scope": {
"key": "API_NAME",
"operator": "CONTAINS",
"value": "/post/orders"
}
},
{
"key": "authorization",
"value": "Bearer token",
"action": "REGEX_MODIFY",
"scope": {
"key": "API_NAME",
"operator": "NOT_CONTAINS",
"value": "/get/payments"
}
}
]
}
As you can see in the above file, http.request.header.host
value is modified to 13.3.2.1. The action
is MODIFY
. The scope defines which APIs you wish to run the transform on. If you do not provide the scope, transform is run on all the APIs. The following table explains the various keys of the above file:
JSON key | Description |
---|---|
| Defines a list of parameters that you wish to transform. |
| Defines the keys of the parameters that you wish to transform. The following is the format:
|
| Defines the value that would replace the original value. |
| The type of action that you wish to take. It can have one of the following values:
|
| Defines the APIs for which you wish to apply transformation rules. This is an optional key. If you do not define the scope, |
| API_NAME |
| Value related to the key. In the above case, it would be the name of the API. |
| The operator can have the following values:
|
Multiple transform values for the parameter
The following sample JSON transform_rule
file defines the schema for transforming multiple parameters:
{
"transform_params": [
{
"key": "http.request.body.fruit",
"value": "$SINGLE_FRUIT_VALUE",
"action": "MODIFY"
},
{
"key": "http.request.body.firstName",
"value": "$GROUP_NAME_VALUE",
"action": "MODIFY"
},
{
"key": "http.request.body.lastName",
"value": "$GROUP_NAME_VALUE",
"action": "MODIFY"
},
{
"key": "http.request.body.age",
"value": "$GROUP_NAME_VALUE",
"action": "MODIFY"
}
],
"values_store": {
"single_choice_store": {
"$SINGLE_FRUIT_VALUE": ["apple", "mango", "banana", "watermelon"]
},
"group_choice_store": {
"$GROUP_NAME_VALUE": [{
"http.request.body.firstName": "John",
"http.request.body.lastName": "Doe",
"http.request.body.age": 25
},
{
"http.request.body.firstName": "Kevin",
"http.request.body.lastName": "Smith",
"http.request.body.age": 35
}
]
}
}
}
Note the following points:
$SINGLE
- A random single value is selected from the choices you provide.$GROUP
- A random group of parameters is selected from the choices you provide.
For example, in the above sample schema, a random fruit value is chosen from the given choices (apple, mango, banana, and watermelon). Similarly, a group is picked from the choices you have provided.
The following table explains the various JSON keys:
JSON key | Description |
---|---|
| Defines the set of values that are possible for any parameter. |
| Key is the variable that is used in |
| Key is the variable that is used in |
Suppression of parameters
The following sample JSON transform_rule
file defines the schema for suppressing parameters:
{
"transform_params": [
{
"key": "authorization",
"action": "SUPPRESS",
"suppression_type": "REDACT"
},
{
"key": "http.request.header.host",
"action": "SUPPRESS",
"suppression_type": "OBFUSCATE"
"scope": {
"key": "API_NAME",
"operator": "CONTAINS",
"value": "/post/orders"
}
}]
}
As you can see in the above file, http.request.header.host
value is being suppressed. The action
is SUPPRESS
. The scope defines on which APIs you wish to run the suppression. If you do not provide the scope, transform is run on all the APIs. The following table explains the various keys of the above file:
JSON key | Description |
---|---|
| Defines a list of parameters that you want to suppress. |
| Defines the keys of the parameters that you wish to suppress. |
| The type of action that you want to take, here, suppress or redact the parameter. It can have SUPPRESS as the value. |
| The type of suppression that you want to perform on the parameter. It can have one of the following values:
|
| Defines the APIs for which you wish to apply suppression. This is an optional key. If you do not define the scope, |
| The API name that contains the sensitive parameter. |
| The operator can have the following values:
|
| Value related to the key. In the above case, it would be the name of the API. |
Step 2 - Run the transform command
Once you have created the transform_rule
file, run the transform command. You can run it either using python or docker CLI. Make a note of the following before running the transform command:
Keep the Platform token handy. In Traceable Platform, navigate to My Preferences → API Token → Generate API Token button.
Decide the name of the scan and scan policy.
Python CLI command
Enter the following command to run the transform using Python:
./traceable ast scan initAndRun --scan-name test-scan-1 --policy scan-policy-1 --token <platform_token> --transform-rules ~/.traceable/transform_rules.json
Docker CLI
Enter the following command to run the transform using Docker CLI:
docker run --rm -v /localmount_folder_path:/app/userdata traceable-data -it traceableai/traceable-cli ast scan initAndRun --scan-name test-scan-1 --policy scan-policy-1 --token <platform_token> --transform-rules /app/userdata/transform_rules.json