AppSpider Pro DAST/API Integration
AppSpider Pro (by Rapid7) is a dynamic application security testing tool that crawls and attacks web applications to identify exploitable vulnerabilities. This integration allows Invicti ASPM to trigger AppSpider Pro scans and import findings.
Prerequisites
| Field | Description |
|---|---|
| AppSpider Pro URL | The URL of your AppSpider Pro instance (e.g., https://appscan.your-company.com) |
| Username | AppSpider Pro account username |
| Password | AppSpider Pro account password |
How to Get Credentials (on AppSpider Pro Side)
- Contact your AppSpider Pro administrator for a service account with API access.
- The administrator creates the account via Administration > Users in the AppSpider Enterprise console.
- Assign the Scan Manager or Administrator role to enable scan creation and result retrieval via API.
- Use the provided username and password in the integration configuration.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the DAST/API Tab
On the Integrations > Scanners page, click on the DAST/API tab.
Step 3: Find and Activate AppSpider Pro
Scroll through the list of DAST/API scanners to find AppSpider Pro.
If AppSpider Pro is not activated, you will see an "Activate" button. Click it to enable the integration.
Note: The scan method badge on the AppSpider Pro card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).
Step 4: Configure Connection Settings
Click on the gear icon on the AppSpider Pro card to open the configuration panel. Fill in the required fields:
- Authentication Type: Select the authentication method (Basic for username/password or Token for API token).
- Username (Basic auth): Enter the service account username.
- Password (Basic auth): Enter the service account password.
- Token (Token auth): Enter the API token.
- URL: Enter your AppSpider Pro server URL (e.g., https://appscan.your-company.com).
- Insecure: Enable this checkbox only if your AppSpider Pro instance uses a self-signed SSL certificate.
Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms successful authentication.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the DAST/API tab |
| 3 | Activate AppSpider Pro |
| 4 | Enter URL, Username, and Password |
| 5 | Test the connection |
How to Create a Scan
Navigate to Project Scanners
- Open a project in Invicti ASPM.
- Go to Settings > Scanners.
- Click Add Scanner.
Add AppSpider Pro Scanner
- Select DAST/API as the scanner type.
- Choose AppSpider Pro from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan | No |
| Preset | AppSpider scan preset configuration to use | Yes |
| Macro | Login or workflow macro to attach to the scan | No |
| Branch | Source code branch associated with this scan | No |
| Meta Data | Additional metadata for the scan | No |
| Scan Tag | Tag to identify the scan | No |
Scheduler
Enable the Scheduler toggle to run scans on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
kdt scan -p <project_name> -t appspider -b <branch_name>
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid credentials | Verify the username and password with your AppSpider administrator |
| Wrong server URL | Confirm the AppSpider Pro server address and ensure it includes https:// |
| SSL certificate error | Ensure the server uses a valid SSL certificate or configure trust for the CA |
| Firewall block | Open the required port (typically 443) between Invicti ASPM and AppSpider Pro |
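As an added diagnostic that is not part of Invicti ASPM or AppSpider Pro, the following Python script runs the checks the table above describes (https scheme, DNS, TCP reachability on 443, and whether the server certificate chains to a trusted CA) against a configured URL. It assumes only the page's placeholder hostname and does not call the AppSpider API.

```python
"""Pre-flight checks for the AppSpider Pro connection settings (added example).

Mirrors the 'Connection Fails' table: URL scheme, DNS resolution, TCP
reachability on the HTTPS port, and certificate trust. A failed trust
check is the case where 'configure CA trust' or (for self-signed certs
only) the Insecure checkbox applies.
"""
import socket
import ssl
from urllib.parse import urlparse


def check_url(url: str) -> tuple:
    """Validate the URL the way the integration expects it (https + host)."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "URL must start with https://"
    if not parsed.hostname:
        return False, "URL has no hostname"
    return True, "ok"


def check_reachability(url: str, timeout: float = 5.0) -> dict:
    """Report DNS, TCP and TLS-trust status for the AppSpider Pro host."""
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 443
    result = {"dns": False, "tcp": False, "tls_trusted": False, "detail": ""}
    try:
        socket.getaddrinfo(host, port)
        result["dns"] = True
    except (socket.gaierror, TypeError) as exc:
        result["detail"] = f"DNS resolution failed for {host!r}: {exc}"
        return result
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["tcp"] = True
            ctx = ssl.create_default_context()  # verifies against the system CA bundle
            try:
                with ctx.wrap_socket(raw, server_hostname=host):
                    result["tls_trusted"] = True
            except ssl.SSLCertVerificationError as exc:
                result["detail"] = (f"certificate not trusted ({exc.reason}); "
                                    "configure CA trust, or Insecure for self-signed certs")
    except OSError as exc:
        result["detail"] = f"TCP connect to {host}:{port} failed (firewall?): {exc}"
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://appscan.your-company.com"
    ok, msg = check_url(target)
    print(f"URL check: {msg}")
    if ok:
        print(check_reachability(target))
```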
Scan Issues
| Issue | Resolution |
|---|---|
| No scan configurations listed | Ensure the service account has access to the target configurations |
| Scan not starting | Verify AppSpider scan engines are running and available |
| Empty results | Check that the scan completed in AppSpider and the report is available |
| Access denied | Ensure the account has the Scan Manager or Administrator role |
Best Practices
- Create a dedicated service account for the integration with only the required permissions.
- Use HTTPS for all AppSpider Pro API communications.
- Rotate credentials periodically and update the integration settings.
- Pre-configure scan configurations in AppSpider Pro to ensure consistent scanning behavior.
- Review and tune crawl configurations to cover all relevant application entry points.
Limitations
- AppSpider Pro must be accessible from the Invicti ASPM network.
- Concurrent scan capacity is limited by the AppSpider Pro license and available scan engines.
- Scan configurations must be pre-created in AppSpider Pro; they cannot be created from the Invicti ASPM integration.
- Username/password authentication is used; API token authentication is not supported.
