I’m trying out Akto on a web application with an API back-end and I’m trying to figure out how to remove out-of-scope endpoints that are being collected.
I’m using the Burp plugin to send traffic to Akto. I’ve enabled the plugin’s “In scope items only” option, but it’s still sending out-of-scope URLs.
I’ve also tried configuring “Default payloads” in Akto to exclude these URLs. For example, data.pendo.io is the domain I’d like excluded. So I added it as a “Default payload” with a matching pattern of .*. This didn’t seem to have any effect.
Next, I tried to remove the pendo endpoints from the API collections but there doesn’t seem to be any way to do this. I can only add them or remove them from groups. (Also, what happens when you remove an endpoint from “All Apis”? Where does it go?)
There’s now a mix of in-scope and out-of-scope API endpoints that have been auto-added to the API collections Akto ships by default. I can’t use these groups to run tests anymore because it will include out-of-scope APIs.
Why can’t I clean out out-of-scope endpoints from my inventory?
What about the entries that have already made it into the inventory? Is there any way to clean those up? Or do I have to delete the collection and re-import?
So, I followed your suggestions. In the Akto Burp extension, I used a filter to only display the hosts I’m interested in. Then I right-clicked and selected “Export entries to Akto”. (There is no “Send data to Akto” option.) This popped up a Save File dialog and exported the results as a HAR file.
This was unexpected because I thought it would continue to use the API. I went back to the “Quick Start” tab in Akto because I remembered there’s a HAR File Upload connector. The connector doesn’t actually have any upload functionality and directs me to the documentation:
The documentation appears to be out of date and there is no option in Akto anymore to upload the HAR file. (I’m using the Docker compose file to run Akto which uses local and latest tags.) Selecting my collection only produces the following options at the bottom of the table:
Remove collection
Export as CSV
Deactivate collection
Set ENV type
At this point I’m ready to give up, but I have two questions:
Have I fundamentally misunderstood how the inventory is supposed to be populated? Or am I using one of the more uncommon methods of populating the inventory?
I noticed the other connectors (Postman and OpenAPI) would produce a more refined inventory because they have been curated outside of Akto. Using the “traffic capture” connectors introduces too much noise unless you’re able to perform filtering before they submit their data to Akto.
I did not follow step 3 in the documentation here:
I don’t usually drop out-of-scope traffic completely in case I want to see those requests later. Instead, I use filters to hide them. Apparently you can’t do this because the Akto extension just sends everything, even though there’s a checkbox on the Options tab that reads “In scope items only”.
I’ve got my Burp project properly configured to drop all out-of-scope traffic now and it appears to be working well. Thanks for the help!
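One way to do the pre-submission filtering the thread describes, when the Burp extension has exported a HAR file: drop every HAR entry whose request host is out of scope before the file is uploaded. This is an added example, not code from the thread or from Akto; it assumes a hypothetical in-scope host api.example.com and uses data.pendo.io (from the thread) as the out-of-scope host, with a constructed minimal HAR embedded inline.

```python
import json
from urllib.parse import urlparse

# Constructed sample HAR (minimal HAR 1.2 shape) mixing an assumed in-scope
# host "api.example.com" with the out-of-scope analytics host from the thread.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {"request": {"method": "GET", "url": "https://api.example.com/v1/users"},
             "response": {"status": 200}},
            {"request": {"method": "POST", "url": "https://data.pendo.io/data/track"},
             "response": {"status": 200}},
            {"request": {"method": "GET", "url": "https://api.example.com/v1/orders?id=1"},
             "response": {"status": 200}},
        ],
    }
}


def host_of(entry):
    """Hostname (lower-cased, port stripped) of a HAR entry's request URL."""
    return (urlparse(entry["request"]["url"]).hostname or "").lower()


def in_scope(host, scope):
    """True when host equals an in-scope host or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in scope)


def filter_har(har, scope):
    """Return (filtered HAR, dropped-host counts), keeping only in-scope entries."""
    scope = {s.lower() for s in scope}
    kept, dropped = [], {}
    for entry in har["log"]["entries"]:
        host = host_of(entry)
        if in_scope(host, scope):
            kept.append(entry)
        else:
            dropped[host] = dropped.get(host, 0) + 1
    # Copy the log object so the caller's HAR is left untouched.
    return {"log": dict(har["log"], entries=kept)}, dropped


def filter_har_file(src, dst, scope):
    """Read a HAR file, drop out-of-scope entries, write the cleaned HAR to dst."""
    with open(src, encoding="utf-8") as f:
        har = json.load(f)
    new_har, dropped = filter_har(har, scope)
    with open(dst, "w", encoding="utf-8") as f:
        json.dump(new_har, f, indent=2)
    return dropped


if __name__ == "__main__":
    filtered, dropped = filter_har(SAMPLE_HAR, {"api.example.com"})
    print(len(filtered["log"]["entries"]), "entries kept; dropped:", dropped)
```

The dropped-host counts are worth reviewing before upload, since an unexpected host there usually means the Burp scope itself needs tightening.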