Conditional flows

You can execute and compare responses from multiple API calls in YAML tests

This instruction is required when you want to fire multiple API calls and compare their responses. A simple use case is testing for a username enumeration vulnerability using a password-reset endpoint.

To configure an Akto test YAML for multiple requests, set type: multiple

execute:
  type: multiple    # this means multiple requests are configured
  requests:
    - req:
        ...
    - req:
        ...

Instructions available -

For each request, you can now use

  • validate block to test for a certain response

  • success to specify which request to execute next if validate block returns true

  • failure to specify which request to execute next if validate block returns false

  • Anywhere, you can set success or failure as vulnerable (to mark a vulnerability) or exit

  • Requests are named x1, x2, etc. automatically. You can use these names to jump to a node on success or failure. You can also use them in data operators (e.g. the response payload of x1 should have length > 80 characters)

If success or failure isn't specified, we jump to the next request. If it's the last request, then we jump to the validate block of the test.

Example - Try a wrong password. If the API returns 4xx, then try with wrong usernames.

Next step -

Try with invalid usernames, and check if the response string is different. If they are different, then the application is vulnerable to username enumeration.
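The following is an added example, not Akto's engine or any YAML from this page: a small Python runner that implements the jump rules described above (automatic x1, x2 naming, per-request validate with success/failure targets, the vulnerable and exit terminals, and the fall-through to the test-level validate block after the last request). The flow it runs is the two-step username enumeration check just described, expressed as a Python dict instead of YAML. The login endpoint stubs and the field names username and password are constructed stand-ins, so the whole thing runs offline; the "hardened" stub shows the response shape that makes the test pass cleanly.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Response:
    status: int
    body: str


# Constructed stand-ins for the application under test (hypothetical login
# endpoint). Both hold one account; they differ only in how they fail.
_USERS = {"alice": "correct-horse"}


def vulnerable_login(req: dict) -> Response:
    """Leaks account existence: unknown users get a distinct message and status."""
    if req["username"] not in _USERS:
        return Response(404, "User does not exist")
    if _USERS[req["username"]] != req["password"]:
        return Response(401, "Incorrect password")
    return Response(200, "Welcome")


def hardened_login(req: dict) -> Response:
    """Same answer whether the username or the password is wrong."""
    if _USERS.get(req["username"]) != req["password"]:
        return Response(401, "Invalid username or password")
    return Response(200, "Welcome")


def run_flow(flow: dict, base_request: dict,
             send: Callable[[dict], Response], max_steps: int = 50) -> str:
    """Execute a multi-request flow and return "vulnerable" or "exit".

    Rules mirrored from the page: requests are named x1, x2, ... in order;
    each step may carry a validate callable and success/failure targets;
    a target is a node name ("x2"), "vulnerable" or "exit"; with no target
    we move to the next request, or to the flow-level validate block if
    this was the last request.
    """
    requests = flow["requests"]
    responses: Dict[str, Response] = {}
    idx = 0
    for _ in range(max_steps):          # guard against a flow that loops on itself
        step = requests[idx]
        name = f"x{idx + 1}"
        req = dict(base_request)
        req.update(step.get("modify_body", {}))
        responses[name] = send(req)

        check: Optional[Callable[[Response], bool]] = step.get("validate")
        passed = True if check is None else check(responses[name])
        target = step.get("success" if passed else "failure")

        if target is None:
            if idx + 1 < len(requests):
                idx += 1
                continue
            # Last request: fall through to the test-level validate block.
            return "vulnerable" if flow["validate"](responses) else "exit"
        if target in ("vulnerable", "exit"):
            return target
        idx = int(target[1:]) - 1       # jump to a named node such as "x2"
    return "exit"                       # step budget exhausted: treat as inconclusive


# The page's example as a flow: x1 sends a wrong password and must get a 4xx,
# otherwise we stop; x2 sends an invalid username; the flow-level validate
# then compares the two response strings.
BASE_LOGIN = {"username": "alice", "password": "correct-horse"}   # constructed

USERNAME_ENUM_FLOW = {
    "requests": [
        {
            "modify_body": {"password": "definitely-wrong"},
            "validate": lambda r: 400 <= r.status < 500,
            "success": "x2",
            "failure": "exit",
        },
        {
            # no validate/success/failure: last request, so the flow-level
            # validate block decides
            "modify_body": {"username": "no-such-user-7f3a"},
        },
    ],
    # data-operator equivalent of "response string of x1 differs from x2"
    "validate": lambda rs: rs["x1"].body != rs["x2"].body,
}


if __name__ == "__main__":
    for label, target in (("vulnerable app", vulnerable_login),
                          ("hardened app", hardened_login)):
        print(f"{label}: {run_flow(USERNAME_ENUM_FLOW, BASE_LOGIN, target)}")
```

Against the vulnerable stub the flow reaches the final validate block with "Incorrect password" and "User does not exist" and reports vulnerable; against the hardened stub both responses read "Invalid username or password" and the flow exits. A target that answers the wrong-password request with 2xx never reaches x2, because x1's failure branch is set to exit.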

Complete YAML -
