Akto for E-Commerce
What middleBrick covers
- Black-box scanning with no agents or SDK dependencies
- Scan time under one minute for most APIs
- 12 OWASP-aligned risk categories with prioritized findings
- OpenAPI 3.0/3.1 and Swagger 2.0 contract validation
- Authenticated scans with strict header allowlisting
- Continuous monitoring and trend tracking across scans
API Security Posture For E-Commerce Workloads
E-commerce APIs handle payment flows, inventory checks, and customer data across public and internal boundaries. Attack surfaces include checkout endpoints, authentication callbacks, and third-party integrations. This scanner evaluates runtime behavior without requiring code or infrastructure changes, providing an independent view of how your APIs appear to an external attacker.
Detection Coverage Against Common API Risks
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023), focusing on risks prevalent in e-commerce environments:
- Access control findings: authentication bypass attempts, IDOR through sequential ID probing, privilege escalation via admin endpoint discovery, and over-exposed object properties that may reveal internal fields or permit mass assignment.
- Input validation checks: CORS wildcards combined with credentials, dangerous HTTP methods, and debug endpoints.
- Rate limiting and resource consumption probes: missing or permissive limits, oversized responses, and unpaginated arrays.
- Data exposure detection: PII patterns such as email addresses, Luhn-validated card numbers, context-aware SSN formats, and API key formats including AWS, Stripe, and GitHub.
- Encryption checks: HTTPS redirects, HSTS presence, cookie flags, and mixed content issues.
- SSRF probes: URL-accepting parameters and body fields, including attempts to identify internal IP ranges and filter bypass mechanisms.
- Inventory management checks: missing versioning and legacy path patterns.
- Unsafe consumption checks: excessive third-party URLs and webhook callback exposure.
- LLM and AI security testing: 18 adversarial probes across Quick, Standard, and Deep tiers, covering system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, injection techniques, and token smuggling.
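Two of the checks above, data exposure (Luhn-validated card numbers and e-mail addresses in a response body) and the CORS wildcard-plus-credentials misconfiguration, are small enough to show end to end. The following is an added example written for this page, not middleBrick's own code; the sample response headers and body are constructed, and the masking format for a detected card number is an assumption.

```python
import re

# Constructed sample API response (not captured from any real system): one
# Luhn-valid test PAN, one e-mail address, and a 13-digit order reference that
# looks like a card number but fails the Luhn check.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
SAMPLE_BODY = (
    '{"customer":{"email":"jane@example.com","card":"4111 1111 1111 1111"},'
    '"order":{"ref":"1234567890123"}}'
)

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the BIN (first 6) and last 4 so a finding is actionable without storing the PAN.
    The masking layout is an assumption of this example."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text: str) -> list[str]:
    """Return masked Luhn-valid card numbers; digit runs failing Luhn are ignored."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def check_cors(headers: dict) -> list[str]:
    """Flag a wildcard origin served together with Access-Control-Allow-Credentials: true."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials") == "true"):
        return ["Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true"]
    return []


def scan_response(headers: dict, body: str) -> dict:
    """Run the data-exposure and CORS checks over one captured response."""
    return {
        "cards": find_card_numbers(body),
        "emails": EMAIL.findall(body),
        "cors": check_cors(headers),
    }


if __name__ == "__main__":
    print(scan_response(SAMPLE_HEADERS, SAMPLE_BODY))
```

The Luhn filter is what keeps order references, SKUs and tracking numbers out of the card findings, and reporting a masked value rather than the full PAN keeps the scan output itself from becoming a data-exposure problem. Browsers refuse to honour `*` together with credentials, so that combination is a misconfiguration signal worth fixing before someone loosens it further rather than a directly exploitable hole.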
OpenAPI Contract Validation
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution. It cross-references the specification against runtime behavior to highlight undefined security schemes, sensitive fields exposed by the spec, deprecated operations, and missing pagination controls. This helps identify discrepancies between documented contracts and actual implementation, which is critical for maintaining reliable integrations with payment providers and marketplaces.
Authenticated Scanning And Access Controls
Authenticated scans support Bearer tokens, API keys, Basic auth, and cookies. Domain verification requires a DNS TXT record or an HTTP well-known file to ensure only the domain owner can submit credentials. When credentials are provided, the scanner forwards only a restricted allowlist of headers (Authorization, X-API-Key, Cookie, and X-Custom-*) to limit exposure. Read-only methods such as GET and HEAD are used, with text-only POST allowed for LLM probes. The scanner does not execute destructive payloads, and private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers.
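The header allowlist, the read-only method restriction and the private-address block are the three safety controls a scanner of this kind needs before it sends a single authenticated request. The snippet below is an added example for this page, not middleBrick's implementation; the set of blocked hostnames and the exact error messages are assumptions, and hostname-to-address resolution (the "other layers" the page refers to) is deliberately left to the caller.

```python
import ipaddress
from urllib.parse import urlsplit

# Header allowlist as described on the page; everything else the user supplies is dropped.
ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIXES = ("x-custom-",)
# Read-only methods; POST is reserved for the text-only LLM probes and is not handled here.
SAFE_METHODS = {"GET", "HEAD"}
# Hostnames refused outright (assumption: a small alias list for local/metadata names).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata", "instance-data"}


def filter_headers(user_headers: dict) -> dict:
    """Keep only allowlisted credential headers; names compare case-insensitively."""
    kept = {}
    for name, value in user_headers.items():
        lname = name.lower()
        if lname in ALLOWED_HEADERS or lname.startswith(ALLOWED_PREFIXES):
            kept[name] = value
    return kept


def is_blocked_target(host: str) -> bool:
    """True for loopback, private, link-local (which covers 169.254.169.254), multicast,
    reserved and unspecified addresses, and for well-known local hostnames."""
    h = host.strip("[]").lower().rstrip(".")
    if h in BLOCKED_HOSTNAMES or h.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        # A hostname: the caller must repeat this check on every address it resolves to
        # and on every redirect target, otherwise the block is trivially sidestepped.
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is judged as the IPv4 address it wraps
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def prepare_request(method: str, url: str, user_headers: dict) -> dict:
    """Validate method and target, then attach only the allowlisted headers."""
    method = method.upper()
    if method not in SAFE_METHODS:
        raise ValueError(f"method {method} is not read-only")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("target must be an absolute http(s) URL")
    if is_blocked_target(parts.hostname):
        raise ValueError(f"target host {parts.hostname} is blocked")
    return {"method": method, "url": url, "headers": filter_headers(user_headers)}


if __name__ == "__main__":
    print(prepare_request("GET", "https://api.example.com/orders",
                          {"Authorization": "Bearer t", "X-Forwarded-For": "1.2.3.4"}))
```

The allowlist works by header name only, so a user cannot smuggle a Host override or an X-Forwarded-For value through the credential path. Checking the literal hostname is necessary but not sufficient: a public name that resolves to 10.0.0.5, or a 302 to the metadata address, passes this function, which is why the page speaks of blocking at multiple layers.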
Product Capabilities And Integrations
The Web Dashboard centralizes scan results, score trends, and remediation guidance, with the option to generate branded compliance PDFs. The CLI enables on-demand scans via a command such as middlebrick scan https://api.example.com, with JSON or text output options. A GitHub Action can enforce quality gates in CI/CD pipelines, failing builds when scores drop below defined thresholds. The MCP Server allows scanning from AI coding assistants, and the API client supports custom integrations for automated workflows. Continuous monitoring options include scheduled rescans every six hours, daily, weekly, or monthly, with diff detection for new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256-signed webhooks can be configured with auto-disable after five consecutive failures.
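Receiving HMAC-SHA256-signed webhooks only protects you if the receiver actually verifies them, and the five-failure auto-disable is simple enough to model alongside it. The following is an added example for this page, not middleBrick's code: the page does not specify the wire format, so the header names, the "timestamp.body" message layout and the 300-second replay window are assumptions, and the secret and event payload are constructed.

```python
import hashlib
import hmac
import json
import time

# Assumed wire format (not specified on the page): the signed message is
# "<unix timestamp>.<raw body>", carried in two headers.
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # assumed replay window


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over the timestamp-prefixed raw body, hex encoded."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def build_delivery(secret: bytes, event: dict, now: int) -> tuple[dict, bytes]:
    """Sender side: serialise the event canonically and attach timestamp + signature headers."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return {TS_HEADER: str(now), SIG_HEADER: sign(secret, now, body)}, body


def verify_delivery(secret: bytes, headers: dict, body: bytes, now: int) -> bool:
    """Receiver side: reject missing or stale timestamps, then compare digests in
    constant time over the raw bytes as received (never over re-serialised JSON)."""
    try:
        ts = int(headers.get(TS_HEADER, ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign(secret, ts, body), headers.get(SIG_HEADER, ""))


class WebhookEndpoint:
    """Sender-side delivery state: disable after N consecutive failures, reset on success."""

    def __init__(self, url: str, max_failures: int = 5):
        self.url = url
        self.max_failures = max_failures
        self.consecutive_failures = 0
        self.enabled = True

    def record(self, delivered: bool) -> bool:
        """Record one delivery attempt; returns whether the endpoint is still enabled."""
        if not self.enabled:
            return False
        if delivered:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.max_failures:
                self.enabled = False
        return self.enabled


if __name__ == "__main__":
    secret = b"constructed-test-secret"
    now = int(time.time())
    headers, body = build_delivery(secret, {"api": "https://api.example.com", "score": 71}, now)
    print(verify_delivery(secret, headers, body, now))  # True for an untampered delivery
```

Two details matter on the receiving side: the signature must be computed over the exact bytes on the wire, because re-encoding JSON changes whitespace and key order and will fail verification even for genuine deliveries, and the comparison must use `hmac.compare_digest` so a byte-by-byte early exit cannot leak how much of the signature matched.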