APIsec as an API pentesting tool
What middleBrick covers
- Black-box API scanning that completes in under one minute
- Risk scoring and prioritized findings for quick triage
- Detection aligned to OWASP API Top 10, PCI-DSS 4.0, SOC 2
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scans with header allowlist and domain verification
- Continuous monitoring with diff detection and webhook alerts
Scope and approach of API security testing
This tool performs black-box API scanning. It does not require code access, agents, or SDK integration. You submit an API endpoint and receive a risk score with prioritized findings in under a minute. The scanner uses read-only methods (GET and HEAD), plus text-only POST requests for the LLM probes, so it applies to any language, framework, or cloud environment.
Detection coverage aligned to industry standards
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023). It maps findings to PCI-DSS 4.0 and SOC 2 Type II controls where applicable. Detection capabilities include:
- Authentication bypass, JWT misconfigurations such as alg=none and expired tokens, and security header compliance
- BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing
- BFLA and privilege escalation through admin endpoint discovery and role/permission leakage
- Property over-exposure and mass-assignment surfaces
- Input validation issues including CORS wildcard usage and dangerous HTTP methods
- Rate limiting detection via header analysis and oversized response handling
- Data exposure using pattern recognition for PII, credit card Luhn checks, API key formats, and error leakage
- Encryption checks for HTTPS redirects, HSTS, and cookie attributes
- SSRF indicators involving URL parameters, internal IP detection, and IP-bypass probes
- Inventory issues such as missing versioning and server fingerprinting
- Unsafe consumption surfaces including excessive third-party URLs and webhook endpoints
- LLM/AI security with adversarial probes across Quick, Standard, and Deep tiers covering jailbreaks, data exfiltration, and token smuggling
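The following is an added example, not middleBrick's own code, showing how several of the passive checks listed above (missing HSTS, cookie attributes, CORS wildcard with credentials, server version fingerprinting, Luhn-validated card numbers, and alg=none JWTs) can be run over a single captured HTTP response. The sample response, the finding labels and the severities are this example's own constructions; the page does not specify middleBrick's internal scoring.

```python
"""Passive, read-only checks over one captured HTTP response.

Added example, not middleBrick's code: the sample response, finding labels and
severities are constructed here; the checks follow the categories listed above.
"""
import base64
import json
import re
from dataclasses import dataclass


@dataclass
class Finding:
    category: str
    severity: str
    detail: str


def b64url(obj) -> str:
    """Base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: an unsigned JWT (alg=none) and a response that leaks it
UNSIGNED_JWT = f"{b64url({'alg': 'none'})}.{b64url({'sub': '42'})}."
SAMPLE_RESPONSE = {
    "url": "https://api.example.test/v1/users/42",
    "status": 200,
    "headers": {  # names lower-cased; multiple Set-Cookie values would be joined by "\n"
        "content-type": "application/json",
        "access-control-allow-origin": "*",
        "access-control-allow-credentials": "true",
        "set-cookie": "session=abc123; Path=/",
        "server": "Apache/2.4.41 (Ubuntu)",
    },
    "body": json.dumps({
        "id": 42,
        "card": "4111 1111 1111 1111",      # test PAN that passes Luhn
        "order_ref": "1234 5678 9012 3456",  # digit run that fails Luhn, so not flagged
        "token": UNSIGNED_JWT,
    }),
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*")
VERSION_RE = re.compile(r"\d+\.\d+")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; separates card-like numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def jwt_alg(token: str):
    """Return the alg claimed in a JWT header, or None if the header is unreadable."""
    header = token.split(".")[0]
    try:
        decoded = base64.urlsafe_b64decode(header + "=" * (-len(header) % 4))
        return json.loads(decoded).get("alg")
    except (ValueError, AttributeError):
        return None


def analyze(resp: dict) -> list:
    """Run every check and return the findings for one response."""
    h = {k.lower(): v for k, v in resp["headers"].items()}
    out = []
    if resp["url"].startswith("https://") and "strict-transport-security" not in h:
        out.append(Finding("Encryption", "medium", "HSTS header missing"))
    if h.get("access-control-allow-origin") == "*":
        sev = "high" if h.get("access-control-allow-credentials") == "true" else "low"
        out.append(Finding("Input validation", sev, "CORS wildcard origin"))
    for cookie in filter(None, h.get("set-cookie", "").split("\n")):
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        name = cookie.split("=")[0]
        for want in ("secure", "httponly"):
            if want not in attrs:
                out.append(Finding("Encryption", "medium", f"cookie {name} lacks {want}"))
    if VERSION_RE.search(h.get("server", "")):
        out.append(Finding("Inventory", "low", "server header reveals version"))
    for m in CARD_RE.finditer(resp["body"]):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            out.append(Finding("Data exposure", "high", f"card number ending {digits[-4:]}"))
    for m in JWT_RE.finditer(resp["body"]):
        if jwt_alg(m.group()) == "none":
            out.append(Finding("Authentication", "high", "JWT with alg=none in response"))
    return out


if __name__ == "__main__":
    for f in analyze(SAMPLE_RESPONSE):
        print(f"[{f.severity}] {f.category}: {f.detail}")
```

Every check here reads a response the scanner already has; none sends an extra request. The Luhn filter is what keeps a 16-digit order reference from being reported as a card number, and the JWT check decodes only the header segment, so it never needs the signing key.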
OpenAPI analysis and authenticated scanning
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, Bearer tokens, API keys, Basic auth, and cookies are supported after domain verification via DNS TXT or HTTP well-known file. Only a limited set of headers is forwarded, and only the domain owner can scan with credentials.
Continuous monitoring and integrations
Pro tier features scheduled rescans every 6 hours, daily, weekly, or monthly. It provides diff detection across scans to surface new findings, resolved findings, and score drift. Alerts include email notifications, rate-limited to one per hour per API, and HMAC-SHA256-signed webhooks that are automatically disabled after five consecutive delivery failures. Integration options include a web dashboard for reporting and trends, a CLI with JSON and text output, a GitHub Action for CI/CD gating, an MCP server for AI coding assistants, and a programmatic API for custom workflows.
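An HMAC-SHA256 signature on a webhook only helps if the receiving endpoint verifies it before acting on the payload. The following is an added example of that receiver-side check, not middleBrick's code: the page says only that webhooks are HMAC-SHA256 signed, so the header name, the `t=<unix ts>,v1=<hex>` layout, the signed string (timestamp, a dot, then the raw body) and the five-minute freshness window are this example's assumptions, modelled on common webhook schemes. The diff-style payload is constructed.

```python
"""Receiver-side verification of an HMAC-SHA256-signed webhook.

Added example, not middleBrick's code. Header name, signature layout, signed
string and tolerance window are assumptions; the delivery payload is constructed.
"""
import hashlib
import hmac
import json
import time

SIG_HEADER = "X-Webhook-Signature"   # assumed header name
TOLERANCE_SECONDS = 300              # assumed replay window


def sign(secret: bytes, body: bytes, ts: int) -> str:
    """Produce the header value a sender would attach (assumed layout)."""
    digest = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={digest}"


def verify(secret: bytes, body: bytes, header: str, now: int = None) -> bool:
    """True only if the signature matches the raw body and the timestamp is fresh."""
    now = int(time.time()) if now is None else now
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    try:
        ts = int(parts["t"])
        given = parts["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False   # stale or badly skewed: treat as a replay
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time
    return hmac.compare_digest(expected, given)


# Constructed sample delivery: a diff-style alert after a rescan
SECRET = b"constructed-shared-secret"
PAYLOAD = json.dumps({"api": "https://api.example.test", "score_delta": -12,
                      "new_findings": 2, "resolved_findings": 0}).encode()
SENT_AT = 1_700_000_000
HEADER = sign(SECRET, PAYLOAD, SENT_AT)


def handle_delivery(body: bytes, header: str, now: int) -> dict:
    """What the endpoint does: verify over the raw bytes before parsing the JSON."""
    if not verify(SECRET, body, header, now):
        return {"accepted": False}
    event = json.loads(body)
    return {"accepted": True, "new_findings": event["new_findings"]}


if __name__ == "__main__":
    print(handle_delivery(PAYLOAD, HEADER, SENT_AT + 5))
    print(handle_delivery(PAYLOAD + b" ", HEADER, SENT_AT + 5))   # tampered body
    print(handle_delivery(PAYLOAD, HEADER, SENT_AT + 3600))       # replayed an hour later
```

Verification runs over the raw request bytes, not over re-serialized JSON, because any whitespace or key-order change would alter the digest. The timestamp inside the signed string means an attacker who captures one valid delivery cannot re-send it indefinitely, which is the failure mode a bare body HMAC leaves open.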
Limitations and safety posture
The tool does not fix, patch, block, or remediate issues; it provides detection and guidance only. It does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, and does not perform blind SSRF testing. It cannot replace a human pentester for high-stakes audits. Safety measures include the use of read-only methods only; blocking of private IPs, localhost, and cloud metadata endpoints; and customer data deletion on demand, within 30 days of cancellation.