APIsec for API marketplaces

API marketplaces aggregate endpoints from multiple providers, exposing a broad attack surface through authentication, rate limits, and data handling. The scanner evaluates common risks such as weak authentication schemes, excessive data exposure, and unsafe consumption patterns across marketplace APIs. Findings are mapped to OWASP API Top 10 (2023) to highlight issues that commonly affect shared API infrastructures.

Authentication issues are detected across multiple methods, including Bearer tokens, API keys, Basic auth, and cookies. The scanner identifies JWT misconfigurations such as alg=none, weak algorithms, expired tokens, missing claims, and sensitive data in claims. It also checks security headers and WWW-Authenticate compliance. Authorization checks include BOLA and IDOR via sequential ID enumeration and adjacent ID probing, along with BFLA and privilege escalation through admin endpoint probing and role/permission field leakage. Property authorization risks are assessed by detecting over-exposure, internal field leakage, and mass-assignment surfaces. Authenticated scanning requires domain verification and restricts forwarded headers to minimize impact.

Input validation checks include dangerous HTTP methods, CORS wildcard usage with and without credentials, and debug endpoints. Data exposure detection covers PII patterns such as email addresses, Luhn-validated card numbers, context-aware SSNs, and API key formats for AWS, Stripe, GitHub, and Slack. Error and stack-trace leakage is also flagged. The scanner identifies SSRF indicators like URL-accepting parameters and body fields, internal IP detection mechanisms, and active IP-bypass probes. These checks help surface configuration issues that commonly appear in marketplace integrations.

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 specifications with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. This approach supports audit evidence for controls described in SOC 2 Type II and PCI-DSS 4.0, while aligning with security practices relevant to other regulatory frameworks through alignment language rather than compliance guarantees.

LLM and AI security coverage includes 18 adversarial probe types across Quick, Standard, and Deep scan tiers, targeting system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, prompt injection variants, token smuggling, tool abuse, nested instruction injection, and PII extraction. Continuous monitoring options provide scheduled rescans, diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks with auto-disable after repeated failures. Scan data is deletable on demand and never used for model training.