APIsec for backend engineers
What middleBrick covers
- Black-box scanning with read-only GET and HEAD methods (text-only POST is used only for LLM probes)
- Risk scoring from A to F with prioritized findings
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scans with header allowlist and domain verification
- Continuous monitoring with diff detection and webhook alerts
- CI/CD integration via GitHub Action and MCP server support
Purpose and workflow for backend engineers
This tool is designed for backend engineers who need to validate API surface area without integrating an agent into their stack. You submit a target URL, receive a risk score from A to F, and get a prioritized list of findings. The scanner operates as a read-only black-box system, using only GET and HEAD requests plus text-only POST for LLM probes, and completes a scan in under one minute.
Detection scope aligned to industry standards
The scanner evaluates 12 categories aligned to the OWASP API Security Top 10 (2023):
- Authentication: bypasses and JWT misconfigurations, including alg=none, HS256 (shared-secret) signing, expired tokens, missing claims, and sensitive data carried in claims
- BOLA/IDOR: sequential ID enumeration and active adjacent-ID probing
- BFLA and privilege escalation: admin endpoint probing and role/permission field leakage
- Property-level authorization: over-exposure of object properties
- Input validation issues such as CORS wildcards and dangerous HTTP methods
- Rate limiting and resource consumption signals
- Data exposure: PII patterns and API key formats
- Encryption hygiene
- SSRF indicators
- Inventory management gaps
- Unsafe consumption surfaces
- LLM/AI security probes, run across tiered scan depths
Where applicable, findings map to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).
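The JWT checks listed above are passive: a scanner with only read-only access can decode a token it is given and reason about the header and claims without ever verifying the signature. The following is an added example of that inspection logic, written for this page and not taken from middleBrick. The claim names treated as sensitive, the required-claim set, and the finding labels are illustrative choices; the sample tokens are constructed with placeholder signatures and are useless against any server.

```python
import base64
import json
import time

# Illustrative sets; the scanner's own lists are not published on this page.
SENSITIVE_CLAIMS = {"password", "ssn", "secret", "credit_card", "email"}
REQUIRED_CLAIMS = {"sub", "iat", "exp"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_sample_jwt(header: dict, payload: dict) -> str:
    """Build a constructed token for testing. The signature segment is a
    placeholder (empty for alg=none), never a real MAC."""
    sig = "" if str(header.get("alg", "")).lower() == "none" else "placeholder-signature"
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), sig])


def inspect_jwt(token: str, now=None) -> list:
    """Passive inspection: decode header and payload without verifying the
    signature and return finding labels in a fixed order."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed-jwt"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON are all ValueError subclasses
        return ["malformed-jwt"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["malformed-jwt"]

    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        findings.append("alg-none")          # unsigned token; critical if the server honours it
    elif alg == "hs256":
        findings.append("symmetric-hs256")   # shared secret: every verifier can also mint tokens
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("expired")
    for claim in sorted(REQUIRED_CLAIMS - set(payload)):
        findings.append(f"missing-claim:{claim}")
    for claim in payload:
        if claim.lower() in SENSITIVE_CLAIMS:
            findings.append(f"sensitive-claim:{claim}")
    return findings


# Constructed sample tokens (not real credentials).
ALG_NONE_TOKEN = make_sample_jwt(
    {"alg": "none", "typ": "JWT"},
    {"sub": "42", "iat": 1700000000, "exp": 1700003600, "email": "alice@example.com"})
HS256_TOKEN = make_sample_jwt({"alg": "HS256", "typ": "JWT"}, {"sub": "7", "role": "admin"})
RS256_TOKEN = make_sample_jwt({"alg": "RS256", "typ": "JWT"},
                              {"sub": "1", "iat": 1700000000, "exp": 1700003600})
```

Because the signature is never checked, every label here is a signal rather than proof: alg=none only matters if the server accepts such a token, and HS256 is a risk indicator (a single shared secret) rather than a defect in itself. A scanner that wants to confirm alg=none acceptance needs a follow-up request, which is where read-only constraints start to bite.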
OpenAPI analysis and authenticated scanning
The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 files with recursive $ref resolution, cross-referencing spec definitions against runtime behavior to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, supported methods include Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file so that only the domain owner can submit credentials. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.
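The spec-side half of that analysis can be shown offline. Below is an added example, written for this page rather than taken from middleBrick, of recursive local $ref resolution with a cycle guard, followed by the four static checks named above (undefined security schemes, sensitive fields in 2xx responses, deprecated operations, and collection GETs without pagination parameters). The OpenAPI 3.1 fragment is constructed, the sensitive-field and pagination-parameter lists are illustrative, and remote or file-based $ref values are deliberately out of scope.

```python
# Constructed OpenAPI 3.1 fragment used as input; not a real API.
SAMPLE_SPEC = {
    "openapi": "3.1.0",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "password": {"type": "string"},
                "manager": {"$ref": "#/components/schemas/User"},  # self-reference
            }},
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
        },
    },
    "paths": {
        "/users": {"get": {
            "security": [{"bearerAuth": []}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/UserList"}}}}},
        }},
        "/users/{id}": {"get": {
            "deprecated": True,
            "security": [{"apiKeyAuth": []}],  # never declared in components
            "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/User"}}}}},
        }},
    },
}

SENSITIVE_FIELDS = {"password", "ssn", "secret", "token", "credit_card"}  # illustrative
PAGINATION_PARAMS = {"page", "limit", "offset", "cursor", "page_size", "per_page"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}


def resolve_ref(spec, ref):
    """Follow a local JSON pointer such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local $ref values are handled here: {ref}")
    node = spec
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def deref(spec, node, seen=frozenset()):
    """Inline $ref targets recursively. A ref already on the current path is
    replaced by a marker so self-referential schemas terminate."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {"$circular": ref}
            return deref(spec, resolve_ref(spec, ref), seen | {ref})
        return {k: deref(spec, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [deref(spec, v, seen) for v in node]
    return node


def sensitive_props(schema, found=None):
    """Collect property names in a dereferenced schema that look sensitive."""
    found = set() if found is None else found
    if not isinstance(schema, dict):
        return found
    for name, sub in schema.get("properties", {}).items():
        if name.lower() in SENSITIVE_FIELDS:
            found.add(name)
        sensitive_props(sub, found)
    if "items" in schema:
        sensitive_props(schema["items"], found)
    for key in ("allOf", "oneOf", "anyOf"):
        for sub in schema.get(key, []):
            sensitive_props(sub, found)
    return found


def analyze_spec(spec):
    """Static checks over the spec alone; no runtime requests are made."""
    findings = []
    schemes = set(spec.get("components", {}).get("securitySchemes", {}))
    for path, item in spec.get("paths", {}).items():
        item = deref(spec, item)
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            opid = f"{method.upper()} {path}"
            if op.get("deprecated"):
                findings.append(f"deprecated-operation:{opid}")
            for requirement in op.get("security", spec.get("security", [])):
                for name in requirement:
                    if name not in schemes:
                        findings.append(f"undefined-security-scheme:{opid}:{name}")
            query = {p.get("name") for p in item.get("parameters", []) + op.get("parameters", [])
                     if p.get("in") == "query"}
            for code, resp in op.get("responses", {}).items():
                if not str(code).startswith("2"):
                    continue
                for media in resp.get("content", {}).values():
                    schema = media.get("schema", {})
                    for field in sorted(sensitive_props(schema)):
                        findings.append(f"sensitive-field:{opid}:{field}")
                    # GET on a collection path returning an array, with no paging parameter
                    if (method == "get" and schema.get("type") == "array"
                            and not path.endswith("}") and not (query & PAGINATION_PARAMS)):
                        findings.append(f"missing-pagination:{opid}")
    return findings
```

The cycle guard matters in practice: real specs routinely contain self-referential schemas (trees, "parent" links), and a naive resolver recurses until the stack overflows. The runtime cross-reference the page describes (comparing these declared operations with what the server actually answers) is the part this example does not cover.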
Continuous monitoring and integration options
Pro tier enables scheduled rescans every six hours, daily, weekly, or monthly, with diff detection across scans to surface new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API, and webhooks are HMAC-SHA256 signed and can be configured to auto-disable after five consecutive delivery failures. Integration paths include a web dashboard for managing scans and reports, a CLI via an npm package with JSON or text output, a GitHub Action that can fail CI/CD builds when scores drop below a threshold, an MCP server for AI coding assistants, and a programmable API for custom workflows.
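The page states that webhooks are HMAC-SHA256 signed but does not document the header name or signature layout, so the receiver-side check below is an added example with an assumed format rather than middleBrick's own code: a hypothetical header of the form t=<unix seconds>,v1=<hex HMAC-SHA256>, with the timestamp bound into the MAC and a freshness window to defeat replay. The scan diff that feeds the alert (new, resolved, score drift) is included so the payload being signed is the one the monitoring section describes; the scan results and secret are constructed.

```python
import hashlib
import hmac
import json
import time


def diff_scans(previous: dict, current: dict) -> dict:
    """Diff two scan results. Constructed shape: {'score': 'B', 'findings': [ids]}."""
    prev_ids, curr_ids = set(previous["findings"]), set(current["findings"])
    drift = None if previous["score"] == current["score"] else f'{previous["score"]}->{current["score"]}'
    return {"new": sorted(curr_ids - prev_ids), "resolved": sorted(prev_ids - curr_ids), "score_drift": drift}


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    """Sender side. Assumed header format: 't=<unix seconds>,v1=<hex HMAC-SHA256>'.
    The timestamp is part of the MAC input, so a captured delivery cannot be replayed later
    with a fresh timestamp."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_webhook(secret: bytes, body: bytes, header: str, now=None, tolerance: int = 300) -> bool:
    """Receiver side: parse the header, reject stale timestamps, compare MACs in constant time.
    Always verify over the raw request bytes, never over a re-serialised JSON object."""
    now = int(time.time()) if now is None else now
    try:
        fields = dict(kv.split("=", 1) for kv in header.split(","))
        ts, sig = int(fields["t"]), fields["v1"]
    except (ValueError, KeyError):
        return False
    if abs(now - ts) > tolerance:
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def build_alert(previous: dict, current: dict, secret: bytes, timestamp: int):
    """Compose the diff payload and its signature header, as the sender would."""
    body = json.dumps({"api": current["api"], "diff": diff_scans(previous, current)}, sort_keys=True).encode()
    return body, sign_webhook(secret, body, timestamp)


# Constructed sample scans and secret (not real data).
PREVIOUS = {"api": "https://api.example.com", "score": "B", "findings": ["jwt-alg-none", "cors-wildcard"]}
CURRENT = {"api": "https://api.example.com", "score": "C", "findings": ["cors-wildcard", "ssrf-indicator"]}
SECRET = b"whsec_example_not_a_real_secret"
```

Two receiver-side details are easy to get wrong: the comparison must be hmac.compare_digest (a plain == leaks timing), and the MAC must cover the bytes as received, because any JSON re-encoding (key order, whitespace, float formatting) changes the digest and produces spurious failures, which in turn trips the five-failure auto-disable.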
Limitations and safety posture
The scanner does not fix, patch, block, or remediate issues; it detects, reports, and supplies remediation guidance. It does not perform active SQL injection or command injection, does not detect business logic vulnerabilities, does not perform blind SSRF testing, and does not replace a human pentester for high-stakes audits. Safety measures include restricting scans to read-only methods, blocking destructive payloads, and refusing targets that point at private IP ranges, localhost, or cloud metadata endpoints, enforced at multiple layers. Customer data can be deleted on demand, is purged within 30 days of cancellation, and is never sold or used for model training.
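The target guard is the one safety measure worth seeing in code, because a scanner that accepts arbitrary URLs is itself an SSRF proxy into whatever network it runs in. The following is an added example, not middleBrick's implementation, of the two layers a practitioner would expect: a hostname check (localhost, metadata hostnames, non-HTTP schemes) and a check of every address the name resolves to, with IPv4-mapped IPv6 unwrapped so ::ffff:127.0.0.1 is judged as 127.0.0.1. The resolver is injected and the DNS answers are constructed so the code runs offline; the metadata endpoints listed are the well-known 169.254.169.254 (IMDS), fd00:ec2::254 (IMDS over IPv6) and metadata.google.internal.

```python
import ipaddress
from urllib.parse import urlsplit

# Cloud metadata endpoints a scanner must never be pointed at, whatever DNS says.
METADATA_HOSTS = {"metadata.google.internal"}
METADATA_IPS = {ipaddress.ip_address("169.254.169.254"), ipaddress.ip_address("fd00:ec2::254")}


def is_blocked_ip(addr: str) -> bool:
    """True for loopback, private, link-local, reserved, CGNAT and metadata addresses."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its embedded IPv4 address
    return (not ip.is_global) or ip in METADATA_IPS


def check_target(url: str, resolver) -> tuple:
    """Layer 1: scheme and hostname. Layer 2: every address the name resolves to.
    `resolver(host) -> [ip strings]` is injected so this runs offline; in production use the
    same lookup the HTTP client will use and pin the connection to the checked address,
    otherwise a DNS rebinding between check and connect defeats the guard."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme-not-allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no-host"
    if host == "localhost" or host.endswith(".localhost") or host in METADATA_HOSTS:
        return False, "blocked-hostname"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        addrs = list(resolver(host))
    if not addrs:
        return False, "unresolvable"
    for addr in addrs:  # one internal answer among several is enough to refuse
        if is_blocked_ip(addr):
            return False, f"blocked-address:{addr}"
    return True, "ok"


# Constructed DNS answers so the example runs without network access.
FAKE_DNS = {
    "api.example.com": ["8.8.8.8"],                       # ordinary public address
    "intranet.example.com": ["10.0.0.5"],
    "mixed.example.com": ["8.8.8.8", "169.254.169.254"],  # one public, one metadata answer
}


def fake_resolver(host: str):
    return FAKE_DNS.get(host, [])
```

A third layer, checking the peer address of the socket actually opened and refusing to follow redirects to an unchecked host, is what turns "multiple layers" into a real guarantee; it depends on the HTTP client in use and is not shown here.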