Akto for Backend-for-Frontend (BFF)
What middleBrick covers
- Black-box scanning of BFF endpoints without agents or SDK
- Risk scoring with prioritized findings and remediation guidance
- OWASP API Top 10 (2023) and PCI-DSS 4.0 mapping
- OpenAPI 3.x and Swagger 2.0 contract analysis
- Authenticated scans with strict header allowlist
- Continuous monitoring and diff detection for score trends
API security posture for BFF architectures
Backend-for-Frontend (BFF) patterns consolidate multiple backend services into a facade that exposes a tailored API to web and mobile clients. This consolidation reduces chatty interactions but concentrates risk at the edge. The surface becomes a high-value target for enumeration, data overfetching, and authorization bypass. This tool scans the public endpoints of a BFF to map the effective exposure and detect weak authentication, excessive data exposure, and insecure composition across the underlying services.
Detection coverage aligned to OWASP API Top 10
The scanner evaluates BFF APIs against the 2023 OWASP API Top 10 using black-box probes. Detection covers authentication issues such as JWT misconfigurations and security header compliance; BOLA and IDOR via sequential and adjacent ID probing; BFLA and privilege escalation through admin endpoint discovery; and property-level authorization over-exposure. Input validation checks cover CORS wildcard usage with credentials, dangerous HTTP methods, and debug endpoints. Data exposure checks include PII patterns, API key formats, and error leakage. Additional coverage spans SSRF indicators, inventory management issues such as missing versioning, and LLM / AI security probes focused on prompt injection and data exfiltration.
- Authentication: multi-method bypass, JWT alg=none, expired tokens, missing claims.
- Authorization: BOLA, IDOR, BFLA, privilege escalation via role leakage.
- Data exposure: PII, credit card Luhn checks, AWS and Stripe keys.
- Input validation: CORS wildcard with credentials, unsafe methods.
- LLM security: adversarial probes for prompt extraction and jailbreaks.
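Two of the passive checks listed above, written out as an added example (not the scanner's own code): a JWT inspector that flags alg=none, an empty signature segment, missing claims and expiry without verifying or producing any signature, and a CORS check for the wildcard-plus-credentials combination. The sample token and response headers are constructed fixtures; `make_sample_token`, the claim names and the finding strings are assumptions for illustration.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(header: dict, payload: dict, signature: str = "") -> str:
    """Assemble a constructed JWT fixture for the checks below (test data only)."""
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.{signature}"


def jwt_findings(token: str, required_claims=("sub", "exp"), now=None) -> list:
    """Passive checks on a JWT observed in a BFF exchange: alg=none, empty
    signature, missing claims and expiry. No signature is verified or forged."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # binascii.Error, UnicodeDecodeError and JSONDecodeError all subclass it
        return ["malformed: header or payload is not base64url-encoded JSON"]
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg=none: token is unsigned")
    if parts[2] == "":
        findings.append("empty signature segment")
    for claim in required_claims:
        if claim not in payload:
            findings.append(f"missing claim: {claim}")
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("expired token")
    return findings


def cors_wildcard_with_credentials(headers: dict) -> bool:
    """OWASP API8 check: Access-Control-Allow-Origin '*' combined with
    Access-Control-Allow-Credentials 'true' on the same response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    return (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true")


# Constructed sample response headers, as a black-box probe would record them.
SAMPLE_RESPONSE_HEADERS = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Content-Type": "application/json",
}

if __name__ == "__main__":
    tok = make_sample_token({"alg": "none", "typ": "JWT"}, {"exp": 1000})
    print(jwt_findings(tok, now=2000))
    print(cors_wildcard_with_credentials(SAMPLE_RESPONSE_HEADERS))
```

The `now` parameter makes the expiry check deterministic; in a real probe it defaults to the wall clock. A production check would additionally confirm the signature against the issuer's published keys, which is out of scope for a passive black-box probe.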
OpenAPI analysis and contract validation
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references the specification against runtime observations to identify undefined security schemes, unexpected sensitive fields, deprecated operations, and missing pagination. For BFFs, this highlights discrepancies between the documented contract and the actual behavior observed during black-box probing, surfacing implicit trust boundaries that may be overlooked in code reviews.
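An added example of the contract checks described above, written here to illustrate the idea and not taken from the scanner: local `$ref` resolution with a cycle guard, then a walk over every operation that flags undefined security schemes, operations with no security requirement, deprecated operations, sensitive field names reachable from response schemas, and array-returning GETs without pagination parameters. The spec, the sensitive-field list and the finding strings are constructed assumptions.

```python
SENSITIVE_FIELDS = {"password", "password_hash", "ssn", "secret", "api_key", "token", "card_number"}
PAGINATION_PARAMS = {"limit", "offset", "page", "cursor", "page_size"}
HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options")

# Constructed sample spec; paths, scheme names and field names are assumptions.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Store BFF (constructed)", "version": "1.0.0"},
    "paths": {
        "/products/{id}": {"get": {
            "security": [{"bearerAuth": []}],
            "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "string"}}],
            "responses": {"200": {"description": "OK", "content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/Product"}}}}}}},
        "/users/{id}": {
            "get": {"security": [{"sessionCookie": []}],  # scheme is never defined below
                    "responses": {"200": {"description": "OK", "content": {"application/json": {
                        "schema": {"$ref": "#/components/schemas/User"}}}}}},
            "delete": {"deprecated": True,  # no security requirement at all
                       "responses": {"204": {"description": "Deleted"}}}},
        "/orders": {"get": {
            "security": [{"bearerAuth": []}],
            "responses": {"200": {"description": "OK", "content": {"application/json": {
                "schema": {"type": "array", "items": {"$ref": "#/components/schemas/Order"}}}}}}}},
    },
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "Product": {"type": "object", "properties": {"id": {"type": "string"}, "price": {"type": "number"}}},
            "User": {"type": "object", "properties": {"id": {"type": "string"}, "email": {"type": "string"},
                     "password_hash": {"type": "string"}, "profile": {"$ref": "#/components/schemas/Profile"}}},
            "Profile": {"type": "object", "properties": {"ssn": {"type": "string"},
                        "owner": {"$ref": "#/components/schemas/User"}}},  # reference cycle back to User
            "Order": {"type": "object", "properties": {"id": {"type": "string"}, "total": {"type": "number"}}},
        },
    },
}


def resolve_ref(spec, ref):
    """Resolve a local JSON pointer such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node = spec
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def deref(spec, node, seen=()):
    """Recursively inline $ref objects; 'seen' stops expansion on cyclic schemas."""
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {}  # cycle: stop here rather than recurse forever
            return deref(spec, resolve_ref(spec, ref), seen + (ref,))
        return {k: deref(spec, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [deref(spec, v, seen) for v in node]
    return node


def schema_field_names(schema):
    """Collect every property name reachable from an already-dereferenced schema."""
    names = set()
    if not isinstance(schema, dict):
        return names
    for name, sub in schema.get("properties", {}).items():
        names.add(name)
        names |= schema_field_names(sub)
    if "items" in schema:
        names |= schema_field_names(schema["items"])
    for key in ("allOf", "oneOf", "anyOf"):
        for sub in schema.get(key, []):
            names |= schema_field_names(sub)
    return names


def audit_spec(spec):
    """Return a list of (method, path, finding) tuples for the contract issues described."""
    findings = []
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    global_security = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        path_params = deref(spec, item.get("parameters", []))
        for method in HTTP_METHODS:
            op = item.get(method)
            if not op:
                continue
            op = deref(spec, op)
            security = op.get("security", global_security)
            if not security:  # absent, or explicitly [] which disables auth
                findings.append((method, path, "no security requirement"))
            else:
                for requirement in security:
                    for scheme in requirement:
                        if scheme not in defined:
                            findings.append((method, path, f"undefined security scheme: {scheme}"))
            if op.get("deprecated"):
                findings.append((method, path, "deprecated operation still exposed"))
            for status, response in op.get("responses", {}).items():
                for media in response.get("content", {}).values():
                    schema = media.get("schema", {})
                    for name in sorted(schema_field_names(schema) & SENSITIVE_FIELDS):
                        findings.append((method, path, f"sensitive field in {status} response: {name}"))
                    if method == "get" and schema.get("type") == "array":
                        params = {p.get("name") for p in path_params + op.get("parameters", [])}
                        if not params & PAGINATION_PARAMS:
                            findings.append((method, path, "array response without pagination parameters"))
    return findings


if __name__ == "__main__":
    for finding in audit_spec(SAMPLE_SPEC):
        print(*finding)
```

Only local `#/` references are resolved; a spec that pulls in external files would need a loader with the same cycle guard. The sensitive-field match is a name heuristic, so it complements rather than replaces the runtime observation of actual response bodies.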
openapi: 3.0.3
info:
  title: Store BFF
  version: 1.0.0
paths:
  /products/{id}:
    get:
      summary: Get product
      security:
        - bearerAuth: []
      parameters:
        - name: id
          in: path
          required: true
          schema:
            type: string
      responses:
        '200':
          description: OK
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
Authenticated scanning requirements and constraints
Authenticated scans increase coverage for BFFs that rely on tokens or cookies. Supported methods include Bearer, API key, Basic auth, and Cookie. Domain verification is enforced through a DNS TXT record or an HTTP well-known file to ensure only the domain owner can submit credentials. The scanner forwards a strict allowlist of headers: Authorization, X-API-Key, Cookie, and X-Custom-*. No intrusive payloads are used; destructive actions are not performed. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers.
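The two guardrails in this paragraph, the header allowlist and the target blocklist, as an added example that is not the scanner's own implementation. It keeps only the listed headers (with `X-Custom-*` as a prefix pattern), rejects non-http(s) URLs and localhost, and refuses any target whose literal or resolved addresses fall into loopback, private, carrier-grade NAT or link-local ranges (the last of which contains the usual cloud metadata address). The blocked ranges, the `resolver` injection point and the reason strings are assumptions.

```python
import ipaddress
import socket
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Allowlist as stated on the page; X-Custom-* is a prefix pattern.
HEADER_ALLOWLIST = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")

# Assumed set of ranges a scanner must never contact: unspecified, RFC 1918, CGNAT,
# loopback, link-local (which includes the cloud metadata address) and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def filter_headers(headers: dict):
    """Split submitted headers into the forwarded allowlist subset and the dropped names."""
    kept, dropped = {}, []
    for name, value in headers.items():
        if any(fnmatch(name.lower(), pat.lower()) for pat in HEADER_ALLOWLIST):
            kept[name] = value
        else:
            dropped.append(name)
    return kept, dropped


def is_blocked_address(ip: str) -> bool:
    """True if the address is in a blocked range; IPv4-mapped IPv6 is unwrapped first."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def _system_resolver(host: str):
    """Default resolver: every address getaddrinfo returns for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def target_allowed(url: str, resolver=_system_resolver):
    """Decide whether a scan target may be contacted; returns (allowed, reason).
    `resolver` is injectable so the check can be exercised offline."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, "only http(s) URLs with a hostname are scanned"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is blocked"
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # literal IP in the URL, nothing to resolve
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:  # socket.gaierror subclasses OSError
            return False, "hostname does not resolve"
    for ip in addresses:
        if is_blocked_address(ip):
            return False, f"resolves to blocked address {ip}"
    return True, "ok"


if __name__ == "__main__":
    print(filter_headers({"Authorization": "Bearer t", "X-Forwarded-For": "203.0.113.9"}))
    print(target_allowed("https://bff.example/api", resolver=lambda h: ["203.0.113.10"]))
```

A pre-flight check like this is only one layer: DNS answers can change between validation and connection, so the same address test belongs at connect time as well (and on every redirect), which is what "blocked at multiple layers" amounts to in practice.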
Actions, limitations, and compliance framing
Results are delivered as a risk score with prioritized findings and remediation guidance. The scanner maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, findings help you prepare for and align with security controls described in relevant standards. Note that the tool does not fix, patch, block, or remediate. It does not perform active SQL injection or command injection testing, and it cannot detect business logic vulnerabilities or blind SSRF, which require domain context and human expertise. It is not a replacement for a human pentester in high-stakes audits.