APIsec for ASP.NET Core
What middleBrick covers
- Black-box scanning with no agents or SDK integration
- Non-destructive requests only (GET, HEAD, and POST with text-only bodies)
- Detection of 12 vulnerability categories mapped to the OWASP API Security Top 10
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning for Bearer, API key, Basic, and Cookie auth
- Continuous monitoring and diff detection across scans
How APIsec evaluates ASP.NET Core API security posture
APIsec is a black-box scanner that tests running endpoints without access to source code or the runtime. It sends read-only requests and analyzes responses to assess security controls around ASP.NET Core pipelines, including routing, model binding, and default middleware behavior.
The scanner exercises framework defaults such as automatic model validation and the built-in authorization policies to see whether they actually reject malformed or unauthorized requests, and inspects error responses for information leakage through stack traces or detailed exception messages (for example, a developer exception page left enabled in production).
OpenAPI analysis is used when a spec is available. The tool parses definitions, resolves $ref pointers (including recursive ones), and compares each operation's declared security schemes against observed runtime behavior to identify operations whose declared protection is not enforced, operations with no declared protection at all, and deprecated operations that are still served.
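The spec comparison described above, as an added example (not middleBrick/APIsec code). It resolves local $ref pointers with a cycle guard so a self-referencing schema does not recurse forever, then checks each operation's declared security against the status code observed for an unauthenticated request. The spec, the `OBSERVED` table and the finding texts are constructed for illustration; a real run would issue the requests itself.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed OpenAPI 3 document: a recursive schema (Node -> Node), a
# global bearer requirement, one operation that opts out, one deprecated.
SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "Node": {"type": "object",
                     "properties": {"child": {"$ref": "#/components/schemas/Node"}}},
            "User": {"$ref": "#/components/schemas/UserBase"},
            "UserBase": {"type": "object", "properties": {"id": {"type": "integer"}}},
        },
    },
    "security": [{"bearer": []}],
    "paths": {
        "/users/{id}": {"get": {"responses": {"200": {"description": "ok"}}}},
        "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
        "/legacy/export": {"get": {"deprecated": True,
                                   "responses": {"200": {"description": "ok"}}}},
    },
}

# Status codes observed when each operation is called with no credentials
# (constructed; in a real scan these come from the live requests).
OBSERVED = {("GET", "/users/{id}"): 200, ("GET", "/health"): 200,
            ("GET", "/legacy/export"): 401}


def resolve_pointer(doc, ref):
    """Follow a local JSON pointer such as '#/components/schemas/User'."""
    node = doc
    for part in ref.lstrip("#/").split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(doc, node=None, seen=()):
    """Inline every local $ref. A reference already on the current path is a
    cycle and is left as the raw $ref instead of being expanded again."""
    if node is None:
        node = doc
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith("#/"):
            if ref in seen:
                return {"$ref": ref}
            return resolve_refs(doc, resolve_pointer(doc, ref), seen + (ref,))
        return {k: resolve_refs(doc, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(doc, v, seen) for v in node]
    return node


def audit_security(spec, observed):
    """Compare declared security with what the running API actually did."""
    findings = []
    global_sec = spec.get("security", [])
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # path-level 'parameters', 'summary', etc.
            m = method.upper()
            declared = op.get("security", global_sec)  # operation overrides global
            status = observed.get((m, path))
            if declared and status is not None and status < 400:
                findings.append((m, path, "declared auth not enforced"))
            if not declared:
                findings.append((m, path, "operation declared without auth"))
            if op.get("deprecated"):
                findings.append((m, path, "deprecated operation still served"))
    return findings


if __name__ == "__main__":
    for f in audit_security(SPEC, OBSERVED):
        print(f)
```

An operation-level `security: []` legitimately disables the global requirement (as for `/health` here), so that finding is informational; the actionable one is an operation that declares a scheme but answers 200 to an anonymous request.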
Authentication and security header checks
APIsec tests multiple authentication methods against ASP.NET Core endpoints, including Bearer tokens, API keys, Basic authentication, and cookie-based flows. It validates JWT configurations such as algorithm handling, expiration checks, claim presence, and sensitive data placement in tokens.
The scanner verifies the presence and correctness of security headers, including HTTP Strict Transport Security, cookie flags, and WWW-Authenticate compliance. It also checks CORS configurations for overly permissive rules, such as wildcard origins, and flags combinations that may inadvertently allow credentialed cross-origin requests.
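The JWT and header checks from the two paragraphs above, as an added example that is not middleBrick/APIsec code. A black-box scanner holds no signing key, so `inspect_jwt` only decodes and inspects the token; `check_headers` takes the raw header list (so repeated `Set-Cookie` headers survive) and the `Origin` the scanner sent, which is what distinguishes a harmless wildcard from an origin reflected back with credentials. The token, headers, claim list and finding strings are constructed for this example.

```python
import base64
import json
import time


def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Claim names that should never travel inside a bearer token (assumed list).
SENSITIVE_CLAIMS = {"password", "ssn", "secret", "credit_card", "api_key"}


def inspect_jwt(token, now=None):
    """Findings about a JWT's header and claims, without verifying the signature."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS"]
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    findings = []
    if str(header.get("alg", "")).lower() == "none" or parts[2] == "":
        findings.append("unsigned token (alg=none)")
    if "exp" not in claims:
        findings.append("no exp claim")
    elif claims["exp"] < now:
        findings.append("token already expired")
    for c in ("sub", "iss", "aud"):
        if c not in claims:
            findings.append(f"missing {c} claim")
    for c in sorted(SENSITIVE_CLAIMS & set(claims)):
        findings.append(f"sensitive data in claim {c}")
    return findings


def check_headers(status, headers, request_origin=None):
    """HSTS, cookie flags, CORS and WWW-Authenticate checks on one response."""
    findings = []
    h = {}
    for name, value in headers:  # list of (name, value): Set-Cookie may repeat
        h.setdefault(name.lower(), []).append(value)
    hsts = h.get("strict-transport-security", [""])[0]
    if not hsts:
        findings.append("missing HSTS")
    elif "max-age=0" in hsts.replace(" ", "").lower():
        findings.append("HSTS max-age=0 disables protection")
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} without Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} without HttpOnly")
    origin = h.get("access-control-allow-origin", [""])[0]
    creds = h.get("access-control-allow-credentials", [""])[0].lower() == "true"
    if origin == "*" and creds:
        findings.append("CORS wildcard origin with credentials")
    elif origin == "*":
        findings.append("CORS wildcard origin")
    elif creds and request_origin and origin == request_origin:
        # The exploitable form: any Origin is echoed back and credentials allowed.
        findings.append("CORS reflects request origin with credentials")
    if status == 401 and "www-authenticate" not in h:
        findings.append("401 without WWW-Authenticate")
    return findings


# Constructed samples: an unsigned token carrying a password claim, and a
# 401 response with weak HSTS, a cookie without Secure and permissive CORS.
SAMPLE_TOKEN = (b64url_encode({"alg": "none", "typ": "JWT"}) + "."
                + b64url_encode({"sub": "42", "password": "hunter2"}) + ".")
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=0"),
    ("Set-Cookie", ".AspNetCore.Session=abc; Path=/; HttpOnly"),
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Credentials", "true"),
]

if __name__ == "__main__":
    print(inspect_jwt(SAMPLE_TOKEN))
    print(check_headers(401, SAMPLE_HEADERS, "https://attacker.example"))
```

Browsers refuse to send credentials to a `*` origin, so that combination is a misconfiguration rather than an immediate exploit; the reflected-origin case is the one that lets an attacker's page read authenticated responses.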
Authenticated scanning requires domain verification through DNS TXT records or a well-known HTTP file to ensure only the domain owner can submit credentials. Only a limited set of headers is forwarded to minimize unintended side effects.
Broken Object Level Authorization and business logic exposure
APIsec looks for Broken Object Level Authorization (BOLA) and insecure direct object references (IDOR) by probing endpoints with sequential and adjacent identifiers and checking whether objects belonging to other users come back. It examines whether authorization checks are consistently applied across resources in ASP.NET Core controllers.
BFLA and privilege escalation tests assess whether admin-only functionality is unintentionally exposed and whether role or permission fields are leaked in responses. Property-level checks identify over-exposed fields, internal data, and mass-assignment surfaces that could enable tampering.
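The adjacent-identifier probe and the property-level check from the two paragraphs above, as an added example (not middleBrick/APIsec code). `fake_api` is a constructed stand-in for a running ASP.NET Core service in which `/orders` lacks an ownership check while `/invoices` has one; the probe requests ids around one the user legitimately owns and treats a 200 whose `owner` field is someone else as an object-level authorization failure. The key names and the `owner` field are assumptions for the example.

```python
# Constructed in-memory target. Tuple key: (resource, object id).
DATA = {
    ("orders", 100): {"id": 100, "owner": "alice", "total": 10.0,
                      "is_admin": False, "internal_note": "vip"},
    ("orders", 101): {"id": 101, "owner": "bob", "total": 25.0,
                      "is_admin": False, "internal_note": ""},
    ("orders", 102): {"id": 102, "owner": "carol", "total": 7.5,
                      "is_admin": True, "internal_note": "staff"},
    ("invoices", 200): {"id": 200, "owner": "alice", "amount": 10.0},
    ("invoices", 201): {"id": 201, "owner": "bob", "amount": 25.0},
}


def fake_api(resource, obj_id, user):
    """GET /<resource>/<id> as `user`. Orders skip the ownership check."""
    obj = DATA.get((resource, obj_id))
    if obj is None:
        return 404, None
    if resource == "invoices" and obj["owner"] != user:
        return 403, None
    return 200, obj


# Fields that leak privilege state or internal data (assumed list).
SENSITIVE_KEYS = {"is_admin", "role", "roles", "permissions", "password_hash"}
INTERNAL_PREFIXES = ("internal_", "_")


def probe_bola(call, resource, seed_id, user, spread=2):
    """Request ids adjacent to one the user owns. A 200 carrying an owner
    that is not `user` means the server never checked object ownership."""
    findings = []
    for delta in range(-spread, spread + 1):
        if delta == 0:
            continue
        status, obj = call(resource, seed_id + delta, user)
        if status == 200 and obj.get("owner") not in (None, user):
            findings.append((resource, seed_id + delta, obj["owner"]))
    return findings


def exposed_properties(obj):
    """Over-exposed fields; the same names are mass-assignment candidates
    if a write endpoint binds the whole model."""
    return sorted(k for k in obj
                  if k in SENSITIVE_KEYS or k.startswith(INTERNAL_PREFIXES))


if __name__ == "__main__":
    print(probe_bola(fake_api, "orders", 100, "alice"))
    print(probe_bola(fake_api, "invoices", 200, "alice"))
    print(exposed_properties(DATA[("orders", 100)]))
```

The probe stays read-only, matching the scanner's constraint: it never writes to the neighbouring objects, it only observes whether they are returned.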
For LLM-related endpoints, the scanner runs adversarial prompts to evaluate prompt injection, instruction override, data exfiltration attempts, and token manipulation techniques that could subvert AI-assisted features.
Input validation, SSRF, and dangerous configurations
Configuration checks cover dangerous HTTP methods left enabled, unrestricted CORS policies, and debug endpoints that should not be present in production. The scanner flags URL-accepting query parameters and body fields as SSRF-prone, including ones through which the server could be induced to reach internal IP addresses or cloud metadata services.
Inventory management issues such as missing API versioning and legacy path patterns are identified. Server fingerprinting behaviors that disclose framework or runtime details are also surfaced as findings.
Unsafe API consumption risks are evaluated by reviewing which third-party URLs the API will fetch and which webhook callback surfaces it exposes, since either can be abused when the supplied URL is not validated.
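The SSRF and unsafe-consumption checks from the two paragraphs above (the input-validation paragraph and this one), as one added example that is not middleBrick/APIsec code. `find_url_parameters` picks out the parameters worth probing, and `classify_target` says why a given URL is dangerous to fetch: loopback, private or link-local ranges, cloud metadata hosts, non-HTTP schemes, and the decimal or hex IP spellings that slip past naive string checks. The same function is what the target API should apply to a webhook callback URL before fetching it. The hint list and host list are assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Parameter-name fragments that usually carry a URL (assumed list).
URL_PARAM_HINTS = ("url", "uri", "callback", "webhook", "redirect",
                   "next", "src", "href", "target", "dest", "image")
# Well-known metadata endpoints (AWS IPv4/IPv6, GCP, Alibaba) plus a generic name.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal",
                  "metadata", "100.100.100.200"}


def _parse_ip(host):
    """Accept dotted/colon forms and the integer spellings (2130706433,
    0x7f000001) that still resolve to an address in most HTTP clients."""
    try:
        return ipaddress.ip_address(int(host, 0))
    except ValueError:
        return ipaddress.ip_address(host)


def classify_target(url):
    """Return a reason the URL must not be fetched server-side, or None."""
    p = urlparse(url)
    if p.scheme.lower() not in ("http", "https"):
        return "non-http scheme"
    host = p.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return "no host"
    host = host.lower()
    if host in METADATA_HOSTS or host.endswith(".internal"):
        return "cloud metadata or internal hostname"
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"
    try:
        ip = _parse_ip(host)
    except ValueError:
        return None  # public hostname; DNS rebinding needs a resolve-time check too
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (metadata range)"
    if ip.is_private or ip.is_reserved or ip.is_unspecified:
        return "private or reserved address"
    return None


def find_url_parameters(params):
    """Parameters worth SSRF probing: the name hints at a URL, or the
    observed sample value already is one. `params` maps name -> sample."""
    hits = []
    for name, value in params.items():
        by_name = any(h in name.lower() for h in URL_PARAM_HINTS)
        by_value = isinstance(value, str) and urlparse(value).scheme in ("http", "https")
        if by_name or by_value:
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed sample of observed parameters and candidate targets.
    print(find_url_parameters({"callbackUrl": "", "q": "cats",
                               "avatar": "https://cdn.example.com/a.png", "page": "2"}))
    for u in ("http://169.254.169.254/latest/meta-data/", "http://2130706433/",
              "http://[::1]/", "file:///etc/passwd", "https://api.example.com/hook"):
        print(u, "->", classify_target(u))
```

A public hostname passing this check is not proof of safety: the defender-side version must re-check the resolved address at connect time, otherwise a DNS answer that changes between validation and fetch defeats it.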
Data exposure, encryption, and monitoring capabilities
Data exposure detection includes pattern-based searches for PII such as email addresses, credit card numbers validated by Luhn checks, and context-aware SSN formats. It also identifies API keys and tokens associated with AWS, Stripe, GitHub, and Slack in responses.
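The response-body scan described above, as an added example that is not middleBrick/APIsec code. It combines the three filters the paragraph lists: a Luhn check so a 16-digit order reference is not reported as a card number, a context window around SSN-shaped strings plus rejection of areas the SSA never issues, and provider-specific prefixes for AWS, Stripe, GitHub and Slack keys. The patterns and the sample body are constructed; the AWS value is the placeholder key from AWS's own documentation.

```python
import re

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits, optional separators
SSN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
SSN_CONTEXT = re.compile(r"(?i)\b(ssn|social[ _-]?security|taxpayer)\b")
SECRET_PATTERNS = {  # prefixes are the providers' documented formats
    "AWS access key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Stripe live key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "GitHub token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Slack token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
}


def luhn_ok(digits):
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def valid_ssn(area, group, serial):
    """Reject ranges the SSA never issues (000, 666, 9xx areas; zero groups)."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def find_pii(text, context_window=40):
    """Return (kind, value) pairs found in a response body."""
    hits = []
    for m in EMAIL.finditer(text):
        hits.append(("email", m.group()))
    for m in CARD.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("credit card", digits))
    for m in SSN.finditer(text):
        before = text[max(0, m.start() - context_window):m.start()]
        # Only report when a nearby label says this is an SSN.
        if valid_ssn(*m.groups()) and SSN_CONTEXT.search(before):
            hits.append(("ssn", m.group()))
    for kind, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(text):
            hits.append((kind, m.group()))
    return hits


# Constructed response body: one true hit of each kind plus two decoys
# (a non-Luhn "ref" number and an SSN-shaped ticket id with no context).
SAMPLE_BODY = (
    '{"user":"alice@example.com","ssn":"123-45-6789",'
    '"card":"4111 1111 1111 1111","ref":"1234567812345678",'
    '"ticket":"234-56-7890","aws":"AKIAIOSFODNN7EXAMPLE",'
    '"gh":"ghp_0123456789abcdef0123456789abcdef0123"}'
)

if __name__ == "__main__":
    for hit in find_pii(SAMPLE_BODY):
        print(hit)
```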
Encryption checks verify HTTPS redirect behavior, HSTS configuration, and secure cookie attributes. Mixed content issues and missing transport protections are flagged where applicable.
Continuous monitoring in the Pro tier provides scheduled rescans, diff detection across runs, and email alerts for new or resolved findings. HMAC-SHA256 signed webhooks support automated workflows, with a safeguard that disables a webhook after repeated delivery failures.
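Both sides of the signed-webhook exchange described above, as an added example that is not middleBrick/APIsec code: the sender signs each delivery with HMAC-SHA256 over a timestamp and the body and stops after a run of failed deliveries, and the receiver verifies with a constant-time comparison plus a freshness window so a captured delivery cannot be replayed. The header names, the `max_failures` threshold and the tolerance are assumptions for this example, not APIsec's documented values.

```python
import hashlib
import hmac
import time

# Header names are assumed for this example.
TS_HEADER = "X-Webhook-Timestamp"
SIG_HEADER = "X-Webhook-Signature-256"


def sign(secret, timestamp, body):
    """HMAC-SHA256 over '<timestamp>.<body>' so the timestamp is covered
    by the signature and cannot be swapped to extend a replay window."""
    msg = str(timestamp).encode() + b"." + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret, headers, body, now=None, tolerance=300):
    """Receiver side: reject stale timestamps, then compare in constant time."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers[TS_HEADER])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > tolerance:
        return False
    return hmac.compare_digest(sign(secret, ts, body), headers.get(SIG_HEADER, ""))


class WebhookSender:
    """Sender side: signs every delivery and disables the endpoint after
    `max_failures` consecutive failures; one success resets the counter."""

    def __init__(self, secret, deliver, max_failures=5):
        self.secret = secret
        self.deliver = deliver          # callable(headers, body) -> bool
        self.max_failures = max_failures
        self.failures = 0
        self.disabled = False

    def send(self, body, now=None):
        if self.disabled:
            return False
        ts = int(time.time()) if now is None else now
        headers = {TS_HEADER: str(ts), SIG_HEADER: sign(self.secret, ts, body)}
        try:
            ok = bool(self.deliver(headers, body))
        except Exception:              # network error counts as a failure
            ok = False
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            self.disabled = self.failures >= self.max_failures
        return ok


if __name__ == "__main__":
    # Constructed round trip: sender delivers straight into the receiver's verify().
    secret = b"whsec_constructed_example"
    body = b'{"scan":"abc","new_findings":2}'
    sender = WebhookSender(secret, lambda h, b: verify(secret, h, b))
    print(sender.send(body))
```

Signing the raw bytes rather than a re-serialised JSON object matters on the receiving side: ASP.NET Core model binding will happily parse the body, but the receiver must compute the HMAC over the bytes as they arrived, since any re-encoding (key order, whitespace) changes the digest.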