Public APIs security

Public APIs expose functionality and data to untrusted networks, and their design often emphasizes availability and integration over strict boundary control. Common weaknesses include weak authentication, excessive data exposure, and improper error handling that reveals implementation details. Because these interfaces are reachable from the internet, they are frequently the first stable target for reconnaissance and exploitation.

A black-box scanner evaluates behavior without source code or architecture access. It tests authentication mechanisms, parameter handling, and endpoint configurations through crafted requests. Detection coverage includes JWT misconfigurations such as alg=none, HS256 usage, expired tokens, and missing claims, as well as security headers and WWW-Authenticate compliance.

• BOLA and IDOR via sequential ID enumeration and adjacent-ID probing.
• BFLA and privilege escalation through admin endpoint probing and role leakage.
• Input validation issues like CORS wildcard usage, dangerous HTTP methods, and debug endpoints.
• Data exposure patterns including email, Luhn-validated card numbers, context-aware SSNs, and API key formats for AWS, Stripe, GitHub, and Slack.
• SSRF indicators such as URL-accepting parameters that resolve to internal IPs.
• LLM/AI security probes covering system prompt extraction, instruction override, jailbreaks, data exfiltration, token smuggling, and multi-turn manipulation.

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references the spec against runtime behavior to find undefined security schemes, sensitive fields in responses, deprecated operations, and missing pagination. This helps identify discrepancies between documented controls and actual implementation.

Authenticated scans with Bearer tokens, API keys, Basic auth, and cookies require domain verification through DNS TXT records or an HTTP well-known file to ensure credentials are presented to the domain owner. Only specific headers are forwarded, and destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. On cancellation, your scan data can be deleted and is purged within 30 days.

findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). They help you prepare for audits and align with security controls described in other frameworks, supporting audit evidence without asserting certification or compliance. The platform integrates with a web dashboard for trend tracking, a CLI for on-demand scans, a GitHub Action CI/CD gate, an MCP server for AI coding assistants, and programmatic access for custom workflows.