-
Notifications
You must be signed in to change notification settings - Fork 6
FAQ
Vespasian discovers REST APIs (generating OpenAPI 3.0 specs), GraphQL APIs (generating SDL schemas via introspection or traffic inference), and SOAP/WSDL services (generating WSDL documents). It automatically detects the API type from captured traffic, or you can specify it explicitly with --api-type.
Standard web crawlers follow HTML links and index pages. Vespasian intercepts all HTTP traffic from a headless browser, including XHR/fetch API calls, WebSocket upgrades, and dynamically constructed requests that don't appear in HTML. It then classifies those requests by API type and generates structured specifications, not just URL lists.
Vespasian discovers any API endpoint that the application calls during the crawl. If the frontend calls /api/internal/debug at runtime, Vespasian will capture and document it, even if it doesn't appear in any published API documentation.
Yes. If you've already captured traffic using Burp Suite, browser dev tools (HAR), or mitmproxy, use vespasian import to convert it to the capture format, then vespasian generate to produce specifications. No re-crawling needed.
Yes. Vespasian uses a tiered introspection strategy. If the full introspection query is blocked, it tries progressively simpler queries. If all introspection is disabled, it falls back to inferring the schema from observed queries and mutations in the captured traffic.
Vespasian's crawl stage drives a browser and follows links, which is read-only. The probing stage sends OPTIONS requests, fetches ?wsdl documents, and runs GraphQL introspection queries — all read-only operations. However, always coordinate with the target owner and prefer staging environments during security assessments.
Vespasian outputs OpenAPI 3.0 (YAML/JSON) for REST APIs, GraphQL SDL for GraphQL APIs, and WSDL XML for SOAP services.
Yes. By default Vespasian drives a headless Chrome browser (via go-rod) with full JavaScript execution, intercepting all HTTP traffic including XHR/fetch calls and dynamically constructed requests that SPAs make at runtime. A lightweight, dependency-free net/http crawler is also available via --headless=false, but it does not execute JavaScript — use the default headless mode for SPAs.
Use the -H flag to inject authentication headers into the headless browser's requests:
vespasian scan https://app.example.com -H "Authorization: Bearer <token>" -o api.yamlYes. Vespasian outputs standard specification formats (OpenAPI, GraphQL SDL, WSDL) that can be consumed by other tools. For example, you can pass the output directly to Hadrian for automated authorization testing. The proxy flag (--proxy) also lets you route traffic through Burp Suite during crawling.
Vespasian is built by Praetorian. Learn more about the Praetorian Guard attack surface management platform. Licensed under Apache 2.0.