An extensible, asynchronous Command Line Interface (CLI) tool designed to autonomously parse API specifications and detect critical OWASP API Top 10 vulnerabilities.
As REST APIs and microservice architectures grow, securing individual endpoints against logical and injection flaws becomes increasingly difficult. The API Security Scanner automates this process. By consuming an OpenAPI / Swagger specification, the scanner understands the context of the target API and fires highly optimized, concurrent adversarial payloads to identify potential security risks.
Why this matters: Security should be integrated directly into the engineering workflow. This tool is designed to mimic the mindset of a penetration tester, acting seamlessly in local environments or CI/CD pipelines to catch vulnerabilities before code merges into production.
- Asynchronous Execution: Built on `aiohttp` and `asyncio`, the engine dispatches hundreds of requests concurrently for maximum speed.
- Dynamic Spec Parsing: Automatically translates structural specs directly into testable payloads using generic mock data generators.
- Extensible Module System: Vulnerability detection logic is decoupled. Need to add a new security test? Just drop a Python script in the `scanner/modules/` directory.
- Reporting Variations: Exports findings beautifully in JSON, Markdown, and PDF formats.
- SQL Injection: Advanced payload injection triggering explicit database panics and regex-matching errors.
- Broken Authentication: Detection of insecure endpoint exposures, missing JWT tokens, and token parsing crashes.
- Insecure Direct Object Reference (IDOR): Heuristic mutation of numeric pathway objects to breach tenant isolation.
- Mass Assignment: Silent injection of sensitive role flags (e.g., `is_admin=true`) into `PUT`/`PATCH` structures.
- Rate Limiting Deficiencies: Concurrent 50-request flood bursts to verify that robust API Gateway throttling mechanisms exist.
- Missing Security Headers: Verification of strictly enforced TLS paths (HSTS), CSP, and preventions against content sniffing.
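As an added illustration of the drop-in module layout and the Missing Security Headers check described above (example code written for this README, not the scanner's own module; the `run(endpoints, fetch)` entry point and the `fetch` callable are assumptions, since the real module interface is not documented here), this check produces findings in the same shape as the sample report entry later in this README:

```python
import asyncio
from typing import Awaitable, Callable, Mapping

# Headers the "Missing Security Headers" module verifies, with the defender-side reason.
REQUIRED = {
    "strict-transport-security": "HSTS absent: clients are not told to enforce TLS",
    "content-security-policy": "CSP absent: no restriction on script and resource origins",
    "x-content-type-options": "X-Content-Type-Options absent: MIME sniffing not prevented",
}

def _finding(method: str, url: str, description: str, payload: str) -> dict:
    """Build a finding in the same shape as the sample report entry in this README."""
    return {"title": f"Missing Security Headers in {method} {url}",
            "severity": "Medium", "description": description, "payload": payload}

def check_security_headers(method: str, url: str, headers: Mapping[str, str]) -> list[dict]:
    """Pure check over one response's headers: one finding per absent or weak header."""
    present = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = [_finding(method, url, desc, "plain request, header absent")
                for name, desc in REQUIRED.items() if name not in present]
    # A header that is present but ineffective is reported separately from an absent one.
    xcto = present.get("x-content-type-options", "")
    if xcto and xcto.lower() != "nosniff":
        findings.append(_finding(method, url, f"X-Content-Type-Options is {xcto!r}, expected 'nosniff'", xcto))
    hsts = present.get("strict-transport-security", "")
    if hsts:
        directives = {d.split("=", 1)[0].strip().lower(): (d.split("=", 1)[1].strip() if "=" in d else "")
                      for d in hsts.split(";") if d.strip()}
        max_age = directives.get("max-age", "")
        if not max_age.isdigit() or int(max_age) == 0:
            findings.append(_finding(method, url, "HSTS max-age missing or zero, so the policy is disabled", hsts))
    return findings

Fetch = Callable[[str, str], Awaitable[tuple[int, Mapping[str, str]]]]  # assumed helper: (method, url) -> (status, headers)

async def run(endpoints: list[tuple[str, str]], fetch: Fetch) -> list[dict]:
    """Hypothetical module entry point: probe all endpoints concurrently and collect findings."""
    responses = await asyncio.gather(*(fetch(m, u) for m, u in endpoints))
    findings: list[dict] = []
    for (method, url), (_status, hdrs) in zip(endpoints, responses):
        findings.extend(check_security_headers(method, url, hdrs))
    return findings

async def _fake_fetch(method: str, url: str) -> tuple[int, dict]:
    """Constructed stand-in for an aiohttp request so the example runs offline."""
    return 200, {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff",
                 "Strict-Transport-Security": "max-age=0"}

def demo() -> list[dict]:
    return asyncio.run(run([("GET", "http://127.0.0.1:8000/login")], _fake_fetch))
```

Against the constructed response, `demo()` reports two findings: CSP absent and HSTS present but disabled by `max-age=0`.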
For the full data flow, including payload logic, see the Mermaid source diagrams on our docs page.
Ensure Python 3.10+ is installed on your machine.
```bash
# Clone the repository
git clone https://github.com/your-username/API-Security-Scanner.git
cd API-Security-Scanner
# Setup virtual environment
python -m venv venv
# On Windows: .\venv\Scripts\Activate.ps1
# On Linux/Mac: source venv/bin/activate
# Install dependencies
pip install -r requirements.txt
```

This repository includes a purposefully flawed demo API to prove functionality.

- In Terminal 1, start the demo API server:

```bash
PYTHONPATH="." uvicorn demo-api.api:app --host 127.0.0.1 --port 8000
```

- In Terminal 2, run the scanner to consume the local API specification:

```bash
cd scanner
python main.py --spec ../demo-api/openapi.json --target http://127.0.0.1:8000 --format all --output ../reports/sample_report --verbose
```

The scanner identifies each issue and records the evidence for it. Example of a produced finding:
3. Missing Rate Limiting in POST http://127.0.0.1:8000/login
- Severity: Medium
- Description: Endpoint successfully processed 50 concurrent requests without returning 429 Too Many Requests.
- Payload: Burst of 50 requests
For a complete generated demonstration, see reports/sample_report.md.
This project is in active development with the following items slated for Phase 5 (Enterprise Scaling):
- Docker & CI/CD Action Hooks: Allow pipelines to instantly fail if the tool detects critical severities.
- Machine Learning NLP Filter: Replace explicit regex error matching with an ML classifier that analyzes generic HTTP 500 errors and distinguishes actual security panics from standard application failures.
- Stateful Auth Walking: Extract generated JWTs and intelligently re-apply them throughout further IDOR module scans.
If you are reviewing this repository as part of an engineering evaluation, please see the Technical Interview Guide for deeper rationale behind my technology choices, concurrency handlers, and performance metrics.