API Scanner

Overview

The API Vulnerability Scanner is a custom tool designed to assess the security of APIs. It performs comprehensive security assessments against REST and GraphQL APIs and finds common vulnerabilities that affect them, such as SQL Injection, XML External Entity (XXE) Injection, Mass Assignment, Information Disclosure, and others.


The scanner automatically searches for GraphQL endpoints and OpenAPI files. For REST APIs, the scanner parses the OpenAPI specification, either discovered or manually provided, to identify all available endpoints and their parameters. The Deep scan then tests these endpoints using REST-specific detectors.
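The endpoint-discovery step described above, as an added example that is not the scanner's own code: it walks an OpenAPI 3.0 document (constructed here, not a real API) and lists every operation with its merged path-level and operation-level parameters and request body types.

```python
# Added example (not the scanner's own code): it mirrors the step where the
# scanner parses an OpenAPI 3.0 document to identify every endpoint and its
# parameters. The specification below is constructed for illustration.
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed OpenAPI 3.0 document (not a real API).
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.0",
  "servers": [{"url": "https://api.example.test/v1"}],
  "paths": {
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true}],
      "get": {"parameters": [{"name": "fields", "in": "query"}]},
      "patch": {"requestBody": {"content": {"application/json": {}}}}
    },
    "/login": {
      "post": {"requestBody": {"content": {"application/x-www-form-urlencoded": {}}}}
    }
  }
}""")


def enumerate_operations(spec):
    """Return one dict per (method, path) with merged parameters.

    Path-level parameters apply to every operation under that path; an
    operation-level parameter with the same name and location overrides it.
    """
    base = spec.get("servers", [{"url": ""}])[0]["url"].rstrip("/")
    ops = []
    for path, item in spec.get("paths", {}).items():
        shared = {(p["name"], p["in"]): p for p in item.get("parameters", [])}
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            params = dict(shared)
            for p in op.get("parameters", []):
                params[(p["name"], p["in"])] = p
            body = op.get("requestBody", {}).get("content", {})
            ops.append({
                "method": method.upper(),
                "url": base + path,
                "parameters": sorted(f"{loc}:{name}" for name, loc in params),
                "body_types": sorted(body),
            })
    return ops
```

Each returned entry is what a detector needs to build a test request: the method, the resolved URL, where each parameter lives (path, query, header, cookie) and which body encodings the endpoint accepts.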


For GraphQL APIs, our scanner parses the introspection schema to discover available queries, mutations, and types, then tests for GraphQL-specific vulnerabilities including information disclosure and denial of service issues.
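The introspection-parsing step described above, as an added example that is not the scanner's own code: it reads a (constructed) __schema introspection result and lists the queries and mutations with their argument types, unwrapping NON_NULL and LIST wrappers the way a schema printer does.

```python
# Added example (not the scanner's own code): it mirrors the step where the
# scanner reads a GraphQL introspection result to discover the queries and
# mutations a schema exposes, with their argument types. The introspection
# data below is constructed and trimmed to the fields this step needs.

# Constructed __schema introspection result (not from a real API).
SAMPLE_INTROSPECTION = {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "fields": [
            {"name": "user", "args": [{"name": "id", "type":
                {"kind": "NON_NULL", "ofType": {"kind": "SCALAR", "name": "ID"}}}]},
            {"name": "users", "args": [{"name": "ids", "type":
                {"kind": "LIST", "ofType": {"kind": "SCALAR", "name": "ID"}}}]}]},
        {"name": "Mutation", "fields": [
            {"name": "deleteUser", "args": [{"name": "id", "type":
                {"kind": "NON_NULL", "ofType": {"kind": "SCALAR", "name": "ID"}}}]}]},
        {"name": "ID", "kind": "SCALAR"},
    ]}}


def type_name(ref):
    """Render a type reference in SDL notation, unwrapping NON_NULL ('!')
    and LIST ('[...]') wrappers down to the named type."""
    if ref["kind"] == "NON_NULL":
        return type_name(ref["ofType"]) + "!"
    if ref["kind"] == "LIST":
        return "[" + type_name(ref["ofType"]) + "]"
    return ref["name"]


def list_operations(introspection):
    """Return {'query': [...], 'mutation': [...]} operation signatures.
    A schema may omit mutationType entirely; that list is then empty."""
    schema = introspection["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    result = {}
    for kind in ("query", "mutation"):
        root = schema.get(kind + "Type")
        sigs = []
        if root:
            for field in types[root["name"]].get("fields") or []:
                args = ", ".join(f"{a['name']}: {type_name(a['type'])}"
                                 for a in field.get("args", []))
                sigs.append(f"{field['name']}({args})")
        result[kind] = sigs
    return result
```

The same walk over the "types" list is what a GraphQL-specific detector uses to decide, for example, which root fields accept list or nested arguments and therefore deserve denial-of-service checks.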


Scan types

There are two predefined scan types (Light and Deep), as well as a Custom option that allows you to define which API tests you want to run, choosing between REST and GraphQL.

Light scan


The Light scan option provides a quick assessment of your API, typically completing in a few minutes. It focuses on identifying basic security misconfigurations and fingerprinting the technology stack.

API security tests included in the Light scan


☑ Fingerprint API framework and technology stack

☑ Check for known software vulnerabilities

☑ Analyze SSL/TLS certificates

☑ Check for secure communication issues

☑ Check for missing rate limiting headers

☑ Fuzz for OpenAPI specification file locations

☑ Discover GraphQL endpoints

☑ Check for GraphQL Information Disclosure

☑ Check for GraphQL Denial of Service (DoS)

☑ Check if HTTP DEBUG methods are enabled

☑ Check if HTTP OPTIONS method is enabled

☑ Check for CORS misconfiguration

☑ Check for SQL Injection

Deep scan


This is the default and recommended option for comprehensive API security assessment. It performs extensive testing across all API endpoints defined in your specification or introspection, actively probing for vulnerabilities outlined in the OWASP API Security Top 10 list.

API security tests included in the Deep scan


In addition to all Light scan tests:


☑ Check for weak password submission methods

☑ Check for error and debug messages

☑ Check for internal errors exposure

☑ Check for sensitive data exposure

☑ Check for path disclosure issues

☑ Check for session tokens in URLs

☑ Check for XML External Entity (XXE) injection

☑ Check for NoSQL Injection

☑ Check for Local File Inclusion (LFI)

☑ Check for OS Command Injection

☑ Check for Server-Side Request Forgery (SSRF)

☑ Check for Open Redirect

☑ Check for PHP Code Injection

☑ Check for JavaScript Code Injection

☑ Check for Ruby Code Injection

☑ Check for Python Code Injection

☑ Check for Perl Code Injection

☑ Check for Log4j Remote Code Execution

☑ Check for Server-Side Template Injection (SSTI)

☑ Check for ViewState Remote Code Execution

☑ Check for Prototype Pollution

☑ Check for Request URL Override

☑ Check for HTTP Request Smuggling

☑ Check for Insecure Deserialization

☑ Check for IDOR (Insecure Direct Object References)

☑ Check for JWT weaknesses

☑ Check for Response Header Injection

☑ Check for Broken Authentication (API-specific)

☑ Check for Mass Assignment vulnerabilities

REST API specification files

For REST APIs, providing an API specification significantly improves scan coverage and accuracy, especially when the specification file is not publicly discoverable. The scanner supports:

  • OpenAPI (Swagger) files: Upload or provide a URL to your OpenAPI 2.0/3.0 specification (JSON or YAML format)

  • Postman collections: Upload a Postman collection (JSON format). The file will be converted to OpenAPI by the scanner.


Before running the scan, it's useful to validate your OpenAPI specification at https://editor.swagger.io/ to ensure it's correctly formatted.

Authenticated scanning

The API Vulnerability Scanner can scan the target API as an authenticated user, which includes resources that are only reachable with valid credentials. This works for both REST and GraphQL APIs.


This option allows you to specify custom HTTP headers that will be sent with each request to the target API. You can use these for authentication (e.g. JWT tokens, Bearer tokens, API keys, Basic Authentication, etc.) or for other API-specific functionality.


You can specify multiple headers if needed (one per line) like in this example:


Header1: the value of Header1

Header2: Subheader1 = value of Subheader1; Subheader2 = value of Subheader2



API Vulnerability Scanner FAQs

Why does my scan not start correctly when providing a specification file?


This usually happens because there are problems with the format of the file. Try validating the format online by using an editor such as https://editor.swagger.io/.


Can I try the API Vulnerability Scanner?

You can test-drive the API Vulnerability Scanner for free on our website. Only Light scans are available for free, whereas Deep scans are available through paid plans, which also give you access to our entire product.