Skip to content
OWASP API Top 10 · 2023 · non-destructive

API Security Scanner

Point it at any REST or GraphQL endpoint for an instant, board-ready posture — auth, rate-limiting, injection, data exposure and misconfiguration, each mapped to OWASP + CWE with the fix.

25+ tests 100% OWASP <3s scan JSON · CSV

Scan an endpoint

Try:

Request Headers

Quick add:

Equivalent cURL

curl -X GET 'https://api.example.com/v1/resource' \
  -H 'Content-Type: application/json'

Your posture appears here

Enter an endpoint or pick a sample, then run a scan to see the live grade, severity breakdown and OWASP map.

How the scanner actually works

No black box. From your browser we send the request to our server, which performs the analysis and returns exactly what it saw — every finding above is derived from the target’s own live response, not a canned checklist.

1

Live request

Your browser posts the target URL to our Node server, which issues one real request with your chosen method, headers and body — following redirects, with a 12-second timeout.

fetch(url, { method, headers, redirect: follow })

2

Header & transport read

We capture the full response-header set, status, latency and body size, then grade eight security headers and the TLS/HSTS posture against their observed values.

response.headers → HSTS · CSP · XFO · XCTO · Referrer · Permissions · COOP · CORP

3

Stack fingerprinting

Server, X-Powered-By, CDN markers (cf-ray, x-vercel-id, via) and session-cookie names are matched against a rule-set to identify the CDN, web server, framework and language — flagging any version leak.

Server · X-Powered-By · X-AspNet-Version · cf-ray · PHPSESSID · JSESSIONID …

4

CORS & cookies

The Access-Control-Allow-Origin / Allow-Credentials pair is analysed for the dangerous wildcard-with-credentials case, and every Set-Cookie is parsed for Secure / HttpOnly / SameSite.

ACAO=* + ACAC=true → high · missing Secure/HttpOnly/SameSite → flag

5

Method & GraphQL probe

A non-destructive OPTIONS preflight reveals advertised methods; GraphQL endpoints get one read-only introspection query to check whether the schema is exposed.

OPTIONS → Allow header · POST {__schema{queryType{name}}}

6

Secret & PII scan → scoring

The response body is regex-scanned for JWTs, cloud keys, private keys, cards, emails and stack traces. Findings are weighted by severity into a 0–100 score, an A+–F grade, and OWASP API Top-10 mapping.

critical −25 · high −15 · medium −8 · low −3 → grade

Strictly non-destructive & authorized-use only. The scanner sends one normal request, one OPTIONS preflight, and (for GraphQL) one read-only introspection query. It never sends injection payloads, brute-forces, or writes data. Internal, localhost and link-local addresses are blocked to prevent SSRF. Only scan endpoints you own or are permitted to test.

What we test — and why it matters

Every check runs against your live endpoint and maps to a real-world attack path, not a checkbox.

Authentication

We check whether the endpoint answers without credentials and whether auth headers are even in play — the second-most-exploited API weakness.

Authorization (BOLA)

Broken Object Level Authorization is the #1 API risk. We flag it for manual verification and explain exactly how to prove ownership on every request.

Configuration

HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORS and TLS are inspected from the live response.

Rate limiting

We look for X-RateLimit / Retry-After signals — their absence is a direct route to brute-force, credential-stuffing and resource exhaustion.

Data exposure

The response body is pattern-scanned for tokens, keys, PII, private keys and stack traces that should never leave your server.

Injection surface

We surface where input validation is required and map each risk to its CWE and OWASP category with concrete remediation.

OWASP API Security Top 10 (2023)

The definitive risk taxonomy for APIs. Each card lists the compliance controls that reference it — the language your auditors already speak.

API1

Broken Object Level Authorization

Endpoints expose object identifiers, creating a wide attack surface for cross-tenant access.

PCI 7.1GDPR Art.32SOC 2 CC6.1
API2

Broken Authentication

Authentication mechanisms implemented incorrectly let attackers assume identities.

PCI 8.2SOC 2 CC6.1ISO A.9
API3

Broken Object Property Level Authorization

Missing property-level checks lead to excessive data exposure or mass assignment.

GDPR Art.5HIPAA 164.312
API4

Unrestricted Resource Consumption

No limits on request size/rate opens the door to DoS and cost-inflation abuse.

SOC 2 A1.1PCI 6.5
API5

Broken Function Level Authorization

Complex role hierarchies let users reach admin functions they should not.

PCI 7.2ISO A.9.4
API6

Unrestricted Access to Sensitive Business Flows

Business flows lacking anti-automation are abused at scale (scalping, spam).

SOC 2 CC7.2
API7

Server Side Request Forgery

Fetching remote resources without validating the URI enables internal pivoting.

PCI 6.5.10CWE-918
API8

Security Misconfiguration

Missing headers, permissive CORS and weak TLS leave predictable openings.

PCI 2.2ISO A.14SOC 2 CC6.6
API9

Improper Inventory Management

Shadow and deprecated endpoints stay exposed without proper documentation.

SOC 2 CC7.1
API10

Unsafe Consumption of APIs

Trusting third-party API data more than user input propagates their flaws to you.

ISO A.15

Frequently asked questions

What is the OWASP API Security Top 10?
OWASP API Security Top 10 is a list of the most critical security risks for APIs: 1) Broken Object Level Authorization (BOLA), 2) Broken Authentication, 3) Broken Object Property Level Authorization, 4) Unrestricted Resource Consumption, 5) Broken Function Level Authorization, 6) Unrestricted Access to Sensitive Business Flows, 7) Server Side Request Forgery, 8) Security Misconfiguration, 9) Improper Inventory Management, 10) Unsafe Consumption of APIs.
How do I test my API for security vulnerabilities?
Enter your API endpoint URL, select the HTTP method (GET, POST, PUT, DELETE), add any required headers or authentication tokens, and click Scan. Our scanner will check for OWASP Top 10 vulnerabilities, authentication issues, rate limiting, injection flaws, and security misconfigurations.
What is Broken Object Level Authorization (BOLA)?
BOLA (also known as IDOR - Insecure Direct Object Reference) occurs when an API doesn't properly verify that a user has permission to access a specific resource. Attackers can manipulate object IDs in requests to access unauthorized data. This is the #1 API vulnerability according to OWASP.
Is this API security scanner free to use?
Yes! Our basic API security scanner is completely free. It checks for common vulnerabilities including authentication issues, security headers, rate limiting, and basic injection flaws. For comprehensive enterprise testing with advanced features, consider our premium options.
Can I test GraphQL APIs with this scanner?
Yes! Our scanner supports both REST and GraphQL APIs. For GraphQL, we check introspection exposure, query depth limits, batching attack vectors, and field-level authorization. Enter your GraphQL endpoint and we'll automatically detect the API type.
What security headers should my API have?
Essential API security headers include: Strict-Transport-Security (HSTS), X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Content-Security-Policy, X-XSS-Protection, Cache-Control for sensitive data, and proper CORS configuration with Access-Control-Allow-Origin.
How do I protect my API from rate limiting attacks?
Implement rate limiting by IP address and user account, use token bucket or sliding window algorithms, return 429 Too Many Requests with Retry-After header, implement exponential backoff, and consider using API gateways like Kong or AWS API Gateway for built-in rate limiting.
What is the difference between authentication and authorization?
Authentication verifies WHO you are (login credentials, API keys, tokens). Authorization determines WHAT you can access (permissions, roles, scopes). APIs need both: authenticate the user/client first, then authorize each request based on their permissions for that specific resource.
How can I prevent SQL injection in my API?
Use parameterized queries or prepared statements, implement input validation and sanitization, use ORM frameworks, apply least privilege database permissions, escape special characters, and use Web Application Firewalls (WAF). Never concatenate user input directly into SQL queries.
What makes JWT tokens secure?
Secure JWT implementation requires: using strong algorithms (RS256 over HS256 for distributed systems), short expiration times, secure secret/key storage, validating all claims (iss, aud, exp), using HTTPS only, implementing token refresh mechanisms, and considering JTI for token revocation.

Secure your APIs before attackers test them for you

Scan on every deploy, wire it into CI, and hand your team findings that already come with the fix. Free, instant, no signup.

Learn More

Related Articles

Dive deeper with our expert guides and tutorials related to API Security Scanner

Loading articles...