
🔐 APIScan (AI-Aware) OWASP API Scanner by Perry Mertens (pamsniffer@gmail.com)

Version: 2.0-beta
Author: Perry Mertens (pamsniffer@gmail.com)
License: MIT

Overview

APISCAN is an extensible, advanced Python-based API security testing framework targeting the OWASP API Security Top 10 (2023). It supports Swagger/OpenAPI specifications, performs active vulnerability scanning, and generates comprehensive reports in various formats.

Key Features

Supported Risks

OWASP API Risk ID   Description                                    Module
API1                Broken Object Level Authorization              bola_audit.py
API2                Broken Authentication                          broken_auth_audit.py
API3                Broken Object Property Level Authorization     broken_object_property_audit.py
API4                Unrestricted Resource Consumption              resource_consumption_audit.py
API5                Broken Function Level Authorization            authorization_audit.py
API6                Sensitive Business Logic                       business_flow_audit.py
API7                SSRF (Server-Side Request Forgery)             ssrf_audit.py
API8                Security Misconfiguration                      misconfiguration_audit.py
API9                Improper Inventory Management                  inventory_audit.py
API10               Unsafe Consumption of 3rd-Party APIs           safe_consumption_audit.py
API11               AI-assisted Security Analysis                  ai_client.py
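Several of the modules above (notably API2, API8 and API9) can surface findings from the OpenAPI document alone, before a single request is sent. The following is an added illustration of that spec-only pass, written for this page and not taken from APIScan's own modules: it resolves each operation's effective security requirement (operation-level overrides global, an empty list means explicitly open), flags plaintext server URLs, references to undefined security schemes, and deprecated operations still listed in the spec. The SPEC dictionary is a constructed sample, not a real API, and the risk labels are a heuristic mapping chosen here.

```python
"""Spec-driven inventory of authentication coverage (added example, not the
project's own code). Runs offline against an embedded, constructed OpenAPI 3 document."""

# Constructed sample spec; the host name uses the reserved .invalid TLD.
SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.invalid/v1"}],
    "security": [{"bearerAuth": []}],          # global default: bearer token required
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/users/{id}": {
            "get": {"operationId": "getUser"},                      # inherits global bearerAuth
            "delete": {"operationId": "deleteUser", "security": []},  # explicitly unauthenticated
        },
        "/health": {"get": {"operationId": "health", "security": []}},
        "/v0/legacy": {"get": {"operationId": "legacy", "deprecated": True}},
        "/admin/export": {"post": {"operationId": "exportAll",
                                   "security": [{"undefinedScheme": []}]}},
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def operations(spec):
    """Yield (METHOD, path, operation-object) for every operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                yield method.upper(), path, op


def effective_security(spec, op):
    """An operation-level 'security' key overrides the global one; [] means open."""
    return op["security"] if "security" in op else spec.get("security", [])


def audit_spec(spec):
    """Return findings as (risk, severity, method, path, detail) tuples."""
    findings = []
    schemes = spec.get("components", {}).get("securitySchemes", {})

    # API8: a server URL without TLS exposes tokens and data in transit.
    for server in spec.get("servers", []):
        url = server.get("url", "")
        if url.lower().startswith("http://"):
            findings.append(("API8", "medium", "*", "*", f"plaintext server URL {url}"))

    for method, path, op in operations(spec):
        sec = effective_security(spec, op)
        if not sec:
            # API2: no authentication requirement; state-changing methods weigh more.
            severity = "low" if method in SAFE_METHODS else "high"
            findings.append(("API2", severity, method, path, "no security requirement"))
        for requirement in sec:
            for name in requirement:
                if name not in schemes:
                    # API8: the spec references a scheme it never defines.
                    findings.append(("API8", "medium", method, path,
                                     f"unknown security scheme '{name}'"))
        if op.get("deprecated"):
            # API9: deprecated operations are still part of the exposed inventory.
            findings.append(("API9", "low", method, path, "deprecated operation still exposed"))
    return findings


if __name__ == "__main__":
    for risk, severity, method, path, detail in audit_spec(SPEC):
        print(f"{risk:5} {severity:6} {method:7} {path:15} {detail}")
```

Running the block lists five findings for the sample: the plaintext server URL, the open DELETE and /health operations, the deprecated legacy endpoint, and the undefined scheme on /admin/export; GET /users/{id} inherits the global bearer requirement and is not reported.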

Example CLI Usage

# Real mode
python apiscan.py --url https://api.example.com \
                  --swagger openapi.json \
                  --token eyJhbGciOi... \
                  --flow token

# Dummy mode
python apiscan.py --url https://api.example.com \
                  --swagger openapi.json \
                  --token eyJhbGciOi... \
                  --flow token \
                  --dummy  # enables safe testing using auto-generated, schema-aware dummy values


Swagger Crawler

python swaggergenerator.py --url https://api.example.com --output openapi.json --depth 3 --aggressive

AI-Driven Audit (API11)

Uses GPT-4o to generate security findings per endpoint.

python apiscan.py --url https://api.example.com --swagger openapi.json --api11

Command-Line Arguments (Summary)

--url                API base URL
--swagger            Path to OpenAPI JSON
--dummy              Enable dummy mode
--token              Bearer token
--basic-auth         Basic auth user:pass
--apikey             API key
--apikey-header      Header name for key
--ntlm               NTLM domain\user:pass
--client-cert/key    mTLS support
--flow               Auth flow: token, client, basic, ntlm
--api1 .. --api11    Run specific OWASP audit(s)
--threads            Parallelism (default: 2)
--debug              Enable debug mode

Contact

Email: pamsniffer@gmail.com
GitHub: perrym/apiscanner