v5.0.1 AI-aware · OWASP Top 10

APISCAN — OWASP API Security Scanner

Proactive API vulnerability testing against the OWASP API Security Top 10 (2023) by Perry Mertens

AI-enhanced OWASP API Security Scanner

APIscan proactively identifies security risks by testing against the OWASP API Security Top 10 (2023). It uses your OpenAPI/Swagger specification to generate realistic attack payloads and detect issues such as Broken Object Level Authorization (BOLA), Broken Authentication, Excessive Data Exposure, and other critical API vulnerabilities.

Supports OAuth 2.0, Bearer, mTLS, and API key authentication. Runs scans in parallel, generates realistic requests, and offers optional AI-assisted review.

APISCAN logo

GUI Overview

Launch with python apiscan_gui.py — cross-platform Tkinter interface for Windows, macOS, and Linux.

Target tab — URL, Swagger, crawl settings, scan output
Target — URL, Swagger, Crawl
Authentication tab — Bearer, Basic, OAuth2, API Key, mTLS
Authentication — 7 auth flows
Form Login tab — Auto-Detect, credentials, token path
Form Login — Auto-Detect
Advanced tab — threads, timeout, TLS, retry, debug
Advanced — Performance & Network

What's New in v5.0.1

Auto Form-Login

Automatic login form detection for crAPI, Juice Shop, and custom apps. HTML form parsing, JSON API detection, token auto-extraction, and SPA-aware field discovery. GUI tab with one-click Auto-Detect.

Crawl Validator

Smart endpoint validation filters fake paths (Juice Shop "Unexpected path" errors, SPA fallbacks, 404 HTML pages). Keeps only real API endpoints — from 71→4 on Juice Shop.

--crawl --crawl-depth N --crawl-aggressive --crawl-passive
--crawl-validate (on by default), --no-crawl-validate, --crawl-validate-mode balanced|strict, --crawl-validate-workers N

Deep Scan Mode

APISCAN_DEEP_SCAN=1 auto-switches to full payloads, high intensity, no quick mode. All injection types including SSTI, LDAP, XXE, RCE with injection_payloads.json.

Expanded Quick Scan

Default scan now covers 9 base tests + 6 injection types (SQL, Path, XSS, NoSQL, LFI, SSTI). Endpoint cap raised from 20→30 for better coverage without slowing down.

Business Logic Testing

New _test_business_logic detects negative prices, excessive discounts, admin role assignment, and privilege escalation via deep scan mode.

Production Ready

Tested against Juice Shop and crAPI. Crash-free: dedup fix for dict payloads, session retry fix for 500 responses, HTML response skip in form detection, error spam suppression.

Real-World Attack Patterns

Detects real-world threat actor TTPs: ShinyHunters unauthenticated data exposure (UNC6040), Salesforce enumeration & Data Loader bulk exfiltration, plus many more attack patterns.

Chain Mode --chain-mode

Automatic escalation of BOLA findings: leaked tokens, email addresses, user IDs, and roles are extracted from BOLA responses and automatically re-injected into other endpoints from the same Swagger spec.

How it works: BOLA findings with cross_user=True or sensitive_hit=True are used to generate chained requests. Leaked data (JWT tokens, API keys, user IDs, roles) is recognized via regex patterns and reused in parameters of other endpoints. Detects privilege escalations, horizontal/vertical access leaks, and reports them in api_chain_escalation_report.html.

python apiscan.py --url https://api.example.com \
  --swagger openapi.json --flow token --token "<JWT>" \
  --chain-mode

Quick Start

# 1) Install (Python 3.11+ recommended)
pip install -r requirements.txt

# 2) Run with a Swagger/OpenAPI file
python apiscan.py --url https://api.example.com \
  --swagger openapi.json --flow token --token <BEARER>

# Optional: export variables template
python apiscan.py --url https://api.example.com \
  --swagger openapi.json --export_vars vars_template.yml

Quick scan (default)

API10 (Unsafe Consumption of APIs) runs 9 base tests + 6 injection types by default on up to 30 endpoints. Fast and comprehensive for everyday use.

  • APISCAN_API10_QUICK=1
  • APISCAN_API10_QUICK_MAX_ENDPOINTS=30
  • APISCAN_API10_QUICK_SQL_MAX_TESTS=10
  • APISCAN_API10_QUICK_DIRTRAV_MAX_TESTS=8
  • APISCAN_API10_QUICK_HPP_MAX_PARAMS=3
  • APISCAN_API10_QUICK_REDIRECT_MAX_TESTS=6

Full or deep scan

# PowerShell: optional quick tuning
$env:APISCAN_API10_QUICK_MAX_ENDPOINTS="20"
$env:APISCAN_API10_QUICK_SQL_MAX_TESTS="10"

# PowerShell: full API10 scan
$env:APISCAN_API10_QUICK="0"

# PowerShell: deep scan, slower and more intensive
$env:APISCAN_DEEP_SCAN="1"

# Bash/Linux/macOS: optional quick tuning
export APISCAN_API10_QUICK_MAX_ENDPOINTS=20
export APISCAN_API10_QUICK_SQL_MAX_TESTS=10

# Bash/Linux/macOS: full API10 scan
export APISCAN_API10_QUICK=0

# Bash/Linux/macOS: deep scan
export APISCAN_DEEP_SCAN=1

GUI & Form Auto-Login

Cross-Platform GUI

Launch with python apiscan_gui.py. Tkinter-based interface with tabs for Scan Configuration, Authentication, Form Login, and Scans — works on Windows, macOS, and Linux.

Form Login Tab

Three-step guided setup: Step 1 — where is the login page? Step 2 — enter credentials. Step 3 — configure token extraction path. Auto-switches auth flow to form when credentials are filled.

Auto-Detect

Click Auto-Detect to let APISCAN find the login endpoint by probing common API paths (Juice Shop /rest/user/login, crAPI /identity/api/auth/login, and more). Detects JSON APIs, skips HTML web forms, and auto-extracts token paths.

Form Login via CLI

# crAPI
python apiscan.py --url http://127.0.0.1:8888 \
  --swagger openapi.json \
  --flow form \
  --login-username user@email.com \
  --login-password "Password123"

# Juice Shop
python apiscan.py --url http://10.1.1.1:3000 \
  --crawl --flow form \
  --login-username jaa@sample.de \
  --login-password "sample@$AS"

Setup and LLM Helper Scripts

Environment and dependency setup (setup.py)

The setup wizard installs or verifies Python dependencies, creates requirements.txt and .env.example, checks environment variables, and prints a summary with next steps.

# Run full setup
python setup.py

# Skip dependency install, only check config
python setup.py --skip-deps

# Minimal mode, no quick start guide
python setup.py --minimal

LLM and AI configuration (llmsetup.py)

The LLM setup script configures one or more AI providers (Ollama, OpenAI, Anthropic, DeepSeek), writes a .env file plus shell-specific helper scripts, and generates test_env.py for validation.

# Start interactive LLM and environment setup
python llmsetup.py

# Typical flow:
# 1) Select providers (e.g. Ollama and OpenAI)
# 2) Choose a default model per provider
# 3) Generate .env and apiscan_env.* scripts
# 4) Load the script in your shell, then run:
python test_env.py

Core Features

Comprehensive API Testing

Full OWASP API Security Top 10 (2023) coverage with 11 dedicated audit modules:

  • BOLA (Broken Object Level Authorization)
  • Broken Authentication
  • Property-level Authorization
  • Resource Consumption
  • Function-level Authorization
  • Business Logic Flows
  • SSRF
  • Security Misconfiguration
  • Inventory Management
  • Unsafe Consumption
  • AI-assisted Analysis

Authentication Support

Multiple authentication flows with flexible configuration:

  • Auto Form-Login (crAPI, Juice Shop)
  • Bearer Token (JWT)
  • OAuth2 Client Credentials
  • OAuth2 Authorization Code
  • Basic Authentication
  • NTLM Authentication
  • API Key in Headers
  • Client Certificate (mTLS)

Smart Request Planning

Advanced request generation from OpenAPI specs:

  • Automatic path parameter filling
  • Request body generation from schemas
  • Content-Type detection and handling
  • Multipart/form-data support
  • Dummy data generation for testing
  • Adaptive retry on 5xx errors

Advanced Reporting

Comprehensive reporting capabilities:

  • Individual HTML reports per vulnerability type
  • Combined master report
  • CSV export for planning and verification
  • Detailed logging with timestamps
  • Vulnerability summary with risk levels

Command Line Options

Basic Options
Authentication
Scan Options
Advanced
--urlBase URL of the API to scan (required)
--swaggerPath to Swagger/OpenAPI JSON file (required)
--threadsNumber of concurrent threads (default: 2)
--debugEnable debug output (verbose logging)
--insecureDisable TLS certificate validation
--crawlAuto-discovery via HTTP crawling
--crawl-depthCrawl link depth (default: 3, max: 10)
--crawl-aggressiveAggressive crawl mode — follow all links
--crawl-passivePassive crawl — only seed URL, no embedded links
--crawl-validateValidate crawled endpoints (on by default; --no-crawl-validate to skip)
--crawl-validate-modeValidator strictness: balanced (default) or strict
--crawl-validate-workersConcurrent validator workers (default: 8)
--flowAuthentication flow: none, token, client, basic, ntlm, auth
--tokenBearer token value (used with --flow token)
--apikeyAPI key value (sent in header specified by --apikey-header)
--apikey-headerHeader name for API key (default: X-API-Key)
--client-certPath to client certificate file (PEM, used for mTLS)
--client-keyPath to private key file (PEM, used for mTLS)
--basic-authBasic auth in the form user:password
--ntlmNTLM credentials in the form DOMAIN\user:password
--api1 … --api11Run specific API security tests (default: all)
--plan-onlyBuild all requests and write apiscan-plan.csv, do not send
--plan-then-scanFirst build full plan (CSV), then perform the scan
--verify-planAfter planning, send each planned request and expect success
--success-codesComma list of codes or ranges, e.g. 200-299,302 (default: 200-299)
--chain-modeAuto-escalate BOLA findings: re-inject leaked data (tokens, emails, user IDs, roles) into other endpoints
--dummyUse dummy data for request bodies and parameters
--export_varsExport variables template YAML if .yml/.yaml else JSON
--proxyOptional proxy URL, e.g. http://127.0.0.1:8080
--ids-fileJSON file mapping path parameter names to concrete values
--rewriteRegex=>replacement rewrite applied to each URL (can be repeated)
--no-sanitizeDisable built-in URL normalization; only apply explicit --rewrite rules
--retry500Adaptive retries on HTTP 5xx for POST/PUT/PATCH (default: 1)
--no-retry-500Disable adaptive 5xx retries
--normalize-versionNormalize version segments, e.g. /v2.00/ → /v2.0/
--crawlAuto-discovery via HTTP crawling (depth, aggressive, passive)
--crawl-depthCrawl link depth (default: 3, max: 10)
--crawl-aggressiveAggressive crawl mode — follow all links
--crawl-passivePassive crawl — only seed URL, no embedded link following
--crawl-validateValidate crawled endpoints (default: on). Use --no-crawl-validate to skip
--crawl-validate-modeValidator strictness: balanced (default) or strict
--crawl-validate-workersConcurrent validator workers (default: 8)

Usage Examples & Recipes

Basic Scan with Bearer Token

python apiscan.py --url https://api.example.com \
  --swagger openapi.json \
  --flow token --token "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  --threads 5

API Key Authentication

python apiscan.py --url https://api.example.com \
  --swagger openapi.json \
  --apikey "your-api-key-here" --apikey-header "X-API-Key" \
  --api1 --api2 --api5  # Test only specific vulnerabilities

OAuth2 Client Credentials

python apiscan.py --url https://api.example.com \
  --swagger openapi.json \
  --flow client \
  --client-id "your-client-id" \
  --client-secret "your-client-secret" \
  --token-url "https://auth.example.com/oauth/token" \
  --scope "api.read api.write"

Planning Phase Only

python apiscan.py --url https://api.example.com \
  --swagger openapi.json \
  --flow token --token "<JWT>" \
  --plan-only

Generates apiscan-plan.csv with all planned requests without executing them.

Verification with Custom Success Codes

python apiscan.py --url https://api.example.com \
  --swagger openapi.json \
  --flow token --token "<JWT>" \
  --verify-plan --success-codes "200-299,304"

Tests all planned requests and expects success codes in 200-299 range or 304.

Using ID Mapping File

# ids.json content:
{
  "userId": "12345",
  "orderId": "67890", 
  "vehicleId": "abc123",
  "postId": "post-001"
}

python apiscan.py --url https://api.example.com \
  --swagger openapi.json \
  --ids-file ids.json \
  --flow token --token "<JWT>"

URL Rewriting for Path Normalization

python apiscan.py --url https://api.example.com \
  --swagger openapi.json \
  --rewrite "/v2(?!\.)=>/v2.00" \
  --rewrite "/alpha/beta/alpha=>/alpha/beta" \
  --no-sanitize \
  --flow token --token "<JWT>"

Through Proxy with Debug Output

python apiscan.py --url https://api.example.com \
  --swagger openapi.json \
  --proxy http://127.0.0.1:8080 \
  --insecure \
  --debug \
  --flow token --token "<JWT>"

Dummy Mode for Testing

python apiscan.py --url https://api.example.com \
  --swagger openapi.json \
  --dummy \
  --flow token --token "<JWT>" \
  --verify-plan

Uses generated dummy data for all request bodies and parameters.

Custom Headers from File

# headers.json content:
{
  "X-Custom-Header": "custom-value",
  "X-Tenant-ID": "tenant-123",
  "X-Request-ID": "req-456"
}

python apiscan.py --url https://api.example.com \
  --swagger openapi.json \
  --headers-file headers.json \
  --flow token --token "<JWT>"

AI-Assisted Analysis

# Set environment variables first
export LLM_PROVIDER=openai_compat
export LLM_MODEL=gpt-4o-mini
export LLM_API_KEY=sk-...

python apiscan.py --url https://api.example.com \
  --swagger openapi.json \
  --flow token --token "<JWT>" \
  --api11  # Run AI-assisted analysis

Adaptive Retry on Server Errors

python apiscan.py --url https://api.example.com \
  --swagger openapi.json \
  --flow token --token "<JWT>" \
  --retry500 3  # Retry up to 3 times on 5xx errors

Comprehensive Enterprise Scan

python apiscan.py --url https://api.company.com \
  --swagger enterprise-api.json \
  --flow token --token "<JWT>" \
  --threads 10 \
  --proxy http://corporate-proxy:8080 \
  --ids-file prod-ids.json \
  --headers-file prod-headers.json \
  --rewrite "/v1/=>/v1.00/" \
  --retry500 3 \
  --verify-plan \
  --success-codes "200-299,302,304"

Scan Workflow

Initialization

Parse arguments, set up logging, create output directory

Authentication

Configure session with specified auth flow

API Reachability

Check if target API is accessible

Swagger Processing

Load and parse OpenAPI specification

Planning Phase

Generate request plan from endpoints (optional)

Verification Phase

Test planned requests (optional)

Security Audits

Execute selected API security tests (API1–API11)

Reporting

Generate HTML reports and combined summary

Supported OWASP API Security Risks

API1: Broken Object Level Authorization

Tests for inadequate access controls on object endpoints using ID manipulation and privilege escalation attempts.

API2: Broken Authentication

Assesses authentication mechanisms for weaknesses like credential stuffing, weak tokens, and flawed session management.

API3: Broken Object Property Level Authorization

Checks if users can access or modify object properties they shouldn't have permissions for.

API4: Unrestricted Resource Consumption

Tests for resource exhaustion attacks through large payloads, deep nesting, or excessive requests.

API5: Broken Function Level Authorization

Verifies proper authorization checks for sensitive functions and administrative endpoints.

API6: Unrestricted Access to Sensitive Business Flows

Assesses business logic vulnerabilities that could be exploited to manipulate workflows.

API7: Server Side Request Forgery (SSRF)

Tests for SSRF vulnerabilities where the API makes requests to internal or external resources.

API8: Security Misconfiguration

Checks for security misconfigurations like verbose errors, insecure defaults, or missing security headers.

API9: Improper Inventory Management

Assesses API inventory exposure including outdated versions, exposed debug endpoints, and deprecated APIs.

API10: Unsafe Consumption of APIs

Tests for vulnerabilities when consuming third-party APIs, including data validation and trust boundaries.

API11: AI-Assisted Security Analysis

Uses AI to identify complex security patterns and business logic flaws that traditional scanners might miss.

Troubleshooting

Connection Issues

Symptoms: Timeouts, connection refused, SSL errors
Solutions: Check network connectivity, verify URL, use --insecure for self-signed certs, configure proxy with --proxy

Authentication Failures

Symptoms: 401 Unauthorized, 403 Forbidden responses
Solutions: Verify token validity, check auth flow configuration, ensure proper headers with --headers-file or --extra-header

Path/Endpoint Issues

Symptoms: 404 Not Found, wrong endpoints being called
Solutions: Use --no-sanitize to disable URL normalization, add --rewrite rules for path corrections, verify Swagger file accuracy

Request Body Problems

Symptoms: 400 Bad Request, 422 Unprocessable Entity
Solutions: Use --dummy for generated data, check request body schemas in Swagger, use --export_vars to create template

Performance Issues

Symptoms: Slow scanning, timeouts
Solutions: Reduce --threads, use --apiX flags to run specific tests only

AI Analysis Failures

Symptoms: API11 errors, LLM connection issues
Solutions: Verify LLM environment variables (LLM_PROVIDER, LLM_MODEL, LLM_API_KEY), check API quotas, ensure network access to LLM provider

Output & Reporting

HTML Reports

Individual vulnerability reports (api_*_report.html) and combined master report with detailed findings, risk levels, and remediation guidance.

CSV Files

apiscan-plan.csv (planned requests) and apiscan-verify.csv (verification results) for further analysis or integration with other tools.

Log Files

Detailed execution logs in the log/ directory with timestamps, request/response data, and error information for debugging.

Console Output

Real-time progress with colored status indicators, vulnerability counts, and summary statistics upon completion.

Prerequisite: You need an OpenAPI/Swagger file

APISCAN works from an OpenAPI/Swagger specification to plan and verify calls.
If you already have a Swagger/OpenAPI file (e.g., openapi.json or swagger.yaml), you can use it directly with --swagger.

If you only have a Postman collection, convert it first:

  1. Export your Postman collection (*.postman_collection.json).
  2. Convert it to OpenAPI/Swagger using the open-source converter: https://github.com/perrym/postman-to-swagger.
  3. Use the converted file with APISCAN via --swagger.

Example conversion flow

# Convert Postman -> Swagger/OpenAPI (see repo for options)
python postman-to-swagger.py --input ./MyCollection.postman_collection.json --output ./openapi.json

# Then run APISCAN using the converted spec
python apiscan.py --url https://api.example.com --swagger ./openapi.json --plan-only --verify-plan

© Perry Mertens — Released under the AGPL-v3.0 License.