
API Scanning

AIPTx provides comprehensive API security testing for modern API architectures.

REST API Testing

OpenAPI/Swagger Integration

api:
  type: rest
  spec: ./openapi.yaml
  # or point at a remote spec instead of the local file
  # (a YAML mapping may only contain one `spec` key, so keep a single one active):
  # spec: https://api.example.com/openapi.json
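As an added example (not part of AIPTx or its documentation), the following script shows what a scanner has to do with a spec before it can test anything: enumerate every operation in the `paths` object and resolve the effective security requirement of each, so that endpoints with no authentication at all, or endpoints that reference a security scheme never declared under `components`, are reported before any request is sent. The spec is a constructed JSON document embedded inline so the script runs without a YAML library; in practice the `./openapi.yaml` from the config would be loaded with a YAML parser such as PyYAML (an assumption about tooling, not something the page states).

```python
import json

# Constructed sample spec standing in for ./openapi.yaml or the remote openapi.json.
# JSON is used so the example runs with the standard library only.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Example", "version": "1.0"},
  "components": {
    "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}
  },
  "security": [{"bearerAuth": []}],
  "paths": {
    "/api/users/{id}": {
      "get": {"summary": "Fetch a user"},
      "delete": {"summary": "Delete a user", "security": [{"bearerAuth": []}]}
    },
    "/api/health": {
      "get": {"summary": "Liveness probe", "security": []}
    },
    "/api/users": {
      "post": {"summary": "Create a user", "security": [{"apiKey": []}]}
    }
  }
}
""")

# Keys of a Path Item object that are operations; anything else (parameters,
# summary, servers, ...) is metadata and is skipped.
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def enumerate_operations(spec):
    """Yield (METHOD, path, operation object) for every operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                yield method.upper(), path, op


def effective_security(spec, op):
    """Per the OpenAPI spec, an operation's own `security` overrides the
    document-level default; an explicit empty list means "no auth required"."""
    return op["security"] if "security" in op else spec.get("security", [])


def audit_auth_coverage(spec):
    """Return unauthenticated operations and references to undeclared schemes."""
    declared = set(spec.get("components", {}).get("securitySchemes", {}))
    unauthenticated, undefined_schemes = [], []
    for method, path, op in enumerate_operations(spec):
        requirements = effective_security(spec, op)
        if not requirements:
            unauthenticated.append(f"{method} {path}")
            continue
        for requirement in requirements:
            for scheme in requirement:
                if scheme not in declared:
                    undefined_schemes.append(f"{method} {path} -> {scheme}")
    return {"unauthenticated": unauthenticated, "undefined_schemes": undefined_schemes}


if __name__ == "__main__":
    for kind, entries in audit_auth_coverage(SAMPLE_SPEC).items():
        print(f"{kind}: {entries}")
```

The static audit is a complement to, not a replacement for, the dynamic "Authentication bypass" test listed further down: a spec can declare a scheme that the server never actually enforces, which only a live request reveals.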

Custom Endpoints

api:
  endpoints:
    - method: GET
      path: /api/users/{id}
      params:
        id: ["1", "2", "999", "admin"]

    - method: POST
      path: /api/users
      body:
        name: "{{fuzz}}"
        email: "{{fuzz}}@test.com"
        role: ["user", "admin"]

GraphQL Testing

api:
  type: graphql
  endpoint: https://api.example.com/graphql
  introspection: true

  queries:
    - |
      query {
        user(id: "{{fuzz}}") {
          email
          role
        }
      }

  mutations:
    - |
      mutation {
        updateUser(id: "{{fuzz}}", role: "admin") {
          success
        }
      }

  tests:
    - introspection_enabled
    - query_depth_limit
    - batch_query_attack
    - field_authorization
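The `introspection_enabled`, `query_depth_limit` and `batch_query_attack` tests above each probe for a missing server-side control. As an added example (not AIPTx code), here is a minimal request gate of the kind a GraphQL server would run before executing anything: it rejects introspection queries unless explicitly allowed, caps the nesting depth of a selection set, and caps the number of operations in a batched request. The depth counter works on raw brace nesting, skipping string literals and `#` comments; note that the `{{fuzz}}` placeholder in the config's own `user` query sits inside a string and therefore does not count. The sample requests and all limits are constructed for the example. Block strings (`"""`) and fragment spreads are not handled; a production limiter should walk the parsed AST (for instance via a validation rule in graphql-core) rather than the text.

```python
import json
import re

# Constructed sample requests. SINGLE mirrors the user query from the config above;
# {{fuzz}} is the scanner's template marker and is still a plain string here.
SINGLE = json.dumps({"query": 'query { user(id: "{{fuzz}}") { email role } }'})
DEEP = json.dumps({"query": "{ a { b { c { d { e { f { g } } } } } } }"})
INTROSPECT = json.dumps({"query": "{ __schema { types { name } } }"})
BATCH_TOO_BIG = json.dumps([{"query": "{ __typename }"}] * 50)
BATCH_OK = json.dumps([{"query": "{ __typename }"}] * 10)

# __typename is ordinary metadata; only __schema and __type are introspection roots.
INTROSPECTION_RE = re.compile(r"\b__(?:schema|type)\b")


def query_depth(query: str) -> int:
    """Depth of the deepest selection set, counted by brace nesting.
    The operation's outer braces count as depth 1. String literals
    (including escapes) and # comments are skipped so they cannot
    inflate or deflate the count."""
    depth = max_depth = 0
    in_string = False
    i = 0
    while i < len(query):
        ch = query[i]
        if in_string:
            if ch == "\\":
                i += 1              # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "#":
            while i < len(query) and query[i] != "\n":
                i += 1
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
        i += 1
    return max_depth


def check_request(body: str, max_depth: int = 5, max_batch: int = 10,
                  allow_introspection: bool = False):
    """Gate a raw request body. Accepts one {"query": ...} object or a JSON
    array of them (a batch). Returns (accepted, reason)."""
    payload = json.loads(body)
    operations = payload if isinstance(payload, list) else [payload]
    if len(operations) > max_batch:
        return False, f"batch of {len(operations)} exceeds limit {max_batch}"
    for op in operations:
        query = op.get("query", "")
        if not allow_introspection and INTROSPECTION_RE.search(query):
            return False, "introspection is disabled"
        depth = query_depth(query)
        if depth > max_depth:
            return False, f"query depth {depth} exceeds limit {max_depth}"
    return True, "ok"


if __name__ == "__main__":
    for name, body in [("single", SINGLE), ("deep", DEEP),
                       ("introspect", INTROSPECT), ("batch", BATCH_TOO_BIG)]:
        print(name, check_request(body))
```

When the scanner reports `query_depth_limit` or `batch_query_attack`, the fix is a gate like this (or the equivalent middleware your GraphQL framework ships), applied before resolvers run, so that a single request cannot fan out into unbounded resolver work.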

gRPC Testing

api:
  type: grpc
  endpoint: api.example.com:443
  proto_files:
    - ./protos/service.proto
  reflection: true

API Security Tests

Test                    Description
Authentication bypass   Missing or weak auth
Authorization flaws     IDOR, privilege escalation
Input validation        Injection, overflow
Rate limiting           DoS protection
Data exposure           Sensitive data in responses

Response Analysis

api:
  response_analysis:
    sensitive_data:
      - password
      - secret
      - token
      - ssn
      - credit_card
    pii_detection: true
    verbose_errors: true
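As an added example (not AIPTx code), the script below implements the three checks the `response_analysis` block switches on, run over a handful of constructed responses: it walks JSON bodies for keys from the `sensitive_data` list, scans the raw body for PII value patterns (SSN, e-mail, Luhn-valid card numbers), and looks for stack-trace and framework-exception signatures that indicate verbose error handling. The responses, the key list, the PII patterns and the error signatures are all constructed for this example; a real scanner would carry far larger pattern sets.

```python
import json
import re

# Constructed sample responses standing in for what a scanned API might return.
# Format: (request label, HTTP status, raw body). None of this is real data.
SAMPLE_RESPONSES = [
    ("GET /api/users/1", 200,
     '{"id": 1, "name": "Alice", "email": "alice@example.com", '
     '"profile": {"ssn": "123-45-6789", "credit_card": "4111 1111 1111 1111"}, '
     '"password": "hunter2"}'),
    ("POST /api/login", 200,
     '{"token": "eyJhbGciOi.constructed.signature", "role": "admin"}'),
    ("GET /api/users/999", 500,
     "org.hibernate.exception.SQLGrammarException: could not execute query\n"
     "\tat com.example.UserRepo.find(UserRepo.java:42)"),
    ("GET /api/health", 200, '{"status": "ok"}'),
]

# Keys from the config's sensitive_data list, matched case-insensitively.
SENSITIVE_KEYS = {"password", "secret", "token", "ssn", "credit_card"}

# PII value patterns: US SSN, e-mail address, 13-16 digit card-number candidate.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
}

# Signatures of stack traces and framework errors leaking into responses.
VERBOSE_ERROR_PATTERNS = [
    re.compile(r"\bat [\w$.]+\(\w+\.java:\d+\)"),        # Java stack frame
    re.compile(r"Traceback \(most recent call last\)"),  # Python traceback
    re.compile(r"\b\w+(?:Exception|Error): "),           # "FooException: message"
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on card-number candidates."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 if n < 5 else n * 2 - 9
        total += n
    return total % 10 == 0


def walk_keys(obj, path=""):
    """Yield (dotted path, key) for every key in a nested JSON value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            full = f"{path}.{key}" if path else key
            yield full, key
            yield from walk_keys(value, full)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk_keys(value, f"{path}[{i}]")


def analyse_response(status, body):
    """Return a list of (finding type, detail) tuples for one response."""
    findings = []
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        data = None                      # non-JSON bodies still get regex checks
    if data is not None:
        for path, key in walk_keys(data):
            if key.lower() in SENSITIVE_KEYS:
                findings.append(("sensitive_key", path))
    for name, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(body):
            if name == "card" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue
            findings.append(("pii", name))
    for pattern in VERBOSE_ERROR_PATTERNS:
        if pattern.search(body):
            findings.append(("verbose_error", f"status {status}"))
            break
    return findings


def scan(responses):
    """Map each request label to its findings, omitting clean responses."""
    report = {}
    for request, status, body in responses:
        found = analyse_response(status, body)
        if found:
            report[request] = found
    return report


if __name__ == "__main__":
    for request, found in scan(SAMPLE_RESPONSES).items():
        print(request)
        for kind, detail in found:
            print(f"  {kind}: {detail}")
```

Key-name matching and value-pattern matching deliberately overlap: a field named `ssn` is a finding even when the value is masked, and an SSN-shaped value is a finding even when the field is called `reference`. The Luhn check is what keeps the card pattern from firing on every 16-digit order number.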