Introduction
Welcome to VulnAPI Documentation!

What is VulnAPI?
Section titled “What is VulnAPI?”VulnAPI is an Open Source DAST that scans APIs for vulnerabilities and security risks. It provides reports on any vulnerabilities detected during the scan, including the risk level, vulnerability, description, and operation performed when the vulnerability has been found.
VulnAPI offers three methods for scanning APIs:
- Using Curl-like CLI: Directly invoke the CLI with parameters resembling curl commands.
- Using OpenAPI Contracts: Use an OpenAPI spec to enumerate all endpoints for scanning.
- Using GraphQL: Point VulnAPI at a GraphQL endpoint to scan it for vulnerabilities.
Installation
Section titled “Installation”Before making your first scan with VulnAPI, you have to download and install it. Please follow the instructions on the Installation page.
Documentation
Section titled “Documentation”Before scanning, you can discover target API useful information by using the discover command.
Discover Command
Section titled “Discover Command”To discover target API useful information, execute the following command:
vulnapi discover api [API_URL]Example output:
| WELL-KNOWN PATHS | URL ||------------------|------------------------------------|| OpenAPI | http://localhost:5000/openapi.json || GraphQL | N/A |
| TECHNOLOGIE/SERVICE | VALUE ||---------------------|---------------|| Framework | Flask:2.2.3 || Language | Python:3.7.17 || Server | Flask:2.2.3 |Using Curl-like CLI
Section titled “Using Curl-like CLI”To perform a scan using the Curl-like CLI, execute the following command:
vulnapi scan curl [API_URL] [CURL_OPTIONS]Replace [API_URL] with the URL of the API to scan, and [CURL_OPTIONS] with any additional curl options you wish to include.
Using OpenAPI Contracts
Section titled “Using OpenAPI Contracts”To perform a scan using OpenAPI contracts, execute the following command:
echo "[JWT_TOKEN]" | vulnapi scan openapi [PATH_OR_URL_TO_OPENAPI_FILE]Replace [PATH_OR_URL_TO_OPENAPI_FILE] with the path or the URL to the OpenAPI contract JSON file and [JWT_TOKEN] with the JWT token to use for authentication.
Using GraphQL
Section titled “Using GraphQL”To perform a scan against a GraphQL endpoint, execute the following command:
vulnapi scan graphql [GRAPHQL_ENDPOINT] -H "Authorization: Bearer [JWT_TOKEN]"Output
Section titled “Output”The CLI provides detailed reports on any vulnerabilities detected during the scan. Below is a condensed example:
| OPERATION | RISK LEVEL | CVSS 4.0 SCORE | OWASP | VULNERABILITY |
|---|---|---|---|---|
| GET / | Medium | 5.1 | API8:2023 Security | X-Frame-Options Header is |
| Misconfiguration | missing | |||
| High | 9.3 | API2:2023 Broken | JWT Token is not verified | |
| Authentication | ||||
| Info | 0.0 | API8:2023 Security | HSTS Header is missing | |
| Misconfiguration |
See the Output Formats reference for full details on table columns, JSON/YAML formats, and CI/CD integration.
Vulnerabilities Detected
Section titled “Vulnerabilities Detected”All the vulnerabilities detected by the project are listed at this URL: API Vulnerabilities Detected.
More vulnerabilities and best practices will be added in future releases. If you have any suggestions or requests for additional vulnerabilities or best practices to be included, please feel free to open an issue or submit a pull request.
Proxy Support
Section titled “Proxy Support”The scanner supports proxy configurations for scanning APIs behind a proxy server. To use a proxy, set the HTTP_PROXY or HTTPS_PROXY environment variables with the proxy URL.
A command arg --proxy is also available to specify the proxy URL.
Additional Options
Section titled “Additional Options”See the CLI Reference for complete command documentation.
Telemetry
Section titled “Telemetry”The scanner collects anonymous usage data to help improve the tool. This data includes the number of scans performed, number of detected vulnerabilities, and the severity of vulnerabilities. No sensitive information is collected. You can opt-out of telemetry by passing the --sqa-opt-out flag.
Disclaimer
Section titled “Disclaimer”This scanner is provided for educational and informational purposes only. It should not be used for malicious purposes or to attack any system without proper authorization. Always respect the security and privacy of others.