Skip to content

Introduction

Welcome to VulnAPI Documentation!

Demo


VulnAPI is an Open Source DAST that scans APIs for vulnerabilities and security risks. It provides reports on any vulnerabilities detected during the scan, including the risk level, vulnerability, description, and operation performed when the vulnerability has been found.

VulnAPI offers three methods for scanning APIs:

  • Using Curl-like CLI: Directly invoke the CLI with parameters resembling curl commands.
  • Using OpenAPI Contracts: Use an OpenAPI spec to enumerate all endpoints for scanning.
  • Using GraphQL: Point VulnAPI at a GraphQL endpoint to scan it for vulnerabilities.

Before making your first scan with VulnAPI, you have to download and install it. Please follow the instructions on the Installation page.

Before scanning, you can discover target API useful information by using the discover command.

To discover target API useful information, execute the following command:

Terminal window
vulnapi discover api [API_URL]

Example output:

Terminal window
| WELL-KNOWN PATHS | URL |
|------------------|------------------------------------|
| OpenAPI | http://localhost:5000/openapi.json |
| GraphQL | N/A |
| TECHNOLOGIE/SERVICE | VALUE |
|---------------------|---------------|
| Framework | Flask:2.2.3 |
| Language | Python:3.7.17 |
| Server | Flask:2.2.3 |

To perform a scan using the Curl-like CLI, execute the following command:

Terminal window
vulnapi scan curl [API_URL] [CURL_OPTIONS]

Replace [API_URL] with the URL of the API to scan, and [CURL_OPTIONS] with any additional curl options you wish to include.

To perform a scan using OpenAPI contracts, execute the following command:

Terminal window
echo "[JWT_TOKEN]" | vulnapi scan openapi [PATH_OR_URL_TO_OPENAPI_FILE]

Replace [PATH_OR_URL_TO_OPENAPI_FILE] with the path or the URL to the OpenAPI contract JSON file and [JWT_TOKEN] with the JWT token to use for authentication.

To perform a scan against a GraphQL endpoint, execute the following command:

Terminal window
vulnapi scan graphql [GRAPHQL_ENDPOINT] -H "Authorization: Bearer [JWT_TOKEN]"

The CLI provides detailed reports on any vulnerabilities detected during the scan. Below is a condensed example:

OPERATIONRISK LEVELCVSS 4.0 SCOREOWASPVULNERABILITY
GET /Medium5.1API8:2023 SecurityX-Frame-Options Header is
Misconfigurationmissing
High9.3API2:2023 BrokenJWT Token is not verified
Authentication
Info0.0API8:2023 SecurityHSTS Header is missing
Misconfiguration

See the Output Formats reference for full details on table columns, JSON/YAML formats, and CI/CD integration.

All the vulnerabilities detected by the project are listed at this URL: API Vulnerabilities Detected.

More vulnerabilities and best practices will be added in future releases. If you have any suggestions or requests for additional vulnerabilities or best practices to be included, please feel free to open an issue or submit a pull request.

The scanner supports proxy configurations for scanning APIs behind a proxy server. To use a proxy, set the HTTP_PROXY or HTTPS_PROXY environment variables with the proxy URL.

A command arg --proxy is also available to specify the proxy URL.

See the CLI Reference for complete command documentation.

The scanner collects anonymous usage data to help improve the tool. This data includes the number of scans performed, number of detected vulnerabilities, and the severity of vulnerabilities. No sensitive information is collected. You can opt-out of telemetry by passing the --sqa-opt-out flag.

This scanner is provided for educational and informational purposes only. It should not be used for malicious purposes or to attack any system without proper authorization. Always respect the security and privacy of others.