Version: 1.0-beta
Author: Perry Mertens email:pamsniffer@gmail.com
License: MIT
APISCAN is a free, extensible API security scanning tool built in Python that targets the OWASP API Security Top 10 (2023). It supports Swagger/OpenAPI specifications, performs active vulnerability scans, and generates clear reports in multiple formats.
- Active scanning of REST APIs using OpenAPI/Swagger definitions.
- Realistic vulnerability detection (e.g., fuzzing, timing, injection, SSRF).
- Modular audits for each OWASP API Top 10 risk.
- CLI with extensive authentication support.
- Output in DOCX, Markdown, JSON, and TXT.
| OWASP API Risk ID | Description | Module |
|---|---|---|
| API1 | Broken Object Level Authorization | bola_audit.py |
| API2 | Broken Authentication | broken_auth_audit.py |
| API3 | Broken Object Property Level Authorization | broken_object_property_audit.py |
| API4 | Unrestricted Resource Consumption | resource_consumption_audit.py |
| API5 | Broken Function Level Authorization | authorization_audit.py |
| API6 | Sensitive Business Logic | business_flow_audit.py |
| API7 | SSRF (Server-Side Request Forgery) | ssrf_audit.py |
| API8 | Security Misconfiguration | misconfiguration_audit.py |
| API9 | Improper Inventory Management | inventory_audit.py |
| API10 | Unsafe Consumption of 3rd-Party APIs | safe_consumption_audit.py |
| API11 | AI-assisted Security Analysis | ai_client.py |
python apiscan.py --url https://api.example.com --swagger openapi.json --token eyJhbGciOi... --flow token --token(Bearer token)--basic-auth(username:password)--apikey+--apikey-header--ntlm(domain\user:password)--client-cert+--client-key(mTLS)--client-id,--client-secret,--token-url,--auth-url,--redirect-uri(OAuth2)
python swaggergenerator.py --url https://api.example.com --output openapi.json --depth 3 --aggressivecombined_report.html
pip install -r requirements.txtMIT License - see LICENSE file.
This tool is intended for educational and authorized security testing only. Unauthorized use is prohibited. Always ensure you have permission before scanning, crawling, or testing any target systems.
📧 pamsniffer@gmail.com
🌍 https://github.com/perrym/apiscanner
--url: Base URL of the API--swagger,help="Path to Swagger/OpenAPI-JSON": Path to Swagger/OpenAPI-JSON--token,help="Bearer-token or auth-token": Bearer token or auth token--basic-auth: Basic authentication in the form user:password--apikey: API key for API access--apikey-header,default="X-API-Key": Header name for the API key--ntlm: NTLM auth in the form domain\user:pass--client-cert:--client-key:--client-id:--client-secret:--token-url:--auth-url:--redirect-uri:--flow: Authentication flow to use: token, client, basic, ntlm--scope:--threads:--cert-password: Password for client certificate--debug: Enable debug outputf"--api{i},help=f"Run only API{i} audit":
Module: ai_client.py
New: Support for both local Ollama and OpenAI API (GPT-4o)
This optional module performs AI-driven endpoint analysis based on the OWASP API Top 10. It now supports two modes:
Use this mode when you have a valid OpenAI API key:
export OPENAI_API_KEY=sk-...
python apiscan.py --url https://api.example.com --swagger openapi.json --api11The module uses https://api.openai.com/v1/chat/completions and the gpt-4o model by default, but this can be customized via the arguments in analyze_endpoints_with_gpt().
python apiscan.py --url https://api.example.com --swagger openapi.json --api11Use the --port parameter to switch from 11434 (Ollama) to another local service. This mode does not require an internet connection or OpenAI key.
ai_analysis_output.json: JSON file with summaries per endpoint- For each endpoint:
- OWASP risks
- Abuse scenarios
- Test strategies
- Risk assessment