VulnAPI is an open-source Dynamic Application Security Testing (DAST) tool designed to help developers and security engineers scan APIs for common vulnerabilities and weaknesses before attackers can exploit them.

Scan methods

• Curl-like CLI — point VulnAPI at any API URL with curl-style options for a quick one-off scan
• OpenAPI contracts — feed an OpenAPI spec (local file or URL) to scan all documented endpoints automatically

Discover command

Before scanning, use the discover command to fingerprint a target API: detect exposed files, well-known paths, GraphQL endpoints, OpenAPI specs, and the underlying framework, language, and server.

What it detects

• JWT vulnerabilities (alg=none bypass, blank secret, null signature, HMAC confusion, weak secrets)
• Missing or misconfigured security headers (CSP, CORS, HSTS, X-Frame-Options, X-Content-Type-Options)
• Unauthenticated endpoint exposure
• And more — see https://www.cerberauth.com/docs/vulnapi/vulnerabilities for the full list

Reports

Each scan produces a detailed report per operation with risk level, CVSS 4.0 score, OWASP category, and a description of every finding.

Additional features

• Proxy support via --proxy flag or HTTP_PROXY / HTTPS_PROXY environment variables
• Anonymous telemetry opt-out with --sqa-opt-out

This tool is intended for authorised security testing and educational purposes only. Never scan systems you do not own or have explicit written permission to test.

• Documentation: https://www.cerberauth.com/docs/vulnapi/
• Source: https://github.com/cerberauth/vulnapi