VulnAPI

VulnAPI is an open-source project designed to help you scan your APIs for common security vulnerabilities and weaknesses. By using this tool, you can detect that some API potential vulnerabilities and fix security issues.

Documentation is available on Github : https://github.com/cerberauth/vulnapi

You can test the scanner against example Vulnerability challenges : https://github.com/cerberauth/api-vulns-challenges.

The scanner is capable of detecting the following vulnerabilities:

• JWT none algorithm accepted
• JWT not verified
• JWT weak secret used
• JWT null signature accepted

The scanner also detects the following security best practices:

• CSP Header is not set
• HSTS Header is not set
• CORS Header is not set
• X-Content-Type-Options Header is not set
• X-Frame-Options Header is not set
• HTTP Trace Method enabled
• HTTP Cookies not marked as secure, httpOnly, or SameSite

The scanner perform some discoverability scans:

• Server Signature exposed
• Discovery of API endpoints using OpenAPI contracts
• GraphQL Introspection enabled

The CLI provides detailed reports on any vulnerabilities and missing best practices detected during the scan.