Intruder, a leader in attack surface management, is releasing Autoswagger—a free, open-source tool that scans OpenAPI-documented APIs for broken authorization vulnerabilities.
According to the company, Autoswagger automatically detects authorization weaknesses in APIs, in particular sensitive endpoints that can be called without authentication because the application never checks for a valid API token.
“These vulnerabilities are so easy to exploit, you could teach someone with no technical background how to do it in a day,” said Chris Wallis, CEO and founder of Intruder. “When you consider how common these issues are and how frequently companies release new code or expose new endpoints, it’s clear this is a critical gap. That’s why we’re making Autoswagger available for free—to help teams find and fix these flaws before attackers do.”
When broken authorization vulnerabilities are discovered and exploited by bad actors, the results can be very damaging, the company said.
Autoswagger begins by detecting API schemas across a range of common formats and locations, starting with a list of an organization’s domains.
It scans for OpenAPI and Swagger documentation pages, sending requests to each host to locate valid schemas. Once identified, it parses the API specifications and automatically generates a list of endpoints to test, considering each endpoint’s definition, required parameters, and expected data types, the company said.
From there, Autoswagger executes targeted scans to identify broken authorization flaws by:
- Sending requests to each endpoint using valid parameters pulled from the documentation.
- Flagging endpoints that return a successful response to an unauthenticated request instead of the HTTP 401 or 403 error that a properly access-controlled endpoint would return.
- Highlighting endpoints where authentication is missing or ineffective.
For more advanced use cases, Autoswagger can be run with the --brute flag, which attempts to get past input validation checks. This helps uncover flaws in endpoints that require specific data formats or values and would otherwise reject generic input.
Finally, the tool analyzes any successful responses for signs of exposed sensitive data, such as personally identifiable information (PII), credentials or internal records. Any endpoint missing proper authentication and returning sensitive information is included in the output report.
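The four steps above (schema discovery, request generation from the specification, unauthenticated probing, and a sensitive-data check on successful responses) can be illustrated with a small scanner. The following is an added example written for this page and is not Autoswagger's own code. The list of documentation paths, the OpenAPI document, the host api.example.test, the fake transport functions and the sensitive-data patterns are all constructed assumptions so that the example runs offline.

```python
"""Added example: a minimal broken-authorization scanner in the style described above.
Not Autoswagger's code; every host, document and response here is constructed."""
import json
import re
from urllib.parse import urlencode

# Assumed (illustrative, not exhaustive) well-known documentation locations to probe.
SCHEMA_PATHS = ["/openapi.json", "/swagger.json", "/v2/swagger.json",
                "/v3/api-docs", "/swagger/v1/swagger.json"]

# Constructed OpenAPI 3 document for a fictional host.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.example.test"}],
    "paths": {
        "/users/{id}": {"get": {"parameters": [
            {"name": "id", "in": "path", "required": True,
             "schema": {"type": "integer", "example": 42}}]}},
        "/admin/export": {"get": {
            "parameters": [{"name": "format", "in": "query",
                            "schema": {"type": "string", "enum": ["csv", "json"]}}],
            "security": [{"bearerAuth": []}]}},
        "/health": {"get": {}},
    },
}

# Constructed transport: what the fictional server answers to UNAUTHENTICATED requests.
FAKE_DOCS = {"https://api.example.test/swagger.json": json.dumps(SAMPLE_SPEC)}
FAKE_API = {
    ("GET", "https://api.example.test/users/42"):
        (200, '{"id":42,"email":"alice@example.test","password":"hunter2"}'),
    ("GET", "https://api.example.test/admin/export?format=csv"): (401, ""),
    ("GET", "https://api.example.test/health"): (200, '{"status":"ok"}'),
}

def fake_fetch(url):
    return (200, FAKE_DOCS[url]) if url in FAKE_DOCS else (404, "")

def fake_send(method, url):
    return FAKE_API.get((method, url), (404, ""))

def discover_schema(host, fetch):
    """Step 1: probe well-known paths; return the first body that parses as OpenAPI/Swagger."""
    for path in SCHEMA_PATHS:
        status, body = fetch(host + path)
        if status != 200:
            continue
        try:
            doc = json.loads(body)
        except ValueError:
            continue
        if isinstance(doc, dict) and ("openapi" in doc or "swagger" in doc):
            return doc
    return None

def sample_value(schema):
    """Pick a plausible parameter value: example > default > first enum > type default."""
    if "example" in schema:
        return schema["example"]
    if "default" in schema:
        return schema["default"]
    if schema.get("enum"):
        return schema["enum"][0]
    return {"integer": 1, "number": 1.0, "boolean": True}.get(schema.get("type"), "test")

def build_requests(spec):
    """Step 2: turn every documented operation into a concrete (method, url) pair."""
    base = spec.get("servers", [{"url": ""}])[0]["url"]
    requests = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in ("get", "post", "put", "patch", "delete"):
                continue  # skip path-level keys such as "parameters" or "summary"
            url, query = path, {}
            for p in item.get("parameters", []) + op.get("parameters", []):
                value = sample_value(p.get("schema", {}))
                if p.get("in") == "path":
                    url = url.replace("{%s}" % p["name"], str(value))
                elif p.get("in") == "query":
                    query[p["name"]] = value
            if query:
                url += "?" + urlencode(query)
            requests.append((method.upper(), base + url))
    return requests

# Assumed, deliberately small set of sensitive-data indicators.
SENSITIVE = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "credential": re.compile(r'"(password|passwd|api_key|apikey|token|secret)"\s*:', re.I),
}

def find_sensitive(body):
    """Step 4: label the kinds of sensitive data present in a response body."""
    return [label for label, rx in SENSITIVE.items() if rx.search(body)]

def scan(spec, send):
    """Step 3: send each request with no credentials; a 2xx where 401/403 was expected is a finding."""
    findings = []
    for method, url in build_requests(spec):
        status, body = send(method, url)
        if 200 <= status < 300:
            findings.append({"method": method, "url": url,
                             "status": status, "sensitive": find_sensitive(body)})
    return findings

def report(host, fetch=fake_fetch, send=fake_send):
    """Whole pipeline: only unauthenticated endpoints that also leak sensitive data are reported."""
    spec = discover_schema(host, fetch)
    return [] if spec is None else [f for f in scan(spec, send) if f["sensitive"]]
```

Running report("https://api.example.test") against the constructed server reports only GET /users/42: it answers 200 without credentials and its body contains an email address and a password field. /health also answers 200 unauthenticated but carries nothing sensitive, and /admin/export correctly answers 401. Against a real target, fetch and send would be replaced by HTTP calls that deliberately omit any Authorization header, and the --brute behaviour described above corresponds to retrying requests that fail validation with additional candidate values for each parameter.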
“Exposing documentation for your API effectively increases your attack surface, and as a defense in depth measure, you should not expose API documentation unless it’s a business requirement,” said Dan Andrew, head of security at Intruder. “The lesson here is, in addition to regular API scanning after each development iteration, that you shouldn’t publicly document your APIs unless you can’t avoid it. Without a ‘map’, this kind of vulnerability becomes much harder for attackers to exploit.”
Autoswagger is free to download and install via GitHub.
For more information about this news, visit www.intruder.io.