Free tool uncovers API vulnerabilities


According to Verizon’s 2025 Data Breach Investigations Report, API-related breaches have increased nearly 40 percent year-on-year, with broken authorization cited as one of the most exploited flaws.
Now Intruder, a leader in attack surface management, has launched Autoswagger -- a free, open-source tool that scans OpenAPI-documented APIs for broken authorization vulnerabilities.
APIs have become the backbone of modern applications, and their proliferation has widened the attack surface of every organization, especially those that depend heavily on third-party APIs (payments, analytics, social login and so on), which may introduce risks beyond their control. When broken authorization vulnerabilities are discovered and exploited by bad actors, the results can be very damaging.
“These vulnerabilities are so easy to exploit, you could teach someone with no technical background how to do it in a day,” says Chris Wallis, CEO and founder of Intruder. “When you consider how common these issues are and how frequently companies release new code or expose new endpoints, it’s clear this is a critical gap. That’s why we’re making Autoswagger available for free -- to help teams find and fix these flaws before attackers do.”
Autoswagger works by detecting API schemas across a range of common formats and locations, starting with a list of an organization’s domains. It scans for OpenAPI and Swagger documentation pages, sending requests to each host to locate valid schemas. Once identified, it parses the API specifications and automatically generates a list of endpoints to test, taking into account each endpoint’s definition, required parameters, and expected data types.
It then probes for broken authorization by sending unauthenticated requests to each endpoint, using valid parameter values pulled from the documentation. Endpoints that return a successful response instead of the HTTP 401 or 403 that proper access control would produce are flagged, highlighting where authentication is missing or ineffective. Because endpoints that are intentionally public show up the same way, flagged results still need triage to separate genuine exposures from endpoints that are meant to be open.
It also analyzes any successful responses for signs of exposed sensitive data, such as personally identifiable information (PII), credentials or internal records.
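As an added illustration of the workflow described in the three paragraphs above (example code written for this page, not Autoswagger's own source), the Python below runs the same four steps offline: try a list of common documentation paths for a valid OpenAPI/Swagger document, expand the spec into concrete requests with type-appropriate parameter values, send each request with no credentials and flag anything that does not answer 401/403, then pattern-match the body of each successful response for sensitive data. The schema path list, the sample spec, the fake server responses and the detection regexes are all constructed assumptions for the example; a real run would swap `fake_fetch` and `fake_send` for an HTTP client.

```python
"""Autoswagger-style unauthenticated API probe, reduced to its essentials.
Example code written for this article, not Autoswagger's own source; the spec,
server responses and detection rules below are constructed inputs."""
import json
import re
from typing import Callable, Optional

# Common locations for OpenAPI/Swagger documents (assumed list, not the tool's).
SCHEMA_PATHS = ["/openapi.json", "/swagger.json", "/v2/api-docs",
                "/v3/api-docs", "/swagger/v1/swagger.json"]
TYPE_DEFAULTS = {"integer": 1, "number": 1.0, "boolean": True, "string": "test"}
# Constructed stand-ins for "signs of exposed sensitive data".
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "credential_key": re.compile(r'"(password|secret|api_?key|token)"\s*:', re.I),
}

def discover_schema(fetch: Callable[[str], tuple]):
    """Step 1: try the documentation paths; return (path, doc) for the first valid one."""
    for p in SCHEMA_PATHS:
        status, text = fetch(p)
        if status != 200:
            continue
        try:
            doc = json.loads(text)
        except ValueError:
            continue
        if isinstance(doc, dict) and ("openapi" in doc or "swagger" in doc):
            return p, doc
    return None

def schema_value(schema: dict):
    """Pick a valid-looking value for a parameter or body property from its schema."""
    if "example" in schema:
        return schema["example"]
    if "enum" in schema:
        return schema["enum"][0]
    t = schema.get("type", "string")
    if t == "object":
        return {k: schema_value(v) for k, v in schema.get("properties", {}).items()}
    if t == "array":
        return [schema_value(schema.get("items", {}))]
    return TYPE_DEFAULTS.get(t, "test")

def enumerate_endpoints(spec: dict) -> list:
    """Step 2: expand an OpenAPI 3 'paths' object into concrete requests."""
    out = []
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method.upper() not in {"GET", "POST", "PUT", "PATCH", "DELETE"}:
                continue  # skips path-level keys such as 'parameters'
            concrete, query = path, {}
            for p in op.get("parameters", []):
                val = schema_value(p.get("schema", {}))
                if p["in"] == "path":
                    concrete = concrete.replace("{%s}" % p["name"], str(val))
                elif p["in"] == "query":
                    query[p["name"]] = val
            content = op.get("requestBody", {}).get("content", {})
            body = (schema_value(content["application/json"].get("schema", {}))
                    if "application/json" in content else None)
            out.append({"method": method.upper(), "path": concrete,
                        "query": query, "body": body})
    return out

def find_sensitive(text: str) -> list:
    """Step 4: name the sensitive-data patterns that match a response body."""
    return [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text)]

def probe(endpoints: list, send: Callable[[str, str, dict, Optional[dict]], tuple]):
    """Step 3: send every request with NO credentials; 401/403 is the expected answer.
    A 2xx means authentication is missing or not enforced (or the endpoint is meant to
    be public, hence triage). 404/405/5xx are inconclusive and are not flagged."""
    findings = []
    for ep in endpoints:
        status, text = send(ep["method"], ep["path"], ep["query"], ep["body"])
        if 200 <= status < 300:
            findings.append({"endpoint": f"{ep['method']} {ep['path']}",
                             "status": status, "sensitive": find_sensitive(text)})
    return findings

# Constructed sample spec and fake server so the example runs offline.
SAMPLE_SPEC = {"openapi": "3.0.0", "paths": {
    "/health": {"get": {}},
    "/users/{id}": {"get": {"parameters": [
        {"name": "id", "in": "path", "schema": {"type": "integer", "example": 42}}]}},
    "/orders": {"post": {"requestBody": {"content": {"application/json": {"schema": {
        "type": "object", "properties": {"sku": {"type": "string"}}}}}}}},
}}

def fake_fetch(path):
    return (200, json.dumps(SAMPLE_SPEC)) if path == "/v3/api-docs" else (404, "")

def fake_send(method, path, query, body):
    routes = {("GET", "/health"): (200, '{"status":"ok"}'),
              ("GET", "/users/42"): (200, '{"id":42,"email":"jane@example.com","api_key":"sk_live_abc"}'),
              ("POST", "/orders"): (401, '{"error":"unauthorized"}')}
    return routes.get((method, path), (404, ""))
```

Calling `probe(enumerate_endpoints(discover_schema(fake_fetch)[1]), fake_send)` flags both endpoints the fake server answers with 200: the health check (no sensitive data, the kind of intentionally public endpoint that needs triage) and the user record (an e-mail address and a credential-looking key), while the order endpoint that correctly returns 401 is left alone. The design point is that only a 401/403 counts as evidence of access control; a 404 or 405 from a documented path says nothing about whether the endpoint is protected.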
“Exposing documentation for your API effectively increases your attack surface, and as a defence in depth measure, you should not expose API documentation unless it’s a business requirement,” says Dan Andrew, head of security at Intruder. “The lesson here is, in addition to regular API scanning after each development iteration, that you shouldn’t publicly document your APIs unless you can’t avoid it. Without a ‘map’, this kind of vulnerability becomes much harder for attackers to exploit.”
You can find out more on the Intruder blog and get hold of Autoswagger from GitHub.