API Security Scanner
Carter Perez edited this page Dec 9, 2025
Enterprise-grade automated API security scanner for vulnerability assessment across REST, GraphQL, and SOAP endpoints.
A full-stack security testing tool that performs deep vulnerability assessment, detecting OWASP API Top 10 flaws through intelligent fuzzing, authentication bypass testing, and comprehensive reporting.
Status: Complete | Difficulty: Advanced
| Technology | Version | Purpose |
|---|---|---|
| FastAPI | 0.121+ | Async Python web framework |
| PostgreSQL | 16 | Primary database |
| SQLAlchemy | 2.0+ | Async ORM |
| Alembic | 1.17+ | Database migrations |
| JWT (python-jose) | - | Authentication |
| slowapi | - | Rate limiting |
| httpx/aiohttp | - | Async HTTP clients |
| Technology | Version | Purpose |
|---|---|---|
| React | 19.1 | UI framework |
| TypeScript | 5.8 | Type safety |
| Vite | 7.1 | Build tool |
| TanStack Query | v5 | Server state management |
| Zustand | 5.0 | Client state |
| Radix UI | - | Accessible components |
| Recharts | 3.1 | Data visualization |
| Socket.io | 4.8 | Real-time updates |
- Docker + Docker Compose
- Nginx reverse proxy
- Makefile automation
| Scanner | Description |
|---|---|
| SQLi Scanner | SQL injection detection with multiple payload types |
| IDOR Scanner | Insecure Direct Object Reference testing |
| Auth Scanner | Authentication bypass and weakness detection |
| Rate Limit Scanner | API rate limiting analysis |
- Configurable scanning parameters (max requests, timeouts, retries)
- Rate limiting for scanner requests and API endpoints
- JWT-based authentication with token expiration
- Real-time scan results via WebSocket
- Database persistence for scan configs and results
- Extensible payload library
```
┌──────────────────────────────────────────────────────────┐
│                     Frontend (React)                     │
│  ┌─────────┐  ┌──────────┐  ┌─────────┐  ┌───────────┐   │
│  │ Scanner │  │ Results  │  │ History │  │ Dashboard │   │
│  │ Forms   │  │ View     │  │ View    │  │ Charts    │   │
│  └────┬────┘  └────┬─────┘  └────┬────┘  └─────┬─────┘   │
└───────┼────────────┼─────────────┼─────────────┼─────────┘
        │            │             │             │
        ▼            ▼             ▼             ▼
┌──────────────────────────────────────────────────────────┐
│                   API Gateway (Nginx)                    │
└────────────────────────────┬─────────────────────────────┘
                             │
┌────────────────────────────┼─────────────────────────────┐
│                    Backend (FastAPI)                     │
│  ┌──────────────────────────────────────────────────┐    │
│  │ Routes                                           │    │
│  │ /auth  /scans  /results  /config  /ws            │    │
│  └───────────────────────┬──────────────────────────┘    │
│                          │                               │
│  ┌───────────────────────┼──────────────────────────┐    │
│  │ Services                                         │    │
│  │ AuthService  ScanService  ResultService          │    │
│  └───────────────────────┬──────────────────────────┘    │
│                          │                               │
│  ┌───────────────────────┼──────────────────────────┐    │
│  │ Scanners                                         │    │
│  │  ┌────────┐ ┌──────┐ ┌──────┐ ┌────────────┐     │    │
│  │  │  SQLi  │ │ IDOR │ │ Auth │ │ Rate Limit │     │    │
│  │  └────────┘ └──────┘ └──────┘ └────────────┘     │    │
│  │  BaseScanner + Payloads                          │    │
│  └──────────────────────────────────────────────────┘    │
└────────────────────────────┬─────────────────────────────┘
                             │
┌────────────────────────────┼─────────────────────────────┐
│                       PostgreSQL                         │
│   Users | Scans | Results | Configs | Payloads           │
└──────────────────────────────────────────────────────────┘
```
```bash
cd PROJECTS/api-security-scanner

# Copy environment file
cp .env.example .env

# Start development environment
make dev

# Access at http://localhost:3000
```

Key environment variables (see .env.example):

```env
# Database
DATABASE_URL=postgresql+asyncpg://user:pass@localhost:5432/scanner

# JWT
JWT_SECRET_KEY=your-secret-key
JWT_ALGORITHM=HS256
ACCESS_TOKEN_EXPIRE_MINUTES=30

# Scanner Settings
MAX_CONCURRENT_REQUESTS=10
REQUEST_TIMEOUT=30
MAX_RETRIES=3
```

SQLi Scanner: tests endpoints for SQL injection vulnerabilities using:
- Error-based injection
- Union-based injection
- Blind injection (boolean and time-based)
IDOR Scanner: tests for Insecure Direct Object References:
- Sequential ID enumeration
- UUID prediction
- Parameter tampering
Auth Scanner: tests authentication mechanisms:
- Default credentials
- Token manipulation
- Session handling
Rate Limit Scanner: analyzes API rate limiting:
- Request flooding
- Bypass techniques
- Threshold detection
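The three Scanner Settings in `.env.example` (MAX_CONCURRENT_REQUESTS, REQUEST_TIMEOUT, MAX_RETRIES) only protect the target and the scanner if the request layer actually enforces them. The following is an added example, not the project's own code: a hypothetical stdlib-only request driver in the spirit of the page's BaseScanner that caps in-flight requests with a semaphore, applies a per-request timeout, retries transient failures with backoff, and keeps one failed URL from aborting the whole scan. `ScanSettings`, `RequestEngine`, `make_fake_target`, `run_scan` and the `target.example` URLs are constructed for this example so it runs offline.

```python
import asyncio
from dataclasses import dataclass

@dataclass(frozen=True)
class ScanSettings:  # mirrors the Scanner Settings block of .env.example (page defaults)
    max_concurrent_requests: int = 10
    request_timeout: float = 30.0
    max_retries: int = 3

class RequestEngine:  # hypothetical BaseScanner core; not the project's own class
    def __init__(self, settings, send):
        self.settings, self.send = settings, send  # send(url) -> str is injected, so no network
        self.sem = asyncio.Semaphore(settings.max_concurrent_requests)
        self.attempts = 0  # requests the target actually sees, retries included
    async def fetch(self, url):
        last_exc = None
        for attempt in range(self.settings.max_retries + 1):
            async with self.sem:  # never more than max_concurrent_requests in flight
                self.attempts += 1
                try:
                    return await asyncio.wait_for(self.send(url), self.settings.request_timeout)
                except (asyncio.TimeoutError, ConnectionError) as exc:
                    last_exc = exc  # transient: release the slot, back off, then retry
            await asyncio.sleep(0.001 * 2 ** attempt)  # exponential backoff between attempts
        raise RuntimeError(f"{url}: gave up after {self.settings.max_retries} retries") from last_exc
    async def fetch_all(self, urls):  # one failed URL must not abort the whole scan
        return await asyncio.gather(*(self.fetch(u) for u in urls), return_exceptions=True)

def make_fake_target(fail_first, delay, peak):
    # Constructed stand-in for the target API: resets the first fail_first connections,
    # takes `delay` seconds per request, and records the peak concurrency seen in peak[0].
    state = {"failures": 0, "inflight": 0}
    async def send(url):
        state["inflight"] += 1
        peak[0] = max(peak[0], state["inflight"])
        try:
            await asyncio.sleep(delay)
            if state["failures"] < fail_first:
                state["failures"] += 1
                raise ConnectionError("simulated connection reset")
            return f"200 OK {url}"
        finally:
            state["inflight"] -= 1
    return send

def run_scan(n_urls, fail_first=0, delay=0.001, settings=ScanSettings()):
    # Scan n_urls constructed URLs; returns (results, total attempts, peak concurrency seen).
    peak = [0]
    async def main():
        engine = RequestEngine(settings, make_fake_target(fail_first, delay, peak))
        urls = [f"http://target.example/items/{i}" for i in range(n_urls)]
        return await engine.fetch_all(urls), engine.attempts
    results, attempts = asyncio.run(main())
    return results, attempts, peak[0]
```

With a target that resets the first two connections, six URLs cost eight requests (six successes plus two retried failures) and the semaphore keeps the peak at or below the configured limit; a target that never answers within REQUEST_TIMEOUT is given up after MAX_RETRIES retries and surfaces as a RuntimeError in the results list instead of crashing the scan.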
| Method | Endpoint | Description |
|---|---|---|
| POST | /auth/register | User registration |
| POST | /auth/login | JWT authentication |
| POST | /scans | Create new scan |
| GET | /scans/{id} | Get scan status |
| GET | /scans/{id}/results | Get scan results |
| WS | /ws | Real-time updates |
```bash
# Run linters
make lint

# Run type checking
make typecheck

# Run tests
make test

# Format code
make format
```

© AngelaMos | CertGames.com | CarterPerez-dev | 2025
Progress: 3/60