Skip to content

API Security Scanner

Jump to bottom
Carter Perez edited this page Dec 9, 2025 · 1 revision

API Security Scanner

Enterprise-grade automated API security scanner for vulnerability assessment across REST, GraphQL, and SOAP endpoints.

Overview

A full-stack security testing tool that performs deep vulnerability assessment, detecting OWASP API Top 10 flaws through intelligent fuzzing, authentication bypass testing, and comprehensive reporting.

Status: Complete | Difficulty: Advanced

Tech Stack

Backend

Technology Version Purpose
FastAPI 0.121+ Async Python web framework
PostgreSQL 16 Primary database
SQLAlchemy 2.0+ Async ORM
Alembic 1.17+ Database migrations
JWT (python-jose) - Authentication
slowapi - Rate limiting
httpx/aiohttp - Async HTTP clients

Frontend

Technology Version Purpose
React 19.1 UI framework
TypeScript 5.8 Type safety
Vite 7.1 Build tool
TanStack Query v5 Server state management
Zustand 5.0 Client state
Radix UI - Accessible components
Recharts 3.1 Data visualization
Socket.io 4.8 Real-time updates

Infrastructure

  • Docker + Docker Compose
  • Nginx reverse proxy
  • Makefile automation

Features

Security Scanners

Scanner Description
SQLi Scanner SQL injection detection with multiple payload types
IDOR Scanner Insecure Direct Object Reference testing
Auth Scanner Authentication bypass and weakness detection
Rate Limit Scanner API rate limiting analysis

Core Capabilities

  • Configurable scanning parameters (max requests, timeouts, retries)
  • Rate limiting for scanner requests and API endpoints
  • JWT-based authentication with token expiration
  • Real-time scan results via WebSocket
  • Database persistence for scan configs and results
  • Extensible payload library

Architecture

┌─────────────────────────────────────────────────────────┐
│                      Frontend (React)                    │
│  ┌─────────┐  ┌──────────┐  ┌─────────┐  ┌───────────┐ │
│  │ Scanner │  │ Results  │  │ History │  │ Dashboard │ │
│  │  Forms  │  │  View    │  │  View   │  │   Charts  │ │
│  └────┬────┘  └────┬─────┘  └────┬────┘  └─────┬─────┘ │
└───────┼────────────┼─────────────┼─────────────┼───────┘
        │            │             │             │
        ▼            ▼             ▼             ▼
┌─────────────────────────────────────────────────────────┐
│                    API Gateway (Nginx)                   │
└─────────────────────────┬───────────────────────────────┘
                          │
┌─────────────────────────▼───────────────────────────────┐
│                   Backend (FastAPI)                      │
│  ┌──────────────────────────────────────────────────┐   │
│  │                     Routes                        │   │
│  │  /auth  /scans  /results  /config  /ws           │   │
│  └──────────────────────┬───────────────────────────┘   │
│                         │                                │
│  ┌──────────────────────▼───────────────────────────┐   │
│  │                    Services                       │   │
│  │  AuthService  ScanService  ResultService         │   │
│  └──────────────────────┬───────────────────────────┘   │
│                         │                                │
│  ┌──────────────────────▼───────────────────────────┐   │
│  │                    Scanners                       │   │
│  │  ┌─────────┐ ┌──────┐ ┌──────┐ ┌────────────┐   │   │
│  │  │  SQLi   │ │ IDOR │ │ Auth │ │ Rate Limit │   │   │
│  │  └─────────┘ └──────┘ └──────┘ └────────────┘   │   │
│  │              BaseScanner + Payloads              │   │
│  └──────────────────────────────────────────────────┘   │
└─────────────────────────┬───────────────────────────────┘
                          │
┌─────────────────────────▼───────────────────────────────┐
│                    PostgreSQL                            │
│  Users | Scans | Results | Configs | Payloads           │
└─────────────────────────────────────────────────────────┘

Quick Start

cd PROJECTS/api-security-scanner

# Copy environment file
cp .env.example .env

# Start development environment
make dev

# Access at http://localhost:3000

Configuration

Key environment variables (see .env.example):

# Database
DATABASE_URL=postgresql+asyncpg://user:pass@localhost:5432/scanner

# JWT
JWT_SECRET_KEY=your-secret-key
JWT_ALGORITHM=HS256
ACCESS_TOKEN_EXPIRE_MINUTES=30

# Scanner Settings
MAX_CONCURRENT_REQUESTS=10
REQUEST_TIMEOUT=30
MAX_RETRIES=3

Scanner Usage

SQLi Scanner

Tests endpoints for SQL injection vulnerabilities using:

  • Error-based injection
  • Union-based injection
  • Blind injection (boolean and time-based)

IDOR Scanner

Tests for Insecure Direct Object References:

  • Sequential ID enumeration
  • UUID prediction
  • Parameter tampering

Auth Scanner

Tests authentication mechanisms:

  • Default credentials
  • Token manipulation
  • Session handling

Rate Limit Scanner

Analyzes API rate limiting:

  • Request flooding
  • Bypass techniques
  • Threshold detection

API Endpoints

Method Endpoint Description
POST /auth/register User registration
POST /auth/login JWT authentication
POST /scans Create new scan
GET /scans/{id} Get scan status
GET /scans/{id}/results Get scan results
WS /ws Real-time updates

Development

# Run linters
make lint

# Run type checking
make typecheck

# Run tests
make test

# Format code
make format

Source Code

View on GitHub

©AngelaMos | CertGames.com | CarterPerez-dev | 2025

Navigation

Home

Projects

Guides

Resources

Progress: 3/60

View on GitHub

Clone this wiki locally