@GlitchOrb
An API security testing automation tool that ingests OpenAPI/GraphQL/gRPC definitions, generates automated test plans, executes them with safety controls, and produces evidence-based reports mapped to OWASP API Top 10:2023.
- Python 3.12+
- uv (recommended) or pip
Using uv:

```shell
# Clone the repository
git clone https://github.com/GlitchOrb/APISecurityEngine.git
cd APISecurityEngine

# Install dependencies and sync environment
uv sync

# Run the CLI
uv run ase --help
```

For development:

```shell
# Install pre-commit hooks
uv run pre-commit install

# Run tests
uv run pytest

# Type checking
uv run mypy apisecurityengine/ tests/

# Linting & Formatting
uv run ruff check .
uv run ruff format .
```

APISecurityEngine is designed with safety first. It requires explicit flags to perform invasive tests.

```shell
# Get help
ase --help

# Scan a target safely (Dry Run)
# --dry-run parses the specification and looks for structural vulnerabilities
# but DOES NOT send any mutative traffic to the target server.
ase scan --target https://api.example.com --dry-run

# Execute full destructive tests
# --proof-mode removes safety guards and executes real mutative payloads
# (e.g., Mass Assignment POSTs, DELETE requests) against the target.
ase scan --target https://api.example.com --openapi schema.yaml --proof-mode
```

Want to see the engine in action without installing anything locally? Spin up a safe, sandboxed Cloud Shell environment with a pre-configured dangerously vulnerable mock API.
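To make the dry-run idea concrete, here is an added example (not APISecurityEngine's own code) of the kind of structural check a parse-only pass can make over an OpenAPI document without sending a single request: it flags mutative operations whose `security` is an empty list (the API2 pattern) and collection reads with no paging parameter (the API4 pattern), and it shows how an execution plan withholds mutative methods unless an explicit proof flag is set. `SAMPLE_SPEC`, the finding codes and the `proof_mode` parameter are constructed for this illustration.

```python
"""Parse-only ("dry-run") checks over an OpenAPI 3 document: nothing is sent.

Added example, not APISecurityEngine's own code. SAMPLE_SPEC, the finding
codes and the proof_mode switch are constructed for illustration.
"""
from dataclasses import dataclass

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
MUTATIVE_METHODS = {"post", "put", "patch", "delete"}
PAGINATION_PARAMS = {"limit", "page_size", "per_page", "page", "offset", "cursor"}

# Constructed OpenAPI document: global bearer auth, one write route that opts
# out of auth with `security: []`, one collection GET with no paging parameter.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users": {
            "get": {"parameters": [{"name": "role", "in": "query"}]},
            "post": {"security": []},
        },
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {},
            "delete": {},
        },
        "/orders": {
            "get": {"parameters": [{"name": "limit", "in": "query"}]},
        },
    },
}


@dataclass(frozen=True)
class Finding:
    code: str    # constructed label, e.g. "API2-UNAUTH-WRITE"
    method: str
    path: str
    detail: str


def requires_auth(spec: dict, operation: dict) -> bool:
    """OpenAPI semantics: an operation inherits the document-level `security`
    unless it overrides it, and an explicit empty list disables auth."""
    return len(operation.get("security", spec.get("security", []))) > 0


def is_collection(path: str) -> bool:
    """Heuristic: a path that does not end in a path parameter is a collection."""
    return not path.rstrip("/").endswith("}")


def dry_run(spec: dict) -> list[Finding]:
    """Walk every operation and record structural findings; no I/O happens."""
    findings: list[Finding] = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # path-level keys such as "parameters" are not operations
            if method in MUTATIVE_METHODS and not requires_auth(spec, op):
                findings.append(Finding("API2-UNAUTH-WRITE", method.upper(), path,
                                        "mutative operation with security: []"))
            if method == "get" and is_collection(path):
                names = {p.get("name") for p in op.get("parameters", [])}
                if not names & PAGINATION_PARAMS:
                    findings.append(Finding("API4-NO-PAGING", "GET", path,
                                            "collection read without a limit/page parameter"))
    return findings


def plan_requests(spec: dict, proof_mode: bool = False) -> list[tuple[str, str]]:
    """Build the execution plan. Mutative methods are withheld unless the
    caller explicitly enables proof_mode, mirroring a dry-run/proof split."""
    plan: list[tuple[str, str]] = []
    for path, item in spec.get("paths", {}).items():
        for method in item:
            if method not in HTTP_METHODS:
                continue
            if method in MUTATIVE_METHODS and not proof_mode:
                continue
            plan.append((method.upper(), path))
    return plan


if __name__ == "__main__":
    for f in dry_run(SAMPLE_SPEC):
        print(f"{f.code}: {f.method} {f.path} ({f.detail})")
    print("dry-run plan:", plan_requests(SAMPLE_SPEC))
    print("proof-mode plan:", plan_requests(SAMPLE_SPEC, proof_mode=True))
```

The `security: []` override is the detail worth knowing: in OpenAPI an operation that sets an empty security list is declaring itself unauthenticated even when the document-level default requires a token, so a static pass can surface those routes before any traffic is considered.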
APISecurityEngine includes checks and guidance for common real-world API incident patterns, such as:
- Authorization bypass patterns (BOLA/IDOR) and role boundary violations
- Weak authentication and token handling pitfalls
- Unrestricted resource consumption (rate limiting / cost amplification)
- SSRF-style URL fetch misuse
- Security misconfiguration signals (CORS/headers/debug endpoints)
- Improper API inventory exposure and forgotten endpoints
- Secrets hygiene: preventing API keys/tokens from leaking into source control
Note: APISecurityEngine is a testing and validation tool. It does not “patch” CVEs automatically; it helps identify risky patterns and provides recommended defenses.
| OWASP API Top 10:2023 | Heuristic / Execution Check | CWE Relevance | Defense Snippet Guide |
|---|---|---|---|
| API1: BOLA | Cross-profile parameter swapping (/users/{id} vs Profile B) | CWE-284 | Object-Level Auth Defenses |
| API2: Broken Auth | Unauthenticated execution on routes mapping requires_auth=True | CWE-306 | Secrets Hygiene Scanners |
| API3: BOPLA | Permissive payload insertions ("is_admin": true) | CWE-915 | Explicit DTO Serialization Models |
| API4: Resource Consumption | Enumerating missing limits/page schemas on collections | CWE-770 | Implement Upper bounds pagination |
| API5: BFLA | Profile A executions against isolated admin/dashboard domains | CWE-285 | Function-Level Auth Guards |
| API6: Sensitive Flows | Tracing business heuristics (checkout, transfer) | CWE-799 | Rate Limits & Bot Defenses |
| API7: SSRF | Metadata IPs/Localhost pinging injected via URL query parameters | CWE-918 | SSRF & Rebinding Protections |
| API8: Misconfigurations | Trace/OPTIONS header evaluations and CORS misalignments | CWE-16 | Enforce Global Proxies Security Headers |
| API9: Improper Inventory | Routing bypass attempts natively against version shifting (e.g. /v2/) | CWE-1059 | Deprecate and 404 old environments |
| API10: Unsafe Consumption | Unprotected webhook validations mapping omitted signature parameters | CWE-300 | Always demand HMAC Webhook Signatures |