Introducing API Security Scanning in SecTests

Starting today, SecTests includes dedicated API security testing on Pro and Enterprise plans. You can import your OpenAPI 3.x or Swagger 2.0 specs, or point our crawler at your base URL and let it discover endpoints automatically.

Why a dedicated API scanner

Web application scanners were designed to crawl HTML pages and follow links. APIs do not work that way: endpoints are not discoverable through a browser, parameters arrive as structured JSON bodies rather than form fields, and authentication schemes (API keys, bearer tokens, signed requests) vary widely between services. Pointing a traditional DAST tool at an API produces incomplete coverage, and every endpoint or parameter the tool never reaches is a potential false negative.

We built a scanner that understands API-specific attack vectors from the ground up. It speaks REST, handles GraphQL introspection, and knows how to chain requests for authentication flows.

What it tests

The API scanner covers the OWASP API Security Top 10 and goes further:

  • Broken Object Level Authorization (BOLA) — tests whether a user can read or modify resources belonging to other users by swapping the object IDs and references in requests made with that user's own credentials
  • Broken Authentication — JWT signature bypass, token expiration issues, weak password policies, and missing rate limiting on auth endpoints
  • Broken Function Level Authorization — checks whether regular users can call admin-only endpoints
  • Mass Assignment — sends fields the spec does not declare writable (for example an owner or role property) in POST/PUT bodies and checks whether the server persists them
  • Injection and SSRF — SQL, NoSQL, and command injection, plus server-side request forgery, probed across path, query, header, and JSON body parameters
  • Excessive Data Exposure — flags responses that return more data than the client needs, including internal IDs, emails, and PII
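The BOLA and mass-assignment checks in the list above reduce to a simple pattern: take a request that works for one user, replay it for another user or with extra fields, and compare what the server does. The following is an added example, not SecTests code or any part of its scanner. It runs both checks against a constructed in-memory API so it can execute offline; the FakeApi class, its routes, the token-to-user table, and the order records are all assumptions standing in for a real REST service, where a scanner would issue HTTP requests instead.

```python
# Added example, not SecTests code: a minimal BOLA and mass-assignment check
# run against a constructed in-memory API so it executes offline. FakeApi, its
# routes, the token-to-user table and the order records are all assumptions
# standing in for a real REST service; a scanner would issue HTTP requests.
import copy

# Constructed sample data: two users, each owning one order.
USERS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {
    101: {"id": 101, "owner": "alice", "total": 40.0, "status": "paid"},
    202: {"id": 202, "owner": "bob", "total": 99.0, "status": "paid"},
}


class FakeApi:
    """In-memory stand-in for /orders. The two flags switch the same handlers
    between their vulnerable and their hardened behaviour."""

    def __init__(self, enforce_owner=True, allowlist_fields=True):
        self.orders = copy.deepcopy(ORDERS)
        self.enforce_owner = enforce_owner        # object-level authorization
        self.allowlist_fields = allowlist_fields  # allow-list of writable fields

    def _user(self, token):
        return USERS.get(token)

    def list_orders(self, token):
        """GET /orders: IDs owned by the caller."""
        user = self._user(token)
        if user is None:
            return 401, None
        return 200, [oid for oid, o in self.orders.items() if o["owner"] == user]

    def get_order(self, token, order_id):
        """GET /orders/{id}."""
        user = self._user(token)
        if user is None:
            return 401, None
        order = self.orders.get(order_id)
        if order is None:
            return 404, None
        if self.enforce_owner and order["owner"] != user:
            return 403, None  # hardened: the caller must own the object
        return 200, dict(order)

    def update_order(self, token, order_id, body):
        """PUT /orders/{id}: only 'total' is meant to be client-writable."""
        status, _ = self.get_order(token, order_id)
        if status != 200:
            return status, None
        if self.allowlist_fields:
            body = {k: v for k, v in body.items() if k == "total"}
        self.orders[order_id].update(body)  # vulnerable without the allow-list
        return 200, dict(self.orders[order_id])


def check_bola(api, attacker_token, victim_token):
    """Enumerate objects through the victim's session, then replay each GET
    with the attacker's session. A 200 carrying the victim's object is a BOLA
    finding; 403 or 404 is the expected outcome."""
    status, victim_ids = api.list_orders(victim_token)
    if status != 200:
        raise RuntimeError("victim session must be authenticated")
    findings = []
    for oid in victim_ids:
        _, victim_view = api.get_order(victim_token, oid)
        a_status, attacker_view = api.get_order(attacker_token, oid)
        if a_status == 200 and attacker_view == victim_view:
            findings.append(oid)
    return findings


def check_mass_assignment(api, token, order_id, probe_fields):
    """Send fields the spec does not declare writable alongside a legitimate
    update, then re-read the object. Any probe field that persisted is a
    finding. The write mutates server state, so run this against a test tenant."""
    _, before = api.get_order(token, order_id)
    probe = {f: f"probe-{f}" for f in probe_fields}
    api.update_order(token, order_id, {"total": before["total"], **probe})
    _, after = api.get_order(token, order_id)
    if after is None:
        # The caller lost access after its own write: the probe changed state
        # that feeds authorization, so report every probe field.
        return sorted(probe_fields)
    return sorted(f for f in probe_fields if after.get(f) != before.get(f))


if __name__ == "__main__":
    vulnerable = FakeApi(enforce_owner=False, allowlist_fields=False)
    hardened = FakeApi()
    print("BOLA (vulnerable):", check_bola(vulnerable, "tok-alice", "tok-bob"))
    print("BOLA (hardened):  ", check_bola(hardened, "tok-alice", "tok-bob"))
    print("mass assignment (vulnerable):",
          check_mass_assignment(vulnerable, "tok-bob", 202, ["owner", "status"]))
    print("mass assignment (hardened):  ",
          check_mass_assignment(hardened, "tok-bob", 202, ["owner", "status"]))
```

Two design points carry over to real scans. The BOLA check only counts a finding when the attacker receives the victim's actual object, not merely a 200, because some APIs return an empty or generic body for foreign IDs. The mass-assignment check writes to the target, so it belongs against a staging tenant or a disposable account, and the probe values are chosen to be recognisable so they can be cleaned up afterwards.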

How to get started

There are two ways to set up API scanning:

Option 1: Import your spec. Go to your target settings and upload your OpenAPI 3.x or Swagger 2.0 JSON/YAML file. The scanner will parse every endpoint, parameter, and schema definition and build a complete test plan.

Option 2: Endpoint discovery. Provide your API base URL and authentication credentials. The crawler will send requests, analyze response patterns, and build a map of your API surface. This works well for APIs without maintained specs, with the caveat that discovery can only map what it observes in responses; when a spec exists, importing it gives the scanner the full set of endpoints and parameters to test.

Once configured, API scans run on the same schedule as your web application scans. Results appear in the same dashboard with the same severity ratings and remediation guidance.

Integration with CI/CD

API scans work with our existing CI/CD integrations. Add the --api-spec flag to your CLI command to include API testing in your pipeline scans:

sectests scan --target api.example.com --api-spec ./openapi.yaml --fail-on critical

The scan runs alongside your standard web checks. If a critical finding is detected, the CLI exits with a non-zero code and your pipeline stops.

Pricing

API security scanning is included in Pro and Enterprise plans at no additional cost. API endpoints count toward your target limit the same way web targets do. Community plan users can start a 14-day free trial of Pro to try it.

We have been testing this internally and with early-access customers for three months. The scanner has already found BOLA vulnerabilities in two production APIs that passed traditional DAST scans. If your application exposes an API, this is coverage you need.