Intruder this week made available an open-source tool that scans application programming interfaces (APIs) for broken authorization vulnerabilities.
Autoswagger is specifically designed to scan APIs that comply with the OpenAPI specification, previously known as Swagger.
Intruder CEO Chris Wallis said cybersecurity teams and application developers alike can now use Autoswagger to automatically detect authorization weaknesses in APIs and discover sensitive endpoints where the application fails to check for a valid API token.
Specifically, Autoswagger detects API schemas across a range of common formats and locations, starting with a list of an organization’s domains. It scans for OpenAPI and Swagger documentation pages, sending requests to each host to locate valid schemas. Once identified, it parses the API specifications and automatically generates a list of endpoints to test, taking into account each endpoint’s definition, required parameters, and expected data types.
Autoswagger executes targeted scans to identify broken authorization flaws by sending requests to each endpoint using valid parameters pulled from the documentation, flagging endpoints that return a valid response instead of expected HTTP 401 or 403 errors, and highlighting endpoints where authentication is missing or ineffective. It can also simulate bypassing validation checks to uncover flaws in endpoints that require specific data formats or values, which may reject generic input.
Finally, Autoswagger analyzes any successful responses for signs of exposed sensitive data, such as personally identifiable information (PII), credentials or internal records. Any endpoint missing proper authentication and returning sensitive information is then identified in a report that is generated.
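The workflow described above (parse the schema, derive valid sample requests, send them without a token, flag anything that does not answer 401 or 403, then check the body for sensitive data) is shown below as an added example in Python. It is not Autoswagger's own code and is not taken from the article; the OpenAPI document, the `fake_send` stand-in for a running API, and all function names are constructed for the illustration. The same `audit` routine could be pointed at a real service by swapping `fake_send` for a function that performs real HTTP requests against an API you are responsible for, so that "unauthenticated calls must be rejected" becomes a repeatable check in CI rather than a one-off finding.

```python
import re
from urllib.parse import urlencode

# Constructed OpenAPI 3 document (assumption: not from the article or the Autoswagger project).
SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],  # document-wide default: every operation needs a bearer token
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/health": {"get": {"security": []}},  # explicitly public, so it must not be flagged
        "/users/{id}": {"get": {"parameters": [
            {"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}}]}},
        "/admin/export": {"get": {"parameters": [
            {"name": "format", "in": "query", "schema": {"type": "string", "enum": ["csv", "json"]}}]}},
    },
}

HTTP_METHODS = ("get", "post", "put", "patch", "delete")


def sample_value(schema):
    """Pick a value that satisfies the declared type so the request is not rejected as malformed."""
    if "enum" in schema:
        return schema["enum"][0]
    if "example" in schema:
        return schema["example"]
    return {"integer": 1, "number": 1.0, "boolean": "true"}.get(schema.get("type"), "test")


def enumerate_endpoints(spec):
    """One entry per operation: method, path, whether the spec says it needs auth, and its parameters."""
    global_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            security = op.get("security", global_security)  # an operation-level list overrides the default
            yield {"method": method.upper(), "path": path,
                   "requires_auth": bool(security),
                   "parameters": item.get("parameters", []) + op.get("parameters", [])}


def build_request(ep):
    """Substitute path parameters and collect query parameters using spec-derived sample values."""
    path, query = ep["path"], {}
    for p in ep["parameters"]:
        value = sample_value(p.get("schema", {}))
        if p["in"] == "path":
            path = path.replace("{%s}" % p["name"], str(value))
        elif p["in"] == "query":
            query[p["name"]] = value
    return path + ("?" + urlencode(query) if query else "")


# Deliberately small set of PII indicators; a real scanner would carry many more.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def find_pii(body):
    """Names of the PII patterns that match anywhere in a response body."""
    return sorted(name for name, rx in PII_PATTERNS.items() if rx.search(body))


def audit(spec, send):
    """Call every auth-required operation with no credentials; report those that do not answer 401/403."""
    findings = []
    for ep in enumerate_endpoints(spec):
        if not ep["requires_auth"]:
            continue
        status, body = send(ep["method"], build_request(ep))
        if status not in (401, 403):
            findings.append({"method": ep["method"], "path": ep["path"],
                             "status": status, "pii": find_pii(body)})
    return findings


def fake_send(method, url):
    """Constructed stand-in for a running API: one route enforces auth correctly, one does not."""
    path = url.split("?", 1)[0]
    if path == "/health":
        return 200, "ok"
    if path.startswith("/users/"):
        return 401, '{"error":"missing bearer token"}'
    if path == "/admin/export":
        return 200, "alice@example.com,123-45-6789\n"  # answers without a token and leaks PII
    return 404, ""


if __name__ == "__main__":
    for finding in audit(SPEC, fake_send):
        print(finding)
```

Two details matter for the result. The `requires_auth` decision follows the OpenAPI rule that an operation-level `security` list overrides the document-level one, so `/health` with `security: []` is treated as intentionally public and skipped, while `/admin/export` inherits the bearer requirement and is tested. Sample values come from the parameter schema (the first `enum` entry, an `example`, or a type-appropriate default) so that a 400 from input validation is not mistaken for an authorization decision.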
In general, cybercriminals are increasingly targeting vulnerable APIs, with broken authorization now being one of the easiest and most often exploited flaws, said Wallis. Those attacks go well beyond simple data exfiltration as cybercriminals become more adept at actually manipulating business logic to compromise processes and workflows.
APIs are, of course, now everywhere, but it’s not always clear who is responsible for securing them. In theory, they should be secured by the application development teams that create them, but many of those teams lack cybersecurity expertise. As a result, responsibility for securing them often falls to cybersecurity teams that are frequently unaware that an API has been exposed. Autoswagger makes it simpler for penetration testing teams to discover and assess the security of those APIs, said Wallis.
Theoretically, at least, APIs are essentially just another type of endpoint that needs to be secured. Unfortunately, responsibility for application security hasn’t been all that clear-cut, with APIs receiving even less attention. A survey of 110 security leaders conducted by the Futurum Group does find, however, that nearly all organizations are now investing in software supply chain security, with application security posture management (ASPM) and DevSecOps automation and orchestration topping the priority list, followed closely by software composition analysis (SCA) tools, API security and dynamic application security testing (DAST) tools. That level of investment suggests there is now a much greater appreciation for application security, including the APIs used to access applications, that is arguably long overdue.