Autoswagger – Automated discovery and testing of OpenAPI & Swagger endpoints
Autoswagger is a command-line tool developed by Intruder for automatically discovering, parsing and testing Swagger/OpenAPI specifications to identify unauthenticated endpoints and data-leakage risks. Through multi-phase discovery (direct parsing, Swagger UI scraping and brute-forcing), concurrent testing, Presidio PII detection and regex-based secret identification, it helps red and blue teams quickly locate high-risk API vulnerabilities and produces output suited to manual verification. 2025-10-19 21:00:14 Author: www.darknet.org.uk

Autoswagger is a command-line tool from Intruder that automates the discovery, parsing, and testing of Swagger/OpenAPI specifications to reveal unauthenticated endpoints and data exposure risks. It locates spec files, extracts paths and methods, exercises endpoints at scale, and flags outputs that contain personally identifiable information or secrets. The tool combines multiple discovery phases with concurrent testing, Presidio-based PII detection, and regex-driven secret heuristics to surface API telemetry that deserves manual review.

Key features

  • Multi-phase discovery — Direct spec parsing, Swagger UI scraping, and common-spec bruteforce lookups to find OpenAPI documents.
  • Concurrent endpoint testing — Multi-threaded requests with configurable rate limiting to scale scans while controlling load.
  • Optional brute-force parameter testing — Fills parameters with test values to bypass naive validations and reveal hidden responses.
  • Presidio PII detection — Contextual detection for names, emails, phone numbers, and addresses to reduce false positives.
  • Secret regexes — TruffleHog-like patterns to flag API keys, tokens, and debugging artifacts in responses.
  • Flexible output — Human-friendly Rich table output or machine-readable JSON, with a product mode to filter only interesting results.

Installation

Autoswagger is a Python utility compatible with Python 3.7+. Installation is standard: clone the repository, create a virtual environment, and install dependencies. The following steps are taken directly from the project documentation.

git clone git@github.com:intruder-io/autoswagger.git
cd autoswagger
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

Validate installation and view built-in help:

python3 autoswagger.py -h

Usage and CLI

The tool supports a compact but expressive set of switches. The repository’s help text is reproduced verbatim to avoid errors or invented flags.

usage: autoswagger.py [-h] [-v] [-risk] [-all] [-product] [-stats] [-rate RATE] [-b] [-json] [urls ...]

Autoswagger: Detect unauthenticated access control issues via Swagger/OpenAPI documentation.

positional arguments:
  urls           Base URL(s) or spec URL(s) of the target API(s)

options:
  -h, --help     show this help message and exit
  -v, --verbose  Enable verbose output
  -risk          Include non-GET requests in testing
  -all           Include all HTTP status codes in the results, excluding 401 and 403
  -product       Output all endpoints in JSON, flagging those that contain PII or have large responses.
  -stats         Display scan statistics. Included in JSON if -product or -json is used.
  -rate RATE     Set the rate limit in requests per second (default: 30). Use 0 to disable rate limiting.
  -b, --brute    Enable exhaustive testing of parameter values.
  -json          Output results in JSON format in default mode.

Example usage:
  python autoswagger.py https://api.example.com -v

Discovery phases explained

Autoswagger finds API specs using three methods. First, if you supply a direct spec URL ending with .json, .yaml or .yml, it parses that file. Second, it probes known Swagger UI locations and extracts the spec from HTML or JavaScript includes. Third, if the two prior attempts fail, it brute-forces standard spec endpoints such as /swagger.json and /openapi.json. This multi-pronged approach increases coverage and reduces blind spots when a single discovery method is insufficient.

Endpoint testing model

By default, Autoswagger tests GET endpoints to avoid high-risk interactions. Use the -risk flag to include non-GET methods where authorized. The tool fills path and query parameters with default or supplied test values, constructs request bodies when the spec provides schemas, and executes tests concurrently while honoring the configured requests-per-second limit via -rate. Responses are parsed and then analysed for PII, secrets, and size-based interest flags.
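The spec walk described above, as an added example that is not Autoswagger's own code: it runs over a constructed OpenAPI 3 fragment (the server URL and paths are assumptions), fills path and query parameters from the spec's example/default values, keeps to GET unless asked otherwise, and goes one step further than the text by reporting which operations the document itself declares with an empty security requirement, the first thing to check when auditing your own spec.

```python
# Added example (not Autoswagger's own code): walk a constructed OpenAPI 3
# document, fill path and query parameters from the spec's example/default
# values to build concrete request URLs, and report the operations whose
# effective 'security' requirement is empty. Nothing here is from the article.
from urllib.parse import urlencode

SPEC = {
    "servers": [{"url": "https://api.example.com/v1"}],
    "security": [{"bearerAuth": []}],              # global default: auth required
    "paths": {
        "/customers/{id}": {"get": {"parameters": [
            {"name": "id", "in": "path", "schema": {"type": "integer", "example": 42}},
            {"name": "fields", "in": "query", "schema": {"default": "name,email"}},
        ]}},
        "/customers/export": {"get": {"security": []}},   # overrides global: none
        "/customers": {"post": {}},                        # inherits global auth
    },
}
METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

def sample_value(param):
    """Spec example/default first, otherwise a filler by declared type."""
    schema = param.get("schema", {})
    for key in ("example", "default"):
        if key in schema:
            return schema[key]
    return 1 if schema.get("type") == "integer" else "test"

def enumerate_operations(spec, include_non_get=False):
    """[(METHOD, url, requires_auth)]; GET only unless include_non_get.
    Operation-level 'security' overrides the global list; [] means none."""
    base = spec.get("servers", [{"url": ""}])[0]["url"].rstrip("/")
    plan = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in METHODS or (method != "get" and not include_non_get):
                continue
            requires_auth = bool(op.get("security", spec.get("security", [])))
            url, query = base + path, {}
            for p in op.get("parameters", []):
                if p.get("in") == "path":
                    url = url.replace("{%s}" % p["name"], str(sample_value(p)))
                elif p.get("in") == "query":
                    query[p["name"]] = sample_value(p)
            if query:
                url += "?" + urlencode(query)
            plan.append((method.upper(), url, requires_auth))
    return plan

def unauthenticated(spec):
    return [(m, u) for m, u, auth in enumerate_operations(spec, True) if not auth]
```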

PII and secret detection

Autoswagger integrates Microsoft Presidio for contextual PII detection, reducing naive false positives by looking for structured indicators such as CSV headers or key-value patterns. Secrets detection relies on curated regexes that mimic standard token and key formats. Significant responses and collections are also flagged so that reviewers can prioritise impactful exposures.
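An added example, not Autoswagger's own code, of the response-audit heuristics the paragraph describes: structured indicators (CSV header columns, JSON key names) for PII, a few well-known token shapes plus a generic key/value pattern for secrets, and a size threshold. The field list, regexes, threshold and sample bodies are all constructed for illustration; the same checks are what a defender would run over their own API responses.

```python
# Added example (not Autoswagger's own code): response-audit heuristics of the
# kind the article describes. Structured PII is inferred from CSV headers and
# JSON keys rather than free text; secrets from well-known token shapes and a
# generic key/value pattern. The sample bodies at the end are constructed.
import json
import re

PII_FIELDS = {"email", "phone", "name", "address", "ssn", "dob"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[\w-]+\.eyJ[\w-]+\.[\w-]+\b"),
    "generic_key_value": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\b\W{0,3}[A-Za-z0-9_\-]{20,}"),
}
LARGE_RESPONSE_BYTES = 4096            # size-based "interesting" threshold

def _json_keys(obj, keys):
    # Collect every key name in a nested JSON structure, lower-cased.
    if isinstance(obj, dict):
        for k, v in obj.items():
            keys.add(k.lower())
            _json_keys(v, keys)
    elif isinstance(obj, list):
        for v in obj:
            _json_keys(v, keys)
    return keys

def pii_fields(body):
    """PII-looking field names from JSON keys, or from a CSV header line."""
    try:
        return sorted(_json_keys(json.loads(body), set()) & PII_FIELDS)
    except ValueError:                 # not JSON: treat the first line as a CSV header
        header = body.splitlines()[0] if body else ""
        cols = {c.strip().strip('"').lower() for c in header.split(",")}
        return sorted(cols & PII_FIELDS)

def analyse_response(body):
    """Flags a reviewer would triage for one response body."""
    flags = {
        "pii_fields": pii_fields(body),
        "emails": len(EMAIL_RE.findall(body)),
        "secrets": sorted(n for n, rx in SECRET_PATTERNS.items() if rx.search(body)),
        "large": len(body.encode()) > LARGE_RESPONSE_BYTES,
    }
    flags["interesting"] = any(flags.values())
    return flags

# Constructed sample bodies; the AWS id is Amazon's documented example key.
CSV_EXPORT = "id,name,email,phone\n1,Ann Example,ann@example.org,+1-555-0100\n"
DEBUG_JSON = ('{"status":"ok","debug":{"aws_key":"AKIAIOSFODNN7EXAMPLE",'
              '"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl"}}')
```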

Attack scenario (offensive use case)

The following is a purely offensive scenario for a red team exercise. Only run these steps in authorized test environments.

Objective: Identify unauthenticated endpoints that leak customer identifiers or API keys in a public staging environment.

  • Recon: Run Autoswagger against the target base URL to discover an OpenAPI spec exposed at /openapi.json.
  • Extraction: Autoswagger parses all /customers/{id} endpoints and enumerates query parameters and optional fields.
  • Bruteforce: Enable -b to insert test values into query and body parameters. The tool discovers a GET /customers/export endpoint returning CSV content containing email addresses and phone numbers.
  • Credential leakage: A response contains a debugging field that matches a token regex, indicating a leaked internal key. Flag and capture this output with -product for review.
  • Post-exploitation testing: Use the uncovered parameter combinations in manual Burp Suite replay to confirm reproducibility and to measure impact for reporting.

Defensive guidance

For defenders, Autoswagger is valuable for attack surface discovery and hardening. Practical mitigations include:

  • Do not expose production OpenAPI specs publicly. If specs must be available, restrict access and gate via authentication.
  • Audit all API responses for PII and accidental debug output that may contain tokens or credentials.
  • Monitor anomalous access patterns against spec endpoints and Swagger UI assets. Treat programmatic retrievals from /swagger.json or /openapi.json as high-interest telemetry when originating from unknown hosts.
  • Use schema validation and response filtering to remove debug headers and internal fields from production responses.
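The monitoring item above, turned into a concrete rule as an added example (not Autoswagger's own code): parse web-server access-log lines in combined format, pick out requests for spec documents and Swagger UI assets, and raise those that come from outside an assumed set of internal ranges or that use a non-browser user agent. The log lines, the path list, the user-agent test and the internal ranges are all constructed assumptions.

```python
# Added example (not Autoswagger's own code): the monitoring rule from the
# guidance above, run over constructed access-log lines in combined format.
# A request for a spec document or Swagger UI asset is high-interest when it
# comes from outside the assumed internal ranges or uses a non-browser agent.
import ipaddress
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
    r' [^"]*" (?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"')
SPEC_PATHS = re.compile(
    r"/swagger(-ui)?(/|\.json|\.ya?ml)|/openapi\.(json|ya?ml)|/api-docs", re.I)
BROWSER_UA = re.compile(r"Mozilla/|Chrome/|Safari/|Firefox/")
# Assumed internal ranges; replace with the networks that legitimately read specs.
KNOWN_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def is_known_host(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETS)

def classify(entry):
    """Return a reason string if the entry is high-interest, else None."""
    if not SPEC_PATHS.search(entry["path"]):
        return None                       # ordinary request, not a spec fetch
    reasons = []
    if not is_known_host(entry["ip"]):
        reasons.append("unknown host")
    if not BROWSER_UA.search(entry["ua"]):
        reasons.append("non-browser UA")
    return ", ".join(reasons) or None     # spec fetch from a known browser: fine

def find_spec_retrievals(lines):
    """(ip, path, reason) for every log line that deserves an analyst's look."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: skip, don't crash
        reason = classify(m.groupdict())
        if reason:
            hits.append((m["ip"], m["path"], reason))
    return hits

# Constructed log lines; hosts use documentation ranges and paths are illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Oct/2025:21:00:14 +0000] "GET /openapi.json HTTP/1.1" 200 18342 "-" "python-requests/2.32.3"',
    '10.1.2.3 - - [19/Oct/2025:21:00:20 +0000] "GET /swagger-ui/index.html HTTP/1.1" 200 1023 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/130.0"',
    '203.0.113.7 - - [19/Oct/2025:21:00:21 +0000] "GET /customers/42 HTTP/1.1" 200 512 "-" "python-requests/2.32.3"',
    '198.51.100.9 - - [19/Oct/2025:21:01:02 +0000] "GET /v2/api-docs HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/129.0"',
]
```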

How Autoswagger fits with other tools

Autoswagger focuses on automation around OpenAPI discovery and response analysis. For broader API fuzzing and CI integration, consider Astra for automated API security testing and OWASP APICheck for DevSecOps-oriented API chains. Autoswagger complements these tools by quickly identifying unauthenticated spec-driven endpoints and producing targeted outputs suitable for manual verification and replay in proxy tools such as Burp Suite or OWASP Zed Attack Proxy.

Reporting and output

Run with -product to generate JSON filtered to only endpoints that contain PII, secrets, or significant responses. The -stats flag provides scan metrics, including requests sent, hosts with findings, and average requests-per-second. Use the JSON output for automated ingestion into bug trackers or triage pipelines.

Caveats and ethics

Only run Autoswagger against hosts and environments where you have explicit authorization. False positives are possible, and flagged endpoints must be manually validated. The initial release may not fully support some specs or UI implementations; extend detection regexes and parsers as needed.

Conclusion

Autoswagger is a practical, focused utility for uncovering unauthenticated API endpoints and response-based exposures derived directly from OpenAPI and Swagger documentation. It reduces the effort required to find high-impact data leaks and secret disclosures, fitting well into red team reconnaissance and blue team validation workflows. Use it responsibly and integrate it into a repeatable auditing pipeline for API security.

You can read more or download Autoswagger here: https://github.com/intruder-io/autoswagger

Source: https://www.darknet.org.uk/2025/10/autoswagger-automated-discovery-and-testing-of-openapi-swagger-endpoints/