APIDetector - Advanced Swagger Endpoint Testing and Vulnerability Analysis

APIDetector - Advanced Swagger Endpoint Testing and Vulnerability Analysis

APIDetector is a cutting-edge tool designed to help security professionals and developers test exposed Swagger endpoints across various subdomains.

With its advanced capabilities, it not only identifies vulnerabilities but also minimizes false positives, making it an essential resource for API testing and vulnerability analysis. 

This guide will walk you through everything you need to know about APIDetector, including installation, usage, features, and best practices.

What is APIDetector?

APIDetector is a tool specifically built for testing Swagger (OpenAPI) endpoints. It can scan single domains or lists of subdomains to identify vulnerable endpoints and generate proof-of-concept (PoC) images for detected vulnerabilities. It was showcased at BlackHat Arsenal 2024 as an advanced solution for API security testing.

What's New in Version 2?

The latest version, APIDetector v2, introduces the following features:

  • Automatic Vulnerability Detection: Identifies vulnerable Swagger versions with Cross-Site Scripting (XSS) issues.

  • PoC Generation: Automatically creates proof-of-concept images for detected vulnerabilities.

  • Enhanced Script: A new script file (apidetectorv2.py) has been added to the repository.

Features of APIDetector

  1. Flexible Input Options: Accepts single domains or lists of subdomains from a file.

  2. Protocol Support: Tests endpoints over both HTTP and HTTPS.

  3. Concurrency: Utilizes multi-threading for faster scanning.

  4. Customizable Output: Save results to a file or print them to the console.

  5. Verbose and Quiet Modes: Choose between detailed logs (default) or quiet mode.

  6. Custom User-Agent Support: Specify a custom User-Agent string for requests.

  7. False-Positive Detection: Smart algorithms minimize false positives.

  8. Automatic PoC Creation: Generates PoC images for detected vulnerabilities.

Getting Started with APIDetector

Prerequisites

Before using APIDetector, ensure the following:

  • Python 3.x is installed on your system.

  • pip (Python package manager) is installed.

Installation Steps

1.Clone the APIDetector repository:

git clone https://github.com/brinhosa/apidetector.git

cd apidetector

2.Install required Python packages:

pip install requests playwright nest_asyncio

3.Install Playwright:

playwright install

How to Use APIDetector

Run APIDetector from the command line using the following syntax:

Common Usage Examples

1.Scan a list of subdomains with 30 threads and save results to a file:

python apidetector.py -i list_of_company_subdomains.txt -o results_file.txt -t 30 -ua "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"

2.Scan a single domain:

python apidetector.py -d example.com

3.Scan multiple domains from a file:

python apidetector.py -i input_file.txt

4.Specify an output file for results:

python apidetector.py -i input_file.txt -o output_file.txt

5.Use a specific number of threads (e.g., 20):

python apidetector.py -i input_file.txt -t 20

6.Test both HTTP and HTTPS protocols:

python apidetector.py -m -d example.com

7.Run in quiet mode (suppress verbose output):

python apidetector.py -q -d example.com

8.Use a custom User-Agent string:

python apidetector.py -d example.com -ua "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

For Version 2, replace apidetector.py with apidetectorv2.py.

Command-Line Options

  • -d, --domain: Specify a single domain to test.

  • -i, --input: Provide an input file containing subdomains to scan.

  • -o, --output: Specify an output file to save results.

  • -t, --threads: Set the number of threads for scanning (default is 10).

  • -m, --mixed-mode: Test endpoints over both HTTP and HTTPS protocols.

  • -q, --quiet: Enable quiet mode (disable verbose output).

  • -ua, --user-agent: Use a custom User-Agent string.

Risks Associated with Exposed Endpoints

APIDetector identifies various types of Swagger endpoints, each with different risk levels:

1. High-Risk Endpoints (Direct API Documentation)

Examples: /swagger-ui.html, /api/docs, /swagger/index.html
Risk Level: High
These endpoints expose detailed API documentation, providing attackers with insights into API structure and potential vulnerabilities.

2. Medium-High Risk Endpoints (API Schema/Specification)

Examples: /swagger.json, /openapi.json, /api/swagger.yaml
Risk Level: Medium-High
These provide raw API specifications, revealing paths, parameters, and authentication methods.

3. Medium Risk Endpoints (Version-Specific Documentation)

Examples: /v2/api-docs, /v3/api-docs
Risk Level: Medium
These endpoints reveal version-specific API details that could help attackers understand functionality.

4. Lower Risk Endpoints (Configuration and Resources)

Examples: /swagger-resources, /swagger-resources/configuration/ui
Risk Level: Low
These provide auxiliary information but pose less risk compared to direct documentation.

Best Practices for Securing Swagger Endpoints

  1. Access Control: Restrict access to sensitive endpoints using authentication mechanisms.

  2. Environment Isolation: Expose detailed API documentation only in development or staging environments.

  3. Monitoring and Alerts: Track access patterns and set up alerts for unusual activity.

  4. Regular Audits: Periodically review exposed endpoints and remove unnecessary ones.

Contributing to APIDetector

Contributions are welcome! Fork the repository, make changes, and submit pull requests on GitHub.

Special thanks to contributors like Denis Lourenço and Bruno Francisco Cardoso for their valuable input in enhancing the tool.

Legal Disclaimer

APIDetector is intended strictly for lawful testing and educational purposes only. Unauthorized or unethical use is prohibited, and users are responsible for ensuring compliance with all applicable laws.

By using this tool, you agree that you have proper authorization to test the systems in question and assume full responsibility for its usage.

This guide provides a comprehensive overview of how to use APIDetector effectively while adhering to ethical guidelines—empowering developers and security professionals to safeguard their APIs against potential threats! You can learn more and Download APIDetector in GitHub.

Upgrade Your Cybersecurity Skills EHA: Learn 150+ Practical Cyber Security Courses Online With Life Time Access - Enroll Here

Back to blog