Documentation
Introduction

Introduction

Welcome to VulnAPI Documentation!

Demo


What is VulnAPI?

VulnAPI is an Open Source DAST that scans APIs for vulnerabilities and security risks. It provides reports on any vulnerabilities detected during the scan, including the risk level, vulnerability, description, and operation performed when the vulnerability has been found.

VulnAPI offers two methods for scanning APIs:

  • Using Curl-like CLI: This method involves directly invoking the CLI with parameters resembling curl commands.
  • Using OpenAPI Contracts: This method utilizes OpenAPI contracts to specify API endpoints for scanning.

Installation

Before making your first scan with VulnAPI, you have to download and install it. Please follow the instructions on the Installation page.

Documentation

Before scanning, you can discover target API useful information by using the discover command.

The Vulnerability Scanner CLI offers two methods for scanning APIs:

  • Using Curl-like CLI: This method involves directly invoking the CLI with parameters resembling curl commands.
  • Using OpenAPI Contracts: This method utilizes OpenAPI contracts to specify API endpoints for scanning.

Discover Command

To discover target API useful information, execute the following command:

vulnapi discover api [API_URL]

Example output:

| WELL-KNOWN PATHS |                URL                 |
|------------------|------------------------------------|
| OpenAPI          | http://localhost:5000/openapi.json |
| GraphQL          | N/A                                |
 
 
| TECHNOLOGIE/SERVICE |     VALUE     |
|---------------------|---------------|
| Framework           | Flask:2.2.3   |
| Language            | Python:3.7.17 |
| Server              | Flask:2.2.3   |

Using Curl-like CLI

To perform a scan using the Curl-like CLI, execute the following command:

vulnapi scan curl [API_URL] [CURL_OPTIONS]

Replace [API_URL] with the URL of the API to scan, and [CURL_OPTIONS] with any additional curl options you wish to include.

Example:

vulnapi scan curl http://localhost:8080 -H "Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaWF0IjoxNTE2MjM5MDIyfQ."

Using OpenAPI Contracts

To perform a scan using OpenAPI contracts, execute the following command:

echo "[JWT_TOKEN]" | vulnapi scan openapi [PATH_OR_URL_TO_OPENAPI_FILE]

Replace [PATH_OR_URL_TO_OPENAPI_FILE] with the path or the URL to the OpenAPI contract JSON file and [JWT_TOKEN] with the JWT token to use for authentication.

Example:

echo "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.e30." | vulnapi scan openapi ./test/stub/simple_http_bearer_jwt.openapi.json

Output

The CLI provides detailed reports on any vulnerabilities detected during the scan. Below is an example of the output format:

TECHNOLOGIE/SERVICEVALUE
FrameworkFlask:2.2.3
LanguagePython:3.11.9
ServerFlask:2.2.3

Advice: There are some low-risk issues. It's advised to take a look.

OPERATIONRISK LEVELCVSS 4.0 SCOREOWASPVULNERABILITY
GET /Medium5.1API8:2023 SecurityX-Frame-Options Header is
Misconfigurationmissing
Medium5.1API8:2023 SecurityCORS Headers are missing
Misconfiguration
Medium5.1API8:2023 SecurityCSP frame-ancestors policy is
Misconfigurationnot set
Info0.0API8:2023 SecurityX-Content-Type-Options Header
Misconfigurationis missing
Info0.0API8:2023 SecurityOperation May Accepts
MisconfigurationUnauthenticated Requests
Info0.0API8:2023 SecurityHSTS Header is missing
Misconfiguration
Info0.0API8:2023 SecurityCSP Header is not set
Misconfiguration
GET /books/v1Medium5.1API8:2023 SecurityCSP frame-ancestors policy is
Misconfigurationnot set
Medium5.1API8:2023 SecurityX-Frame-Options Header is
Misconfigurationmissing
Medium5.1API8:2023 SecurityCORS Headers are missing
Misconfiguration
Info0.0API8:2023 SecurityCSP Header is not set
Misconfiguration
Info0.0API8:2023 SecurityHSTS Header is missing
Misconfiguration
Info0.0API8:2023 SecurityX-Content-Type-Options Header
Misconfigurationis missing
Info0.0API8:2023 SecurityOperation May Accepts
MisconfigurationUnauthenticated Requests

In this example, each line represents a detected vulnerability, severity level (critical), vulnerability type, affected operation (GET http://localhost:8080/ (opens in a new tab)), and a description of the vulnerability.

Vulnerabilities Detected

All the vulnerabilities detected by the project are listed at this URL: API Vulnerabilities Detected.

More vulnerabilities and best practices will be added in future releases. If you have any suggestions or requests for additional vulnerabilities or best practices to be included, please feel free to open an issue or submit a pull request.

Proxy Support

The scanner supports proxy configurations for scanning APIs behind a proxy server. To use a proxy, set the HTTP_PROXY or HTTPS_PROXY environment variables with the proxy URL.

A command arg --proxy is also available to specify the proxy URL.

Additional Options

The VulnAPI may support additional options for customizing scans or output formatting. Run vulnapi -h or vulnapi help command to view available options and their descriptions.

Telemetry

The scanner collects anonymous usage data to help improve the tool. This data includes the number of scans performed, number of detected vulnerabilities, and the severity of vulnerabilities. No sensitive information is collected. You can opt-out of telemetry by passing the --sqa-opt-out flag.

Complete CLI Help

To view the complete CLI help, execute the following command:

vulnapi -h

Here is the output of the help command:

vulnapi
 
Usage:
  vulnapi [command]
 
Available Commands:
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  jwt         Generate JWT tokens
  scan        API Scan
  serve       Start the server
 
Flags:
  -h, --help          help for vulnapi
      --sqa-opt-out   Opt out of sending anonymous usage statistics and crash reports to help improve the tool
 
Use "vulnapi [command] --help" for more information about a command.

Disclaimer

This scanner is provided for educational and informational purposes only. It should not be used for malicious purposes or to attack any system without proper authorization. Always respect the security and privacy of others.