vulnapi-scanner
OWASP API Security Top 10:2023 vulnerability scanner. Scan any API for auth bypass, IDOR, SQLi, RCE, rate limiting gaps, JWT vulns, SSRF, and more.
# vulnapi-scanner
A comprehensive OWASP API Security Top 10:2023 vulnerability scanner built on top of the battle-tested [cerberauth/vulnapi](https://github.com/cerberauth/vulnapi) engine. Designed for developers, security engineers, and penetration testers who need fast, accurate API security assessments without leaving their Anvil workflow.
## What It Does
vulnapi-scanner performs automated security scans against REST APIs, GraphQL endpoints, and gRPC services. It detects vulnerabilities mapped to the OWASP API Security Top 10:2023 including:
- **API1 - Broken Object Level Authorization (BOLA/IDOR)**: Detects endpoints that expose other users' data by manipulating IDs
- **API2 - Broken Authentication**: Tests for weak JWT signing, missing expiry, algorithm confusion (RS256→HS256), and bearer token leakage
- **API3 - Broken Object Property Level Authorization**: Identifies mass assignment and over-exposed fields
- **API4 - Unrestricted Resource Consumption**: Rate limiting gap detection, resource exhaustion vectors
- **API5 - Broken Function Level Authorization**: Admin endpoint discovery, HTTP method fuzzing
- **API6 - Unrestricted Access to Sensitive Business Flows**: Workflow abuse detection
- **API7 - Server Side Request Forgery (SSRF)**: Internal network probing via URL parameters
- **API8 - Security Misconfiguration**: CORS misconfig, verbose errors, debug endpoints, missing security headers
- **API9 - Improper Inventory Management**: Shadow API discovery, deprecated endpoint detection
- **API10 - Unsafe Consumption of APIs**: Third-party integration security checks
The scanner covers **540+ endpoint patterns** and generates structured JSON reports suitable for CI/CD integration, ticketing systems, and compliance documentation.
## Installation
```bash
anvil skill install vulnapi-scanner
```
## Usage
### Basic Scan
```
/vulnapi https://api.example.com
```
### Authenticated Scan (Bearer Token)
```
/vulnapi https://api.example.com --auth bearer:YOUR_TOKEN_HERE
```
### Authenticated Scan (API Key)
```
/vulnapi https://api.example.com --auth apikey:x-api-key:YOUR_KEY
```
### Scan with OpenAPI Spec
```
/vulnapi https://api.example.com --spec ./openapi.yaml
```
### Targeted Scan (specific checks)
```
/vulnapi https://api.example.com --checks jwt,cors,ssrf --auth bearer:TOKEN
```
### CI/CD Mode (exit code on findings)
```
/vulnapi https://api.example.com --auth bearer:TOKEN --fail-on high
```
## Configuration Options
| Option | Description | Default |
|--------|-------------|---------|
| `--auth` | Authentication method (bearer, apikey, basic) | none |
| `--spec` | Path to OpenAPI/Swagger spec file | auto-discover |
| `--checks` | Comma-separated list of checks to run | all |
| `--fail-on` | Exit non-zero on: low, medium, high, critical | none |
| `--output` | Output format: json, sarif, html | json |
| `--timeout` | Request timeout in seconds | 10 |
| `--rate-limit` | Max requests per second | 20 |
| `--depth` | Crawl depth for endpoint discovery | 3 |
## Report Output
Reports include severity ratings (critical/high/medium/low/info), CWE IDs, CVSS scores, affected endpoints, evidence, and remediation guidance. Use `--output sarif` to produce a report the GitHub Security tab can ingest; the default JSON output can be imported into DefectDojo.
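The CI/CD mode and report section above describe a severity threshold (`--fail-on`) and SARIF upload but not the report layout, so here is an added post-processing example (not code from vulnapi-scanner or cerberauth/vulnapi) that applies the same threshold rule to a report and emits a minimal SARIF 2.1.0 log. The `findings` schema and the sample report are constructed assumptions for illustration.

```python
"""Gate a CI job on a vulnapi-scanner JSON report and convert it to SARIF.
Added example, not code from vulnapi-scanner or cerberauth/vulnapi; the report
layout (a "findings" list with id, severity, cwe, method, endpoint, evidence,
remediation) is an assumed schema for illustration. Adapt it to the real output."""
import json
import sys

SEVERITIES = ["critical", "high", "medium", "low", "info"]  # highest first, as in the report
SARIF_LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note", "info": "note"}

# Constructed sample report, not real scanner output.
SAMPLE_REPORT = {"findings": [
    {"id": "API2-jwt-missing-exp", "severity": "critical", "cwe": "CWE-613", "method": "GET",
     "endpoint": "/v1/users/me", "evidence": "token without exp claim accepted",
     "remediation": "Require and validate the exp claim"},
    {"id": "API8-cors-wildcard", "severity": "medium", "cwe": "CWE-942", "method": "GET",
     "endpoint": "/v1/orders", "evidence": "Access-Control-Allow-Origin: * on a credentialed route",
     "remediation": "Allow-list trusted origins"},
]}

def findings_at_or_above(report, threshold):
    """Findings whose severity is at least `threshold` (the --fail-on rule)."""
    cutoff = SEVERITIES.index(threshold)
    return [f for f in report["findings"] if SEVERITIES.index(f["severity"]) <= cutoff]

def ci_exit_code(report, fail_on):
    """1 when any finding meets the --fail-on threshold, else 0."""
    return 1 if findings_at_or_above(report, fail_on) else 0

def to_sarif(report, tool_name="vulnapi-scanner"):
    """Minimal SARIF 2.1.0 log for upload to the GitHub Security tab."""
    rules, results = {}, []
    for f in report["findings"]:
        rules.setdefault(f["id"], {"id": f["id"], "shortDescription": {"text": f["id"]},
                                   "help": {"text": f["remediation"]},
                                   "properties": {"tags": ["security", f["cwe"]]}})
        results.append({
            "ruleId": f["id"], "level": SARIF_LEVEL[f["severity"]],
            "message": {"text": f"{f['method']} {f['endpoint']}: {f['evidence']}"},
            # API findings have no source file; GitHub still needs a location, so use the route.
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["endpoint"].lstrip("/")}}}]})
    return {"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                      "results": results}]}

if __name__ == "__main__":  # usage: gate.py report.json [fail-on]
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    with open("vulnapi.sarif", "w") as fh:
        json.dump(to_sarif(report), fh, indent=2)
    sys.exit(ci_exit_code(report, sys.argv[2] if len(sys.argv) > 2 else "high"))
```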
## Requirements
- Active Anvil session with network access to target API
- For authenticated scans: valid credentials for the target API
- Target API must be reachable from the Anvil execution environment