UPDATED 09:00 EDT / JULY 22 2025

SECURITY

Intruder releases free tool to detect broken API authorization

Attack surface management company Intruder Solutions Ltd. today announced the launch of AutoSwagger, a free, open-source tool that scans OpenAPI-documented application programming interfaces for broken authorization vulnerabilities.

AutoSwagger automatically detects authorization weaknesses in APIs and discovers sensitive endpoints not requiring authentication where the application fails to check for a valid API token.

The new tool seeks to address the increasing issue of API-related data breaches, which according to a report from Verizon Communications Inc., are up nearly 40% year-over-year. Though there are existing tools that scan APIs, Intruder argues that the options for detecting broken authorization are either costly or inefficient, or require manual work by penetration testers to uncover the flaws. AutoSwagger, on the other hand, is the first freely available tool that is proven effective in detecting dangerous API vulnerabilities, the company says.

“These vulnerabilities are so easy to exploit, you could teach someone with no technical background how to do it in a day,” said founder and Chief Executive Chris Wallis. “When you consider how common these issues are and how frequently companies release new code or expose new endpoints, it’s clear this is a critical gap. That’s why we’re making AutoSwagger available for free, to help teams find and fix these flaws before attackers do.”

Though only launching today, the tool has already been found to be effective. During Intruder’s research and testing of AutoSwagger, the company’s security team detected exposed Salesforce Inc. records containing personally identifiable information at a large multinational tech company, and an exposed internal staff training application at a multinational soda company that would have allowed potential attackers to run queries against its database.

The data could have been used to mount a phishing campaign against employees, using real information that would gain staff members’ trust. The majority of the vulnerabilities discovered during the research process were in APIs intended for internal use.

AutoSwagger works by identifying API schemas across various formats and locations, using a list of an organization’s domains as a starting point. The tool searches for OpenAPI and Swagger documentation pages, sending requests to each host to locate valid API specifications. Once a schema is found, AutoSwagger parses the documentation to generate a comprehensive list of endpoints for testing, factoring in the endpoint definitions, required parameters and expected data types.

The tool then runs targeted scans for broken authorization: it sends requests to each endpoint using valid parameters derived from the documentation and flags any endpoint that returns a successful response instead of the expected HTTP 401 or 403 error, which would indicate proper access control. AutoSwagger also highlights endpoints where authentication is either missing or ineffective, helping teams pinpoint and fix critical access control flaws.

The tool analyzes any successful responses for signs of exposed sensitive data, such as personally identifiable information, credentials or internal records. Any endpoint missing proper authentication and returning sensitive information is included in the output report.
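The parse, probe and classify flow the preceding three paragraphs describe, as an added example written for this article and not AutoSwagger's own code. It assumes an OpenAPI 3 document has already been fetched from a host (a constructed spec is embedded in place of a fetched one), substitutes placeholder values for the required parameters each operation documents, sends every operation without credentials through a pluggable sender (a constructed in-memory stand-in is included next to a urllib one), treats 2xx on an operation the spec marks as protected as a broken-authorization finding, and screens successful bodies for sensitive-looking keys. The key-name pattern, the verdict labels and the sample paths are my own choices, not the tool's.

```python
"""OpenAPI-driven broken-authorization check (added example, not AutoSwagger's code)."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

# Constructed OpenAPI 3 document standing in for one discovered at /openapi.json.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "paths": {
    "/users/{id}": {
      "get": {
        "security": [{"bearerAuth": []}],
        "parameters": [{"name": "id", "in": "path", "required": true,
                        "schema": {"type": "integer"}}]
      }
    },
    "/training/records": {
      "get": {
        "security": [{"bearerAuth": []}],
        "parameters": [{"name": "limit", "in": "query", "required": true,
                        "schema": {"type": "integer"}}]
      }
    },
    "/health": {"get": {"security": []}}
  }
}
""")

# Placeholder values per documented schema type (assumption: enough to satisfy validation).
PLACEHOLDERS = {"integer": "1", "number": "1", "boolean": "true", "string": "test"}
# Key names that suggest PII or credentials in a response body (my own list).
SENSITIVE_KEYS = re.compile(r"(email|ssn|password|token|secret|api_key|phone)", re.I)


def build_requests(spec: dict) -> list[dict]:
    """Turn each documented operation into a concrete method, path and query."""
    requests = []
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            url, query = path, {}
            for p in op.get("parameters", []):
                if not p.get("required"):
                    continue
                value = PLACEHOLDERS.get(p.get("schema", {}).get("type", "string"), "test")
                if p["in"] == "path":
                    url = url.replace("{" + p["name"] + "}", value)
                elif p["in"] == "query":
                    query[p["name"]] = value
            # An operation-level "security" overrides the document-level one; an
            # empty list documents the operation as intentionally unauthenticated.
            requires_auth = bool(op.get("security", spec.get("security", [])))
            requests.append({"method": method.upper(), "path": url,
                             "query": query, "requires_auth": requires_auth})
    return requests


def find_sensitive_keys(body: object) -> list[str]:
    """Recursively collect JSON keys that look like PII or credentials."""
    found = []
    if isinstance(body, dict):
        for k, v in body.items():
            if SENSITIVE_KEYS.search(k):
                found.append(k)
            found.extend(find_sensitive_keys(v))
    elif isinstance(body, list):
        for item in body:
            found.extend(find_sensitive_keys(item))
    return found


def classify(req: dict, status: int, body: object) -> dict:
    """Decide what an unauthenticated response means for this operation."""
    success = 200 <= status < 300
    sensitive = find_sensitive_keys(body) if success else []
    if status in (401, 403):
        verdict = "ok"                         # access control answered as expected
    elif success and req["requires_auth"]:
        verdict = "broken-authz"               # documented as protected, served anyway
    elif sensitive:
        verdict = "sensitive-unauthenticated"  # documented as open, but leaks data
    else:
        verdict = "info"
    return {**req, "status": status, "verdict": verdict, "sensitive": sensitive}


def scan(spec: dict, send: Callable[[str, str, dict], tuple[int, object]]) -> list[dict]:
    """Send every documented operation without credentials and classify the replies."""
    return [classify(r, *send(r["method"], r["path"], r["query"])) for r in build_requests(spec)]


def http_send(base_url: str) -> Callable[[str, str, dict], tuple[int, object]]:
    """Sender over urllib for running the scan against a real deployment of the API."""
    def send(method: str, path: str, query: dict) -> tuple[int, object]:
        url = base_url + path + ("?" + urllib.parse.urlencode(query) if query else "")
        req = urllib.request.Request(url, method=method)  # deliberately no Authorization header
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                raw, status = resp.read(), resp.status
        except urllib.error.HTTPError as e:
            raw, status = e.read(), e.code
        try:
            return status, json.loads(raw or b"null")
        except ValueError:
            return status, raw.decode(errors="replace")
    return send


def fake_send(method: str, path: str, query: dict) -> tuple[int, object]:
    """Constructed stand-in for the network: /users/{id} enforces its token, /training/records does not."""
    if path.startswith("/users/"):
        return 401, {"error": "missing bearer token"}
    if path == "/training/records":
        return 200, [{"employee": "A. Example", "email": "a.example@example.com"}]
    if path == "/health":
        return 200, {"status": "up"}
    return 404, {}


if __name__ == "__main__":
    for finding in scan(SAMPLE_SPEC, fake_send):
        print(finding["verdict"], finding["method"], finding["path"], finding["sensitive"])
```

Run as-is, the constructed host yields `ok` for `/users/1`, `broken-authz` for `/training/records` (served with an `email` field and no token) and `info` for `/health`, which the spec documents as open and which returns nothing sensitive. Swapping `fake_send` for `http_send("https://api.example.invalid")` runs the same logic over the wire; the classification deliberately trusts the spec's `security` declarations, so an operation that omits them is only flagged when its body actually leaks something.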

“Exposing documentation for your API effectively increases your attack surface and as a defense in depth measure, you should not expose API documentation unless it’s a business requirement,” said Dan Andrew, head of security at Intruder. “The lesson here is, in addition to regular API scanning after each development iteration, that you shouldn’t publicly document your APIs unless you can’t avoid it. Without a ‘map,’ this kind of vulnerability becomes much harder for attackers to exploit.”
