API Security Scanning

APIs require different security approaches, different techniques, and different security knowledge than traditional web applications. Ensuring that APIs are suitably secured and covered with robust, API-specific vulnerability scanning should be a key priority for any organisation that operates a modern web presence. AppCheck has been developed by expert penetration testers to assess APIs intelligently in the same context-aware manner as a penetration tester would and using the same methodologies.

Get in touch to discuss your requirements

Complete Coverage

Are you confident your current solution can test your APIs effectively?

SPA crawling, endpoint discovery and GraphQL Introspection

Automatic fixture data generation from swagger and GraphQL

Detailed diagnostic output showing errors for manual review

Benefits of AppCheck

Contextual probing of individual API methods

Performs function and method-specific API scanning that uses adaptive and heuristic fuzzing techniques to intelligently probe for weaknesses in API handling of parameters, headers, data types, structures, and formats.

Support for REST, SOAP & GraphQL APIs

Sophisticated and versatile scan logic that natively understands diverse API variants, including REST (JSON), SOAP (XML) and GraphQL-based APIs.

API Schema & Introspection support

Intelligent schema discovery and parsing support for API definition/specification formats including WSDL (XML), Swagger/OpenAPI (JSON, YAML) and GraphQL Introspection queries.

Customisable API authentication

Ability to authenticate against private APIs using multiple security definitions and authentication methods including API access keys.

Simulates manual penetration testing

Leverages proprietary technology developed in-house by penetration testers to perform API-specific vulnerability scanning, not simply applying legacy scanning techniques that fail to address API-specific security issues.

Full OWASP Top 10 Coverage

Supports testing of all key OWASP Top 10 API Security Threats, including Broken Object Level Authorization (BOLA/IDOR), Broken Function Level Authorization, and commonly seen Injection vulnerabilities.

Get a Free Vulnerability Scan

How does API Scanning work?

Web API scanners such as AppCheck work by checking your APIs for common pitfalls and security issues that could be prone to attack. Rather than use a database of static signatures of known weaknesses, the AppCheck platform applies a rigorous test methodology to tease out even previously unknown weaknesses in the same way a hacker or penetration tester would.

AppCheck does this by using schema definitions and other gathered intelligence to build an internal reference model of the API that can then be used to leverage advanced heuristic testing techniques. This methodology of building up custom and specific test cases for each API from “first principles” reveals security issues within your API that scanners using static or legacy testing techniques simply cannot uncover. AppCheck provides suggestions for how any discovered vulnerabilities can be solved, based on best practice guidance from organisations including OWASP and MITRE, as well as in-house experts.

AppCheck gives us the ability to quickly identify vulnerabilities and zero days, and to provide assurance to the business. – Rail Delivery Group (National Rail)

WHY CHOOSE APPCHECK?

Web Application Scanner Features

Discover zero days, plus 100,000+ known security flaws (CVEs), plus full OWASP vulnerability coverage including injection, XSS, RCE and more…

Intelligent and versatile configuration means you can launch scans in seconds

Save time with a practical workflow management system

Thoroughly scan and test your APIs, including WSDL, Swagger and GraphQL endpoints, for security flaws

Conduct checks throughout the application life cycle, from development to production

Compatible with Jira and TeamCity, as well as other development tools

Crawls modern complex applications such as SPAs

Flex key user journeys and complete multi-stage authentication via a scriptable browser interface

Trusted by hundreds of brands worldwide

Put us to the test.
Try AppCheck for free

No software to download or install.
Contact us or call us 0113 887 8380
