Once considered a niche form of web interface used mainly within internal networks and screened data feeds, web APIs have seen explosive growth in recent years. The rise of public, openly accessible APIs for developer and partner integrations, and their use as backends for a new wave of Single Page Applications (SPAs), means that, as of 2021, API calls represent around 80 percent of all web traffic, eclipsing traditional web application traffic.
APIs call for different security approaches, techniques and knowledge than traditional web applications. Ensuring that APIs are suitably secured and covered by robust, API-specific vulnerability scanning should be a key priority for any organisation that operates a modern web presence. AppCheck has been developed by expert penetration testers to assess APIs intelligently, in the same context-aware manner as a penetration tester would and using the same methodologies.
Leverages proprietary technology developed in-house by penetration testers to perform API-specific vulnerability scanning, not simply applying legacy scanning techniques that fail to address API-specific security issues.
Sophisticated and versatile scan logic that natively understands diverse API variants including REST (JSON), SOAP (XML) and GraphQL based APIs.
Intelligent schema discovery and parsing support for API definition/specification formats including WSDL (XML), Swagger/OpenAPI (JSON, YAML) and GraphQL Introspection queries.
Ability to authenticate against private APIs using multiple security definitions and authentication methods including API access keys.
Performs function and method-specific API scanning that uses adaptive and heuristic fuzzing techniques to intelligently probe for weaknesses in API handling of parameters, headers, data types, structures, and formats.
Supports testing of all key OWASP API Security Top 10 threats, including Broken Object Level Authorization (BOLA/IDOR), Broken Function Level Authorization, and commonly seen injection vulnerabilities.
Web API scanners such as AppCheck work by checking your APIs for common pitfalls and security weaknesses that an attacker could exploit. Rather than relying on a database of static signatures for known weaknesses, the AppCheck platform applies a rigorous test methodology to tease out previously unknown weaknesses in the same way a hacker or penetration tester would.
AppCheck does this by using schema definitions and other gathered intelligence to build an internal reference model of the API, which then drives heuristic testing techniques. Building custom, specific test cases for each API from "first principles" in this way reveals security issues that scanners using static or legacy testing techniques simply cannot uncover. AppCheck provides remediation guidance for any discovered vulnerabilities, based on best-practice advice from organisations including OWASP and MITRE as well as from in-house experts.
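To make the "reference model, then per-operation test cases" approach concrete, the following is an added illustration written for this page; it is not AppCheck's code and does not reflect its internal design. It parses a constructed OpenAPI 3 document into a flat operation model, generates type-aware fuzzing cases for every path, query and JSON body parameter, adds a BOLA/IDOR case wherever an authenticated operation takes an object identifier in the path, and applies a minimal response heuristic. Payload lists, operation names and the "other-user" credential label are all assumptions made for the example.

```python
"""Schema-driven API test generation: parse an OpenAPI definition into a
model, emit per-operation, per-parameter test cases (type-aware fuzzing plus
a BOLA/IDOR replay), and classify responses. Added illustration for this
page, not AppCheck's code; the spec and payload lists are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Any

# Constructed OpenAPI 3 document, already parsed from JSON/YAML into a dict.
SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "paths": {
        "/users/{userId}": {
            "get": {
                "operationId": "getUser",
                "security": [{"ApiKeyAuth": []}],
                "parameters": [
                    {"name": "userId", "in": "path", "schema": {"type": "integer"}},
                    {"name": "fields", "in": "query", "schema": {"type": "string"}},
                ],
            },
        },
        "/users/{userId}/notes": {
            "post": {
                "operationId": "createNote",
                "security": [{"ApiKeyAuth": []}],
                "parameters": [
                    {"name": "userId", "in": "path", "schema": {"type": "integer"}},
                ],
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "properties": {
                        "title": {"type": "string"},
                        "pinned": {"type": "boolean"},
                    },
                }}}},
            },
        },
    },
}

# Heuristic payloads keyed by declared schema type: (check label, value).
PAYLOADS: dict[str, list[tuple[str, Any]]] = {
    "integer": [("type-confusion", "abc"), ("negative", -1),
                ("overflow", 2**63), ("sqli", "1 OR 1=1")],
    "string": [("sqli", "' OR '1'='1"), ("xss", "<script>alert(1)</script>"),
               ("path-traversal", "../../etc/passwd"), ("overlong", "A" * 4096)],
    "boolean": [("type-confusion", "maybe"), ("type-confusion", 2)],
}

@dataclass
class TestCase:
    operation: str   # operationId
    method: str
    path: str        # path template with {placeholders}
    location: str    # path | query | body
    parameter: str
    check: str       # vulnerability class being probed
    value: Any
    auth_context: str = "owner"   # credential set the request is sent with

def build_model(spec: dict[str, Any]) -> list[dict[str, Any]]:
    """Flatten paths -> methods into operations, each with a list of
    (name, location, type) for path/query parameters and JSON body fields."""
    ops = []
    for path, methods in spec["paths"].items():
        for method, op in methods.items():
            params = [(p["name"], p["in"], p["schema"]["type"])
                      for p in op.get("parameters", [])]
            body = (op.get("requestBody", {}).get("content", {})
                    .get("application/json", {}).get("schema", {}))
            params += [(n, "body", s["type"]) for n, s in body.get("properties", {}).items()]
            ops.append({"id": op.get("operationId", f"{method}:{path}"),
                        "method": method.upper(), "path": path, "params": params,
                        "authenticated": bool(op.get("security"))})
    return ops

def generate_cases(ops: list[dict[str, Any]]) -> list[TestCase]:
    cases = []
    for op in ops:
        for name, loc, typ in op["params"]:
            # Type-aware fuzzing: an integer field gets type-confusion and
            # boundary values, a string field gets injection strings.
            for check, value in PAYLOADS.get(typ, []):
                cases.append(TestCase(op["id"], op["method"], op["path"],
                                      loc, name, check, value))
            # BOLA/IDOR: an object id in the path of an authenticated operation
            # is replayed under a second principal's credentials, carrying an
            # id known to belong to the first principal.
            if loc == "path" and op["authenticated"] and name.lower().endswith("id"):
                cases.append(TestCase(op["id"], op["method"], op["path"], loc, name,
                                      "bola", "<id owned by other account>",
                                      auth_context="other-user"))
    return cases

def classify(case: TestCase, status: int, body: str) -> str | None:
    """Minimal response heuristics. A real scanner also diffs each response
    against a baseline for the same operation rather than trusting status alone."""
    if case.check == "bola" and 200 <= status < 300:
        return f"{case.operation}: {case.parameter} readable cross-account (BOLA/IDOR)"
    if case.check == "sqli" and ("sql syntax" in body.lower() or status >= 500):
        return f"{case.operation}: SQL error behaviour on {case.parameter}"
    if status >= 500:
        return f"{case.operation}: unhandled {case.check} input on {case.parameter}"
    return None
```

Running `generate_cases(build_model(SPEC))` on the constructed spec yields 20 cases, two of which are BOLA replays to be sent as the second principal; feeding each case's real HTTP response into `classify` turns a 2xx on a BOLA replay, or a database error string on an injection payload, into a finding. The point of deriving cases from the schema rather than from a fixed signature list is that every parameter the API declares gets probed with payloads that match its declared type, including operations no crawler would ever reach by following links.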
Discover zero days, plus 100,000+ known security flaws (CVEs), plus full OWASP vulnerability coverage including injection, XSS, RCE and more…
Intelligent and versatile configuration means you can launch scans in seconds
Save time with a practical workflow management system
Thoroughly scan and test your APIs, including WSDL, Swagger/OpenAPI and GraphQL endpoints, for security flaws
Conduct checks throughout the application life cycle, from development to production
Compatible with Jira and TeamCity, as well as other development tools
Crawls modern complex applications such as SPAs
Exercise key user journeys and complete multi-stage authentication via a scriptable browser interface