APIDetector: The Next-Gen Swagger Endpoint Vulnerability Scanner
APIDetector
APIDetector is a powerful and efficient tool for testing subdomains for exposed Swagger endpoints, with smart capabilities to detect false positives. It's particularly useful for security professionals and developers who are engaged in API testing and vulnerability scanning.
Features
- Flexible Input: Accepts a single domain or a list of subdomains from a file.
- Multiple Protocols: Option to test endpoints over both HTTP and HTTPS.
- Concurrency: Utilizes multi-threading for faster scanning.
- Customizable Output: Save results to a file or print to stdout.
- Verbose and Quiet Modes: Default verbose mode for detailed logs, with an option for quiet mode.
- Custom User-Agent: Ability to specify a custom User-Agent for requests.
- Smart Detection of False Positives: Ability to detect most false positives.
Risk Details of Each Endpoint APIDetector Finds
Exposing Swagger or OpenAPI documentation endpoints can present various risks, primarily related to information disclosure. The endpoints APIDetector scans are listed below in order of potential risk level, with similar endpoints grouped together:
1. High-Risk Endpoints (Direct API Documentation):
- Endpoints:
'/swagger-ui.html', '/swagger-ui/', '/swagger-ui/index.html', '/api/swagger-ui.html', '/documentation/swagger-ui.html', '/swagger/index.html', '/api/docs', '/docs', '/api/swagger-ui', '/documentation/swagger-ui'
- Risk:
- These endpoints typically serve the Swagger UI interface, which provides a complete overview of all API endpoints, including request formats, query parameters, and sometimes even example requests and responses.
- Risk Level: High. Exposing these gives potential attackers detailed insights into your API structure and potential attack vectors.
2. Medium-High Risk Endpoints (API Schema/Specification):
- Endpoints:
'/openapi.json', '/swagger.json', '/api/swagger.json', '/swagger.yaml', '/swagger.yml', '/api/swagger.yaml', '/api/swagger.yml', '/api.json', '/api.yaml', '/api.yml', '/documentation/swagger.json', '/documentation/swagger.yaml', '/documentation/swagger.yml'
- Risk:
- These endpoints provide raw Swagger/OpenAPI specification files. They contain detailed information about the API endpoints, including paths, parameters, and sometimes authentication methods.
- Risk Level: Medium-High. While they require more interpretation than the UI interfaces, they still reveal extensive information about the API.
3. Medium Risk Endpoints (API Documentation Versions):
- Endpoints:
'/v2/api-docs', '/v3/api-docs', '/api/v2/swagger.json', '/api/v3/swagger.json', '/api/v1/documentation', '/api/v2/documentation', '/api/v3/documentation', '/api/v1/api-docs', '/api/v2/api-docs', '/api/v3/api-docs', '/swagger/v2/api-docs', '/swagger/v3/api-docs', '/swagger-ui.html/v2/api-docs', '/swagger-ui.html/v3/api-docs', '/api/swagger/v2/api-docs', '/api/swagger/v3/api-docs'
- Risk:
- These endpoints often refer to version-specific documentation or API descriptions. They reveal information about the API’s structure and capabilities, which could aid an attacker in understanding the API’s functionality and potential weaknesses.
- Risk Level: Medium. These might not be as detailed as the complete documentation or schema files, but they still provide useful information for attackers.
4. Lower Risk Endpoints (Configuration and Resources):
- Endpoints:
'/swagger-resources', '/swagger-resources/configuration/ui', '/swagger-resources/configuration/security', '/api/swagger-resources', '/api.html'
- Risk:
- These endpoints often provide auxiliary information, configuration details, or resources related to the API documentation setup.
- Risk Level: Lower. They may not directly reveal API endpoint details but can give insights into the configuration and setup of the API documentation.
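The risk tiers above can also be used from the defending side, to audit your own web server access logs for requests to these documentation paths. The following is an added example, not part of APIDetector's code; it assumes logs in the common/combined log format, and the names `TIERS`, `audit` and `SAMPLE` are hypothetical.

```python
import re
from collections import defaultdict

# Path lists copied from the four risk tiers above.
TIERS = {
    "high": "/swagger-ui.html /swagger-ui/ /swagger-ui/index.html /api/swagger-ui.html "
            "/documentation/swagger-ui.html /swagger/index.html /api/docs /docs "
            "/api/swagger-ui /documentation/swagger-ui",
    "medium-high": "/openapi.json /swagger.json /api/swagger.json /swagger.yaml /swagger.yml "
            "/api/swagger.yaml /api/swagger.yml /api.json /api.yaml /api.yml "
            "/documentation/swagger.json /documentation/swagger.yaml /documentation/swagger.yml",
    "medium": "/v2/api-docs /v3/api-docs /api/v2/swagger.json /api/v3/swagger.json "
            "/api/v1/documentation /api/v2/documentation /api/v3/documentation "
            "/api/v1/api-docs /api/v2/api-docs /api/v3/api-docs /swagger/v2/api-docs "
            "/swagger/v3/api-docs /swagger-ui.html/v2/api-docs /swagger-ui.html/v3/api-docs "
            "/api/swagger/v2/api-docs /api/swagger/v3/api-docs",
    "lower": "/swagger-resources /swagger-resources/configuration/ui "
            "/swagger-resources/configuration/security /api/swagger-resources /api.html",
}
# Normalise away the trailing slash so /swagger-ui and /swagger-ui/ both match.
PATH_TIER = {p.rstrip("/"): t for t, paths in TIERS.items() for p in paths.split()}

# Assumed log layout: client ident user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def audit(lines):
    """Return ({path: tier} for listed paths answered with 200, {client: request count})."""
    exposed, probers = {}, defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, target, status = m.groups()
        path = target.split("?", 1)[0].rstrip("/")  # drop query string and trailing slash
        tier = PATH_TIER.get(path)
        if tier is None:
            continue  # not a documentation path from the lists above
        probers[client] += 1
        if status == "200":
            exposed[path] = tier
    return exposed, dict(probers)

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /swagger-ui.html HTTP/1.1" 404 153',
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /v3/api-docs?group=all HTTP/1.1" 200 48211',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /swagger-resources/ HTTP/1.1" 200 312',
    '198.51.100.4 - - [10/Jan/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

A 200 on a listed path still needs confirming against the actual response body, since catch-all pages also answer 200 for paths that serve no documentation.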
Installation & Use
Copyright (c) 2024 Rafael