Skip to content

GlitchOrb/APISecurityEngine

Repository files navigation

APISecurityEngine

@GlitchOrb

An API security testing automation tool that ingests OpenAPI/GraphQL/gRPC definitions, generates automated test plans, executes them with safety controls, and produces evidence-based reports mapped to OWASP API Top 10:2023.

스크린샷 2026-02-26 125214

Requirements

  • Python 3.12+
  • uv (recommended) or pip

Installation & Setup

Using uv:

# Clone the repository
git clone https://github.com/GlitchOrb/APISecurityEngine.git
cd APISecurityEngine

# Install dependencies and sync environment
uv sync

# Run the CLI
uv run ase --help

Development

# Install pre-commit hooks
uv run pre-commit install

# Run tests
uv run pytest

# Type checking
uv run mypy apisecurityengine/ tests/

# Linting & Formatting
uv run ruff check .
uv run ruff format .

CLI Usage

APISecurityEngine is designed with safety first. It requires explicit flags to perform invasive tests.

# Get help
ase --help

# Scan a target safely (Dry Run)
# --dry-run parses the specification and looks for structural vulnerabilities 
# but DOES NOT send any mutative traffic to the target server.
ase scan --target https://api.example.com --dry-run

# Execute full destructive tests
# --proof-mode removes safety guards and executes real mutative payloads 
# (e.g., Mass Assignment POSTs, DELETE requests) against the target.
ase scan --target https://api.example.com --openapi schema.yaml --proof-mode

Try it now in your browser

Want to see the engine in action without installing anything locally? Spin up a safe, sandboxed Cloud Shell environment with a pre-configured dangerously vulnerable mock API.

Open in Cloud Shell

Security Posture & Incident Patterns

APISecurityEngine includes checks and guidance for common real-world API incident patterns, such as:

  • Authorization bypass patterns (BOLA/IDOR) and role boundary violations
  • Weak authentication and token handling pitfalls
  • Unrestricted resource consumption (rate limiting / cost amplification)
  • SSRF-style URL fetch misuse
  • Security misconfiguration signals (CORS/headers/debug endpoints)
  • Improper API inventory exposure and forgotten endpoints
  • Secrets hygiene: preventing API keys/tokens from leaking into source control

Note: APISecurityEngine is a testing and validation tool. It does not “patch” CVEs automatically; it helps identify risky patterns and provides recommended defenses.

OWASP API Top 10:2023 Heuristic / Execution Check CWE Relevance Defense Snippet Guide
API1: BOLA Cross-profile parameter swapping (/users/{id} vs Profile B) CWE-284 Object-Level Auth Defenses
API2: Broken Auth Unauthenticated execution on routes mapping requires_auth=True CWE-306 Secrets Hygiene Scanners
API3: BOPLA Permissive payload insertions ("is_admin": true) CWE-915 Explicit DTO Serialization Models
API4: Resource Consumption Enumerating missing limits/page schemas on collections CWE-770 Implement Upper bounds pagination
API5: BFLA Profile A executions against isolated admin/dashboard domains CWE-285 Function-Level Auth Guards
API6: Sensitive Flows Tracing business heuristics (checkout, transfer) CWE-799 Rate Limits & Bot Defenses
API7: SSRF Metadata IPs/Localhost pinging injected via URL query parameters CWE-918 SSRF & Rebinding Protections
API8: Misconfigurations Trace/OPTIONS header evaluations and CORS misalignments CWE-16 Enforce Global Proxies Security Headers
API9: Improper Inventory Routing bypass attempts natively against version shifting (e.g. /v2/) CWE-1059 Deprecate and 404 old environments
API10: Unsafe Consumption Unprotected webhook validations mapping omitted signature parameters CWE-300 Always demand HMAC Webhook Signatures

About

API security testing engine for detecting OWASP API vulnerabilities and business logic flaws.

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors