Autoswagger: Open-source tool to expose hidden API authorization flaws


Autoswagger is a free, open-source tool that scans OpenAPI-documented APIs for broken authorization vulnerabilities. These flaws still affect even large enterprises with mature security teams and pose a serious threat because attackers can exploit them with little technical skill.

Autoswagger begins by detecting API schemas across a range of common formats and locations, starting with a list of an organization’s domains. It scans for OpenAPI and Swagger documentation pages, sending requests to each host to locate valid schemas. Once identified, it parses the API specifications and automatically generates a list of endpoints to test, taking into account each endpoint’s definition, required parameters, and expected data types.

From there, Autoswagger executes targeted scans to identify broken authorization flaws by:

  • Sending requests to each endpoint using valid parameters pulled from the documentation.
  • Flagging endpoints that return a valid response instead of expected HTTP 401 or 403 errors, which would normally indicate proper access control.
  • Highlighting endpoints where authentication is missing or ineffective.
  • For more advanced use cases, Autoswagger can be run with the --brute flag to simulate bypassing validation checks. This helps uncover flaws in endpoints that require specific data formats or values, which may reject generic input.

It then analyzes every successful response for signs of exposed sensitive data, such as PII, credentials or internal records, and adds each endpoint that lacks proper authentication and exposes sensitive information to the output report.
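As an added illustration of the check described above (example code written for this article, not Autoswagger's own implementation), the following Python audit enumerates the operations of an OpenAPI document, fills path parameters from their declared types, calls each operation without credentials, and applies the same rule: a 401 or 403 means access control is working, a 2xx reply is a finding, and a 2xx body containing PII-like keys is reported as sensitive exposure. The sample spec, the canned responses and the key list are constructed assumptions; the stand-in client would be replaced by a real HTTP call against an API you are authorised to test.

```python
import json
# Constructed sample spec and canned responses (assumptions, not a real API) so the
# example runs offline: one leaky endpoint, one protected, one rejecting generic input.
SAMPLE_SPEC = {"openapi": "3.0.0", "paths": {
    "/users/{id}": {"get": {"parameters": [
        {"name": "id", "in": "path", "schema": {"type": "integer"}}]}},
    "/admin/config": {"get": {}}, "/orders": {"post": {}},
}}
FAKE_RESPONSES = {
    "GET /users/1": (200, '{"id": 1, "email": "a@example.test", "roles": ["user"]}'),
    "GET /admin/config": (403, '{"error": "forbidden"}'),
    "POST /orders": (422, '{"error": "missing field: sku"}'),
}
fake_send = lambda method, path: FAKE_RESPONSES[f"{method} {path}"]  # stand-in HTTP client
SENSITIVE_KEYS = {"email", "password", "ssn", "token", "api_key", "secret"}
TYPE_PLACEHOLDERS = {"integer": "1", "number": "1.0", "boolean": "true"}

def enumerate_operations(spec):
    """Yield (METHOD, path) per documented operation, path params filled by declared type."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in ("get", "post", "put", "patch", "delete"): continue  # shared keys
            filled = path
            for p in op.get("parameters", []):
                if p.get("in") == "path":
                    value = TYPE_PLACEHOLDERS.get(p.get("schema", {}).get("type"), "test")
                    filled = filled.replace("{%s}" % p["name"], value)
            yield method.upper(), filled

def sensitive_keys(data):
    """Recursively collect JSON keys that look like PII or credentials."""
    if isinstance(data, dict):
        own = {k.lower() for k in data if k.lower() in SENSITIVE_KEYS}
        return own.union(*map(sensitive_keys, data.values()))
    return set().union(*map(sensitive_keys, data)) if isinstance(data, list) else set()

def classify(status, body):
    """Article's rule: 401/403 is correct; a 2xx to an unauthenticated call is a finding."""
    if status in (401, 403):
        return "protected"
    if 200 <= status < 300:
        try:
            keys = sensitive_keys(json.loads(body))
        except ValueError:  # non-JSON body: still unauthenticated, just no key scan
            keys = set()
        return "exposed-sensitive" if keys else "unauthenticated"
    return "inconclusive"  # e.g. validation rejected the generic values (see --brute)

def audit(spec, send=fake_send):  # call each operation without credentials, classify reply
    return {f"{m} {p}": classify(*send(m, p)) for m, p in enumerate_operations(spec)}
```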

Daniel Andrew, Head of Security at Intruder, warned that exposing API documentation increases your attack surface. He advised teams to avoid publishing API documentation unless absolutely required as part of a defense-in-depth strategy. “The lesson here is, in addition to regular API scanning after each development iteration, that you shouldn’t publicly document your APIs unless you can’t avoid it. Without a ‘map,’ this kind of vulnerability becomes much harder for attackers to exploit.”

Autoswagger is available for free on GitHub.
