tl;dr We released OpenAPI.security, an online tool that runs a dozen security tests against any OpenAPI/Swagger-based API, with no signup or email required.
Our team at Escape is mainly focused on securing GraphQL APIs. For this, we developed a new approach called feedback-driven API exploration: it infers the right security test cases to run from the specification, using a carefully crafted in-house graph traversal algorithm. We published a more in-depth review of this algorithm in another post.
At Escape, we often organize internal hackathons. They are a way to learn new things, but also to experiment with our internal tools and discover new applications for them. After the success of GraphQL.Security, this time we wondered whether our feedback-driven exploration could be applied to good old REST APIs as well, and we ended up creating OpenAPI.Security.
The concept is simple: anybody can submit an OpenAPI / Swagger specification, and OpenAPI.Security will run a set of security tests against it and return a report. It is designed to be fast and selective in the way it analyzes input specs, deriving the tests it runs from what the specification declares.
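To make the spec-driven idea concrete, here is an added illustrative sketch. It is not Escape's code and not the graph traversal algorithm the post refers to; it only shows the shape of the problem. It reads a constructed OpenAPI 3 document held inline (no YAML dependency, so it runs offline), links operations whose path parameters match fields returned by other operations, orders them so that producers run before consumers, and picks candidate test cases from what each operation declares. The operationIds, the sample paths and the test-case labels are assumptions made for this illustration.

```python
"""Sketch of spec-driven test-case inference for an OpenAPI 3 document.

Added illustration, not Escape's implementation. The spec below is constructed
for the example; operationIds and test-case names are assumptions.
"""
import re
from collections import deque

PATH_PARAM = re.compile(r"\{([^}]+)\}")

def _json_schema(props):
    return {"content": {"application/json": {"schema": {"type": "object", "properties": props}}}}

# Constructed OpenAPI 3 document: three protected operations and one that declares no security.
SPEC = {
    "openapi": "3.0.0",
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/users": {"post": {
            "operationId": "createUser", "security": [{"bearer": []}],
            "requestBody": {"required": True, **_json_schema({"email": {"type": "string"}})},
            "responses": {"201": _json_schema({"userId": {"type": "string"}})}}},
        "/users/{userId}": {"get": {
            "operationId": "getUser", "security": [{"bearer": []}],
            "parameters": [{"name": "userId", "in": "path", "required": True, "schema": {"type": "string"}}],
            "responses": {"200": _json_schema({"userId": {"type": "string"}, "email": {"type": "string"}})}}},
        "/users/{userId}/orders": {"post": {
            "operationId": "createOrder", "security": [{"bearer": []}],
            "parameters": [{"name": "userId", "in": "path", "required": True, "schema": {"type": "string"}}],
            "requestBody": {"required": True, **_json_schema({"sku": {"type": "string"}})},
            "responses": {"201": _json_schema({"orderId": {"type": "string"}})}}},
        "/orders/{orderId}": {"get": {
            "operationId": "getOrder",  # no 'security' key and no global security: worth a test
            "parameters": [{"name": "orderId", "in": "path", "required": True, "schema": {"type": "string"}}],
            "responses": {"200": _json_schema({"orderId": {"type": "string"}, "total": {"type": "number"}})}}},
    },
}

def operations(spec):
    """Flatten paths into (operationId, method, path, operation) tuples in document order."""
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in {"get", "post", "put", "patch", "delete"}:
                ops.append((op.get("operationId", f"{method}:{path}"), method.lower(), path, op))
    return ops

def produced_fields(op):
    """Property names returned in JSON bodies of 2xx responses; these can feed later requests."""
    fields = set()
    for status, resp in op.get("responses", {}).items():
        if str(status).startswith("2"):
            schema = resp.get("content", {}).get("application/json", {}).get("schema", {})
            fields.update(schema.get("properties", {}).keys())
    return fields

def consumed_params(path):
    """Path parameter names such as {userId} that must be filled before the request can be sent."""
    return set(PATH_PARAM.findall(path))

def build_graph(spec):
    """Edge producer -> consumer when a consumer's path parameter name matches a field the producer returns."""
    ops = operations(spec)
    edges = {oid: [] for oid, *_ in ops}
    for pid, _, _, pop in ops:
        out = produced_fields(pop)
        for cid, _, cpath, _ in ops:
            if cid != pid and consumed_params(cpath) & out:
                edges[pid].append(cid)
    return edges

def exploration_order(spec):
    """Kahn topological sort: send producers before the requests that need their output."""
    edges = build_graph(spec)
    indeg = {n: 0 for n in edges}
    for dsts in edges.values():
        for d in dsts:
            indeg[d] += 1
    queue = deque(n for n in edges if indeg[n] == 0)
    order = []
    while queue:
        n = queue.popleft()
        order.append(n)
        for d in edges[n]:
            indeg[d] -= 1
            if indeg[d] == 0:
                queue.append(d)
    if len(order) != len(edges):
        raise ValueError("cycle in operation dependencies: a seed value must be supplied by hand")
    return order

def infer_test_cases(spec):
    """Choose candidate test cases per operation from what the spec declares (labels are assumptions)."""
    global_sec = bool(spec.get("security"))
    cases = {}
    for oid, method, path, op in operations(spec):
        protected = bool(op.get("security")) or (global_sec and "security" not in op)
        tests = []
        if not protected:
            tests.append("unauthenticated_access")   # spec declares no auth: confirm and flag it
        else:
            tests.append("missing_token_rejected")   # request without credentials must get 401/403
            if consumed_params(path):
                tests.append("bola_cross_tenant_id") # same request with an id owned by another principal
        if method in {"post", "put", "patch"} and "requestBody" in op:
            tests.append("schema_fuzz_body")         # mutate the declared body schema
        cases[oid] = tests
    return cases

if __name__ == "__main__":
    print("order:", exploration_order(SPEC))
    for oid, tests in infer_test_cases(SPEC).items():
        print(f"{oid}: {tests}")
```

The dependency edges are inferred purely from name matching between response properties and path parameters, which is the weak point of a static approach: real specs reuse names loosely, and only the responses observed at run time tell you whether a value actually worked. That feedback loop, which the post describes and this sketch does not implement, is what lets an engine refine both the order and the test selection as it goes.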
Since it worked quite well, we wanted to share it with the community as well. It is a side project for now, but we would love to hear your feedback!