Home
Softono
apiscanner

apiscanner

Open source Python
GitHub
12
Stars
3
Forks
0
Issues
1
Watchers
1 month
Last Commit
API Tools Vulnerability Scanning

About apiscanner

APISCAN is a Swagger-driven API security tool for security specialists and auditors, focused on OWASP API Top 10 coverage and evidence-based reporting.

Platforms

Web Self-hosted

Languages

Python

Links

Source Code
p
Published by
perrym
Visit View Profile

README.md

View on GitHub
## **APISCAN OWASP 4.0 APIscanner by Perry Mertens**

Author: Perry Mertens ([email protected])
Year: 2026 Perry Mertens
Version: 4.0 (Release)
License: GNU Affero General Public License v3.0 (AGPL-v3.0)

APISCAN is an API vulnerability scanner that proactively identifies security risks by testing against the OWASP API Security Top 10 (2023). It uses your OpenAPI/Swagger specification to generate realistic attack payloads and detect issues such as Broken Object Level Authorization (BOLA), Broken Authentication, Excessive Data Exposure, and other critical API vulnerabilities. It understands OpenAPI/Swagger, supports multiple authentication flows, provides a plan/verify workflow, includes a generic sanitizer/rewrites, and writes HTML artifacts.

APISCAN: AI-assisted API security for specialists. APISCAN is not a scanner that guesses; it proves. It tests. It observes. Then models explain the risk with evidence attached. That’s how you make AI useful in security.

License

APISCAN is licensed under the AGPL-v3.0.

If you modify APISCAN and make it available as a hosted service, you must make the complete corresponding source code available under the same license.

What is APISCAN

APISCAN focuses on API-specific risks instead of generic web scanning.
It is built for testing APIs against the OWASP API Security Top 10 (2023), with one module per risk area and HTML reporting suitable for auditors and developers.

What is new in v4.0

APISCAN v4.0 dashboard

  • Beter scanner and new reporting
  • Generic sanitizer
  • Universal header overrides
  • ID and sample generation
  • Improved planning and verification workflow
  • Adaptive retry logic
  • SQLite evidence database
  • Optional AI-assisted analysis (API11)

Install

python -m venv .venv
source .venv/bin/activate     # Linux/macOS
# .venv\Scripts\activate    # Windows

pip install -r requirements.txt

Setup and environment

Before running APISCAN, configure your environment and optional AI tooling.

Environment setup

python setup.py
# Validates Python dependencies and environment
# Creates/updates .env.example and requirements.txt

LLM / AI providers (optional)

python llmsetup.py
# Configure Ollama / OpenAI / Anthropic / DeepSeek
# Saves settings and writes apiscan_env.sh / apiscan_env.ps1 helper scripts

Quick start

python apiscan.py --url https://api.example.com --swagger openapi.json --flow token --token "<ACCESS_TOKEN>" --verify-plan

Quick mode and full scan

API10 (Unsafe Consumption of APIs) runs in quick mode by default. This keeps normal scans fast by limiting Phase 2 to the most promising endpoints and capping quick SQL testing.

Defaults:

  • APISCAN_API10_QUICK=1
  • APISCAN_API10_QUICK_MAX_ENDPOINTS=20
  • APISCAN_API10_QUICK_SQL_MAX_TESTS=10
  • APISCAN_API10_QUICK_DIRTRAV_MAX_TESTS=8
  • APISCAN_API10_QUICK_HPP_MAX_PARAMS=3
  • APISCAN_API10_QUICK_REDIRECT_MAX_TESTS=6
  • APISCAN_RATE_LIMIT=0

PowerShell:

# Default quick mode
$env:APISCAN_API10_QUICK="1"

# Optional quick tuning
$env:APISCAN_API10_QUICK_MAX_ENDPOINTS="20"
$env:APISCAN_API10_QUICK_SQL_MAX_TESTS="10"

# Full API10 scan
$env:APISCAN_API10_QUICK="0"

# Deep scan, slower and more intensive
$env:APISCAN_DEEP_SCAN="1"

Bash/Linux/macOS:

# Default quick mode
export APISCAN_API10_QUICK=1

# Optional quick tuning
export APISCAN_API10_QUICK_MAX_ENDPOINTS=20
export APISCAN_API10_QUICK_SQL_MAX_TESTS=10

# Full API10 scan
export APISCAN_API10_QUICK=0

# Deep scan, slower and more intensive
export APISCAN_DEEP_SCAN=1

Usage examples

Bearer token

python apiscan.py --url https://api.example.com --swagger openapi.json --flow token --token "<ACCESS_TOKEN>"

API key

python apiscan.py --url https://api.example.com --swagger openapi.json --flow none --apikey "<KEY>" --apikey-header "X-API-Key"

OAuth2 Client Credentials

python apiscan.py --url https://api.example.com --swagger openapi.json --flow client --client-id "<ID>" --client-secret "<SECRET>" --token-url "https://idp/token"

Proxy / Burp

python apiscan.py --url https://api.example.com --swagger openapi.json --flow token --token "<TOKEN>" --proxy 127.0.0.1:8080 --insecure

Plan-only

python apiscan.py --url https://api.example.com --swagger openapi.json --plan-only

Advanced usage

Extra headers

--extra-header "x-tenant-id: acc"
--extra-header "x-feature-flag: beta"

IDs file

--ids-file ids.json

Sanitizer and rewrites

--no-sanitize
--rewrite "/identity/api/v2=>/identity/api/v7/"
--normalize-version

AI-assisted analysis

export LLM_PROVIDER=openai_compat
export LLM_MODEL=gpt-4o-mini
export LLM_API_KEY=sk-...

python apiscan.py --url https://api.example.com --swagger openapi.json --api11

Output and reports

  • review.html
  • combined_report.html
  • Per-risk HTML reports
  • SQLite database results.db
  • Logs apiscan_*.log

Notes

  • Only test APIs you are authorized to test.
  • Start with --plan-only to avoid accidental traffic.
  • Use retry options for unstable endpoints.

Links

© 2026 Perry Mertens [email protected]. Released under the AGPL-v3.0 License.