How Escape’s agentless API discovery technology works

Alexandra Charikova -

What's the most challenging aspect of securing the APIs? You can't secure what you can't see.

What's the most challenging aspect of API security - by Director of Information Security & Privacy at the US tech company

As an Application Security Engineer, your first challenge is gaining visibility into the services exposed by your company's developers. Traditional solutions like Noname (now part of Akamai) and Salt Security help to build API inventory but come with significant drawbacks. These solutions typically require access to API traffic through the deployment of agents or integration with API gateways and proxies. This setup not only involves handling sensitive data but also presents challenges in configuration and maintenance.

We discussed these issues with many AppSec engineers, VP of Application/Product Security, and CISOs, and based on their personal experience or discussions with their peers, they strongly doubt that current API Security solutions could meet their needs. This feedback was crucial for us to get started on solving the problem.

So, we built Escape's agentless technology. Designed to address the common issues faced by security professionals, Escape provides comprehensive API discovery that is quick to deploy, does not require access to customer data, and ensures visibility even for APIs outside traditional security layers such as API gateways, WAFs, or proxies.

In this article, you can discover how it's done.

Escape’s unique agentless technology

Escape’s unique agentless technology reinvents API discovery by addressing the limitations of traditional methods. Unlike conventional solutions that rely on intrusive traffic monitoring and complex setups, Escape uses a sophisticated combination of techniques to identify and inventory APIs by scanning exposed source code.

Subdomain enumeration

Escape begins by performing subdomain enumeration. This process involves scanning for all subdomains associated with the main domain you previously entered into the platform. Subdomains often host APIs or services that may not be immediately apparent. By identifying these subdomains, Escape can uncover additional endpoints that might otherwise be missed. This initial step lays the foundation for a comprehensive discovery process.

AI-powered fingerprinting

Once subdomains are identified, Escape employs AI-powered fingerprinting to recognize and classify the APIs. Fingerprinting involves analyzing various characteristics of the APIs, such as their structure, endpoints, and response patterns. The AI algorithms used by Escape can detect and categorize different API types (REST, GraphQL, gRPC) with high accuracy. This machine learning-based approach ensures that APIs are identified and classified correctly, even if they have unique or non-standard configurations.

OSINT techniques

Escape also leverages Open Source Intelligence (OSINT) techniques. OSINT involves gathering and analyzing publicly available information to enhance the discovery process. By examining code repositories, documentation, and other public resources, Escape can identify additional API endpoints and services. This technique helps in discovering APIs that are not directly exposed but can still be found through public information.

The advantages of Escape's API discovery

Simplicity and speed

One of the key advantages of Escape’s technology is its simplicity. To get started, you only need to provide your domain name. From there, Escape handles the rest, drawing up a detailed inventory of your APIs in just a few minutes. This eliminates the need for extensive configuration or manual intervention, making the process straightforward and efficient.

Non-intrusiveness

Escape’s agentless approach means that it does not require any installation or access to live API traffic. Traditional solutions often need to be integrated into your environment and may involve capturing and analyzing traffic, which can be intrusive and raise privacy concerns. Escape’s method avoids these issues by working entirely from the outside, reducing the risk of impacting your systems or accessing sensitive data.

Detection of APIs even outside of API gateways, WAFs or proxies

Another significant benefit of Escape’s technology is its ability to detect Shadow APIs. Shadow APIs are those that are exposed but not documented or actively managed. Traditional API security solutions rely on observing API traffic, often through agent deployment, API Gateway, or proxy integration. Shadow APIs, deployed outside gateways and proxies, may go unnoticed, creating blind spots. Escape’s approach, however, can identify these APIs through its comprehensive scanning and fingerprinting techniques.

Comprehensive API Inventory

Escape not only discovers and classifies APIs but also provides a thorough inventory that includes detailed information about each API's endpoints, types, and associated risks.

This inventory is continuously updated, ensuring that you have a current view of all your exposed APIs. Integration with development tools and cloud providers further enriches this data, offering insights into the APIs’ environments and configurations. You can find a complete list of details included in the inventory in the next sections .

Automated API schema generation in API inventory

We understand that not all APIs have an available specification, and even when they do, ensuring its validity can be challenging. We also recognize that manually authoring a specification is not a task most developers enjoy. However, having one is crucial for providing more context to the API service and its schema. That's why we've integrated automated specification generation into Escape.

In our current approach, we focused on two things:

  • Semantic Analysis: We identify key code fragments using custom rules (for example, using a specific Semgrep pattern), reducing the data sent to the LLM while improving prompt quality.
  • Specification Generation: Each identified fragment is processed individually by the LLM to generate OAS methods. Contextualization ensures accurate results by resolving dependencies and references within the code. Learn more about our research on this topic here (featured in tldr;sec)
💡
This approach helps Escape not only to generate API schemas but also continuously monitor for and detect any changes or versions in the API schema over time. This capability allows teams to track how their APIs evolve and ensure that all changes are documented and understood, reducing the risk of inconsistencies or integration issues.
Specification generated from the frontend code on the Escape platform

Benefits:

  • Efficiency: Focus on relevant code parts reduces processing time and costs compared to traditional methods.
  • Accuracy: Improved detection of endpoints and parameters enhances the quality of generated specifications without revealing proprietary algorithms.

You can learn more about Escape's schema generation tool here.

To sum up, Escape's spec gen feature allows you to generate your API schema, view all your up-to-date API schemas in the API inventory, and start scanning vulnerabilities immediately, reducing the time it takes to derive full value from Escape.

To use it, simply insert your domain name or, if your API service doesn't have a front-end, connect your account to your organization's GitHub, GitLab, or Bitbucket. This feature works seamlessly with any code repository.

What information can you access in Escape's API inventory?

In addition to providing a full view of all exposed API endpoints and associated API schemas in its API inventory, Escape also offers visibility and a deep understanding of various API characteristics:

The characteristics of the API and its environment

  • Production, staging, or development API
  • API type and framework: REST, GraphQL, SOAP, WebSocket, gRPC...
  • Cloud hosting: AWS, Azure, OVH...
  • Associated firewall: Cloudflare, AWS ELB, Azure WAF..

The risks associated with each exposed API

  • Leakage of sensitive data
  • External exposure
  • Disclosure of API schema
  • Lack of authentication or authorization
  • Critical vulnerabilities

The business logic of the API

  • Automatic generation of the Schema (OpenAPI) by generative AI
  • Detection of API creation date, API versions, and schema changes
  • Detection of Shadow, Zombie, Legacy APIs
  • Detection of similar or duplicate APIs

The API owner, including Business unit & Code owners

Conclusion

Our top priority was to achieve complete visibility and conduct detailed, valuable analysis. That’s exactly what the product delivers.” - Claude-Alain Sabatier, Director of IT Governance and Security.

In summary, Escape’s agentless technology stands out due to its use of subdomain enumeration, AI-powered fingerprinting, and OSINT techniques to provide a comprehensive and non-intrusive API discovery solution. Its simplicity, speed, and ability to detect hidden and outdated APIs make it an invaluable tool for maintaining visibility and security in complex digital environments.

With Escape, organizations can significantly reduce risk and enhance their API management and security strategies.

💡Want to learn more? Discover the following articles:

Discover your APIs in minutes

Get a complete inventory of your APIs and start fixing your vulnerabilities with detailed solutions for developers.

🚀 Get started now