Introducing OpenAPI.Security, a free tool to quickly check the security of REST APIs

tl;dr We released OpenAPI.Security, an online tool that performs a dozen security tests on any given OpenAPI/Swagger-based API, with no signup or email required.

Our team at Escape is mainly focused on securing GraphQL APIs. For this, we developed a new approach called feedback-driven API exploration: it infers the right security test cases to run from the specification, using a carefully crafted in-house graph traversal algorithm. We published a more in-depth description of this algorithm in another post.

At Escape, we often organize internal hackathons. It’s a way to learn new things, but also to experiment with our internal tools and discover new applications. After the success of GraphQL.Security, this time, we wondered if our feedback-driven exploration could be applied to good old REST APIs as well and ended up creating OpenAPI.Security.

The concept is simple: anybody can enter an OpenAPI/Swagger specification, and OpenAPI.Security will run a set of security tests against it and return a report. It is designed to be fast and to pick its tests from what the input spec actually declares.
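As an added illustration of what "deriving tests from the spec" can mean, here is a small spec-driven checker written for this post. It is not OpenAPI.Security's own code and makes no claim about which tests that tool runs; the three checks (non-HTTPS server URLs, API keys carried in the query string, and operations that end up with no security requirement) are common findings chosen for the example, and `SAMPLE_SPEC` is a constructed OpenAPI 3 document, not a real API.

```python
"""Static security checks over an OpenAPI 3 document.

Added example for this post; not OpenAPI.Security's implementation.
The checks below are illustrative assumptions about what a spec-driven
tool might look for, not a description of that tool's test suite.
"""

# Constructed sample spec (hypothetical API) exercising each check once.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Demo", "version": "1.0"},
    "servers": [{"url": "http://api.example.test/v1"}],
    "components": {
        "securitySchemes": {
            "bearer": {"type": "http", "scheme": "bearer"},
            "key_in_query": {"type": "apiKey", "in": "query", "name": "api_key"},
        }
    },
    # Global requirement: every operation needs a bearer token unless it
    # overrides this list itself.
    "security": [{"bearer": []}],
    "paths": {
        "/users/{id}": {
            "get": {"summary": "Read a user"},
            # An empty list explicitly disables authentication for this operation.
            "delete": {"summary": "Delete a user", "security": []},
        },
        "/reports": {
            "get": {"summary": "List reports", "security": [{"key_in_query": []}]},
        },
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def check_servers(spec):
    """Flag server URLs that are not served over TLS."""
    findings = []
    for server in spec.get("servers", []):
        url = server.get("url", "")
        if not url.lower().startswith("https://"):
            findings.append(("plaintext-server", url))
    return findings


def check_security_schemes(spec):
    """Flag apiKey schemes passed in the query string (logged by proxies and servers)."""
    findings = []
    schemes = spec.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        if scheme.get("type") == "apiKey" and scheme.get("in") == "query":
            findings.append(("api-key-in-query", name))
    return findings


def check_operations(spec):
    """Flag operations whose effective security requirement is empty.

    OpenAPI resolution rule: an operation-level `security` list replaces the
    global one; an absent key inherits the global list; an empty list `[]`
    removes all requirements; an empty object `{}` in the list makes
    authentication optional.
    """
    findings = []
    global_security = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            effective = op.get("security", global_security)
            target = f"{method.upper()} {path}"
            if not effective:  # None (declared nowhere) or [] (explicitly disabled)
                findings.append(("unauthenticated-operation", target))
            elif any(req == {} for req in effective):
                findings.append(("optional-authentication", target))
    return findings


def run_checks(spec):
    """Run every check and return the combined list of (kind, target) findings."""
    return check_servers(spec) + check_security_schemes(spec) + check_operations(spec)


if __name__ == "__main__":
    for kind, target in run_checks(SAMPLE_SPEC):
        print(f"{kind}: {target}")
```

Note that `GET /reports` is not reported as unauthenticated: its query-string API key is a valid requirement at the operation level, and the weakness is reported once against the scheme instead. Feeding the checker a real spec means loading the JSON or YAML into the same dict shape before calling `run_checks`.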

Since it worked quite well, we wanted to share it with the community. It's a side project for now, but we would love to have your feedback!

https://openapi.security/

Food for thought

💡 Wanna learn about GraphQL testing? Read our blog article "How to test your GraphQL API?".