Safeguard
AppSec

API Security Scanning: What Good Tools Actually Catch

API security scanning explained in terms of the specific failure classes it catches, from broken object-level authorization to shadow endpoints, and why generic web scanners miss most of them.

Safeguard Research Team
Research
Updated 5 min read

API security scanning is the practice of testing API endpoints, using their schema definitions rather than a browser crawl, for authorization flaws, data exposure, and abuse conditions that generic web scanners are structurally unable to find. The distinction matters because most modern applications are API-first: the browser or mobile client is a thin layer over a set of REST or GraphQL endpoints, and generic DAST scanning tools built for HTML pages never see the actual attack surface. This post walks through the specific failure classes a good API scanner catches and why they're hard to find any other way.

What is broken object-level authorization, and why does it dominate the findings?

Broken object-level authorization (BOLA) happens when an API checks that a user is authenticated but doesn't verify they're authorized to access the specific object requested, so changing an ID in the request URL or body returns another user's data. It sits at the top of the OWASP API Security Top 10 for a reason: it's the single most common real-world API vulnerability class, and it's invisible to tools that don't actually authenticate as two different users and compare responses. A good API scanner runs authenticated flows as multiple distinct identities and flags responses where one user's session can read or modify another user's resource. This requires understanding the API's data model, not just its surface syntax, which is why schema-aware tools catch it and generic crawlers largely don't.

What does excessive data exposure look like in practice?

Excessive data exposure happens when an endpoint returns a full internal object, including fields like password hashes, internal IDs, or PII that the client never displays but the response body still contains. Developers commonly rely on the frontend to filter which fields get shown, forgetting that the raw API response is inspectable by anyone with browser developer tools or an intercepting proxy. A capable scanner diffs the full response payload against what the documented schema says should be returned, and flags any field that leaks beyond the intended contract. This is a purely structural check, no exploit chain needed, which makes it one of the highest-signal, lowest-effort findings a scanner can produce.

Can a scanner find endpoints that were never documented?

Yes, and this is one of the more valuable things modern API scanners do: they discover shadow and zombie endpoints by combining traffic observation, gateway logs, and code-level route extraction, rather than relying solely on a submitted OpenAPI spec. Shadow endpoints are routes that exist in the running service but were never added to the documented schema, often left behind by a feature that shipped without updating the spec. Zombie endpoints are old versions of an API still reachable in production after clients migrated to a newer version. Both categories are invisible to schema-only scanning and require traffic or code correlation to surface, which is part of what Safeguard's SAST/DAST integration does by tying discovered routes back to the source repository that defines them.

How do good tools handle rate limiting and resource-consumption abuse?

Good API scanners test for unrestricted resource consumption by sending sequences of requests designed to detect missing rate limits, unbounded pagination, and expensive query patterns, particularly in GraphQL where a single query can be crafted to fan out into an enormous number of backend calls. GraphQL's flexible query structure makes this category especially important: a naive scanner testing only fixed REST paths will miss query-depth and query-complexity abuse entirely, since the vulnerability lives in how the query is shaped rather than which endpoint is hit. A scanner needs GraphQL-aware logic, not generic HTTP fuzzing, to catch this class reliably.

What's the difference between scanning against a spec and scanning against traffic?

Scanning against a spec (OpenAPI/Swagger, GraphQL introspection) gives structured, fast coverage of every documented parameter and response type, while scanning against observed traffic catches real usage patterns and undocumented behavior the spec doesn't describe. The two approaches are complementary rather than competing: spec-based scanning is systematic and repeatable, traffic-based scanning catches drift between what's documented and what's actually deployed. Programs that only do one or the other end up with either total coverage of a stale spec, or partial coverage of what happened to be exercised in the traffic sample. Combining both, which is the direction most mature API security scanning products have moved, closes that gap.

FAQ

Does API security scanning replace a web application firewall?

No. Scanning finds vulnerabilities before or during development so they can be fixed; a WAF is a runtime mitigation layer that blocks known-bad request patterns. Relying on a WAF alone leaves the underlying flaw in place and only filters the exploitation attempts a WAF's rules happen to recognize. Dynamic scanning tools and a WAF are complementary, not interchangeable — one closes the flaw, the other buys time while it's fixed.

How does API security scanning relate to API security posture management?

Scanning finds vulnerabilities in individual endpoints; posture management is the broader practice of inventorying every API across an organization, including undocumented ones, and tracking their security state over time. Scanning is one input into a posture management program, not a substitute for it.

Can API scanning be run in CI/CD?

Yes, and it should be. Schema-aware scanners can run against a staging deployment on every merge to a release branch, catching authorization regressions before they reach production, in the same way SAST catches code-level issues on pull requests.

Do REST and GraphQL APIs need different scanning approaches?

Largely yes. REST scanning works from defined paths and methods; GraphQL scanning has to understand query structure, depth, and introspection to catch abuse patterns unique to a single flexible endpoint. A tool strong at one doesn't automatically transfer that strength to the other.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.