OpenAPI · OWASP API Top 10

API Security Scan

Audit an OpenAPI / Swagger contract against the OWASP API Security Top 10 (2023). Give us a spec URL (we probe well-known paths like /openapi.json) or paste the spec, and we analyse authentication, function- and object-level authorization, mass assignment, resource limits and transport — statically, with no traffic to your endpoints.

Pro feature

API Security Scan is a Pro tool

Specialized scans are part of ONEROXE Pro. Sign in and upgrade to run the API Security Scan.


Pro from ₹349/mo ($12/mo).

What this assesses

Authentication schemes & global security requirement (API2)
Operations exposed without authentication (API5)
Object-level authorization (BOLA) candidate endpoints (API1)
Mass-assignment risk in request bodies — additionalProperties / unconstrained schemas (API3)
Unrestricted resource consumption — collection endpoints lacking pagination (API4)
Transport & misconfiguration — HTTP servers, query API keys, spec exposure, deprecated ops (API8)
Full API inventory (paths, operations, schemes)

How it works

Read-only · static review of your API contract
  1. You give us an OpenAPI / Swagger spec (paste, upload or URL); we parse it statically.
  2. We audit it against the OWASP API Top 10 — missing authentication, BOLA/object-authz candidates, mass-assignment, unbounded pagination and insecure transport.
  3. The scan reviews the contract itself; when you supply a spec URL, the only network request made is the one that fetches that document.

What it doesn’t do: it accepts JSON specs only (YAML is not parsed), and it is a static contract review, not live authenticated API fuzzing.
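To make the static review concrete, here is an added illustration (not the scanner's own code) of the kind of checks a contract-only audit can perform. It parses an OpenAPI 3 JSON document and emits one finding per gap it recognises: no global security requirement (API2), operations callable without any security requirement (API5), id-parameterised operations flagged as BOLA candidates rather than confirmed bugs (API1), request bodies that accept undeclared properties (API3), array-returning GETs with no pagination parameter (API4), and plain-HTTP servers, query-string API keys and deprecated operations (API8). The sample contract is constructed for the example, and `$ref` resolution is deliberately left out (assumption: inline schemas).

```python
"""Static OWASP API Top 10 (2023) checks over an OpenAPI 3 JSON contract.

Added illustration, not the scanner's own code. The heuristics follow the
checks listed on the page; the sample spec is constructed for the example
and $ref resolution is deliberately omitted (assumption: inline schemas).
"""
import json

HTTP_METHODS = ("get", "put", "post", "delete", "patch")
PAGINATION_PARAMS = {"limit", "offset", "page", "cursor", "page_size", "per_page"}

# Constructed sample contract with one deliberate gap per check.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.test/v1"}],            # plain HTTP (API8)
    "components": {"securitySchemes": {
        "ApiKeyQuery": {"type": "apiKey", "in": "query", "name": "api_key"},  # key in URL (API8)
        "Bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/users": {
            "get": {"security": [{"Bearer": []}], "parameters": [],        # unpaginated list (API4)
                    "responses": {"200": {"content": {"application/json": {
                        "schema": {"type": "array", "items": {"type": "object"}}}}}}},
            "post": {"security": [{"Bearer": []}], "requestBody": {"content": {
                "application/json": {"schema": {"type": "object",           # open object (API3)
                    "properties": {"name": {"type": "string"}}}}}}}},
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {"security": [{"Bearer": []}]},                          # BOLA candidate (API1)
            "delete": {}},                                                  # no auth at all (API5)
        "/health": {"get": {"security": [], "deprecated": True}},         # anonymous + deprecated
    },
})


def audit(spec_json: str) -> list[tuple[str, str, str]]:
    """Return (owasp_id, location, message) findings for an OpenAPI 3 JSON document."""
    spec = json.loads(spec_json)
    findings = []
    global_sec = spec.get("security")
    if not global_sec:                                                      # API2
        findings.append(("API2", "root", "no global security requirement; operations must each opt in"))
    for server in spec.get("servers", []):                                  # API8: transport
        if server.get("url", "").lower().startswith("http://"):
            findings.append(("API8", server["url"], "server URL uses plain HTTP"))
    for name, scheme in spec.get("components", {}).get("securitySchemes", {}).items():
        if scheme.get("type") == "apiKey" and scheme.get("in") == "query":  # API8: key in URL
            findings.append(("API8", f"securitySchemes.{name}", "API key carried in the query string"))
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])          # path-item params apply to every operation
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            loc = f"{method.upper()} {path}"
            params = shared + op.get("parameters", [])
            # Operation-level `security` overrides the global one; an explicit `[]` disables it.
            sec = op.get("security", global_sec)
            if not sec:                                                     # API5
                findings.append(("API5", loc, "operation callable without any security requirement"))
            elif any(p.get("in") == "path" for p in params):                # API1 (candidate only)
                findings.append(("API1", loc, "id-parameterised operation: verify object ownership check"))
            if op.get("deprecated"):                                        # API8
                findings.append(("API8", loc, "deprecated operation still exposed"))
            body = op.get("requestBody", {}).get("content", {}).get("application/json", {}).get("schema", {})
            if body.get("type") == "object" and (
                    not body.get("properties") or body.get("additionalProperties", True) is not False):
                findings.append(("API3", loc, "request body accepts undeclared properties (mass assignment)"))
            if method == "get":                                             # API4
                resp = op.get("responses", {}).get("200", {}).get("content", {}) \
                         .get("application/json", {}).get("schema", {})
                query = {p.get("name") for p in params if p.get("in") == "query"}
                if resp.get("type") == "array" and not query & PAGINATION_PARAMS:
                    findings.append(("API4", loc, "collection response with no pagination parameter"))
    return findings


if __name__ == "__main__":
    for owasp_id, loc, msg in audit(SAMPLE_SPEC):
        print(f"{owasp_id:5} {loc:22} {msg}")
```

Note that the BOLA check is only ever a candidate list: `GET /users/{id}` is reported because it takes an object id under authentication, but whether the handler checks that the caller owns that id is invisible in the contract, which is exactly why the page says "candidates". An operation with no security requirement at all is reported once under API5 rather than twice, since the missing authentication is the more fundamental gap.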

Why it matters

APIs are now the primary attack surface, and most API breaches trace back to weaknesses that are visible in the contract itself — missing authorization, over-permissive request bodies, endpoints served over HTTP. Catching them in the spec is the cheapest possible point to fix them.

Frequently asked questions

Does this attack my API?

No. It is a static analysis of the OpenAPI/Swagger document. It does not send requests to your live endpoints — for exploitation-confirmed testing, use the Active or Deep scan with credentials.

It says BOLA “candidates” — why not confirmed?

Broken Object Level Authorization depends on server-side ownership checks that a spec cannot describe. We surface the operations most likely to be affected (id-parameterised reads/writes) so you can verify each one.

Why JSON only?

The tool ships without a YAML parser dependency. Most API tooling can export an OpenAPI document as JSON, or you can convert YAML to JSON before pasting.
