API Security Testing
API Scanning tests REST APIs for exploitable vulnerabilities. It reads your OpenAPI specification to enumerate endpoints, methods and parameters, then sends real attack payloads to each one and reports the vulnerabilities it was able to trigger.
How It Works
The scanning engine is shared with Application Scanning, meaning your APIs benefit from the same fuzzing technology and vulnerability research that powers web application testing. See How It Works for the full scanning methodology.
Key Capabilities
| Capability | Description |
|---|---|
| Spec-driven testing | Scans are built from your OpenAPI specification, so every documented endpoint is tested. Endpoints absent from the spec are not scanned, so keep the spec complete and current |
| Payload rotation | Rotates through extensive payload libraries per target, covering edge cases and bypass techniques |
| Authentication support | Supports OAuth 2.0, Basic Auth, and API key authentication schemes |
| Continuous monitoring | Schedule recurring scans to catch regressions as your API evolves |
| Prompt injection testing | Detects prompt injection vulnerabilities in AI and LLM-powered endpoints |
Coverage
API Scanning covers over 25 vulnerability types, including SQL injection, server-side template injection, command injection, SSRF, and prompt injection. See Coverage for the full list.
Getting Started
To begin testing your APIs:
- Prepare your OpenAPI specification
- Upload it to Detectify
- Configure authentication
- Run your first scan
See the Getting Started guide for detailed instructions.
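Before uploading a spec it is worth checking that it actually describes the surface you want scanned and that every security scheme it references is defined, since an operation that points at an undefined scheme cannot be authenticated. The script below is an added example, not Detectify code: it walks a constructed OpenAPI 3.0 document (the paths, scheme names and URLs are illustrative), lists every operation with the security scheme that applies to it (operation-level `security` overrides the top-level requirement, and an empty list means the operation is deliberately unauthenticated), and reports which schemes you will need credentials for, which operations will be hit without any authentication, and which scheme references are dangling.

```python
"""Enumerate what a spec-driven scanner will see in an OpenAPI 3.0 document.

Added example (not Detectify's code). Works on a plain dict, so a YAML spec
can be loaded with any YAML parser and passed in unchanged.
"""

# Constructed sample spec; hosts, paths and scheme names are illustrative.
OK = {"200": {"description": "OK"}}
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "1.0.0"},
    "servers": [{"url": "https://api.example.com/v1"}],
    # Top-level requirement: applies to every operation that does not override it.
    "security": [{"oauthClient": []}],
    "components": {
        "securitySchemes": {
            "oauthClient": {
                "type": "oauth2",
                "flows": {
                    "clientCredentials": {
                        "tokenUrl": "https://auth.example.com/token",
                        "scopes": {"orders:read": "Read orders"},
                    }
                },
            },
            "apiKeyHeader": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
            "basicAuth": {"type": "http", "scheme": "basic"},
        }
    },
    "paths": {
        "/orders": {
            "get": {"operationId": "listOrders", "responses": OK},
            # Operation-level override: this one wants an API key, not OAuth.
            "post": {"operationId": "createOrder", "security": [{"apiKeyHeader": []}], "responses": OK},
        },
        "/orders/{id}": {
            "get": {"operationId": "getOrder", "responses": OK},
            "delete": {"operationId": "deleteOrder", "security": [{"basicAuth": []}], "responses": OK},
        },
        # `security: []` explicitly disables authentication for this operation.
        "/health": {"get": {"operationId": "health", "security": [], "responses": OK}},
        # References a scheme that is never defined: a spec defect the scan would hit.
        "/admin/stats": {"get": {"operationId": "adminStats", "security": [{"adminToken": []}], "responses": OK}},
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def list_operations(spec):
    """Return sorted (METHOD, path, operationId, [scheme names]) for every operation."""
    global_security = spec.get("security", [])
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:  # skip "parameters", "summary", etc.
                continue
            # Absent key -> inherit global; present (even []) -> override.
            requirements = op.get("security", global_security)
            schemes = sorted({name for req in requirements for name in req})
            ops.append((method.upper(), path, op.get("operationId"), schemes))
    return sorted(ops, key=lambda o: (o[0], o[1]))


def _used_schemes(spec):
    return {name for *_, schemes in list_operations(spec) for name in schemes}


def required_schemes(spec):
    """Map each scheme some operation actually uses to its type (the credential kind to configure)."""
    defined = spec.get("components", {}).get("securitySchemes", {})
    return {name: defined[name]["type"] for name in sorted(_used_schemes(spec)) if name in defined}


def unauthenticated_operations(spec):
    """Operations the scanner will reach with no credentials at all."""
    return [(m, p) for m, p, _, schemes in list_operations(spec) if not schemes]


def undefined_scheme_references(spec):
    """Scheme names referenced by operations but missing from components.securitySchemes."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    return sorted(_used_schemes(spec) - defined)


if __name__ == "__main__":
    for method, path, op_id, schemes in list_operations(SAMPLE_SPEC):
        print(f"{method:6} {path:15} {op_id or '-':12} auth={schemes or 'NONE'}")
    print("schemes to configure:", required_schemes(SAMPLE_SPEC))
    print("unauthenticated:", unauthenticated_operations(SAMPLE_SPEC))
    print("undefined scheme references:", undefined_scheme_references(SAMPLE_SPEC))
```

Run it against your own spec before the first scan: every entry in `required_schemes` needs credentials configured on the scanner side, anything in `unauthenticated_operations` should be unauthenticated on purpose, and `undefined_scheme_references` must be empty.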
Related Resources
- How It Works — Detailed scanning methodology
- OpenAPI Specs — Supported specification formats
- Configuration — Authentication, scheduling, and rate limiting
- Coverage — Full list of detected vulnerability types