# Coverage
API Scanning detects over 25 vulnerability types across injection, authentication, authorization, and configuration categories. This page lists the full coverage and provides details on payload depth.
## Vulnerability Types

### Injection Vulnerabilities
| Vulnerability | Description |
|---|---|
| SQL Injection (SQLi) | Detects SQL injection in query parameters, request bodies, and headers |
| NoSQL Injection | Tests for injection in NoSQL databases such as MongoDB |
| Server-Side Template Injection (SSTI) | Identifies template injection in server-side rendering engines |
| Command Injection | Tests for operating system command injection through API inputs |
| LDAP Injection | Detects injection in LDAP query construction |
| JSON Injection | Tests for injection through malformed JSON payloads |
| CRLF Injection | Identifies carriage return / line feed injection in headers and responses |
| XML External Entity (XXE) | Tests for XXE vulnerabilities in XML-accepting endpoints |
| Cross-Site Scripting (XSS) | Detects reflected and stored XSS through API responses |
| Path Traversal | Tests for directory traversal to access files outside the intended scope |
| Server-Side Request Forgery (SSRF) | Detects SSRF where the API can be tricked into making requests to internal services |
| Edge Side Includes (ESI) Injection | Tests for ESI injection in caching layers |
| Prompt Injection | Detects prompt injection in AI/LLM-powered endpoints |
### Configuration and Transport
| Vulnerability | Description |
|---|---|
| SSL/TLS Issues | Identifies weak cipher suites, expired certificates, and protocol misconfigurations |
## Payload Depth

API Scanning draws from a combined payload library with a large number of variations across all vulnerability types. This depth comes from combinatorial generation: payloads are constructed along several dimensions (injection techniques, encoding variations, bypass methods, language variations), producing a large search space that the scanner samples from within each scan run.
## Payload Rotation
Not all payloads are sent in a single scan run. API Scanning uses payload rotation to distribute payloads across multiple scan runs:
- Each scan run tests a different subset of payloads
- The scanner tracks which payloads have been sent to each target
- Subsequent runs prioritize untested payloads
- Over multiple runs, cumulative coverage approaches the full payload library
This design keeps individual scan runs fast while building coverage over time.
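The combinatorial generation described under Payload Depth and the rotation scheme in the list above, as an added illustration that is not the product's own code. Every dimension value is a constructed placeholder label (`tech-a`, `double-url`, and so on), not a real injection string; the example only demonstrates the scheduling logic: a library built as the Cartesian product of the dimensions, a per-target record of what has already been sent, untested payloads served first, and cumulative coverage reaching the full library after enough runs. The class and function names are hypothetical.

```python
"""Added example: combinatorial payload library plus cross-run rotation.
Dimension values are constructed placeholders, not real payloads."""
import itertools
import random
from typing import Dict, List, Set

# Constructed, hypothetical dimensions (labels only; 4 * 4 * 4 * 2 = 128 combinations).
DIMENSIONS: Dict[str, List[str]] = {
    "technique": ["tech-a", "tech-b", "tech-c", "tech-d"],
    "encoding": ["plain", "url", "double-url", "unicode"],
    "bypass": ["none", "case", "comment", "whitespace"],
    "language": ["lang-1", "lang-2"],
}


def build_library(dimensions: Dict[str, List[str]] = DIMENSIONS) -> List[str]:
    """Cartesian product of every dimension; each payload id names one combination."""
    return ["|".join(combo) for combo in itertools.product(*dimensions.values())]


class PayloadRotator:
    """Per-target record of sent payload ids; untested ids are handed out first,
    so each run tests a different subset and coverage accumulates across runs."""

    def __init__(self, library: List[str], per_run: int, seed: int = 0) -> None:
        self.library = list(library)
        self.per_run = per_run
        self.rng = random.Random(seed)  # seeded so runs are reproducible
        self.sent: Dict[str, Set[str]] = {}  # target -> payload ids already sent

    def next_run(self, target: str) -> List[str]:
        """Select this run's batch: untested ids first, then (only once the
        library is exhausted) re-sampled ids to keep the batch size constant."""
        sent = self.sent.setdefault(target, set())
        untested = [p for p in self.library if p not in sent]
        self.rng.shuffle(untested)
        batch = untested[: self.per_run]
        if len(batch) < self.per_run:
            tested = [p for p in self.library if p in sent]
            self.rng.shuffle(tested)
            batch += tested[: self.per_run - len(batch)]
        sent.update(batch)
        return batch

    def coverage(self, target: str) -> float:
        """Fraction of the library sent to this target so far."""
        return len(self.sent.get(target, set())) / len(self.library)


def simulate(runs: int, per_run: int = 20, target: str = "api.example.test") -> List[float]:
    """Cumulative coverage after each of `runs` scan runs against one target."""
    rotator = PayloadRotator(build_library(), per_run)
    history = []
    for _ in range(runs):
        rotator.next_run(target)
        history.append(rotator.coverage(target))
    return history


if __name__ == "__main__":
    for run, cov in enumerate(simulate(7), start=1):
        print(f"run {run}: cumulative coverage {cov:.1%}")
```

With 128 payload ids and 20 per run, coverage climbs 15.6%, 31.3%, ... and reaches 100% on the seventh run; the per-target `sent` set is what a real scanner would persist between runs so that the prioritisation survives restarts.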
## Maximizing Coverage
- Document all endpoints in your OpenAPI spec. The scanner tests every endpoint defined in the spec, so thorough documentation means better coverage.
- Keep your spec accurate and complete — the scanner uses your spec’s schemas and parameter definitions to generate effective test payloads.
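A check for both points above, added here as an example rather than anything the product ships: it walks a small constructed OpenAPI 3 document, reports parameters that have no typed schema (the scanner cannot derive typed test values for those), and compares the documented operations against a few constructed access-log lines to surface endpoints that receive traffic but are missing from the spec. The spec, the log lines and the function names are all hypothetical.

```python
"""Added example: spec completeness checks against a constructed OpenAPI
document and constructed access-log lines (hypothetical API)."""
import re
from typing import Dict, List, Pattern, Set, Tuple

# Constructed minimal OpenAPI 3 document for a hypothetical API.
SPEC: Dict = {
    "openapi": "3.0.3",
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [{"name": "id", "in": "path", "required": True,
                                    "schema": {"type": "integer"}}]},
            # 'id' here has no schema, so its type is undocumented.
            "delete": {"parameters": [{"name": "id", "in": "path", "required": True}]},
        },
        "/search": {
            "get": {"parameters": [{"name": "q", "in": "query",
                                    "schema": {"type": "string"}}]},
        },
    },
}

# Constructed access-log excerpt (method and request target only).
ACCESS_LOG: List[str] = [
    "GET /users/42",
    "DELETE /users/42",
    "GET /search?q=test",
    "POST /users/42/avatar",
    "GET /admin/export",
]

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def spec_operations(spec: Dict) -> Set[Tuple[str, str]]:
    """Every (METHOD, path-template) operation the spec documents."""
    ops = set()
    for path, item in spec.get("paths", {}).items():
        for method in item:
            if method.lower() in HTTP_METHODS:
                ops.add((method.upper(), path))
    return ops


def schema_gaps(spec: Dict) -> List[str]:
    """Parameters whose schema is missing or untyped."""
    gaps = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            for param in op.get("parameters", []):
                if "type" not in (param.get("schema") or {}):
                    gaps.append(f"{method.upper()} {path} param '{param.get('name')}' has no typed schema")
    return gaps


def _template_regex(path_template: str) -> Pattern:
    """Turn '/users/{id}' into a regex matching one concrete path segment per placeholder."""
    parts = re.split(r"(\{[^/}]+\})", path_template)
    body = "".join("[^/]+" if part.startswith("{") else re.escape(part) for part in parts)
    return re.compile("^" + body + "$")


def undocumented(access_log: List[str], spec: Dict) -> List[str]:
    """Observed (METHOD, path) pairs that no documented operation matches."""
    compiled = [(m, _template_regex(p)) for m, p in spec_operations(spec)]
    missing = []
    for line in access_log:
        method, target = line.split(" ", 1)
        path = target.split("?", 1)[0]  # drop the query string before matching
        if not any(m == method and rx.match(path) for m, rx in compiled):
            missing.append(f"{method} {path}")
    return missing


if __name__ == "__main__":
    for gap in schema_gaps(SPEC):
        print("schema gap:", gap)
    for op in undocumented(ACCESS_LOG, SPEC):
        print("undocumented:", op)
```

Run against real traffic, the `undocumented` list is the set of endpoints the scanner will never exercise until they are added to the spec, and `schema_gaps` lists the parameters for which it must fall back to untyped payloads.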