# APIStrike
API security scanner for REST APIs.

Point it at an OpenAPI spec and a roles config. It scans your API automatically.
Key features:
- Implemented OWASP coverage: API1–API8 plus SSRF detection, with auto-generated templates
- Auth-type-aware testing (bearer/JWT, basic, API key, cookie)
- DAST fuzzing engine with 8 injection types (SQLi, XSS, SSTI, SSRF, NoSQLi, CMDi, open redirect, LFI)
- Customizable detection DSL for APIs with non-standard response patterns
- CI/CD gate with per-severity thresholds and exit codes
- Upload findings to external dashboards
- Self-update from GitHub releases
## Install

```bash
# Go
go install github.com/RevoltSecurities/apistrike@latest

# Direct download (Linux)
curl -L https://github.com/RevoltSecurities/apistrike/releases/latest/download/apistrike_linux_amd64.tar.gz | tar xz
sudo mv apistrike /usr/local/bin/

# Docker (Docker Hub)
docker pull revoltsecurities/apistrike
docker run --rm -v "$(pwd)":/scan revoltsecurities/apistrike scan \
  --spec /scan/openapi.yaml \
  --config /scan/apistrike.yaml

# Docker (GHCR)
docker pull ghcr.io/revoltsecurities/apistrike
docker run --rm -v "$(pwd)":/scan ghcr.io/revoltsecurities/apistrike scan \
  --spec /scan/openapi.yaml \
  --config /scan/apistrike.yaml
```
## Quick Start

```bash
# 1. Generate example config
apistrike init

# 2. Edit apistrike.yaml — set your target, roles, tokens

# 3. Run scan
apistrike scan --spec openapi.yaml --config apistrike.yaml
```

Zero-config mode — no config file needed:

```bash
# Unauthenticated scan (misconfig + rate limit + race condition)
apistrike scan --spec openapi.yaml --target https://api.example.com

# With auth (adds broken auth tests)
apistrike scan --spec openapi.yaml --target https://api.example.com --auth-token "$TOKEN"

# With DAST injection fuzzing
apistrike scan --spec openapi.yaml --target https://api.example.com --auth-token "$TOKEN" --dast
```
## OWASP Coverage (Implemented)

| ID | Category | Detection Method |
|----|----------|------------------|
| API1:2023 | BOLA | Role permutation x path ID params |
| API2:2023 | Broken Authentication | Auth-type-aware: JWT, Basic, API key, Cookie bypass tests |
| API3:2023 | Broken Object Property Level Auth | PATCH/PUT field-level access |
| API4:2023 | Rate Limit Absence | Burst testing on sensitive endpoints |
| API5:2023 | BFLA | Unprivileged roles calling admin functions |
| API6:2023 | Mass Assignment | Injecting privileged fields in request body |
| API7:2023 | Security Misconfiguration | CORS, headers, debug endpoints |
| API8:2023 | Injection | SQLi (error + blind time-delay), XSS, SSTI, SSRF, NoSQLi, CMDi, LFI |
| Additional | SSRF (URL/callback params) | Out-of-band callback detection |
## Config — apistrike.yaml

The config file defines your API's roles, auth tokens, and parameter values. This is what makes BOLA and BFLA testing possible — the scanner needs to know which resources each role owns and how each role authenticates.

```yaml
target: https://api.example.com
spec: ./openapi.yaml

roles:
  admin:
    privilege_level: 100
    auth:
      type: bearer
      token: "${ADMIN_TOKEN}"   # reads from env var
    owns:
      user_id: "usr_admin_001"
      loan_id: "loan_admin_001"
  user:
    privilege_level: 50
    auth:
      type: bearer
      token: "${USER_TOKEN}"
    owns:
      user_id: "usr_user_001"
      loan_id: "loan_user_001"
  unauthenticated:
    privilege_level: 0
    auth:
      type: none

bola:
  enabled: true
  attacker_roles: [user, unauthenticated]
  victim_roles: [admin, user]

injection:
  enabled: true
  types:
    sqli:
      enabled: true
    xss:
      enabled: true
    ssrf:
      enabled: true

output:
  jsonl: findings.jsonl
  fail_on: [critical, high]
```

Generate a full example: `apistrike init`

See CONFIG.md for the complete configuration reference.
## CI/CD Integration

```yaml
# .github/workflows/security.yml
- name: Install apistrike
  run: |
    curl -L https://github.com/RevoltSecurities/apistrike/releases/latest/download/apistrike_linux_amd64.tar.gz | tar xz
    sudo mv apistrike /usr/local/bin/

- name: API Security Scan
  env:
    ADMIN_TOKEN: ${{ secrets.ADMIN_TOKEN }}
    USER_TOKEN: ${{ secrets.USER_TOKEN }}
  run: |
    apistrike scan \
      --spec ./openapi.yaml \
      --config ./apistrike.yaml \
      --exit-on-findings
```

Exit code 1 on critical/high findings — blocks the deploy.
## Commands

| Command | Description |
|---------|-------------|
| `apistrike scan` | Run full OWASP scan (implemented categories) |
| `apistrike dast` | Run DAST-only fuzzing scan (injection, XSS, SQLi, SSTI, SSRF, etc.) |
| `apistrike generate` | Generate security templates without scanning |
| `apistrike validate` | Validate apistrike.yaml config |
| `apistrike init` | Generate example config file |
| `apistrike update` | Update apistrike to the latest version |
## How It Works

```text
openapi.yaml + apistrike.yaml
        |
        v
Parse endpoints (kin-openapi)
        |
        v
Classify -> OWASP categories (implemented set) (per endpoint)
        |
        v
Generate templates (Go structs -> YAML)
    |-- BOLA: attacker x victim x endpoint
    |-- Broken Auth: no_token, invalid, expired, algo_confusion
    |-- BFLA: unprivileged_role x admin_endpoint
    |-- Injection: payload x param x injection_type
    '-- Mass Assignment: extra_field x write_endpoint
        |
        v
Run scan engine (Go native, concurrent)
        |
        v
findings.jsonl + report.md + exit code
```
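To make the `BOLA: attacker x victim x endpoint` step and the `roles`/`owns`/`bola` blocks of the config concrete, here is an added Go sketch of that expansion and its verdict rule; it is not APIStrike's own code. The type and function names (`Owns`, `Endpoint`, `BOLACase`, `GenerateBOLACases`, `IsBOLAFinding`) are assumptions, and the path templates used in the test are constructed; the role names and owned IDs follow the example config above.

```go
package main

import "strings"

// Owns mirrors one role's owns: block in apistrike.yaml (path parameter name -> owned ID).
type Owns map[string]string

// Endpoint is one parsed OpenAPI operation, e.g. GET /users/{user_id}.
type Endpoint struct{ Method, Path string }

// BOLACase is one attacker x victim x endpoint permutation: the request is sent
// with the attacker's credentials against the victim's concrete resource.
type BOLACase struct{ Attacker, Victim, Method, Path string }

// GenerateBOLACases expands bola.attacker_roles x bola.victim_roles x endpoints.
// Self-pairs are skipped, as are paths with no {id} params and paths with a param
// the victim owns no value for (there would be nothing to substitute).
func GenerateBOLACases(roles map[string]Owns, attackers, victims []string, eps []Endpoint) []BOLACase {
	var cases []BOLACase
	for _, a := range attackers {
		for _, v := range victims {
			if a == v {
				continue
			}
			for _, ep := range eps {
				path := ep.Path
				for _, seg := range strings.Split(ep.Path, "/") {
					if strings.HasPrefix(seg, "{") && strings.HasSuffix(seg, "}") {
						if id, ok := roles[v][seg[1:len(seg)-1]]; ok {
							path = strings.ReplaceAll(path, seg, id)
						}
					}
				}
				// unchanged path => no ID params; leftover "{" => a param the victim does not own
				if path != ep.Path && !strings.Contains(path, "{") {
					cases = append(cases, BOLACase{a, v, ep.Method, path})
				}
			}
		}
	}
	return cases
}

// IsBOLAFinding is the verdict rule: a 2xx to the attacker's request on the victim's
// resource means the object-level check is missing; 401/403/404 is the expected deny.
func IsBOLAFinding(status int) bool { return status >= 200 && status < 300 }
```

A real engine also compares response bodies, since a 200 that returns an empty or redacted object is not a leak.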
## Self-Update

```bash
# Update to latest release
apistrike update

# Check latest release notes without updating
apistrike update --show-release
```

## Documentation

## License
MIT — see LICENSE
Built by RevoltSecurities with Go.