
Free Autoswagger Tool Finds the API Flaws Attackers Hope You Miss


APIs: Still Easy Targets in 2025

APIs are the backbone of modern applications - and one of the most exposed parts of an organization’s infrastructure. This makes them a prime target for attackers.

One of the highest-profile examples was the Optus breach in 2022, where attackers stole millions of customer records through an unauthenticated API endpoint - costing the telecom company $140 million AUD in fallout.

Worryingly, vulnerabilities like this are so easy to exploit you could teach someone with no technical background to do it in a day. And three years on, Intruder’s security team is still finding the same issues in the APIs of major organizations - including members of the S&P 500.

That’s why we built Autoswagger - a free, open-source tool that scans APIs for broken authorization flaws. Read on to see how it works and some of the most surprising issues it uncovered when we put it to the test.

What is Autoswagger and How Does it Work?

Autoswagger scans domains to detect exposed API documentation - OpenAPI or Swagger schemas - then parses them to generate a list of endpoints to test. It sends unauthenticated requests built from the parameters and example values in the documentation and flags any endpoint that answers with data instead of rejecting the request (i.e. a success response rather than a 401 or 403).

If a response includes sensitive data - like credentials or personally identifiable information (PII) - and the endpoint isn’t properly secured, it gets flagged in the output.

Autoswagger is free to download and install via GitHub.

For more advanced testing, Autoswagger can be run with the --brute flag to attempt to bypass validation checks. This helps uncover flaws in endpoints that reject generic input but accept specific data formats or values.
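The workflow described above - expand the schema into requests, send them without credentials, and sort the responses into protected, exposed, and "rejected my input" - is small enough to show end to end. The following is an added example written for this page, not Autoswagger's own code: the OpenAPI document, the `fake_backend` stand-in for a live API, the sensitive-data regex and the category names are all constructed for illustration, and the "rejected-input" bucket simply marks the endpoints that a brute-style second pass would revisit.

```python
"""Minimal OpenAPI-driven access-control scan, in the spirit of Autoswagger.

Added example, not the tool's own code. The schema, the fake backend and
the response patterns below are constructed for illustration only.
"""
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlencode

# Constructed OpenAPI 3 document (an in-memory dict instead of a fetched YAML/JSON file).
SPEC = {
    "servers": [{"url": "https://api.example.internal"}],
    "paths": {
        "/users/{id}": {"get": {"parameters": [
            {"name": "id", "in": "path", "required": True,
             "schema": {"type": "integer", "example": 1001}}]}},
        "/admin/stats": {"get": {"parameters": []}},
        "/orders": {"get": {"parameters": [
            {"name": "status", "in": "query",
             "schema": {"type": "string", "enum": ["open", "closed"]}}]}},
        "/export": {"get": {"parameters": [
            {"name": "format", "in": "query", "required": True,
             "schema": {"type": "string"}}]}},
    },
}

# Rough indicators of credentials or PII in a response body (assumed patterns, not exhaustive).
SENSITIVE = re.compile(
    r'((password|passwd|secret|api_?key|token|ssn)\w*"?\s*[:=])'   # credential-like keys
    r'|([\w.+-]+@[\w-]+\.[\w.-]+)',                                # e-mail addresses
    re.I,
)


def sample_value(schema: dict):
    """Pick a plausible value for a parameter: documented example > first enum > type default."""
    if "example" in schema:
        return schema["example"]
    if schema.get("enum"):
        return schema["enum"][0]
    return {"integer": 1, "number": 1, "boolean": "true"}.get(schema.get("type", "string"), "test")


def build_requests(spec: dict) -> List[Tuple[str, str]]:
    """Expand every path/method in the spec into (METHOD, URL) pairs filled with sample values."""
    base = spec.get("servers", [{"url": ""}])[0]["url"].rstrip("/")
    requests = []
    for path, methods in spec["paths"].items():
        for method, op in methods.items():
            url, query = path, {}
            for p in op.get("parameters", []):
                value = sample_value(p.get("schema", {}))
                if p["in"] == "path":
                    url = url.replace("{%s}" % p["name"], str(value))
                elif p["in"] == "query":
                    query[p["name"]] = value
            if query:
                url += "?" + urlencode(query)
            requests.append((method.upper(), base + url))
    return requests


def classify(status: int, body: str) -> str:
    """Map an unauthenticated response to a finding category."""
    if status in (401, 403):
        return "protected"
    if 200 <= status < 300:
        return "exposed-sensitive" if SENSITIVE.search(body) else "exposed"
    if status in (400, 422):
        return "rejected-input"  # documented sample rejected; candidate for a brute-style pass
    return "other"


def scan(spec: dict, send: Callable[[str, str], Tuple[int, str]]) -> Dict[str, str]:
    """Send every generated request with no credentials and classify each response by URL."""
    return {url: classify(*send(method, url)) for method, url in build_requests(spec)}


def fake_backend(method: str, url: str) -> Tuple[int, str]:
    """Constructed stand-in for a live API so the example runs offline."""
    path = url.split("://", 1)[-1].split("/", 1)[1]  # strip scheme and host
    if path.startswith("users/"):
        return 200, '{"id": 1001, "email": "jane@example.com", "password_hash": "..."}'
    if path.startswith("admin/"):
        return 401, '{"error": "unauthorized"}'
    if path.startswith("orders"):
        return 200, '[{"id": 7, "status": "open"}]'
    if path.startswith("export"):
        return 400, '{"error": "format must be csv or json"}'
    return 404, ""


if __name__ == "__main__":
    for url, verdict in scan(SPEC, fake_backend).items():
        print(f"{verdict:18} {url}")
```

Against the constructed backend, `/users/1001` comes back as `exposed-sensitive` (a 200 carrying an e-mail address and a password-like key), `/orders` as `exposed`, `/admin/stats` as `protected`, and `/export` as `rejected-input` because the generic string filled in for `format` fails validation. That last bucket is exactly the case the text describes for a second pass with alternative values: a 400 is not evidence of access control, only evidence that the sample input was wrong. To point the scan at a real target, replace `fake_backend` with a function that performs the HTTP request and returns `(status_code, body_text)`.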
