Learnings After 400 API Security Testing

Learnings After 400 API Security Testing_628d5d20eb40d.png

We recently launched EthicalCheck, a free and instant API security testing DAST (Dynamic Application Security Testing) web tool on GitHub.

Here is the GitHub URL for the tool:

What kind of vulnerabilities does EthicalCheck find?
Most automated scanners would find vulnerabilities like SQL Injections, NoSQL Injections, XSS, etc.
EthicalCheck performs different checks, including OAuth 2.0, JWT, BasicAuth, OWASP API #2, and broken authentication defects in web, mobile, and public-facing APIs.

How EthicalCheck work?
It requires two inputs:
API (OpenAPI Spec/Swagger) documentation URL.
Email address for receiving security testing report


We only did a soft launch across a couple of developer forums in the past three months. We weren’t hoping that we would get anywhere close to 400 tests.

Here are the stats:
Start Date: Feb 2022 – Apr 2022 (3 months)
Total APIs Tested: 400
Total APIs with Vulnerabilities: 164
Total APIs with 10+ Vulnerabilities: 16
Max vulnerabilities found in an API: 65
Total Vulnerabilities Found: 948
Total Bug Bounty Savings: $1,896,000 (Based on HackerOne’s payout model)
Total API Penetration Test Savings: $343,000 (Based on avg penetration testing cost)
Percentage of APIs with Vulnerabilities: 47.9%

On average, close to 50% of the tested public-facing APIs had security vulnerabilities. These vulnerabilities can easily be picked up by automated bots and hackers alike. Security breaches are expensive and can cost exponentially upwards of $8.64m to startups and large organizations alike.

Your public-facing mobile/web API has a close to 50% chance of having security vulnerabilities. You can instantly test your public-facing APIs for vulnerabilities:

What do you think?

Silver 1

Written by yulica

Leave a Reply

Your email address will not be published.

      Introducing DigitalOcean Functions: A powerful serverless computing solution_628d5d2b47156.png

      Introducing DigitalOcean Functions: A powerful serverless computing solution

      Assigning IPv6 addresses to pods and services – Part 1_628d5d0fb0adf.png

      Assigning IPv6 addresses to pods and services – Part 1