
Autonomous API Security with Aptori

Aptori's proprietary Semantic Reasoning Technology leverages NLP and reinforcement learning to autonomously interrogate API sequences -- modeling how both legitimate users and attackers interact with APIs. Unlike traditional security tools that assess APIs individually, Aptori analyzes entire API workflows, identifying vulnerabilities that would otherwise go undetected.

This automated approach enables rapid interrogation of thousands of API sequence permutations, a task impossible for developers to scale manually. By understanding the API specification, Aptori builds a resource dependency graph to intelligently determine which sequences require analysis. This capability ensures comprehensive security testing without human intervention, allowing security teams to conduct deep API analysis early in development.

Comprehensive API Security Analysis

Aptori autonomously detects security vulnerabilities and functional defects in API implementations, covering known attack patterns and business logic flaws. It includes vulnerability analyzers aligned with OWASP API Security Top 10, MITRE, and SANS guidelines.

Key Security Checks

  • OpenAPI Conformance: The Conformance Analyzer dynamically validates API behavior against its definition, preventing mismatches that cause system errors, data leaks, and development slowdowns.
  • Broken Object Level Authorization (BOLA): Automatically detects improper access control when API endpoints interact with object IDs. Developers receive precise guidance on fixing these vulnerabilities.
  • Broken User Authentication: Checks for weak authentication mechanisms and their exploitability, such as susceptibility to credential stuffing and brute-force attacks, incorrect token validation, and weak JWT configurations.
  • Excessive Data Exposure: Identifies when APIs return more data than necessary, potentially exposing sensitive information to attackers. Aptori notifies developers early in the SDLC to prevent data leaks.
  • Lack of Resources & Rate Limiting: Ensures APIs enforce proper rate limiting to prevent DoS attacks, checking both for rate-limiting headers and for whether the advertised limit is actually enforced (a header alone does not prove enforcement).
  • Broken Function Level Authorization: Detects misconfigured access controls that allow unauthorized users to execute privileged actions, even through simple method changes (e.g., GET to PUT).
  • Security Misconfiguration: Identifies weaknesses in API configurations, from network to application layers, reducing the risk of exposure to automated attacks.
  • Injection Attacks: Simulates SQL, NoSQL, OS command, XML, and ORM injection attacks using an evolving library of malicious payloads, including deep-layer request body analysis.
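The rate-limiting check above is worth seeing concretely, because the weak case is an API that advertises a limit in its headers without ever rejecting a request. The following is an added example written for this page, not Aptori or Sift code: a constructed pair of mock endpoints (one that only emits X-RateLimit-* headers, one that enforces a fixed-window limit and returns 429) and a probe that reads the advertised limit and then overshoots it to see whether anything is rejected. The header names, the limiter classes and the client IP are all assumptions made for the example.

```python
# Added example for this page, not Sift/Aptori code. Both "endpoints" are
# constructed in-memory stand-ins; no network traffic is involved.
from dataclasses import dataclass, field


@dataclass
class Resp:
    status: int
    headers: dict = field(default_factory=dict)


class AdvertisingOnlyLimiter:
    """Weak form: emits X-RateLimit-* headers but never rejects a request."""

    def __init__(self, limit):
        self.limit = limit
        self.seen = 0

    def handle(self, client_ip):
        self.seen += 1
        remaining = max(self.limit - self.seen, 0)
        return Resp(200, {"X-RateLimit-Limit": str(self.limit),
                          "X-RateLimit-Remaining": str(remaining)})


class EnforcingLimiter:
    """Hardened form: fixed-window counter per client, 429 past the limit."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = {}

    def handle(self, client_ip):
        n = self.counts.get(client_ip, 0) + 1
        self.counts[client_ip] = n
        headers = {"X-RateLimit-Limit": str(self.limit),
                   "X-RateLimit-Remaining": str(max(self.limit - n, 0))}
        if n > self.limit:
            headers["Retry-After"] = "60"
            return Resp(429, headers)
        return Resp(200, headers)


def probe_rate_limit(endpoint, client_ip="198.51.100.7", overshoot=5):
    """Read the advertised limit from the first response, then send
    limit + overshoot requests from one client and count rejections.
    Headers without any 429 is reported as an unenforced limit."""
    first = endpoint.handle(client_ip)
    advertised = first.headers.get("X-RateLimit-Limit")
    if advertised is None:
        return {"advertised_limit": None, "sent": 1, "rejected": 0,
                "enforced": False, "verdict": "no rate-limit headers"}
    limit = int(advertised)
    statuses = [first.status]
    for _ in range(limit + overshoot - 1):
        statuses.append(endpoint.handle(client_ip).status)
    rejected = sum(1 for s in statuses if s == 429)
    enforced = rejected > 0
    return {"advertised_limit": limit, "sent": len(statuses),
            "rejected": rejected, "enforced": enforced,
            "verdict": "enforced" if enforced
            else "headers advertise a limit that is not enforced"}


if __name__ == "__main__":
    print("weak:    ", probe_rate_limit(AdvertisingOnlyLimiter(10)))
    print("hardened:", probe_rate_limit(EnforcingLimiter(10)))
```

The probe deliberately derives the request count from the server's own header rather than a fixed number, so the verdict is "your headers say 10, and 15 requests all succeeded" instead of an arbitrary threshold. Against a real API the same logic applies per authenticated identity as well as per client IP, since limits keyed only on the source address are trivially bypassed from a pool of addresses.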

Semantic API Testing with Sift

Aptori’s Sift is a cross-platform CLI tool designed for semantic, intelligent fuzz testing. Powered by Semantic Reasoning Technology, Sift generates and executes stateful API request sequences that emulate real-world user workflows.

Key Features

  • Executes context-aware test cases with both valid and malicious inputs.
  • Identifies deep security flaws in business logic.
  • Runs autonomously in CI pipelines or local development environments (Mac, Linux, Windows).
  • Customizable to prioritize specific security tests.

Sift provides developers with an automated, scalable, and efficient way to uncover vulnerabilities early, ensuring API security is integrated into the development lifecycle without disrupting innovation.

How It Works

Sift operates in a series of stages designed to uncover both functional and security issues in APIs. The process goes beyond single-endpoint testing by modeling workflows, generating intelligent requests, and validating application behavior across multiple user roles.

1. Understanding the API

Sift begins by analyzing the target API from available sources such as OpenAPI specifications, GraphQL schemas, or recorded traffic. This semantic analysis creates a Semantic Model of endpoints, parameters, and data relationships between operations.

2. Building Workflows

Instead of testing endpoints in isolation, Sift chains requests into meaningful workflows. For example, it may log in, create a resource, and then attempt to access or delete it. This enables effective testing of stateful and business-logic issues that depend on state discovered from the application.

3. Generating Intelligent Tests

Using the Semantic Model, Sift generates request sequences that reflect valid usage. Baseline requests are issued to the target application with field values populated with context-aware data (e.g., user identifiers, tokens) to maximize test coverage across security and functional dimensions.

On top of the baseline requests, Sift applies multiple analyzers to construct attack scenarios in order to detect vulnerabilities such as broken authorization, authentication flaws, data exposure, injection, misconfigurations, and missing rate limits.

4. Collecting and Reporting Results

Results from each run are collected and reported to the Aptori Platform for triage and collaboration. Findings can also be exported in machine-readable formats (e.g., JSON, SARIF) to integrate the results into CI/CD and SIEM systems.

Virtual Users and Authorization

Since modern APIs require authorization for requests, Sift can make requests on behalf of one or more virtual users, configured through the authorization configuration. Virtual users represent distinct roles or identities within the target application. Sift repeats the testing process for each configured virtual user, ensuring that application behavior is tested across multiple user roles.

Virtual users are tested in the sorted order of their user-specified names. This systematic approach allows Sift to surface authorization and role-based access control issues, such as whether a lower-privileged user can perform actions intended only for administrators.
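To make the virtual-user workflow and the BOLA check from the list above concrete, here is an added example written for this page, not Sift or Aptori code. It is a constructed in-memory "notes" API whose GET handler checks object ownership but whose DELETE handler does not (the intended bug), plus a probe that runs the create-then-access-from-another-user workflow for every virtual user in sorted name order, as the page says Sift does. The API shape, the user names and the `enforce_delete_ownership` switch that produces the hardened form are all assumptions made for the example.

```python
# Added example for this page, not Sift/Aptori code. The target API is a
# constructed in-memory stand-in; the virtual users are made up.
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


class MockNotesApi:
    """Constructed target. With enforce_delete_ownership=False the DELETE
    handler skips the ownership check, which is the BOLA the probe should find."""

    def __init__(self, enforce_delete_ownership=False):
        self.enforce_delete_ownership = enforce_delete_ownership
        self._notes = {}
        self._next_id = 1

    def create_note(self, user, text):
        note_id = self._next_id
        self._next_id += 1
        self._notes[note_id] = {"id": note_id, "owner": user, "text": text}
        return Response(201, self._notes[note_id])

    def get_note(self, user, note_id):
        note = self._notes.get(note_id)
        if note is None:
            return Response(404)
        if note["owner"] != user:
            return Response(403)            # object-level check present
        return Response(200, note)

    def delete_note(self, user, note_id):
        note = self._notes.get(note_id)
        if note is None:
            return Response(404)
        if self.enforce_delete_ownership and note["owner"] != user:
            return Response(403)            # hardened form
        del self._notes[note_id]            # vulnerable form: any user gets here
        return Response(204)


def probe_object_authorization(api, virtual_users):
    """For each virtual user (sorted by name), run the workflow
    create -> GET from every other user -> DELETE from every other user.
    Any 2xx obtained by a non-owner is recorded as a finding."""
    findings = []
    for owner in sorted(virtual_users):
        note_id = api.create_note(owner, f"private note of {owner}").body["id"]
        for actor in sorted(virtual_users):
            if actor == owner:
                continue
            for method, call in (("GET", api.get_note), ("DELETE", api.delete_note)):
                resp = call(actor, note_id)
                if 200 <= resp.status < 300:
                    findings.append({"method": method, "owner": owner,
                                     "actor": actor, "object_id": note_id,
                                     "status": resp.status})
                    if method == "DELETE":
                        # Object is gone; recreate it so later users are still probed
                        # instead of seeing a 404 that would mask the bug.
                        note_id = api.create_note(
                            owner, f"private note of {owner}").body["id"]
    return findings


if __name__ == "__main__":
    users = ["bob", "alice", "admin"]      # constructed virtual users
    for f in probe_object_authorization(MockNotesApi(), users):
        print(f"BOLA: {f['actor']} {f['method']} note {f['object_id']} "
              f"owned by {f['owner']} -> {f['status']}")
    print("hardened:", probe_object_authorization(
        MockNotesApi(enforce_delete_ownership=True), users))
```

Two details matter in practice. The probe tries GET before DELETE so a missing read check is caught even when the delete check is correct, and it recreates the object after an unauthorized delete succeeds; without that, every later virtual user would get a 404 and the single finding would look like an isolated case rather than a missing check on the handler.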