DEV Community: Cory Sorel The latest articles on DEV Community by Cory Sorel (@uncommoncarp). https://dev.to/uncommoncarp https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3920420%2F01a4e546-f856-4f96-a2df-af35105a212f.jpeg DEV Community: Cory Sorel https://dev.to/uncommoncarp en I Built An API Security Scanner That Won't Shoot You in the Foot Cory Sorel Mon, 22 Jun 2026 16:00:00 +0000 https://dev.to/uncommoncarp/i-built-an-api-security-scanner-that-wont-shoot-you-in-the-foot-28oa https://dev.to/uncommoncarp/i-built-an-api-security-scanner-that-wont-shoot-you-in-the-foot-28oa <p>Four years into a career focused on APIs and developer tooling, I kept running into the same gap: security scanning options were either too heavy (stand up a platform, configure a workspace, wait for results) or too risky to run in CI without careful guardrails. I wanted a lightweight, CLI-first tool that gave a clear first pass without the danger of destructive side effects.</p> <p>That's Sentinel: a spec-aware API security scanner built for developers and CI pipelines. Out of the box it sends only GETs, keeps burst probes conservative, and requires an explicit opt-in, plus an OpenAPI spec, before it touches anything injection-related. Safety isn't a feature, it's the default.</p> <p>Here's how that show's up in the implementation:</p> <h3> Architecture </h3> <p><strong>Spec first endpoint selection</strong></p> <p>When an OpenAPI spec is provided, Sentinel resolves the full set of endpoints to test once, before any suite runs, and passes them down via <code>ctx.selectedEndpoints</code>. Suites call <code>resolveEndpoints(ctx.selectedEndpoints)</code> to get that list, it's never re-computed. The spec's <code>servers[0].url</code> base path is extracted and normalized into every endpoint path at selection time, so suites never have to think about it.</p> <p>The fallback is deliberate too: no spec, no scope config, or filters that exclude everything all collapse to GET /. Suites will always get a valid list.</p> <p><strong>Finding metadata as a manifest</strong></p> <p>In the headers suite, finding definitions live in a static REQUIRED_HEADERS array: each entry carries the finding ID, title, severity, description, remediation, and OWASP reference. The detection logic is a separate loop that iterates that manifest and checks for each header. Adding a new required header check means adding one entry to the array; there's no detection logic to write.</p> <p>This pattern keeps two concerns from drifting apart over time: what a finding is versus what triggers it.</p> <p><strong>Errors aren't findings</strong></p> <p>RunResult has three distinct fields: <code>findings</code>, <code>suiteErrors</code>, and <code>reporterErrors</code>. That separation is enforced at the type level: <code>suiteErrors</code> and <code>reporterErrors</code> are required fields, not optional. TypeScript won't let you construct a RunResult without accounting for both. The intent is that if a suite throws unexpectedly mid-scan, that failure surfaces in its own field with its own exit code (1) rather than being folded into security findings or silently dropped.</p> <p>A finding has severity, remediation, affected endpoints, evidence. An operational error has none of that. Conflating them would make the output untrustworthy in exactly the situation where you need to trust it most: when something goes wrong.</p> <h3> Targeted Testing </h3> <p>During the process of building Sentinel I discovered I needed a way to guarantee findings. I built Anemone: a small, configurable, vulnerable API that became a permanent part of Sentinel's testing story. It hosts a series of endpoints designed to trigger at least one finding from every suite:</p> <ul> <li> <strong>Headers</strong>: security headers absent by default; triggers <code>missing_hsts</code>, <code>missing_xcto</code>, <code>missing_referrer_policy</code> </li> <li> <strong>CORS</strong>: reflects arbitrary origins with credentials by default; a second mode tests wildcard + credentials</li> <li> <strong>Auth</strong>: /api/v2/auth returns a JWT with <code>alg:none</code>, a ~27h TTL, and no enforcement on protected routes</li> <li> <strong>Inventory</strong>: <code>/debug</code>, <code>/swagger</code>, <code>/openapi.json</code>, and <code>/graphql</code> all exposed; <code>/api/v1/</code> still responds alongside the declared v2 spec</li> <li> <strong>Injection</strong>: <code>/api/v2/search</code> reflects SQL errors on quote characters; <code>/api/v2/greet</code> evaluates <code>{{expr}}</code> in query params</li> </ul> <p>Each misconfiguration is individually toggleable via env var, so you can fix one issue, re-run Sentinel, and verify that specific finding disappears. It's a useful sanity check when writing new suites.</p> <p>Moving Anemone from a testing fixture to a publicly hosted API required some thought, especially around the injection suite. The <code>{{7*7}} → 49</code> behavior that triggers Sentinel's template injection probe had to work without enabling real RCE. safeEval() handles this: a hand-rolled arithmetic evaluator that resolves simple expressions and returns a fake <code>TemplateError</code> for anything else. No <code>eval()</code>, no execution.</p> <h3> Running a demo </h3> <p>You can see Sentinel in action in under a minute from your command line:</p> <p><code>npm install -g @uncommon-carp/sentinel</code></p> <p>Then point it at Anemone:</p> <p><code>sentinel scan -u https://target.barbel.dev</code></p> <p>Sentinel outputs both a human readable Markdown doc and machine readable JSON. Here's a sample from hitting Anemone:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># Sentinel Report</span> <span class="p"> -</span> <span class="gs">**Target:**</span> <span class="sb">`https://target.barbel.dev`</span> <span class="p">-</span> <span class="gs">**Scanned:**</span> 2026-06-22T08:48:39.931Z <span class="p">-</span> <span class="gs">**Finished:**</span> 2026-06-22T08:48:44.344Z <span class="p">-</span> <span class="gs">**Duration:**</span> 4413ms <span class="p">-</span> <span class="gs">**Version:**</span> 0.3.1 <span class="gu">## Summary</span> | Severity | Count | | --- | --- | | Critical | 2 | | Medium | 10 | | Low | 6 | | <span class="gs">**Total**</span> | <span class="gs">**18**</span> | <span class="gu">## OWASP Coverage</span> | Category | Findings | | --- | --- | | API2: Broken Authentication | 5 | | API4: Unrestricted Resource Consumption | 2 | | API8: Security Misconfiguration | 8 | | API9: Improper Inventory Management | 3 | <span class="gu">## Findings</span> <span class="p"> --- </span> <span class="gu">### [Critical] JWT with alg:none detected in response</span> <span class="sb">`auth.jwt_alg_none`</span> | Suite: auth | API2: Broken Authentication A JWT using the "none" algorithm was found in a response. Tokens with alg:none carry no cryptographic signature; servers that accept them can be trivially bypassed. <span class="gt"> &gt; **Why it matters:** An attacker can forge arbitrary JWT claims — including elevated roles — and gain unauthorized access to any endpoint that trusts the token, with no cryptographic barrier.</span> <span class="gs">**Remediation:**</span> Reject JWTs with alg:none server-side and enforce an explicit algorithm allowlist. <span class="p"> --- </span> <span class="gu">### [Medium] Missing Strict-Transport-Security (HSTS)</span> <span class="sb">`headers.missing_hsts`</span> | Suite: headers | API8: Security Misconfiguration HSTS helps enforce HTTPS by telling browsers to only connect over TLS for a period of time. <span class="gt"> &gt; **Why it matters:** Without HSTS, browsers may connect over plain HTTP on subsequent visits, enabling downgrade attacks that allow credential and session token interception on the local network.</span> <span class="gs">**Remediation:**</span> Add a Strict-Transport-Security header on HTTPS responses (e.g. max-age=31536000; includeSubDomains). </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"meta"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"startedAt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-06-22T08:45:30.542Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"targetBaseUrl"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://target.barbel.dev"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.3.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"finishedAt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-06-22T08:45:35.978Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"durationMs"</span><span class="p">:</span><span class="w"> </span><span class="mi">5433</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"target"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"baseUrl"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://target.barbel.dev"</span><span class="p">,</span><span class="w"> </span><span class="nl">"openapi"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://target.barbel.dev/openapi.json"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"findings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"headers.missing_hsts"</span><span class="p">,</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Missing Strict-Transport-Security (HSTS)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"severity"</span><span class="p">:</span><span class="w"> </span><span class="s2">"medium"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HSTS helps enforce HTTPS by telling browsers to only connect over TLS for a period of time."</span><span class="p">,</span><span class="w"> </span><span class="nl">"whyItMatters"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Without HSTS, browsers may connect over plain HTTP on subsequent visits, enabling downgrade attacks that allow credential and session token interception on the local network."</span><span class="p">,</span><span class="w"> </span><span class="nl">"remediation"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Add a Strict-Transport-Security header on HTTPS responses (e.g. max-age=31536000; includeSubDomains)."</span><span class="p">,</span><span class="w"> </span><span class="nl">"owasp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"API8: Security Misconfiguration"</span><span class="p">,</span><span class="w"> </span><span class="nl">"suite"</span><span class="p">:</span><span class="w"> </span><span class="s2">"headers"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tags"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"headers"</span><span class="p">,</span><span class="w"> </span><span class="s2">"http"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"evidence"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"header"</span><span class="p">:</span><span class="w"> </span><span class="s2">"strict-transport-security"</span><span class="p">,</span><span class="w"> </span><span class="nl">"count"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nl">"probed"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nl">"affected"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"get"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/v2/auth"</span><span class="p">,</span><span class="w"> </span><span class="nl">"url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://target.barbel.dev/api/v2/auth"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"get"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/v2/greet"</span><span class="p">,</span><span class="w"> </span><span class="nl">"url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://target.barbel.dev/api/v2/greet"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"get"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/v2/users"</span><span class="p">,</span><span class="w"> </span><span class="nl">"url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://target.barbel.dev/api/v2/users"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"get"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/v2/health"</span><span class="p">,</span><span class="w"> </span><span class="nl">"url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://target.barbel.dev/api/v2/health"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"get"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/v2/search"</span><span class="p">,</span><span class="w"> </span><span class="nl">"url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://target.barbel.dev/api/v2/search"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> What's Next </h3> <p>Next up: Anemone will be expanded with richer auth and rate limiting scenarios, there's deduplication work to be done for findings, and the injection suite is ready for deeper SSRF/Interactsh exploration.</p> <p>All it takes to get started is <code>npx @uncommon-carp/sentinel scan --url &lt;your-api&gt;</code>. Stars and issues are welcome on <a href="https://github.com/uncommon-carp/sentinel" rel="noopener noreferrer">GitHub</a>: bug reports, false positives, or suite ideas especially.</p> cybersecurity api cli