Teycir Ben Soltane


ApiHunter - Async API Security Scanner in Rust

🎯 ApiHunter

Async API security scanner built in Rust for baseline testing and regression detection.
https://github.com/Teycir/ApiHunter

What It Does

Scans APIs for common vulnerabilities:

  • CORS/CSP misconfigurations with bypass detection
  • GraphQL introspection + sensitive schema fields
  • JWT vulnerabilities (alg=none, weak secrets, expiry)
  • IDOR/BOLA with 3-tier testing (unauth/range/cross-user)
  • Secret exposure (AWS keys, tokens, credentials)
  • 168 CVE templates with Nuclei YAML import support
  • Active checks (mass assignment, OAuth/OIDC, rate limits, WebSocket)
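To make the first bullet concrete, here is an added example of what a passive CORS check classifies once the responses to a few Origin probes are in. It is my own illustration and not ApiHunter's code: the probe origins (an unrelated host, the opaque `null` origin, and a suffix-confusable host), the finding names and the severities are all assumptions. The interesting part is the distinction between a server that reflects any origin, one that accepts `null`, and one that does a loose substring match on its own host name instead of an exact allow-list, each of which matters far more when `Access-Control-Allow-Credentials: true` is also present.

```rust
// Added example, not ApiHunter's own code: a passive CORS classifier of the
// kind a scanner runs over the response to each Origin probe. All names,
// probe origins and severity choices are assumptions made for illustration.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Severity { Info, Low, Medium, High }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CorsFinding {
    /// `Access-Control-Allow-Origin: *`: a public grant; browsers never attach credentials to it.
    Wildcard,
    /// The server echoed an unrelated probe origin back verbatim.
    ReflectedOrigin { credentials: bool },
    /// The server granted the literal `null` origin (sandboxed iframes, local files).
    NullOrigin { credentials: bool },
    /// The server granted an origin that merely contains its own host name,
    /// i.e. a substring/suffix match instead of an exact allow-list.
    LooseMatch { credentials: bool },
}

impl CorsFinding {
    pub fn severity(self) -> Severity {
        match self {
            CorsFinding::Wildcard => Severity::Info,
            CorsFinding::ReflectedOrigin { credentials: true }
            | CorsFinding::NullOrigin { credentials: true }
            | CorsFinding::LooseMatch { credentials: true } => Severity::High,
            CorsFinding::ReflectedOrigin { credentials: false }
            | CorsFinding::LooseMatch { credentials: false } => Severity::Medium,
            CorsFinding::NullOrigin { credentials: false } => Severity::Low,
        }
    }
}

/// Case-insensitive lookup over raw (name, value) header pairs.
fn header<'a>(headers: &[(&'a str, &'a str)], name: &str) -> Option<&'a str> {
    headers
        .iter()
        .find(|&&(n, _)| n.eq_ignore_ascii_case(name))
        .map(|&(_, v)| v.trim())
}

/// Host part of an origin: `https://api.example.com:8443` -> `api.example.com`.
fn origin_host(origin: &str) -> &str {
    let no_scheme = origin.split_once("://").map_or(origin, |(_, rest)| rest);
    let authority = no_scheme.split('/').next().unwrap_or(no_scheme);
    authority.split_once(':').map_or(authority, |(host, _)| host)
}

/// The Origin values a scanner would send for one target host (constructed here).
pub fn probe_origins(target_host: &str) -> [String; 3] {
    [
        "https://probe.invalid".to_string(),                // unrelated origin
        "null".to_string(),                                 // opaque origin
        format!("https://{}.probe.invalid", target_host),   // suffix-confusable origin
    ]
}

/// Classify the response to one probe. `probe_origin` is the Origin header the
/// scanner sent and `target_host` the host under test. Returns None when the
/// server did not grant the probe origin, which is the healthy outcome.
pub fn classify_cors(probe_origin: &str, target_host: &str, headers: &[(&str, &str)]) -> Option<CorsFinding> {
    let acao = header(headers, "Access-Control-Allow-Origin")?;
    let credentials = header(headers, "Access-Control-Allow-Credentials")
        .map_or(false, |v| v.eq_ignore_ascii_case("true"));

    if acao == "*" {
        return Some(CorsFinding::Wildcard);
    }
    if acao != probe_origin {
        return None; // a fixed allow-list value that is not our probe
    }
    if probe_origin == "null" {
        return Some(CorsFinding::NullOrigin { credentials });
    }
    let probe_host = origin_host(probe_origin);
    if probe_host == target_host {
        return None; // the server granted its own origin, which is expected
    }
    if probe_host.contains(target_host) {
        return Some(CorsFinding::LooseMatch { credentials });
    }
    Some(CorsFinding::ReflectedOrigin { credentials })
}

fn main() {
    // Constructed responses: a server that reflects whatever Origin it receives and allows credentials.
    let target = "api.example.com";
    for origin in probe_origins(target) {
        let reflecting = [
            ("Access-Control-Allow-Origin", origin.as_str()),
            ("Access-Control-Allow-Credentials", "true"),
        ];
        match classify_cors(&origin, target, &reflecting) {
            Some(f) => println!("{}: {:?} ({:?})", origin, f, f.severity()),
            None => println!("{}: no grant", origin),
        }
    }
}
```

The classifier deliberately returns nothing for a fixed allow-list value or for the server granting its own origin, which is what keeps a check like this quiet on correctly configured APIs; the false-positive filtering the post advertises is mostly about drawing that line carefully.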

Why ApiHunter?

✅ False positive filtering - SPA detection, body validation, context-aware secrets

✅ CI/CD native - Baseline diffing, SARIF output, exit code control

✅ Production-safe - Adaptive concurrency (AIMD), rate limiting, politeness controls

✅ Stealth - UA rotation, jitter, per-host delays, no scanner fingerprints

✅ Dual extensibility - TOML templates (no code) + Rust modules (full control)
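The "production-safe" bullet names AIMD, so here is an added example of what an adaptive-concurrency controller of that shape looks like in plain Rust. It is my own illustration, not ApiHunter's implementation: the step size, the halving factor, the 250 ms starting cooldown and the choice of 429/503 as push-back signals are all assumptions. The controller widens the per-host in-flight limit by one slot after every ten clean responses and halves it the moment the target pushes back, while a separate politeness delay grows exponentially and decays again during quiet stretches.

```rust
// Added example, not ApiHunter's own code: an AIMD (additive increase,
// multiplicative decrease) controller for the number of in-flight requests
// per host, the pattern behind "adaptive concurrency". Thresholds, factors
// and the status codes treated as push-back are assumptions for illustration.

use std::time::Duration;

/// What one completed request tells the controller.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Outcome {
    Ok,
    /// The target asked us to slow down (429/503) or stopped answering in time.
    Throttled,
}

/// Map an HTTP status to a controller outcome; the caller reports timeouts as Throttled itself.
pub fn outcome_for_status(status: u16) -> Outcome {
    match status {
        429 | 503 => Outcome::Throttled,
        _ => Outcome::Ok,
    }
}

#[derive(Debug)]
pub struct Aimd {
    limit: usize,       // current cap on concurrent requests to this host
    min: usize,
    max: usize,
    ok_streak: usize,   // consecutive successes since the last adjustment
    step_every: usize,  // successes required to add one slot (additive increase)
    decrease: f64,      // factor applied on push-back (multiplicative decrease)
    cooldown: Duration, // extra per-host delay inserted after push-back
}

impl Aimd {
    pub fn new(initial: usize, min: usize, max: usize) -> Self {
        let min = min.max(1);
        Aimd {
            limit: initial.clamp(min, max),
            min,
            max,
            ok_streak: 0,
            step_every: 10,
            decrease: 0.5,
            cooldown: Duration::ZERO,
        }
    }

    pub fn limit(&self) -> usize { self.limit }
    pub fn cooldown(&self) -> Duration { self.cooldown }

    /// Feed one outcome and return the new concurrency limit.
    pub fn record(&mut self, outcome: Outcome) -> usize {
        match outcome {
            Outcome::Ok => {
                self.ok_streak += 1;
                if self.ok_streak >= self.step_every {
                    self.ok_streak = 0;
                    self.limit = (self.limit + 1).min(self.max);
                    // a full quiet interval also relaxes the politeness delay
                    self.cooldown /= 2;
                }
            }
            Outcome::Throttled => {
                self.ok_streak = 0;
                let cut = (self.limit as f64 * self.decrease).floor() as usize;
                self.limit = cut.max(self.min);
                // exponential politeness: 250 ms, 500 ms, ... capped at 8 s
                self.cooldown = if self.cooldown.is_zero() {
                    Duration::from_millis(250)
                } else {
                    (self.cooldown * 2).min(Duration::from_secs(8))
                };
            }
        }
        self.limit
    }
}

fn main() {
    // Constructed trace: a burst of 429s followed by a quiet stretch.
    let mut ctl = Aimd::new(16, 1, 64);
    let trace = [429, 429, 200, 200, 200, 200, 200, 200, 200, 200, 200, 200, 200];
    for status in trace {
        let limit = ctl.record(outcome_for_status(status));
        println!("status {} -> limit {} cooldown {:?}", status, limit, ctl.cooldown());
    }
}
```

In a real scanner the `limit` value feeds the semaphore that gates requests to that host and `cooldown` is slept before the next one; keeping both in one controller means a single 429 both shrinks the window and spaces out what remains, which is what stops a scan from being the thing that takes a staging API down.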

Quick Start

Install

git clone https://github.com/Teycir/ApiHunter
cd ApiHunter
cargo build --release

Scan

./target/release/apihunter \
--urls targets.txt \
--format ndjson \
--min-severity medium

With active checks

./target/release/apihunter \
--urls targets.txt \
--active-checks \
--auth-bearer "your-token"
