Autoswagger: easy accessibility check without authorization
October 23, 2025

Greetings,

I had come across intruder.io's general description of Autoswagger a couple of times, so I decided to take a look at this quick and lightweight tool.

The tool lets you walk through the API endpoints a product exposes to the outside world, which is why I wanted to share its features with you. License: BSD 3-Clause. It is installed as a Python package and used from the CLI.

What it can do:

- Scans domains for exposed API documentation; an OpenAPI specification can also be supplied directly

- Parses the specification and builds the list of endpoints to test. It sends requests using valid parameter values taken from the documentation and flags any endpoint that returns data without proper access control, i.e. without a 401 or 403

Example: it clearly fired on the 429 Too Many Requests vector and made it obvious that we need to look at testing request limits (simple)

- Identifies sensitive data in responses, such as credentials and personal data (PII)

- The --brute flag tries to bypass checks, which helps find vulnerabilities in endpoints that reject standard input but accept particular data formats or values

Usage:

git clone git@github.com:intruder-io/autoswagger.git

pip install -r requirements.txt

python3 autoswagger.py -h

autoswagger --help

python3 autoswagger.py https://example.ru/api/users/swagger/v1/swagger.json -v -risk -all

Flags:

autoswagger.py [-h] [-v] [-risk] [-all] [-product] [-stats] [-rate RATE] [-b] [-json] [urls ...]

-h, --help # Show this help message and exit

-v, --verbose # Enable verbose output

-risk # Include non-GET requests in testing

-all # Include all HTTP status codes in results, excluding 401 and 403

-product # Output all endpoints in JSON format, marking those that contain PII or have large responses

-stats # Show scan statistics. Included in JSON when using -product or -json

-rate RATE # Set the rate limit in requests per second

-b, --brute # Enable exhaustive testing of parameter values

-json # Output results in JSON format in default mode

Scenarios:

1. Auto-discovery mode for the OpenAPI specification

- takes a domain name, e.g. example.com

- scans the target domain, probing standard paths for OpenAPI/Swagger documentation such as /openapi.json, /swagger.json, /api-docs, /v3/api-docs

- if a specification is found, parses it and extracts all available endpoints

- for each endpoint, sends requests without authorization (GET by default; POST, PUT, DELETE, etc. only when -risk is given) and analyzes the responses: status code, body, headers

2. Mode with a supplied specification

- takes one or more OpenAPI specifications in JSON or YAML format, as local files or URLs

- parses each specification, extracting all endpoints and the HTTP methods they support

- for each endpoint, sends unauthenticated requests and records deviations: responses other than 401/403 (an unexpected 200 in particular), 5xx errors, data leaks, etc.
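To make the flow in scenarios 1 and 2 concrete, here is a stripped-down Python re-implementation of the core check, written for this post as an illustration; it is not Autoswagger's own code and does not reproduce its output format. It takes an OpenAPI 3 document, builds one concrete request per path/method using the example and enum values from the spec, sends each request with no Authorization header, and treats anything other than 401/403 as worth reporting, with a PII regex pass over 2xx bodies. The spec (api.example.test, /users/{id}, /admin/export, /health), the fake_api transport and the verdict names are all constructed so the example runs offline.

```python
import json
import re
from dataclasses import dataclass
from typing import Callable

# Constructed OpenAPI 3 document: made-up server, paths and parameters, nothing real; every op needs auth on paper.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.example.test/v1"}],
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [
                {"name": "id", "in": "path", "schema": {"type": "integer", "example": 42}},
                {"name": "fields", "in": "query", "schema": {"type": "string", "enum": ["basic", "full"]}},
            ]},
            "delete": {"parameters": [
                {"name": "id", "in": "path", "schema": {"type": "integer", "example": 42}},
            ]},
        },
        "/admin/export": {"get": {}},
        "/health": {"get": {}},
    },
}
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}
PII_PATTERNS = {  # deliberately small; a real scanner carries many more patterns
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "secret_field": re.compile(r'"(password|token|api_key|secret)"\s*:', re.I),
}


@dataclass
class Finding:
    method: str
    url: str
    status: int
    verdict: str
    pii: list[str]


def pick_value(schema: dict) -> str:
    """Use what the documentation offers: example/default, then first enum member, then a type fallback."""
    for key in ("example", "default"):
        if key in schema:
            return str(schema[key])
    if schema.get("enum"):
        return str(schema["enum"][0])
    return {"integer": "1", "number": "1", "boolean": "true"}.get(schema.get("type"), "test")


def build_endpoints(spec: dict, include_non_get: bool = False) -> list[tuple[str, str]]:
    """Expand each path/method into (METHOD, url); non-GET only when asked for, as a -risk style switch gates."""
    base = spec.get("servers", [{"url": ""}])[0]["url"].rstrip("/")
    endpoints = []
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method not in HTTP_METHODS or (method != "get" and not include_non_get):
                continue
            url, query = path, []
            for p in item.get("parameters", []) + op.get("parameters", []):
                value = pick_value(p.get("schema", {}))
                if p["in"] == "path":
                    url = url.replace("{%s}" % p["name"], value)
                elif p["in"] == "query":
                    query.append(f"{p['name']}={value}")
            endpoints.append((method.upper(), base + url + ("?" + "&".join(query) if query else "")))
    return endpoints


def classify(status: int) -> str:
    """401/403: access control worked. 2xx with no credentials: the finding. 429: rate limit, test separately."""
    if status in (401, 403):
        return "protected"
    if 200 <= status < 300:
        return "unauthenticated_access"
    if status == 429:
        return "rate_limited"
    return "review"  # 404/405/5xx: spec and deployment disagree, check by hand


def detect_pii(body: str) -> list[str]:
    return sorted(name for name, rx in PII_PATTERNS.items() if rx.search(body))


def scan(spec: dict, transport: Callable[[str, str], tuple[int, str]], include_non_get: bool = False) -> list[Finding]:
    findings = []
    for method, url in build_endpoints(spec, include_non_get):
        status, body = transport(method, url)  # transport sends no Authorization header
        pii = detect_pii(body) if 200 <= status < 300 else []
        findings.append(Finding(method, url, status, classify(status), pii))
    return findings


def fake_api(method: str, url: str) -> tuple[int, str]:
    """Constructed stand-in for the target so the example runs offline; swap in a real HTTP client
    to scan a host you are authorised to test."""
    path = url.split("?", 1)[0].split("/v1", 1)[1]
    if method == "GET" and path == "/users/42":  # the hole: PII served without auth
        return 200, json.dumps({"id": 42, "name": "Jane Doe", "email": "jane.doe@example.test"})
    if method == "DELETE" and path == "/users/42":
        return 403, '{"error":"forbidden"}'
    if path == "/admin/export":
        return 401, '{"error":"unauthorized"}'
    if path == "/health":
        return 200, '{"status":"ok"}'
    return 404, ""


if __name__ == "__main__":
    for f in scan(SAMPLE_SPEC, fake_api, include_non_get=True):
        print(f.status, f.verdict, f.method, f.url, f.pii)
```

Two points carry over to reading real output: the transport is injected, so the same logic runs against a live host by passing a function that wraps an HTTP client, and 429 is kept out of the 401/403 bucket on purpose, because a rate limit says nothing about authorization and is the cue to test the limits themselves, exactly the case noted above.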

Bottom line: the tool starts quickly and has minimal dependencies; it is lightweight, needs no build step and runs straight from source. It is shallow, but as an easy start it works without problems for a first pass at the initial vector.

#toolchain #research #dast
