Service, continuous
Continuous automated security analysis of your REST and GraphQL APIs. We send the OpenAPI spec or a live endpoint to our own scanning engines and surface what a pentester would have found: broken authentication, leaking introspection, broken CORS policies, missing rate limits, error messages that leak the framework.
Mapped against OWASP API Security Top 10:2023 and RFC 7519 (JWT). Daily report plus immediate Telegram/email alert on new critical findings.
What we test
The classes below map directly to OWASP API Top 10. Each is run by one or more native plugins we maintain ourselves. No third-party black boxes.
A mutation matrix run against your authenticated endpoint: alg=none, kid path traversal, stripped signature, expired exp claim, audience swap, HS256-vs-RS256 algorithm confusion. These are classic JWT misconfigurations that frameworks still accept.
We fingerprint the engine (Apollo, Hasura, Ariadne and others), test whether introspection is enabled in production, and try to reconstruct the schema via "did you mean" field suggestions even when introspection is off (the Clairvoyance technique).
We read your OpenAPI spec and generate test cases for every endpoint with a path parameter: empty string, very long string, negative int, null byte, SQL marker, XSS marker, path traversal. We flag 5xx responses (handler exceptions), unescaped reflection and spec drift.
Wildcard CORS origins on token-authenticated endpoints are a classic credential-theft surface. We test every endpoint with an attacker-controlled origin and flag those that return Access-Control-Allow-Credentials: true with that origin mirrored back in Access-Control-Allow-Origin.
We probe GraphQL alias amplification (50 aliases of the same field in one request), REST batched-query support that shares a single auth check across the batch, and path-canonicalization bypasses of rate-limit counters (e.g. /endpoint/ vs /endpoint being counted separately).
Backend errors reaching the wire: gorm "record not found", django DoesNotExist, sqlalchemy IntegrityError, Go panic, Python traceback. Each one reveals your data-layer stack outright and tends to invite targeted follow-on attacks.
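The JWT mutation matrix above is only worth running because many verifiers skip one of the checks it exercises. The following is an added illustration (not the service's plugin code) of a verifier written so that every mutation class in that matrix is rejected: the algorithm is pinned rather than read from the header, keys are looked up in an allow-list keyed by kid rather than on a path built from it, the signature is required and compared in constant time, and exp and aud are checked. The key store, secret and audience are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key store: kid -> HMAC secret. Keys come only from this
# allow-list, never from a filesystem path derived from kid (kid traversal).
KEYS = {"k1": b"constructed-demo-secret-do-not-reuse"}
ALLOWED_ALG = "HS256"             # pinned server-side, never taken from the token
EXPECTED_AUD = "api.example.test"  # constructed audience value

def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify(token: str, now=None) -> dict:
    """Return the claims if every check passes; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("malformed or unsigned token")   # stripped signature
    header = json.loads(_b64d(parts[0]))
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError("algorithm not allowed")         # alg=none, RS256/HS256 confusion
    key = KEYS.get(str(header.get("kid")))
    if key is None:
        raise ValueError("unknown kid")                   # kid traversal / unknown key
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(parts[1]))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")        # expired exp
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("audience mismatch")             # audience swap
    return claims

def rejects(token: str, now=None) -> bool:
    """True if verify() refuses the token; used to exercise the mutation cases."""
    try:
        verify(token, now)
        return False
    except ValueError:
        return True

def sign(claims: dict, kid="k1", alg="HS256", key=None) -> str:
    """Mint a test token; alg, kid and key are overridable to build mutated cases."""
    header = _b64e(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key or KEYS[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64e(sig)}"
```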
How it works
You give us your OpenAPI spec (if you have one) or just the hostname. We set up an authentication bootstrap so our plugins can reach protected endpoints.
We run the full plugin suite once, typically 100-300 requests depending on spec size, and calibrate against your normal 4xx rate.
Lightweight scan every day. Delta findings show up in the dashboard. Critical findings go straight to Telegram or email without waiting for the report.
On critical or multi-step findings, one of us reviews before the report is released to you. False positives get caught before you see them.
Where it fits in
This service does not replace a manual application pentest. A human still finds logic flaws, business-rule bypasses and creative attack chains that tools cannot automate.
It catches the other half of the problem: regressions and misconfigurations that show up after the pentest. Between two annual manual tests there are 360 days where API security can drift unnoticed. That is where this service belongs.
Strategic overview: Strategic Security Assessment. Manual pentest on request via Adminor.
FAQ
An OpenAPI spec is not mandatory but strongly recommended. With the spec we run schemathesis-equivalent fuzzing on every documented endpoint. Without it we run a reduced set: endpoint discovery, JWT matrix, GraphQL audit, CORS, headers.
No. The default is read-only: GET methods, schema queries, header probes. We only use POST/PUT/PATCH/DELETE if you have explicitly approved a sandbox environment and given us a separate scope agreement.
One of three paths: (1) you give us a test user JWT, (2) we build an OTP bootstrap flow against your staging environment, (3) you give us a client_credentials token via a separate OAuth app. All credentials are stored encrypted and purged on cancellation.
From 199 EUR/month for continuous daily scanning of one API host. Larger APIs (>200 endpoints) or multiple hosts priced individually. Operator review of critical findings is included.
Each finding has an OWASP category field (e.g. API2:2023 Broken Authentication, API4:2023 Unrestricted Resource Consumption) and a CWE reference. The report shows distribution and a gap analysis mapped directly against Top 10:2023.
All scan data is stored on Adminor AB infrastructure in Sweden. Nothing is exposed to the US Cloud Act. GDPR Art. 30 record-of-processing is available on request.
Onboarding takes about one working day. The first deep scan is delivered before the week is out.