
Tinfoil Security API Scanner

The Tinfoil Security API Scanner is able to detect vulnerabilities in any API, including web-connected devices such as mobile backend servers, IoT devices, as well as any RESTful APIs. The few tools that are currently available lack coverage depth in API security, or are focused on acting as a firewall or unintelligent fuzzer. Vulnerabilities focused on authorization and access control concerns, or even web-like vulnerabilities, like XSS, manifest in different ways and with different exploitation vectors than they do for web applications. The security concerns for an API are fundamentally different from those for web applications. The Tinfoil Security API Scanner has been built, from the ground up, to focus on APIs specifically, rather than jury-rigging a web application scanner to be able to handle APIs half-well.

Fast Blackbox Analysis

We ingest API documentation to build a map of all the endpoints on the API and their parameters, including constraints. We fuzz all of the parameters with values generated by analyzing the constraints and validations specified. We can bypass server-side input validation and scan core business logic, and we can find authorization and authentication bypasses by fuzzing authentication workflows defined by the user. All of this in less than a minute, on average; we spend our time testing the parts of the API most likely to be vulnerable.

Intelligent Payloads

Payloads are generated based on the constraints defined in the documentation you provide. Because we can see the parameter definitions, we know, for example, if the input needs to be a string between 5 and 12 characters long, or if it needs to be of a specific format. Using this knowledge, we will automatically generate boundary tests that stress the application's ability to behave to specification. As a result, our payloads are mostly correct but malicious in some way; we do not fuzz using random garbage, making our scanning efficient, intelligent, and incredibly effective.

Login Authenticators

API authentication is complicated, including methods as diverse as OAuth 2, JWT, and your run-of-the-mill authorization headers. A full authentication process for an API typically combines and layers several of these authentication methods on top of one another. Tinfoil Security allows you to specify these authenticators as building blocks, each performing one piece of an authentication workflow. We give you tools to expressively define workflows, which gives us a better understanding of the authentication and where it might be failing. This allows us to uniquely check for authentication edge cases, including authorization bypass, in ways that no other scanners can.

The ROI4CIO Product Catalog is a database of business software, hardware, and IT services. Using filters, select IT products by category, supplier or vendor, business tasks, problems, or availability of an ROI calculator or price calculator. Find the right business solutions by using a neural network search based on the results of product deployments in other companies.