Full Report
Exposed API documentation is a gift-wrapped roadmap for threat actors. The free Autoswagger tool from Intruder scans for exposed docs and flags endpoints with broken access controls—before attackers find them. [...]
Analysis Summary
# Tool/Technique: Autoswagger
## Overview
Autoswagger is a free, open-source tool developed by Intruder's security team designed to scan domains for exposed API documentation (like OpenAPI or Swagger schemas) and subsequently test the discovered endpoints for broken authorization flaws. Its purpose is to help organizations identify critical API weaknesses that could lead to data exposure.
## Technical Details
- Type: Tool
- Platform: Web APIs. The authors tested it against bug bounty targets, including APIs hosted on Azure Functions.
- Capabilities: discovers exposed API documentation; parses the schema to enumerate endpoints and their parameters; sends requests without credentials and treats any answer other than 401/403 as a possible authorization failure; flags responses that contain sensitive data; with the `--brute` flag, retries endpoints that rejected generic input using values that satisfy their documented formats.
- First Seen: released alongside the source article (2025); the summary gives no exact date.
## MITRE ATT&CK Mapping
- T1595 - Active Scanning
- T1595.002 - Vulnerability Scanning
* *Note: The closest match for what the tool itself does: probing documented endpoints for authorization failures. ATT&CK has no technique for BOLA/BFLA, so the entries below approximate what an adversary gains rather than how the tool works.*
- T1134 - Access Token Manipulation
- T1134.001 - Token Impersonation/Theft
* *Note: Listed only as the nearest technique; no token is manipulated. Autoswagger sends requests with no credentials at all, and the flaws it finds are **Broken Object Level Authorization (BOLA)** and **Broken Function Level Authorization (BFLA)**, i.e. missing access control.*
- T1078 - Valid Accounts
- T1078.004 - Cloud Accounts
* *Note: The findings rely on missing authorization checks rather than stolen credentials, but the effect is the same: unauthorized access to account-scoped data.*
- T1589 - Gather Victim Identity Information
- T1589.001 - Credentials
- T1589.002 - Email Addresses
- T1589.003 - Employee Names
* *Example: Exposure of Microsoft MPN credentials; internal staff names and email addresses returned by a training application.*
## Functionality
### Core Capabilities
- **Documentation Discovery:** Scans domains to detect exposed API documentation schemas (OpenAPI/Swagger).
- **Endpoint Mapping:** Parses discovered schemas to generate a comprehensive list of endpoints to test.
- **Authorization Testing:** Sends requests with parameter values derived from the documentation but without credentials, and checks whether the endpoint refuses them (401/403). Endpoints that instead answer with data are flagged as lacking access control.
- **Sensitive Data Flagging:** Raises alerts if an endpoint returns sensitive data (PII, credentials) while unsecured.
### Advanced Features
- **Brute Force Flag:** The `--brute` flag allows the tool to attempt to bypass input validation checks on endpoints that reject generic inputs but might accept specific data formats or values.
- **In-depth Vulnerability Identification:** In the authors' testing the tool surfaced real-world flaws including mass data extraction (Salesforce records, by incrementing a date parameter) and an unauthenticated SQL injection reachable through an internal resource.
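The pipeline described in this section, as an added example that is not Autoswagger's own code: it runs on a constructed OpenAPI 3 document, builds one unauthenticated request per documented operation from the schema's example values, sends it through a stub transport (a dict standing in for the target, so it runs offline) and classifies the answer the way the summary describes. A 400/422 is reported as "rejected" rather than "protected", because that is the case a `--brute` style second pass with format-specific values would revisit. All paths, responses and the secret value are invented.

```python
"""Added example (not from the article or Autoswagger): schema -> requests ->
unauthenticated probe -> verdict, against an offline stub target."""
import json
import re
from urllib.parse import urlencode

# Constructed document standing in for a publicly reachable /openapi.json.
CONSTRUCTED_SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/api/users/{id}": {"get": {"parameters": [
            {"name": "id", "in": "path", "schema": {"type": "integer", "example": 7}}]}},
        "/api/orders": {"get": {"parameters": [
            {"name": "ByDate", "in": "query", "schema": {"type": "string", "example": "2024-01-01"}}]}},
        "/api/reports": {"get": {"parameters": [
            {"name": "format", "in": "query", "schema": {"type": "string"}}]}},
        "/api/partner/config": {"get": {}},
        "/api/admin/config": {"get": {}},
        "/api/health": {"get": {}},
    },
}

# Constructed stub responses keyed by (method, url): what the target returns
# to a request that carries no credentials.
STUB_RESPONSES = {
    ("GET", "/api/users/7"): (200, json.dumps({"id": 7, "email": "j.doe@example.com"})),
    ("GET", "/api/orders?ByDate=2024-01-01"): (200, json.dumps([{"order": 1, "customer": "A. Smith"}])),
    ("GET", "/api/reports?format=test"): (400, json.dumps({"error": "format must be pdf or csv"})),
    ("GET", "/api/partner/config"): (200, json.dumps({"apiKey": "sk_live_constructed_value"})),
    ("GET", "/api/admin/config"): (403, ""),
    ("GET", "/api/health"): (200, json.dumps({"status": "ok"})),
}

# Cheap content checks. Personal names (the Salesforce case) are not
# detectable this way; "open" findings without a hit still need review.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "secret": re.compile(r'(?i)"(?:api[_-]?key|secret|password|token)"\s*:\s*"[^"]+"'),
}


def example_value(schema):
    """Documented example if present, otherwise a bland value by type.
    Strictly validated endpoints reject the bland value, which is why a 400
    is 'rejected' (inconclusive) rather than 'protected'."""
    if "example" in schema:
        return schema["example"]
    return {"integer": 1, "number": 1, "boolean": "true"}.get(schema.get("type"), "test")


def build_requests(spec):
    """One concrete (METHOD, url) per documented operation."""
    built = []
    for path, operations in spec["paths"].items():
        for method, op in operations.items():
            url, query = path, {}
            for param in op.get("parameters", []):
                value = example_value(param.get("schema", {}))
                if param["in"] == "path":
                    url = url.replace("{%s}" % param["name"], str(value))
                elif param["in"] == "query":
                    query[param["name"]] = value
            if query:
                url += "?" + urlencode(query)
            built.append((method.upper(), url))
    return built


def classify(status, body):
    if status in (401, 403):
        return "protected"
    if 200 <= status < 300:
        return "open" if body.strip() else "open-empty"
    if status in (400, 422):
        return "rejected"
    return "other"


def find_sensitive(body):
    return sorted(name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(body))


def scan(spec, send):
    """send(method, url) -> (status, body). Returns one finding per operation."""
    findings = []
    for method, url in build_requests(spec):
        status, body = send(method, url)
        verdict = classify(status, body)
        findings.append({
            "request": f"{method} {url}",
            "status": status,
            "verdict": verdict,
            "sensitive": find_sensitive(body) if verdict == "open" else [],
        })
    return findings


def stub_send(method, url):
    """Offline transport; a real scanner would put an HTTP client here."""
    return STUB_RESPONSES.get((method, url), (404, ""))


if __name__ == "__main__":
    for finding in scan(CONSTRUCTED_SPEC, stub_send):
        print(finding)
```

In this run `/api/admin/config` is the only endpoint that behaves correctly; the partner config leaks a key-like value, the user endpoint leaks an email, and `/api/reports` is left as inconclusive because it rejected the placeholder rather than the caller. Note that `/api/health` is also "open", which is normal for a health check: the verdict says only that no authorization was applied, and the sensitive-data pass is what separates harmless from harmful.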
## Indicators of Compromise
- File Hashes: N/A (Tool, not malware)
- File Names: N/A (Tool, not malware)
- Registry Keys: N/A
- Network Indicators: N/A (Tool used for testing, not C2 communication)
- Behavioral Indicators: Repeated requests to API endpoints resulting in HTTP 200 responses containing:
* Microsoft MPN credentials/API keys.
* Salesforce customer/PII records (names, contact details, orders).
* Internal staff names and email addresses from internal training applications.
* Active Directory user information enumeration (related to CVE-2025-0589).
## Associated Threat Actors
- None attributed. Autoswagger is built and used by Intruder's security team for authorized testing; the summary reports no adversary use of the tool itself.
- Any adversary who finds exposed documentation can replicate the approach, since it needs no credentials, only the schema and a request tool, and it targets **Broken Authorization (IDOR/BOLA/BFLA)** in the documented endpoints.
## Detection Methods
- Signature-based detection: Low utility; the tool's requests are ordinary, well-formed API calls. The one cheap signal is a fetch of a well-known documentation path (for example `/swagger.json` or `/openapi.json`) from a client that then begins calling endpoints.
- Behavioral detection: Alert on a single client that, shortly after fetching a schema, requests a large number of distinct documented paths (e.g. `/1/dashboard/mpn/program/api/config/`) within a short window, and on repeated calls to one endpoint with a parameter stepped through a sequence (e.g. incrementing "ByDate"). Also watch for 200 responses with bodies on endpoints that should only ever answer 401/403 to unauthenticated callers.
- YARA rules: N/A
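The behavioral detections above, as an added example that is not part of the original article: it runs over constructed web-server log lines and raises three kinds of alert per client IP, a fetch of a well-known schema path, many distinct API paths inside a short window, and one endpoint called repeatedly with a query parameter stepped through an increasing sequence. The log format, addresses, paths and thresholds are all invented and would need tuning to a real API's traffic.

```python
"""Added example (not from the article): schema fetch, path enumeration and
parameter sweep detection over a constructed access log."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed access log: "<utc timestamp> <client ip> <method> <target> <status>".
CONSTRUCTED_LOGS = """\
2025-07-01T10:00:01Z 203.0.113.5 GET /openapi.json 200
2025-07-01T10:00:02Z 203.0.113.5 GET /api/users/1 200
2025-07-01T10:00:02Z 203.0.113.5 GET /api/orders?ByDate=2025-01-01 200
2025-07-01T10:00:03Z 203.0.113.5 GET /api/orders?ByDate=2025-01-02 200
2025-07-01T10:00:03Z 203.0.113.5 GET /api/orders?ByDate=2025-01-03 200
2025-07-01T10:00:04Z 203.0.113.5 GET /api/orders?ByDate=2025-01-04 200
2025-07-01T10:00:04Z 203.0.113.5 GET /api/admin/config 403
2025-07-01T10:00:05Z 203.0.113.5 GET /api/health 200
2025-07-01T10:00:05Z 203.0.113.5 GET /api/reports 400
2025-07-01T10:00:06Z 203.0.113.5 GET /api/partner/config 200
2025-07-01T10:03:00Z 198.51.100.9 GET /api/orders?ByDate=2025-06-30 200
2025-07-01T10:03:10Z 198.51.100.9 GET /api/health 200
"""

DOC_PATHS = {"/swagger.json", "/openapi.json", "/swagger/v1/swagger.json",
             "/v2/api-docs", "/v3/api-docs"}
WINDOW = timedelta(seconds=60)       # assumed; tune to the API's normal clients
DISTINCT_PATH_THRESHOLD = 6          # distinct paths per client per window
SEQUENCE_THRESHOLD = 4               # stepped values before calling it a sweep


def parse_line(line):
    ts, ip, method, target, status = line.split()
    url = urlsplit(target)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip, "method": method, "path": url.path,
        "query": parse_qs(url.query), "status": int(status),
    }


def is_increasing(values):
    """Strictly increasing as integers when every value parses, otherwise as
    strings (ISO dates such as 2025-01-02 sort correctly lexically)."""
    try:
        seq = [int(v) for v in values]
    except ValueError:
        seq = list(values)
    return all(b > a for a, b in zip(seq, seq[1:]))


def detect(log_text):
    """Return (client_ip, alert_kind, detail) tuples."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event["ip"]].append(event)

    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])

        # 1. Schema fetch: cheap, high-signal precursor to the enumeration.
        for e in events:
            if e["path"] in DOC_PATHS:
                alerts.append((ip, "schema_fetch", e["path"]))
                break

        # 2. Path enumeration: sliding window over distinct paths per client.
        for i, start in enumerate(events):
            paths = {e["path"] for e in events[i:] if e["ts"] - start["ts"] <= WINDOW}
            if len(paths) >= DISTINCT_PATH_THRESHOLD:
                alerts.append((ip, "path_enumeration", len(paths)))
                break

        # 3. Parameter sweep: same path and parameter, values stepping upward.
        series = defaultdict(list)
        for e in events:
            for name, values in e["query"].items():
                series[(e["path"], name)].append(values[0])
        for (path, name), values in series.items():
            if len(values) >= SEQUENCE_THRESHOLD and is_increasing(values):
                alerts.append((ip, "parameter_sweep", f"{path}?{name}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_LOGS):
        print(alert)
```

The sweep check only looks at query parameters; identifiers carried in the path (`/api/users/1`, `/api/users/2`) need the route template from the schema to be collapsed to one series first, which is the same parsing step the scanner itself performs. The second client in the sample never trips a rule, which is the point of the thresholds: a single dated query and a health check is normal traffic.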
## Mitigation Strategies
- **Restrict Documentation Exposure:** Do not publish OpenAPI/Swagger schemas for internal or privileged APIs; serve them only to authenticated developers. Treat this as hygiene rather than a control: the flaws Autoswagger finds exist whether or not the documentation is visible.
- **Implement Robust Access Control:** Enforce object-level and function-level authorization (the checks whose absence is BOLA and BFLA) on *every* endpoint, in code that runs regardless of how obscure or deeply nested the path is, and deny by default when no identity is present.
- **Input Validation:** Validate all request input, including parameters such as 'ByDate', but do not rely on it for security; the `--brute` flag exists precisely because validation-only endpoints can be satisfied by correctly formatted values.
- **Principle of Least Privilege:** Even when an endpoint is reachable, return only the fields the authenticated user's context requires, and scope queries to that user's own records.
- **API Security Scanning:** Routinely run tools like Autoswagger (or commercial equivalents) against your own APIs to test authorization, not just authentication, before someone else does.
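The access-control and least-privilege points above, as an added example that is not from the article or from Autoswagger: a minimal handler pair showing the BOLA and BFLA gaps the tool reports, beside hardened versions that deny by default, check object ownership, check the caller's role, and return only the fields the caller needs. The records, users, roles and the dict-shaped request are constructed; no web framework is involved, so the exceptions stand in for the 401/403 responses a real API would send.

```python
"""Added example (not from the article): vulnerable versus hardened handlers
for object-level and function-level authorization."""


class Unauthorized(Exception):
    """No identity on the request (would become HTTP 401)."""


class Forbidden(Exception):
    """Identity present but not allowed (would become HTTP 403)."""


# Constructed data. card_last4 and notes are the fields a scanner would flag
# as sensitive if they leaked to the wrong caller.
ORDERS = {
    101: {"id": 101, "owner": "alice", "total": 42.0, "card_last4": "4242", "notes": "fraud review pending"},
    102: {"id": 102, "owner": "bob", "total": 9.5, "card_last4": "1111", "notes": ""},
}
ROLES = {"alice": "customer", "bob": "customer", "ops": "admin"}
CUSTOMER_FIELDS = ("id", "total")


def get_order_vulnerable(request, order_id):
    """BOLA: any caller, authenticated or not, gets any order in full.
    An unauthenticated scanner sees this as '200 with data'."""
    return ORDERS[order_id]


def list_orders_vulnerable(request):
    """BFLA: an admin-only function reachable by anyone who finds the path."""
    return list(ORDERS.values())


def current_user(request):
    """Deny by default: no identity means no access, whatever the endpoint."""
    user = request.get("user")
    if user is None:
        raise Unauthorized()
    return user


def get_order_hardened(request, order_id):
    user = current_user(request)
    record = ORDERS.get(order_id)
    # Object-level check. Using one error for "missing" and "not yours" keeps
    # the endpoint from becoming an oracle for which IDs exist.
    if record is None or record["owner"] != user:
        raise Forbidden()
    # Least privilege: project to the fields a customer actually needs.
    return {k: record[k] for k in CUSTOMER_FIELDS}


def list_orders_hardened(request):
    user = current_user(request)
    # Function-level check, enforced here rather than by the path being obscure.
    if ROLES.get(user) != "admin":
        raise Forbidden()
    return list(ORDERS.values())


def outcome(handler, request, *args):
    """Run a handler and report either its result or the error class name."""
    try:
        return handler(request, *args)
    except (Unauthorized, Forbidden) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print(outcome(get_order_vulnerable, {}, 101))
    print(outcome(get_order_hardened, {}, 101))
    print(outcome(get_order_hardened, {"user": "bob"}, 101))
    print(outcome(get_order_hardened, {"user": "alice"}, 101))
    print(outcome(list_orders_hardened, {"user": "alice"}))
```

The hardened handlers make the authorization decision before touching the record and never branch on path obscurity, which is what closes the gap a schema leak exposes: once the path is known, the only thing standing between the caller and the data is the check inside the handler.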
## Related Tools/Techniques
- OpenAPI Schema Exploitation: Attackers leveraging exposed documentation as a blueprint.
- Unauthenticated SQL Injection: (Found in the "soda company" example).
- Active Directory Enumeration via Application Integration: (Related to CVE-2025-0589 via Octopus Deploy integration).