// src/config.rs
//
// Unified configuration types consumed by every module in the scanner.
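/// Top-level configuration produced by CLI arg parsing in `main.rs`.
///
/// `Debug` is implemented by hand rather than derived: this struct carries
/// credentials (`auth_bearer`, `auth_basic`, cookie and header values, and a
/// proxy URL that may embed `user:password@`), and a derived impl would print
/// them verbatim into any `{:?}` log line, error context or panic message.
/// The manual impl keeps every field visible but replaces secret values with
/// `[REDACTED]`, so the output stays useful for diagnostics.
#[derive(Clone)]
pub struct Config {
    /// Maximum number of URLs to scan. `usize::MAX` means unlimited.
    pub max_endpoints: usize,
    /// Number of URLs scanned concurrently (semaphore width).
    pub concurrency: usize,
    /// Per-scanner enable / disable switches.
    pub toggles: ScannerToggles,
    /// Rate-limiting / retry knobs.
    pub politeness: PolitenessConfig,
    /// WAF-evasion settings.
    pub waf_evasion: WafEvasionConfig,
    /// Default headers applied to every request. Values may carry API keys or
    /// tokens and are treated as secret by the `Debug` impl.
    pub default_headers: Vec<(String, String)>,
    /// Cookies applied to every request. Values are treated as secret by the
    /// `Debug` impl.
    pub cookies: Vec<(String, String)>,
    /// Optional HTTP/HTTPS proxy URL. Hidden by the `Debug` impl because the
    /// URL may embed proxy credentials.
    pub proxy: Option<String>,
    /// Accept invalid TLS certificates. Dangerous: with verification off, any
    /// credentials sent via `auth_*`, cookies or headers can be captured by an
    /// on-path interceptor.
    pub danger_accept_invalid_certs: bool,
    /// Enable active (potentially invasive) checks.
    pub active_checks: bool,
    /// Do not send active-check mutation requests; emit informational "would test" findings.
    pub dry_run: bool,
    /// Enable streaming NDJSON findings (reports while scan is running).
    pub stream_findings: bool,
    /// Optional baseline NDJSON file for diffing (suppress known findings).
    pub baseline_path: Option<std::path::PathBuf>,
    /// Optional session cookie file (JSON) to load/save.
    pub session_file: Option<std::path::PathBuf>,
    /// Optional bearer token sent as an auth helper. Secret: redacted by `Debug`.
    pub auth_bearer: Option<String>,
    /// Optional HTTP basic credentials sent as an auth helper. Secret: redacted by `Debug`.
    pub auth_basic: Option<String>,
    /// Optional auth flow descriptor (loaded from --auth-flow file).
    pub auth_flow: Option<std::path::PathBuf>,
    /// Second credential set for cross-user IDOR checks (--auth-flow-b).
    pub auth_flow_b: Option<std::path::PathBuf>,
    /// Additional auth-like headers to strip for unauthenticated probes.
    pub unauth_strip_headers: Vec<String>,
    /// Enable per-host HTTP client pools.
    pub per_host_clients: bool,
    /// Enable adaptive concurrency.
    pub adaptive_concurrency: bool,
    /// Skip endpoint discovery and scan only provided seed URLs.
    pub no_discovery: bool,
    /// Suppress verbose progress output.
    pub quiet: bool,
}

impl Config {
    /// Placeholder printed in place of a secret value by the `Debug` impl.
    const REDACTED: &'static str = "[REDACTED]";

    /// Redacts an optional secret: `None` stays `None`, `Some(_)` becomes
    /// `Some("[REDACTED]")`, so the output still shows whether a value was set.
    fn redact(value: Option<&str>) -> Option<&'static str> {
        value.map(|_| Self::REDACTED)
    }

    /// Keeps only the names of `(name, value)` pairs; the values are dropped
    /// because header and cookie values commonly hold session tokens or keys.
    fn names_only(pairs: &[(String, String)]) -> Vec<&str> {
        pairs.iter().map(|(name, _)| name.as_str()).collect()
    }
}

impl std::fmt::Debug for Config {
    /// Field-by-field rendering with every credential-bearing value redacted.
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("Config")
            .field("max_endpoints", &self.max_endpoints)
            .field("concurrency", &self.concurrency)
            .field("toggles", &self.toggles)
            .field("politeness", &self.politeness)
            .field("waf_evasion", &self.waf_evasion)
            .field("default_headers", &Self::names_only(&self.default_headers))
            .field("cookies", &Self::names_only(&self.cookies))
            .field("proxy", &Self::redact(self.proxy.as_deref()))
            .field("danger_accept_invalid_certs", &self.danger_accept_invalid_certs)
            .field("active_checks", &self.active_checks)
            .field("dry_run", &self.dry_run)
            .field("stream_findings", &self.stream_findings)
            .field("baseline_path", &self.baseline_path)
            .field("session_file", &self.session_file)
            .field("auth_bearer", &Self::redact(self.auth_bearer.as_deref()))
            .field("auth_basic", &Self::redact(self.auth_basic.as_deref()))
            .field("auth_flow", &self.auth_flow)
            .field("auth_flow_b", &self.auth_flow_b)
            .field("unauth_strip_headers", &self.unauth_strip_headers)
            .field("per_host_clients", &self.per_host_clients)
            .field("adaptive_concurrency", &self.adaptive_concurrency)
            .field("no_discovery", &self.no_discovery)
            .field("quiet", &self.quiet)
            .finish()
    }
}

/// Individual scanner toggle flags. Each field enables the scanner of the same
/// name; none of these values is secret, so `Debug` is derived.
#[derive(Debug, Clone)]
pub struct ScannerToggles {
    /// Enable the CORS scanner.
    pub cors: bool,
    /// Enable the CSP scanner.
    pub csp: bool,
    /// Enable the GraphQL scanner.
    pub graphql: bool,
    /// Enable the API-security scanner.
    pub api_security: bool,
    /// Enable the JWT scanner.
    pub jwt: bool,
    /// Enable the OpenAPI scanner.
    pub openapi: bool,
    /// Enable the mass-assignment scanner.
    pub mass_assignment: bool,
    /// Enable the OAuth / OIDC scanner.
    pub oauth_oidc: bool,
    /// Enable the rate-limit scanner.
    pub rate_limit: bool,
    /// Enable the CVE-template scanner.
    pub cve_templates: bool,
    /// Enable the WebSocket scanner.
    pub websocket: bool,
}

/// Network politeness knobs.
#[derive(Debug, Clone)]
// NOTE(review): some of these fields appear to be unread at present; confirm
// which before removing the allow.
#[allow(dead_code)]
pub struct PolitenessConfig {
    /// Minimum delay between requests per host (ms).
    pub delay_ms: u64,
    /// Maximum retry attempts on transient errors.
    pub retries: u32,
    /// Per-request timeout (seconds).
    pub timeout_secs: u64,
}

/// WAF evasion configuration.
#[derive(Debug, Clone)]
// NOTE(review): some of these fields appear to be unread at present; confirm
// which before removing the allow.
#[allow(dead_code)]
pub struct WafEvasionConfig {
    /// Master switch for WAF evasion heuristics.
    pub enabled: bool,
    /// User-Agent rotation pool.
    pub user_agents: Vec<String>,
}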