APIs scanned the way they should be
Intelligently protect mobile backends, IoT devices, and web services
What makes us different?
The Tinfoil API Scanner can detect vulnerabilities in any API, including mobile backend servers, IoT devices, and any RESTful API. The few tools currently available either lack depth of coverage in API security or are focused on acting as a firewall or an unintelligent fuzzer.
Vulnerabilities focused on authorization and access control concerns, or even web-like vulnerabilities, like XSS, manifest in different ways and with different exploitation vectors than they do for web applications. The security concerns for an API are fundamentally different from those for web applications. The Tinfoil API Scanner has been built, from the ground up, to focus on APIs specifically, rather than jury-rigging a web application scanner to be able to handle APIs half-well.
We ingest API documentation to build a map of all the endpoints on the API and their parameters, including constraints. We fuzz all of the parameters with values generated by analyzing the constraints and validations specified. We can bypass server-side input validation and scan core business logic, and we can find authorization and authentication bypasses by fuzzing authentication workflows defined by the user. All of this in less than a minute, on average; we spend our time testing the parts of the API most likely to be vulnerable.
Payloads are generated from the constraints defined in the documentation you provide. Because we can see the parameter definitions, we know, for example, whether an input must be a string between 5 and 12 characters long, or whether it must follow a specific format. Using this knowledge, we automatically generate boundary tests that stress the application's ability to behave according to its specification. As a result, our payloads are mostly correct but malicious in some way; we do not fuzz with random garbage, which makes our scanning efficient, intelligent, and incredibly effective.
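The two paragraphs above describe the technique in outline: read the parameter constraints out of the API documentation, then generate values that sit exactly on and one step past each constraint. The following is an added example of that idea, not Tinfoil's code and not taken from any real API. It uses a constructed OpenAPI-3-style parameter list with JSON-Schema keywords (minLength, maxLength, minimum, maximum, enum, pattern), generates boundary candidates for each parameter, and classifies every candidate against the schema locally so the tester knows in advance whether the API is supposed to accept or reject it. A 2xx response to any "REJECT" case is the signal that server-side validation does not match the specification.

```python
import re
from dataclasses import dataclass
from typing import Any, Iterator
from urllib.parse import urlencode

# Constructed OpenAPI-3-style parameter list for one endpoint (not a real API).
SPEC_PARAMETERS = [
    {"name": "username", "schema": {"type": "string", "minLength": 5, "maxLength": 12}},
    {"name": "page",     "schema": {"type": "integer", "minimum": 1, "maximum": 100}},
    {"name": "sort",     "schema": {"type": "string", "enum": ["asc", "desc"]}},
    {"name": "zip",      "schema": {"type": "string", "pattern": r"^[0-9]{5}$"}},
]


@dataclass(frozen=True)
class Case:
    param: str
    value: Any
    in_spec: bool  # True: the API should accept it; False: it should reject it
    reason: str


def conforms(schema: dict, value: Any) -> bool:
    """Local check of the JSON-Schema keywords used above. This is the oracle
    that says whether the API is *supposed* to accept the value."""
    t = schema.get("type")
    if "enum" in schema and value not in schema["enum"]:
        return False
    if t == "string":
        if not isinstance(value, str):
            return False
        if len(value) < schema.get("minLength", 0):
            return False
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            return False
        # fullmatch rather than search: "12345\n" must not satisfy ^[0-9]{5}$,
        # because $ alone would match before a trailing newline.
        if "pattern" in schema and re.fullmatch(schema["pattern"], value) is None:
            return False
    elif t == "integer":
        if isinstance(value, bool) or not isinstance(value, int):
            return False
        if "minimum" in schema and value < schema["minimum"]:
            return False
        if "maximum" in schema and value > schema["maximum"]:
            return False
    return True


def boundary_values(schema: dict) -> Iterator[tuple[Any, str]]:
    """Candidates on, and one step past, every constraint in the schema."""
    t = schema.get("type")
    for v in schema.get("enum", []):
        yield v, "enum member"
        if isinstance(v, str):
            yield v.upper(), "enum member, case changed"
    if t == "string":
        lo, hi = schema.get("minLength", 0), schema.get("maxLength")
        yield "", "empty string"
        if lo > 0:
            yield "a" * (lo - 1), "one below minLength"
        yield "a" * lo, "exactly minLength"
        if hi is not None:
            yield "a" * hi, "exactly maxLength"
            yield "a" * (hi + 1), "one above maxLength"
        yield "a" * 4096, "oversized string"
        if "pattern" in schema:
            # Generic probes; conforms() decides which side of the pattern they fall on.
            for probe in ("12345", " 12345", "12345\n", "1234", "abcde"):
                yield probe, "pattern probe"
    elif t == "integer":
        lo, hi = schema.get("minimum"), schema.get("maximum")
        if lo is not None:
            yield lo - 1, "one below minimum"
            yield lo, "exactly minimum"
        if hi is not None:
            yield hi, "exactly maximum"
            yield hi + 1, "one above maximum"
        yield -1, "negative"
        yield 2 ** 63, "beyond 64-bit signed range"
        yield "1", "string where integer expected"


def generate_cases(parameters: list[dict]) -> list[Case]:
    """One labelled Case per distinct (parameter, value) pair."""
    cases: list[Case] = []
    seen: set[tuple[str, str]] = set()
    for p in parameters:
        for value, reason in boundary_values(p["schema"]):
            key = (p["name"], repr(value))
            if key in seen:
                continue
            seen.add(key)
            cases.append(Case(p["name"], value, conforms(p["schema"], value), reason))
    return cases


def negative_cases(cases: list[Case]) -> list[Case]:
    """Out-of-spec inputs: a 2xx response to any of these means validation is missing."""
    return [c for c in cases if not c.in_spec]


def request_url(base: str, case: Case) -> str:
    """Query-string form of one case, ready to send or to paste into a curl command."""
    return f"{base}?{urlencode({case.param: case.value})}"


if __name__ == "__main__":
    # Hypothetical base URL; the endpoint does not exist.
    for c in generate_cases(SPEC_PARAMETERS):
        verdict = "ACCEPT" if c.in_spec else "REJECT"
        print(verdict, c.param, c.reason, request_url("https://api.example.test/v1/users", c))
```

Each generated case carries the expected outcome, so the scan loop that sends them only has to compare the response status against `in_spec`. The `pattern` handling also shows a caveat worth keeping in mind when the specification and the server disagree: anchored regexes such as `^[0-9]{5}$` are satisfied by `"12345\n"` under a plain `search`, so the oracle uses `fullmatch`.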
API authentication is complicated, spanning methods as diverse as OAuth 2, JWT, and run-of-the-mill authorization headers. A full authentication process for an API typically combines and layers several of these methods on top of one another. The Tinfoil API Scanner lets you specify these authenticators as building blocks, each performing one piece of an authentication workflow. We give you tools to define workflows expressively, which gives us a better understanding of the authentication and where it might be failing. This allows us to check for authentication edge cases, including authorization bypass, in ways that no other scanner can.
Incorporate security into your development and DevOps workflow
Our dedicated focus on building products that are thorough, easy to use, and effortless to integrate allows us to empower your developers, regardless of their prior security training. Security teams become more empowered to focus on strategic initiatives, rather than becoming distracted by constantly fighting fires, as they can now collaborate with your developers when they are using Tinfoil! Our API Scanner can still be used by your security teams and pentesters to find vulnerabilities in the APIs they are testing, but the developers themselves can be the first line of defense.
Your DevOps team can find and fix vulnerabilities in APIs they’re building as a seamless part of their current development process, with no additional burden. DevOps teams become the critical first line of defense, increasing bandwidth for security teams to focus on strategic security initiatives.
We integrate with your existing toolsets, such as Jira for issue tracking or Jenkins for your build pipeline and CI process. We also make it trivial to replay attacks by providing a cURL command that replays the precise request that exploited the vulnerability, including any signatures or authentication that need to be in place. See our developer docs.
Extend your web scanning to include web services
Building web applications has evolved significantly over the last decade or two; no longer are we dealing with HTML and CSS alone, and instead, applications are built on top of complicated microservice architectures using RESTful APIs. Protect your APIs today by using the Tinfoil API Scanner. Many of our customers use our API Scanner alongside our Web Application Scanner, in order to protect their entire application, and establish "defense in depth". You can also use our API Scanner to perform vendor assessments, provided you have their documentation and permission!
Scan any IoT device and the APIs that power it
APIs aren’t only useful for web applications, but for IoT devices as well. We’ve helped secure some of the world’s most popular and important IoT devices, from wearables to power plants and windmills. Anything that uses Internet connectivity and doesn’t have a web frontend typically uses an API, and is a prime use case for our API scanning technology. Don’t rely solely on security checklists or threat modeling; actively check your devices’ connectivity for vulnerabilities and confirm what you believe to be true, in real time.
Scan your mobile applications as you build them
Today’s mobile security solutions focus on one thing, the client, but that isn’t where the majority of mobile attacks come from. Businesses that build and use mobile applications almost always have a backend API from which the mobile application retrieves data and interacts with a server. Using the Tinfoil API Scanner, you can ensure the consistency and security of your backend APIs, so your mobile applications don’t break and attackers don’t have a way to leak or retrieve your customer data.