Tinfoil API Security Testing

Detect API security risks in your web, mobile, and IoT apps and services

Modern application architectures are built on distributed apps and services that communicate through APIs. Tinfoil API Scanner™ makes it easy for developers to identify security defects in the APIs they implement.

AppSec testing optimized for the needs of API developers

APIs provide open, flexible interfaces that enable applications and services to talk to each other. But these characteristics can also make it difficult to build secure software—and even more difficult for traditional AppSec tools to test it.

Tinfoil API Scanner’s deep analysis and contextually aware fuzzing help development teams proactively protect their REST and GraphQL APIs and verify that they are secure, correct, and behave to specification.

Context-aware analysis of RESTful and GraphQL APIs


RESTful APIs

From an OpenAPI/Swagger document or an HTTP Archive (HAR) export, Tinfoil API Scanner builds a map of the entire API: its endpoints, parameters, type signatures, and declared constraints, together with the authentication scheme and any other information needed to interact with the API correctly.


GraphQL APIs

When pointed at a GraphQL endpoint, Tinfoil API Scanner uses introspection (a built-in GraphQL feature) and patent-pending graph reduction algorithms to build a traversable representation of the entire schema and a full, representative set of queries for auditing. Tinfoil API Scanner is the only tool that can fully audit GraphQL APIs for vulnerabilities and correctness.
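The walk described above, written out as an added example (this is not Tinfoil’s code, and the function names and the trimmed introspection response are constructed for illustration): the script reads a `__schema` introspection result, builds a type graph from the OBJECT types, and emits one representative query per root field, cutting cycles such as User → posts → author → User so that the generated selection set stays finite. A real run would obtain the introspection JSON by POSTing the standard introspection query to the endpoint; if the target has introspection disabled, which many production deployments do, the schema cannot be recovered this way.

```python
"""Walk a GraphQL introspection result and emit representative queries."""

# Constructed introspection response, trimmed to the fields the walk needs.
# A real scanner would POST the standard introspection query to the endpoint.
SCALAR = lambda name: {"kind": "SCALAR", "name": name, "ofType": None}
OBJECT = lambda name: {"kind": "OBJECT", "name": name, "ofType": None}
LIST_OF = lambda inner: {"kind": "LIST", "name": None, "ofType": inner}
NON_NULL = lambda inner: {"kind": "NON_NULL", "name": None, "ofType": inner}

INTROSPECTION = {"__schema": {
    "queryType": {"name": "Query"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "user", "args": [{"name": "id", "type": NON_NULL(SCALAR("ID"))}],
             "type": OBJECT("User")},
            {"name": "posts", "args": [], "type": LIST_OF(OBJECT("Post"))},
        ]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "id", "args": [], "type": SCALAR("ID")},
            {"name": "email", "args": [], "type": SCALAR("String")},
            {"name": "posts", "args": [], "type": LIST_OF(OBJECT("Post"))},
        ]},
        {"name": "Post", "kind": "OBJECT", "fields": [
            {"name": "id", "args": [], "type": SCALAR("ID")},
            {"name": "title", "args": [], "type": SCALAR("String")},
            {"name": "author", "args": [], "type": OBJECT("User")},  # cycle back to User
        ]},
        {"name": "ID", "kind": "SCALAR", "fields": None},
        {"name": "String", "kind": "SCALAR", "fields": None},
    ],
}}

# Placeholder argument values per scalar; a scanner would later fuzz these.
PLACEHOLDER = {"ID": '"1"', "String": '"x"', "Int": "1", "Float": "1.0", "Boolean": "true"}


def unwrap(t):
    """Strip LIST/NON_NULL wrappers and return the named type's (kind, name)."""
    while t.get("ofType"):
        t = t["ofType"]
    return t["kind"], t["name"]


def build_graph(introspection):
    """Type graph: object type name -> [(field, kind, target type, args)]."""
    graph = {}
    for t in introspection["__schema"]["types"]:
        if t["kind"] == "OBJECT":
            graph[t["name"]] = [(f["name"], *unwrap(f["type"]), f.get("args", []))
                                for f in t["fields"]]
    return graph


def format_args(args):
    """Render an argument list with placeholder values, or '' if there are none."""
    if not args:
        return ""
    parts = [f'{a["name"]}: {PLACEHOLDER.get(unwrap(a["type"])[1], "null")}' for a in args]
    return "(" + ", ".join(parts) + ")"


def selection(graph, type_name, depth, path):
    """Selection set for type_name; `path` holds the types already on this branch,
    so a field whose target is in it is a cycle and is cut."""
    parts = []
    for field, kind, target, args in graph[type_name]:
        if kind == "OBJECT":
            if depth == 0 or target in path:
                continue
            sub = selection(graph, target, depth - 1, path | {target})
            if sub:
                parts.append(f"{field}{format_args(args)} {{ {sub} }}")
        else:
            parts.append(field + format_args(args))
    return " ".join(parts)


def generate_queries(introspection, max_depth=2):
    """One representative query per root field, nested at most max_depth levels."""
    graph = build_graph(introspection)
    root = introspection["__schema"]["queryType"]["name"]
    queries = {}
    for field, kind, target, args in graph[root]:
        if kind == "OBJECT":
            body = selection(graph, target, max_depth - 1, {target})
            queries[field] = f"query {{ {field}{format_args(args)} {{ {body} }} }}"
        else:
            queries[field] = f"query {{ {field}{format_args(args)} }}"
    return queries


if __name__ == "__main__":
    for q in generate_queries(INTROSPECTION).values():
        print(q)
```

Cutting on the set of types already on the current branch, rather than on depth alone, is what keeps the query set from exploding on schemas with mutual references; the depth limit then only bounds how far acyclic chains are followed.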

Intelligent API security testing

Tinfoil API Scanner comprehensively tests your APIs for:

Vulnerabilities and correctness

Automatically test every identified endpoint, fuzzing parameters with values generated through constraint and validation analysis to ensure the implementation doesn’t deviate from the specification.
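The two steps described above (mapping the API from its OpenAPI document, then deriving fuzz values from each parameter’s declared constraints) as one added example; this is not Tinfoil’s code, and the spec fragment and function names are constructed for illustration. The script flattens the operations in an OpenAPI 3 document, then for every parameter and JSON body property generates values that sit just outside the declared `minimum`, `maximum`, `minLength`, `maxLength` and `enum` constraints, plus wrong-type values and a probe that omits each required body field. Any such request the server accepts is a deviation from the specification worth a finding.

```python
"""Build an endpoint map from an OpenAPI 3 document and derive boundary probes."""

# Constructed OpenAPI fragment; a real run would load the service's own
# document with json.load() or yaml.safe_load().
SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [
                {"name": "id", "in": "path", "required": True,
                 "schema": {"type": "integer", "minimum": 1}},
            ]},
        },
        "/users": {
            "post": {"requestBody": {"required": True, "content": {"application/json": {
                "schema": {
                    "type": "object",
                    "required": ["email"],
                    "properties": {
                        "email": {"type": "string", "maxLength": 64, "format": "email"},
                        "role": {"type": "string", "enum": ["user", "admin"]},
                        "age": {"type": "integer", "minimum": 0, "maximum": 150},
                    },
                }}}}},
        },
    },
}

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}


def enumerate_operations(spec):
    """Flatten paths into a list of operations with parameters and JSON body schema."""
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # path-level keys such as 'parameters' or 'summary'
            body = (op.get("requestBody", {}).get("content", {})
                    .get("application/json", {}).get("schema"))
            ops.append({
                "method": method.upper(),
                "path": path,
                "params": [(p["name"], p["in"], p.get("schema", {}), p.get("required", False))
                           for p in op.get("parameters", [])],
                "body": body,
            })
    return ops


def boundary_values(schema):
    """Values that violate each declared constraint of a parameter schema."""
    probes = []
    if "minimum" in schema:
        probes.append(schema["minimum"] - 1)
    if "maximum" in schema:
        probes.append(schema["maximum"] + 1)
    if "minLength" in schema:
        probes.append("a" * max(schema["minLength"] - 1, 0))
    if "maxLength" in schema:
        probes.append("a" * (schema["maxLength"] + 1))
    if "enum" in schema:
        probes.append("not-in-enum")
    t = schema.get("type")
    if t == "integer":
        probes.extend([2 ** 63, "12abc"])   # overflow candidate and type confusion
    elif t == "string":
        probes.extend([12345, ""])          # wrong type and empty string
    elif t == "boolean":
        probes.append("yes")                # truthy string instead of a boolean
    return probes


def fuzz_cases(spec):
    """(method, path, target, value) per probe; required body fields also get an
    omission probe, marked with the sentinel '<omitted>'."""
    cases = []
    for op in enumerate_operations(spec):
        for name, loc, schema, _required in op["params"]:
            for value in boundary_values(schema):
                cases.append((op["method"], op["path"], f"{loc}:{name}", value))
        body = op["body"] or {}
        for prop, schema in body.get("properties", {}).items():
            for value in boundary_values(schema):
                cases.append((op["method"], op["path"], f"body:{prop}", value))
        for prop in body.get("required", []):
            cases.append((op["method"], op["path"], f"body:{prop}", "<omitted>"))
    return cases


if __name__ == "__main__":
    for case in fuzz_cases(SPEC):
        print(case)
```

Each case is a single mutation of an otherwise valid request, so a rejected probe tells you exactly which constraint the server enforces and an accepted one tells you exactly which it does not; sending several violations at once would hide that.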

Business logic flaws

Exercise the functionality behind your APIs with intelligently generated payloads that probe the boundaries of your server-side input validation and the business logic it is meant to protect.

Authorization and authentication bypasses

Combine and test authentication methods, including OAuth2, JWT, and custom authorization headers, within an easily defined workflow, to find endpoints that can be reached without the credentials they require.

Testing at the speed of development



Fast scans

Tinfoil API Scanner runs in minutes, so your DevOps/CI pipeline isn’t slowed down.


Single-click replay attacks

Reduce fix/test cycle time. Replay an attack with the built-in cURL command attached to each finding, which contains the precise request and payload that triggered the vulnerability.

Automated testing integrated with the tools you use today



CI/CD integration

Tinfoil API Scanner integrates directly with Jenkins and other CI/CD pipeline tools, so you can build API security into your DevOps pipelines.


Automation API

Tailor and automate any aspect of API scanning and issue reporting using the Tinfoil API. If you can do it in the UI, you can do it with the API.


Issue tracker integration

Test results are pushed directly into Jira or your issue tracker of choice using simple API calls. Issues are closed automatically when the vulnerabilities are fixed, and reopened as regressions if they recur. Never again be inundated with the same vulnerabilities day after day.
