How it Works
Submit an API test request via the UI form, or invoke the EthicalCheck API using cURL or Postman. The request requires a public-facing OpenAPI spec URL, an API authentication token that stays valid for at least 10 minutes (the scan needs it for the whole run), an active license key, and an email address.
The EthicalCheck engine automatically creates and runs custom security tests for your APIs covering the OWASP API Top 10.
It automatically removes false positives from the results, creates a custom developer-friendly report, and emails it to you.
Thousands of organizations and developers trust EthicalCheck. It provides free, instant API penetration test reports that support HIPAA, ISO, SOC 2, and PCI-DSS compliance requirements, and it has detected 1000+ hard-to-find security bugs.
According to Gartner, APIs are the most frequent attack vector. Attackers and bots have exploited API vulnerabilities, resulting in major breaches across thousands of organizations.
See only real vulnerabilities; false positives are separated automatically.
Generate enterprise-grade penetration test reports and share them confidently with developers, customers, partners, and compliance teams.
Instantly discover broken authentication vulnerabilities (OWASP API2) in REST APIs that use OAuth 2.0, JWT, or Basic Auth.
Using EthicalCheck is similar to running a private bug-bounty program, and it saves thousands of dollars in penetration testing and bug bounty costs.
Activate EthicalCheck's GitHub Action, API, and CI/CD hook to enable DevSecOps and shift left.
API Security Test Platform
Find out how to proactively security-test your hundreds of public-facing APIs across API gateways and Postman for vulnerabilities.
Plan comparison: EthicalCheck Free vs EthicalCheck Pro

OWASP API Top 10 coverage (the individual test names are given in parentheses):
#1 Broken Object Level Authorization (ABAC1, ABAC2, ABAC3)
#2 Broken User Authentication (Authentication Exploit (Empty), Authentication Exploit (SQL), Broken Authentication)
#3 Excessive Data Exposure (Incremental IDs, Sensitive Data Exposure)
#4 Lack of Resources and Rate Limiting (ADOS, Rate Limit (Authenticated), Rate Limit (Unauthenticated))
#5 Broken Function Level Authorization
#6 Mass Assignment
#7 Security Misconfiguration (CORS Config Origin Reflection, TLS)
#8 Injection (NoSQL Injection, SQL Injection, Stored NoSQL Injection, Stored SQL Injection, XSS Injection)
#9 Improper Assets Management (OpenAPI Specification Standard)
#10 Insufficient Logging and Monitoring

Other plan features:
Compliance report (SOC 2)
5-minute testing time
3 tests in 30 days
Non-production APIs
GDPR / CCPA compliance
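To make two of the listed test classes concrete, here is an added example (illustrative code written for this page, not EthicalCheck's own test suite) of a CORS origin-reflection probe (Security Misconfiguration) and an incremental-ID probe for Broken Object Level Authorization. Both checks take a `send` callback, so they run here against a constructed in-memory API that can be switched between a vulnerable and a hardened configuration; the hostnames `evil.example`, `app.demo.example` and the `tok-alice` token are assumptions for the demo, and a real HTTP client would be passed as `send` against a live target.

```python
"""Added example: two API security probes run against a constructed fake API.

Not EthicalCheck's code. Assumed names: evil.example (attacker origin),
app.demo.example (legitimate front end), tok-alice (a user's bearer token).
"""
from dataclasses import dataclass, field
import json
import re


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _lower(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def cors_origin_reflection(send, path, probe_origin="https://evil.example"):
    """Send an attacker-chosen Origin and report whether the API echoes it back.

    Reflection combined with Access-Control-Allow-Credentials: true lets any
    site read authenticated responses from a victim's browser, so that case is
    rated higher than reflection alone.
    """
    resp = send("GET", path, {"Origin": probe_origin})
    h = _lower(resp.headers)
    if h.get("access-control-allow-origin") != probe_origin:
        return None  # origin not reflected: no finding from this probe
    with_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    return {"path": path, "issue": "CORS origin reflection",
            "severity": "high" if with_creds else "medium"}


def incremental_id_bola(send, path_template, token, known_id, probe_count=3):
    """With one user's token, walk the numeric IDs next to that user's own
    object and record any that return a different object with HTTP 200.
    That is the classic incremental-ID check for Broken Object Level Authorization.
    """
    headers = {"Authorization": f"Bearer {token}"}
    base = send("GET", path_template.format(id=known_id), headers)
    if base.status != 200:
        return []  # token or path is wrong; there is nothing to compare against
    hits = []
    for delta in range(1, probe_count + 1):
        for candidate in (known_id - delta, known_id + delta):
            if candidate < 0:
                continue
            resp = send("GET", path_template.format(id=candidate), headers)
            if resp.status == 200 and resp.body != base.body:
                hits.append(candidate)
    return hits


def make_fake_api(enforce_ownership: bool, reflect_origin: bool):
    """Constructed in-memory /users/{id} API (not a real service) used to
    exercise the probes. The two flags select the vulnerable or hardened form."""
    users = {100: {"name": "alice"}, 101: {"name": "bob"}, 102: {"name": "carol"}}
    tokens = {"tok-alice": 100}

    def send(method, path, headers):
        h = _lower(headers)
        out = {}
        origin = h.get("origin")
        if origin:
            # Vulnerable: echo whatever Origin arrived. Hardened: fixed allow-list value.
            out["Access-Control-Allow-Origin"] = origin if reflect_origin else "https://app.demo.example"
            out["Access-Control-Allow-Credentials"] = "true"
        m = re.fullmatch(r"/users/(\d+)", path)
        if not m:
            return Response(404, out)
        auth = h.get("authorization", "")
        caller = tokens.get(auth[7:] if auth.startswith("Bearer ") else "")
        if caller is None:
            return Response(401, out)
        target = int(m.group(1))
        if target not in users:
            return Response(404, out)
        if enforce_ownership and target != caller:
            return Response(403, out)  # the object-level authorization check
        return Response(200, out, json.dumps(users[target]))

    return send


if __name__ == "__main__":
    for label, api in (("vulnerable", make_fake_api(False, True)),
                       ("hardened", make_fake_api(True, False))):
        print(label, "BOLA hits:", incremental_id_bola(api, "/users/{id}", "tok-alice", 100))
        print(label, "CORS:", cors_origin_reflection(api, "/users/100"))
```

The probes deliberately stay read-only (GET with a valid token and a harmless Origin header), which is the property that lets this class of test run against production; a write-based mass-assignment or stored-injection test would not have that property.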
Web vs API Penetration Testing Coverage
Frequently Asked Questions
Will this replace penetration testing?
No, penetration testing covers many more vulnerability types.

Use this IP for
Alternatively, you can temporarily host your OpenAPI spec file in a GitHub repository and submit the raw file link to get started with your scan. The spec must contain a valid, public-facing base URL for your APIs.

Are any of these tests intrusive, or do they affect my application adversely?
No, all tests are non-intrusive and will not affect your application.

Will this replace a bug bounty program?
No, bug bounty programs can uncover many more vulnerability types.

- How can I run a complete API penetration test?

Will this replace a WAF?
No, a WAF blocks many more attack types in real time.

Can I run the tests against a production environment?
Yes, all tests are safe and recommended to run against the production environment.

Will this replace Burp Suite?
No, Burp Suite can help you write and execute more security tests.

Can I test locally?
Yes, you can run our scanner as a Docker container locally.

Will this replace SAST/DAST?
No, SAST/DAST can cover many more vulnerability types.

When will I get my results?
Within 2 minutes of submitting your API URL. If you do not receive your results, please contact us.
Secure your APIs
Use the Postman and APIsec EthicalCheck Integration for Better Security Practices
EthicalCheck from APIsec is a free and instant API penetration testing service. It is offered as self-service, is fully automated, and requires no signup.
What is DAST, and Why Should Developers Use It?
DAST stands for Dynamic Application Security Testing. DAST is the process of testing web, mobile, and API applications to find...
Getting Started with EthicalCheck
Provide your OpenAPI specification or start with a public Postman collection URL. EthicalCheck instantly introspects your API and creates a map of API endpoints for security testing.
Valid OpenAPI Spec URL
A valid OpenAPI spec URL returns a large JSON document, whereas an invalid one returns an HTML page (for example a login form, a 404 page, or a documentation UI instead of the raw file).
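A scan request fails for two avoidable reasons described on this page: the spec URL returns an HTML page rather than the spec itself, or the spec does not declare a public-facing base URL. The following added example (written for this page; it is not EthicalCheck's own validation code) is a pre-flight check that classifies a fetched body as OpenAPI 3, Swagger 2, HTML or unknown, extracts the declared base URLs, and rejects relative, templated or non-public ones. The sample documents, the host `api.demo.example` and the stand-in resolver that maps it to a public address are constructed for the demo; `fetch_spec` is the only part that touches the network and is not needed to run the checks.

```python
"""Added example: pre-flight validation of an OpenAPI spec URL before submitting a scan.

Not EthicalCheck's code. The sample specs, the host api.demo.example and the
fake resolver below are constructed so the checks run offline.
"""
import ipaddress
import json
import socket
from urllib.parse import urlsplit
from urllib.request import Request, urlopen


def classify_spec_body(body: bytes) -> str:
    """Return 'openapi3', 'swagger2', 'html' or 'unknown' for a fetched body."""
    text = body.lstrip().decode("utf-8", errors="replace")
    if text[:1] == "<":
        return "html"  # a page (login form, 404, docs UI) came back instead of the spec
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    if str(doc.get("openapi", "")).startswith("3"):
        return "openapi3"
    if str(doc.get("swagger", "")).startswith("2"):
        return "swagger2"
    return "unknown"


def base_urls(doc: dict) -> list:
    """Declared base URLs: servers[].url in OpenAPI 3, schemes+host+basePath in Swagger 2."""
    if "servers" in doc:
        return [s["url"] for s in doc["servers"] if "url" in s]
    if "host" in doc:
        schemes = doc.get("schemes") or ["https"]
        return [f"{s}://{doc['host']}{doc.get('basePath', '')}" for s in schemes]
    return []


def is_public_base_url(url: str, resolve=socket.gethostbyname) -> bool:
    """True only for an absolute http(s) URL whose host resolves to a globally routable address.

    Relative entries ("/v1"), templated hosts ("{env}.example.com"), IP literals in
    private ranges and unresolvable names all fail, because a hosted scanner cannot
    reach them. resolve() defaults to a single IPv4 lookup; inject another resolver
    (or a fixed table, as the demo does) to run offline.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolve(host))
        except (ValueError, OSError):
            return False
    return addr.is_global


def check_spec(body: bytes, resolve=socket.gethostbyname) -> dict:
    """Combine the checks into the verdict a pre-submission script would print."""
    kind = classify_spec_body(body)
    result = {"kind": kind, "base_urls": [], "public_base_urls": [], "ok": False}
    if kind in ("openapi3", "swagger2"):
        doc = json.loads(body)
        result["base_urls"] = base_urls(doc)
        result["public_base_urls"] = [u for u in result["base_urls"] if is_public_base_url(u, resolve)]
        result["ok"] = bool(result["public_base_urls"])
    return result


def fetch_spec(url: str, timeout: float = 10) -> bytes:
    """Fetch the raw spec (for example a GitHub raw file link) the way a scanner would."""
    req = Request(url, headers={"Accept": "application/json, */*"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read()


# Constructed sample documents (not real APIs).
SAMPLE_V3 = json.dumps({
    "openapi": "3.0.3", "info": {"title": "Demo", "version": "1"},
    "servers": [{"url": "https://api.demo.example"}, {"url": "http://10.0.0.5:8080"}],
    "paths": {},
}).encode()
SAMPLE_V2 = json.dumps({"swagger": "2.0", "host": "api.demo.example", "basePath": "/v1",
                        "schemes": ["https"], "paths": {}}).encode()
SAMPLE_HTML = b"<!DOCTYPE html><html><body>Sign in</body></html>"


def _fake_resolve(host: str) -> str:
    """Stand-in resolver: assumes api.demo.example sits on a public address."""
    table = {"api.demo.example": "8.8.8.8"}
    if host not in table:
        raise socket.gaierror(host)
    return table[host]


if __name__ == "__main__":
    for name, body in (("v3", SAMPLE_V3), ("v2", SAMPLE_V2), ("html", SAMPLE_HTML)):
        print(name, check_spec(body, _fake_resolve))
```

Run `check_spec(fetch_spec(url))` against a real URL to use the system resolver; a result with `kind == "html"` is the "invalid URL yields HTML" case above, and `ok == False` with a non-empty `base_urls` list means the spec parsed but declares only private, relative or templated servers.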