Invalid License Key for
Make sure you are using the correct license key. In case of any issue please reach out to ethicalcheck@apisec.ai.
Invalid URL
Please provide the valid JSON url and try again.A valid JSON url looks like http://netbanking.apisec.ai:8080/v2/api-docs
Missing Base URL in
Please refer to How to use postman collection with ethicalcheck for more details.
Result for
Endpoints
Security Tests
Total Test Executed
Passed Tests
Failed Tests
Test Duration
Delivered 2500+ API Penetration Tests
How it Works
Submit API test request via the UI form or invoke EthicalCheck API using cURL/Postman. Request input requires a public-facing OpenAPI Spec URL, API authentication token valid for at least 10 mins, an active license key, and an email.
EthicalCheck engine automatically creates and runs custom security tests for your APIs covering OWASP API Top 10 list
Automatically removes false positives from the results, creates a custom developer-friendly report, and emails it to you.
EthicalCheck™
Features
Thousands of organizations/developers trust EthicalCheck. It enables free & instant API penetration test reports for HIPAA, ISO, SOC 2, and PCI-DSS compliance requirements. It detected 1000+ hard-to-find security bugs.
Most Targetted
According to Gartner, APIs are the most-frequent attack vector. Hackers/bots have exploited API vulnerabilities resulting in major breaches across thousands of organizations.
Reporting
Generate enterprise-grade penetration test reports. Confidently share it with developers, customers, partners, and compliance teams.
Security Bugs
Instantly discover OAuth 2.0, JWT, BasicAuth, OWASP API-2, and broken authentication vulnerabilities in your REST APIs.
Bug Bounty Savings
Using EthicalCheck is similar to running a private bug-bounty program. EthicalCheck saves you thousands of dollars on penetration testing and bug bounty cost.
Shift Left
Activate EthicalCheck's GitHub Action, API, and a CI/CD hook to enable DevSecOps and Shift left.
Pricing
Pricing Plans
| EthicalCheck Free | EthicalCheck Pro | |
| Plans | Free |
$99
$999 Buy License ethicalcheck@apisec.ai |
| OWASP API Top 10 Coverage | ||
| #1 Broken Object Level Auth | ||
| #2 Broken User Auth | ||
| #3 Excessive Data Exposure | ||
| #4 Rate Limiting | ||
| #5 Broken Function Level Auth | ||
| #6 Mass Assignment | ||
| #7 Security Misconfiguration | ||
| #8 Injection | ||
| #9 Improper Assets Management | ||
| #10 Insufficient Logging | ||
| Features | ||
| Complicance Report (SOC2) | ||
| Rest APIs | ||
| Postman Collection | ||
| Production APIs | ||
| GitHub Action | ||
| 5 Min Testing time | ||
| Non-Intrusive/Non-disruptive | ||
| 3 Tests in 30 Days | ||
| Non Production APIs | ||
| GDPR CCPA Compliance | ||
Web vs API
Web vs API Penetration Testing Coverage
F.A.Q
Frequently Asked Questions
-
Will this
replace
my
penetration testing?
No, penetration testing covers much more vulnerability types.
-
Use this IP for
whitelisting: 5.161.93.150.
Alternatively, you can temporarily host your OpenAPI spec file in a GitHub repository and submit the raw file link to get started with your scan. The spec should contain a valid and public-facing base URL for your APIs.
-
Are any of these
tests
intrusive or affect my application adversely?
No, all tests are non-intrusive, and they won't affect your application.
-
Will this
replace
my bug
bounty program?
No, bug bounty programs can uncover a lot more vulnerability types.
- How can I run a complete API penetration testing?
-
Will this
replace
my
WAF?
No, WAF blocks a lot more attack types in real-time.
-
Can I run the
scan
against a production environment?
Yes, all tests are safe and recommended to run against the production environment.
-
Will this
replace
the
Burp Suite?
No, Burp Suite can help you write and execute more security tests.
-
Can I test
internal
APIs?
Yes, you can run our scanner as a docker container locally.
-
Will this
replace
SAST/DAST?Will this replace SAST/DAST?
No, SAST/DAST can cover many more vulnerability types.
-
When will I get
my
results?
Within 2 minutes of submitting your API URL. If you do not receive your results, please contact us here
Secure your APIs
Blogs
Use the Postman and APIsec EthicalCheck Integration for Better Security Practices
EthicalCheck from APIsec is a free and instant API penetration testing service. It is offered as self-service, fully automated, and requires no signup.
Read More...