Invalid License Key for
Make sure you are using the correct license key. If the problem persists, contact ethicalcheck@apisec.ai.
Invalid OpenAPI
Invalid OpenAPI Specification URL/file. How to fix it: https://www.ethicalcheck.dev/valid-open-api-spec.html
Internal Server Error
Make sure you are providing a valid OpenAPI Spec URL. How to fix it: https://www.ethicalcheck.dev/valid-open-api-spec.html
Missing Base URL in
Please refer to "How to use a Postman collection with EthicalCheck" for more details.
Request Timeout for
Check that your OAS URL is valid and that the API is not too large.
How it Works

Submit an API test request via the UI form, or invoke the EthicalCheck API using cURL/Postman. The request requires a public-facing OpenAPI Spec URL, an API authentication token valid for at least 10 minutes, an active license key, and an email address. Because the token is sent to a third-party service, use a short-lived token for a dedicated test account rather than a production user's credentials.
The EthicalCheck engine automatically creates and runs custom security tests for your APIs covering the OWASP API Top 10.
It automatically removes false positives from the results, creates a developer-friendly report, and emails it to you.
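The three inputs above are also the ones behind the error messages at the top of this page (Invalid OpenAPI, Missing Base URL, Request Timeout), so it pays to check them before submitting. The script below is an added example, not EthicalCheck's own code or API client: it parses an OpenAPI document (a constructed sample is embedded), checks that it declares a public base URL, lists the endpoints a scanner would map, and reads the `exp` claim of a JWT to confirm the token will outlive the 10 minute window. The spec, the token builder and the 600 second threshold are assumptions for the demo; the EthicalCheck request format itself is not reproduced here.

```python
"""Pre-flight checks for an API security-test submission (added example).

Verifies what the service needs from you: an OpenAPI/Swagger document with a
public-facing base URL, and an auth token valid for at least 10 minutes.
"""
import base64
import json
import time
from urllib.parse import urlparse

# Constructed sample spec (OpenAPI 3.x); not a real API.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "1.0"},
    "servers": [{"url": "https://api.example.com/v1"}],
    "paths": {
        "/orders": {"get": {}, "post": {}},
        "/orders/{id}": {"get": {}, "delete": {}},
    },
}

# Hosts a hosted scanner could never reach; a spec pointing here fails "Missing Base URL".
PRIVATE_HOSTS = ("localhost", "127.0.0.1", "0.0.0.0")
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def public_base_url(spec):
    """Return the first absolute, non-loopback server URL, or None if there is none."""
    for server in spec.get("servers") or []:
        url = server.get("url", "")
        parsed = urlparse(url)
        if parsed.scheme in ("http", "https") and parsed.hostname and parsed.hostname not in PRIVATE_HOSTS:
            return url
    # Swagger 2.0 keeps the base URL in host/basePath/schemes instead of servers[].
    if spec.get("swagger") == "2.0" and spec.get("host"):
        scheme = (spec.get("schemes") or ["https"])[0]
        if spec["host"].split(":")[0] not in PRIVATE_HOSTS:
            return f"{scheme}://{spec['host']}{spec.get('basePath', '')}"
    return None


def list_endpoints(spec):
    """Return sorted 'METHOD /path' strings for every operation: the endpoint map a scanner builds."""
    endpoints = []
    for path, item in (spec.get("paths") or {}).items():
        for method in item:
            if method.lower() in HTTP_METHODS:
                endpoints.append(f"{method.upper()} {path}")
    return sorted(endpoints)


def jwt_seconds_remaining(token, now=None):
    """Seconds until the JWT's exp claim, or None if the token is not a JWT carrying exp.

    The signature is deliberately not verified: we only need the claim to
    predict when the scanner's requests will start getting 401s.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    try:
        payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    except ValueError:  # bad base64 or bad JSON
        return None
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        return None
    return exp - (time.time() if now is None else now)


def preflight(spec, token, min_token_seconds=600, now=None):
    """Return a list of problems; an empty list means the submission should be accepted."""
    problems = []
    if not (spec.get("openapi") or spec.get("swagger")):
        problems.append("not an OpenAPI/Swagger document")
    if not spec.get("paths"):
        problems.append("spec defines no paths")
    if public_base_url(spec) is None:
        problems.append("no public base URL (servers[].url / host) in spec")
    remaining = jwt_seconds_remaining(token, now)
    if remaining is not None and remaining < min_token_seconds:
        problems.append(f"token expires in {int(remaining)}s, need >= {min_token_seconds}s")
    return problems


def make_unsigned_jwt(exp):
    """Build a constructed JWT with an empty signature segment, for this demo only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64({'sub': 'tester', 'exp': exp})}."


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    print(list_endpoints(SAMPLE_SPEC))
    print(preflight(SAMPLE_SPEC, make_unsigned_jwt(now + 3600), now=now))  # []
    print(preflight(SAMPLE_SPEC, make_unsigned_jwt(now + 120), now=now))   # token too short
    local_spec = dict(SAMPLE_SPEC, servers=[{"url": "http://localhost:8080"}])
    print(preflight(local_spec, "opaque-token", now=now))                  # missing public base URL
```

Opaque (non-JWT) tokens cannot be checked for expiry this way, so `preflight` only reports a token problem when it can actually read an `exp` claim; for those tokens, mint one fresh immediately before submitting.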
Awards

EthicalCheck™
Features
Thousands of organizations and developers trust EthicalCheck. It provides free, instant API penetration test reports that support HIPAA, ISO, SOC 2 and PCI-DSS compliance requirements, and it has detected 1000+ hard-to-find security bugs.
Most Targeted
According to Gartner, APIs are the most frequent attack vector. Hackers and bots have exploited API vulnerabilities, resulting in major breaches across thousands of organizations.
Reporting
Generate enterprise-grade penetration test reports and confidently share them with developers, customers, partners, and compliance teams.
Security Bugs
Instantly discover OAuth 2.0, JWT, BasicAuth, OWASP API-2 (Broken User Authentication), and other broken-authentication vulnerabilities in your REST APIs.
Bug Bounty Savings
Using EthicalCheck is similar to running a private bug-bounty program; it saves you thousands of dollars in penetration testing and bug bounty costs.
Shift Left
Activate EthicalCheck's GitHub Action, API, or CI/CD hook to enable DevSecOps and shift security left.
API Security Test Platform
Find out how to proactively security-test your hundreds of public-facing APIs across API gateways and Postman for vulnerabilities.
Request a Demo
Pricing Plans

Plans: EthicalCheck Free | EthicalCheck Pro (request a quote: ethicalcheck@apisec.ai)

OWASP API Top 10 Coverage (tests run per category):
#1 Broken Object Level Auth: ABAC1, ABAC2, ABAC3
#2 Broken User Auth: Authentication Exploit (Empty), Authentication Exploit (SQL), Broken Authentication
#3 Excessive Data Exposure: Incremental IDs, Sensitive Data Exposure
#4 Rate Limit: ADOS, Rate Limit (Authenticated), Rate Limit (Unauthenticated)
#5 Broken Function Level Auth: RBAC, SBAC
#6 Mass Assignment
#7 Security Misconfiguration: CORS Config Origin Reflection, TLS
#8 Injection: NoSQL Injection, SQL Injection, Stored NoSQL Injection, Stored SQL Injection, XSS Injection
#9 Improper Assets Management: OpenAPI Specification Standard
#10 Insufficient Logging: Log4j Injection

Features:
Compliance Report (SOC 2)
REST APIs
Postman Collection
Production APIs
GitHub Action
5 min testing time
Non-intrusive/non-disruptive
3 tests in 30 days
Non-production APIs
GDPR/CCPA compliance
Web vs API Penetration Testing Coverage
F.A.Q
Frequently Asked Questions
- Will this replace my penetration testing?
  No, penetration testing covers many more vulnerability types.
- Use this IP for whitelisting: 5.161.93.150.
  Alternatively, you can temporarily host your OpenAPI spec file in a GitHub repository and submit the raw file link to get started with your scan. The spec should contain a valid and public-facing base URL for your APIs.
- Are any of these tests intrusive, or do they affect my application adversely?
  No, all tests are non-intrusive and will not affect your application.
- Will this replace my bug bounty program?
  No, bug bounty programs can uncover many more vulnerability types.
- How can I run a complete API penetration test?
- Will this replace my WAF?
  No, a WAF blocks many more attack types in real time.
- Can I run the scan against a production environment?
  Yes, all tests are safe and recommended to run against the production environment.
- Will this replace Burp Suite?
  No, Burp Suite can help you write and execute more security tests.
- Can I test internal APIs?
  Yes, you can run our scanner as a Docker container locally.
- Will this replace SAST/DAST?
  No, SAST/DAST can cover many more vulnerability types.
- When will I get my results?
  Within 2 minutes of submitting your API URL. If you do not receive your results, please contact us.
Secure your APIs
Blogs
Use the Postman and APIsec EthicalCheck Integration for Better Security Practices
EthicalCheck from APIsec is a free and instant API penetration testing service. It is offered as self-service, is fully automated, and requires no signup.
Read More...
Get Started
Help
Getting Started with EthicalCheck
Provide your OpenAPI specification or start with a public Postman collection URL. EthicalCheck instantly introspects your API and creates a map of API endpoints for security testing.
Read More...