
Introducing Aftra’s new API scanner: Take control of your hidden attack surface

May 06, 2025

API security is often the weakest link in a company’s cybersecurity strategy. It’s also often overlooked, making it an attractive target for hackers. In fact, Cloudflare found in their API security report that about one third of APIs are “shadow APIs”, meaning organizations aren’t even aware of them. 

We believe securing your APIs (and any other part of your digital environment) should be straightforward and actionable. That’s why we’re excited to launch our new API Scanner, which is designed to help you identify and fix hidden API risks before attackers do.

What is an API and how does Aftra scan it?

REST APIs (Application Programming Interfaces) are used for system-to-system communication through predefined endpoints that handle requests and responses. A large portion of a company’s network consists of APIs. Aftra’s API scanner assesses each endpoint to see how your APIs respond to different requests, and identifies vulnerabilities or configuration issues that would allow someone to bypass security measures.

It’s like a stress test for your APIs — one that runs automatically and reports findings clearly, so your team can act fast.

The hidden security threat resting in your APIs

APIs are attractive targets for hackers especially because so many of them are shadow APIs. Once an API is added, it becomes embedded deep in your code, where it is hard to find and update. You might deprecate it, but forget to remove it.

Not only that, but many of the APIs we use come from third parties. We have to trust that they’re relatively secure. But if there’s a vulnerability in one of them, it introduces a weakness into your own system, which makes it critical to be aware of all your APIs, keep them up to date, and know when they’ve become vulnerable.

Organizations heavily rely on REST APIs on a daily basis to connect services, share data, and enable customer experiences. But as your API landscape grows, so does your attack surface. Old endpoints stick around. Permissions change. Vulnerabilities creep in unnoticed.

Hackers know this and know how to find these endpoints. Outdated or forgotten endpoints can silently create a backdoor into your systems and expose sensitive data.

For example, in 2022, an API vulnerability allowed a hacker to breach Optus, the second largest mobile operator in Australia, and steal data from 11 million of their customers.

What’s new? Deeper, smarter API scanning

In order to help our customers take control of this hidden attack surface and strengthen their web applications, we recently launched our new API scanner. It provides users with more detailed scanning of their API endpoints.

Aftra’s new API scanning is here to help. By providing dynamic, automated scanning of your API endpoints, Aftra helps your security team stay one step ahead and spot weaknesses before they become breaches.

Aftra’s API scanner goes beyond a one-time scan or penetration test. It gives you real-time, actionable insights into your API security so you can fortify your defenses.

Screenshot of add new API scanner view in Aftra

Here’s what it covers:

  • Endpoint scanning and authentication bypass
    Tests all of your endpoints to check whether data can be retrieved, modified, or created without proper authorization, exposing sensitive data to unauthorized users.
  • Malicious input testing
    Sends malformed or incorrect data to examine if the API correctly processes it or if security bypasses are possible.
  • Malicious file upload
    Assesses whether malicious files (e.g., malware) can be uploaded through the API—a critical security risk often overlooked.
  • Error handling & information leakage
    Examines API responses for information leakage, including 401 (Unauthorized) and 403 (Forbidden) errors that can reveal the existence of protected endpoints.
  • Payload manipulation
    Tests if specially crafted or malicious payloads can trigger unintended behavior or data leakage.
  • Behavioral analysis
    Evaluates whether the API operates as expected or if it exposes valuable information to potential attackers.

Add user credentials to your Aftra scans

Alongside the new API scanner, we’re adding the ability to add user credentials to all of your scans. What does this mean? It means that you’ll be able to see what people with various levels of access would be able to see. This includes: a user without permission, a user with read permission, admin credentials, and a logged-in user.
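The "endpoint scanning and authentication bypass" check above and the credential-level scanning described here come down to one idea: call every endpoint as every role and flag answers a lower-privilege identity should never get. The following is an added illustration of that differential check, not Aftra's code; the roles, paths and the in-memory `fake_api` stand-in for a REST service are all constructed for the example.

```python
"""Differential authorization check across credential levels (added example)."""
from dataclasses import dataclass

# Lowest role that should be allowed to call each endpoint, as documented
# by the API owner. Roles and paths are constructed for this example.
ROLE_RANK = {"anonymous": 0, "read": 1, "admin": 2}
EXPECTED_MIN_ROLE = {
    ("GET", "/public/status"): "anonymous",
    ("GET", "/users"): "read",
    ("DELETE", "/users/42"): "admin",
    ("GET", "/v1/legacy/export"): "admin",  # deprecated, should be admin-only
}

@dataclass
class Response:
    status: int
    body: str

def fake_api(method, path, role):
    """Constructed in-memory stand-in for a REST service. The legacy export
    endpoint was never given an auth check, which is what the scan should find."""
    if path == "/v1/legacy/export":
        return Response(200, '{"customers": ["..."]}')  # defect: no auth check
    needed = EXPECTED_MIN_ROLE.get((method, path))
    if needed is None:
        return Response(404, "not found")
    if role == "anonymous" and needed != "anonymous":
        return Response(401, "unauthorized")
    if ROLE_RANK[role] < ROLE_RANK[needed]:
        return Response(403, "forbidden")
    return Response(200, "ok")

def scan(api, expected=EXPECTED_MIN_ROLE):
    """Call every endpoint as every role; flag 2xx answers given to a role
    ranked below the documented minimum (an authorization bypass)."""
    findings = []
    for (method, path), needed in expected.items():
        for role in ROLE_RANK:
            resp = api(method, path, role)
            if ROLE_RANK[role] < ROLE_RANK[needed] and 200 <= resp.status < 300:
                findings.append({"method": method, "path": path, "role": role,
                                 "status": resp.status, "issue": "authorization bypass"})
    return findings

if __name__ == "__main__":
    for finding in scan(fake_api):
        print(finding)
```

Against a real service, `fake_api` would be replaced by an HTTP client that attaches the credentials for each role; the comparison logic stays the same.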

Get started today

This API scanner is now available for all Aftra customers. Simply log into your account and visit the Scans page at app.aftra.io to get started. There you’ll find easy-to-follow instructions to set up your first API scan. 

Not yet an Aftra customer?

Book a demo and see how Aftra makes cybersecurity simple, proactive, and effective by empowering leadership and IT to understand and take control of their entire attack surface, including hidden APIs.
