Installation

Open Claude Code and run this command:

/plugin install api-security-scanner@claude-code-plugins-plus

Use --global to install for all projects, or --project for current project only.

What It Does

Scan APIs for OWASP API Security Top 10 vulnerabilities with remediation guidance.

Features

OWASP API Top 10 checks
Authentication testing
Authorization flaws
Injection vulnerabilities
Security misconfiguration

Skills (1)

scanning-api-security SKILL.md View full skill →

Detect API security vulnerabilities including injection, broken auth, and data exposure.

ReadWriteEditGrepGlobBash(api:security-*)

Scanning API Security

Overview

Detect API security vulnerabilities by scanning endpoint implementations, authentication flows, and data handling against the OWASP API Security Top 10. Identify injection vectors, broken authentication, excessive data exposure, mass assignment, and missing rate limiting through static analysis of route handlers, middleware chains, and request validation logic.

Prerequisites

API source code with route definitions and controller/handler implementations accessible
OpenAPI specification for cross-referencing documented vs. implemented security controls
OWASP API Security Top 10 (2023) checklist familiarity
Security scanning tools: OWASP ZAP, Burp Suite, or nuclei for dynamic testing
Dependency vulnerability scanner: npm audit, safety (Python), or govulncheck

Instructions

Scan all route definitions using Grep to build a complete inventory of endpoints, HTTP methods, and middleware chains applied to each route.
Audit authentication middleware to verify every mutation endpoint (POST, PUT, PATCH, DELETE) has auth enforcement and that no endpoints accidentally bypass auth through route ordering.
Check for Broken Object Level Authorization (BOLA) by verifying that resource access checks compare the authenticated user's ID/role against the requested resource ownership, not just valid authentication.
Identify excessive data exposure by comparing response serialization against API contracts -- flag endpoints returning full database records instead of explicit field whitelists.
Detect mass assignment vulnerabilities by checking whether request bodies are passed directly to ORM create/update calls without field-level allowlisting.
Verify input validation exists on all request parameters, query strings, headers, and body fields, checking for SQL injection, NoSQL injection, and command injection patterns.
Audit rate limiting configuration to ensure all public-facing and authentication endpoints have per-IP and per-user rate limits applied.
Check security headers (CORS, CSP, HSTS, X-Content-Type-Options) and verify CORS Access-Control-Allow-Origin is not set to wildcard * on authenticated endpoints.
Scan dependencies for known CVEs and generate a prioritized remediation report with severity ratings and fix recommendations.

See ${CLAUDESKILLDIR}/references/implementation.md for the full implementation guide.

Output

${CLAUDESKILLDIR}/reports/security-scan.json - Machine-readable vulnerability report with severity ratings
${CLAUDESKILLDIR}/reports/security-scan.md - Human-readable report with remediation guidance
${CLAUDESKILL



      
      
          How It Works
          
/scan-api-security

        

      
      

      
      

      
      
  Ready to use api-security-scanner?
  
    
    
  




      
      
          Related Plugins
          
            
                api-authentication-builder
                Build authentication systems with JWT, OAuth2, and API keys
              
                api-batch-processor
                Implement batch API operations with bulk processing and job queues
              
                api-cache-manager
                Implement caching strategies with Redis, CDN, and HTTP headers
              
                api-contract-generator
                Generate API contracts for consumer-driven contract testing
              
                api-documentation-generator
                Generate comprehensive API documentation from OpenAPI/Swagger specs
              
                api-error-handler
                Implement standardized error handling with proper HTTP status codes
              
          
        

      
      
          Tags
          
            securityapiowaspvulnerability