About the project

Inspiration

Most developers build APIs without thinking much about security until something goes wrong. I wanted to create a tool that makes API security testing accessible to everyone — not just security experts. The idea came from seeing how many real-world APIs have basic vulnerabilities that could be caught early with the right tooling.

What it does

API Security Scanner lets you enter any API URL and automatically scans it for common vulnerabilities including SQL injection, broken authentication, missing rate limiting, sensitive data exposure, and security misconfigurations. After the scan, an AI-powered chatbot (built on the ASI1 API) analyzes the results and answers your questions about the vulnerabilities found — explaining what they mean and how to fix them in plain language.

How I built it

The backend is a Python Flask application with a custom vulnerability scanning engine. I built six independent security check modules, each targeting a different OWASP API Security Top 10 category. The frontend is a single-page interface with a real-time scan progress bar and an integrated chat panel. The AI chatbot connects to the ASI1 API to provide context-aware responses based on the actual scan report.

Challenges I faced

The biggest challenge was reducing false positives. Early versions of the scanner flagged almost everything — any API response containing the word "sql" would trigger an injection alert. I had to rewrite the detection logic to only flag on actual database error messages, real shell output, and confirmed sensitive data patterns. Getting the balance right between catching real issues and not crying wolf took a lot of iteration.

What I learned

I learned a lot about how real vulnerability scanners work under the hood, the difference between heuristic-based detection and confirmed findings, and how to structure a Python package for extensibility. I also got hands-on experience integrating an AI API to make technical security output understandable to non-experts.
