🔓 API Exposure Checker
Probe a website for publicly accessible API endpoints, CORS misconfigurations, unauthenticated data, and exposed documentation. Use this to find vulnerabilities in your own APIs before attackers do.
Authorised use only. Only scan sites you own or have explicit written permission to test. This tool makes passive HTTP requests — no exploits are attempted.
📚 What is API exposure and why does it happen?
Modern web apps are built as a frontend + API. The frontend (React, Vue, mobile app) calls a REST or GraphQL API to fetch data. Developers often build the API first — open and unauthenticated for ease of testing — and plan to "add auth later." Sometimes later never comes.
The most common mistakes:
- Authentication only on the frontend, not the API — intercepting traffic bypasses it entirely
- CORS set to * during development and never tightened for production
- Swagger or GraphiQL left enabled — a complete map of every endpoint handed to attackers
- No rate limiting — the entire database can be exported in a loop
- GraphQL resolvers returning all rows instead of filtering by the current user — any authenticated member can dump everyone's workout plans, diet plans, and media (BOLA / OWASP API1)
This tool probes 42 common paths and checks CORS headers, authentication responses, and documentation exposure. When a token is provided, it also sends GraphQL BOLA queries (findAllWorkoutPlans, users, exercises, etc.) to detect missing ownership filters. It makes only passive GET requests plus one introspection POST and targeted GraphQL queries. No exploits are attempted.
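The BOLA mistake in the last bullet, shown as an added example rather than the checker's own code: a GraphQL-style resolver for findAllWorkoutPlans in its vulnerable form (returns every row) beside a hardened form that scopes results to the caller, plus the single-object lookup that needs the same ownership check. The in-memory table, user ids, and the assumption that auth middleware has already placed a verified `userId` on `context` are all constructed for this example.

```javascript
// Added example, not the tool's code. Constructed sample table: workout plans
// belonging to two different users.
const WORKOUT_PLANS = [
  { id: 1, ownerId: "u1", title: "5x5 strength" },
  { id: 2, ownerId: "u2", title: "Marathon base" },
  { id: 3, ownerId: "u1", title: "Mobility" },
];

// Resolvers follow the common (parent, args, context) GraphQL signature.
// context.userId is assumed to be set by the server's auth middleware from a
// verified token; it must never come from client-supplied query arguments.

// Vulnerable: ignores who is asking and returns every row (OWASP API1 / BOLA).
// Any authenticated member receives other users' plans.
function findAllWorkoutPlansVulnerable(_parent, _args, _context) {
  return WORKOUT_PLANS;
}

// Hardened: require an authenticated caller, then filter to rows the caller owns.
function findAllWorkoutPlans(_parent, _args, context) {
  if (!context || !context.userId) {
    throw new Error("UNAUTHENTICATED");
  }
  return WORKOUT_PLANS.filter((p) => p.ownerId === context.userId);
}

// Single-object lookups need the same check; fixing only the list resolver
// still leaves workoutPlan(id: 2) readable by anyone who knows the id.
function workoutPlan(_parent, args, context) {
  if (!context || !context.userId) {
    throw new Error("UNAUTHENTICATED");
  }
  const plan = WORKOUT_PLANS.find((p) => p.id === args.id);
  // Answer "not found" for both missing and foreign rows so the response
  // does not reveal which ids exist.
  if (!plan || plan.ownerId !== context.userId) {
    return null;
  }
  return plan;
}
```

A checker like the one above detects this by sending the same query with two different users' tokens and comparing the row sets; the hardened resolvers return disjoint results, the vulnerable one returns the whole table to both.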