XowiaScan

OpenAPI / Swagger Analyzer

Web Security Audit · Free · No sign-up

Drop in a Swagger / OpenAPI spec and map an API’s attack surface in your browser — missing auth, BOLA candidates, mass-assignment and a ready-to-run curl collection.

100% in-browser — the spec never leaves your device. YAML isn't parsed here; convert it to JSON first (most tools export JSON, or use the JSON Workbench).

What is OpenAPI / Swagger Analyzer?

OpenAPI / Swagger Analyzer reads the spec the developers already wrote and turns it into a security review. Every endpoint, every parameter, every request body is checked against the patterns that drive the OWASP API Top 10 — and the output is a graded findings list plus a curl collection you can paste straight into Burp.

Parsing happens entirely in your browser — paste the JSON or drop a swagger.json file and nothing is uploaded. There is no token cost, no rate limit, no sign-in required.

It supports OpenAPI 3.x and Swagger 2.0. YAML is not parsed in-browser today; export your spec as JSON first (every modern editor does) or run it through the JSON Workbench.

What it flags

  • No-auth endpoints — operations with no security requirement (high for writes, medium for reads). The classic “they forgot a decorator” bug.
  • BOLA / IDOR candidates — object-returning routes keyed by id, uuid, userId, accountId and friends. Test ownership, not just the token.
  • Mass-assignment surface — request bodies that accept role, isAdmin, price, owner, permission and other privileged-looking fields.
  • Open schemas — additionalProperties: true on request bodies (undocumented fields accepted = wider attack surface).
  • API key in query string — keys passed as ?api_key= leak into logs, history, referrers and proxies.
  • Plaintext server URLs — any http:// server in the servers block.
  • Deprecated endpoints — often still live, often less monitored.
  • curl request collection — every endpoint rendered as a runnable curl line with a sane example body, ready to paste into Burp or a shell loop.
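As an added illustration (not XowiaScan's own code), the checks listed above reduced to a small Python pass over a constructed OpenAPI 3 document; the sample spec, the rule names and the severities are assumptions, chosen so that each rule fires once.

```python
import json, re

# Constructed OpenAPI 3 document (not a real API), written to trip each rule once.
SAMPLE_SPEC = json.loads("""{
 "openapi": "3.0.0",
 "servers": [{"url": "http://api.example.test"}],
 "security": [{"KeyInQuery": []}],
 "components": {"securitySchemes": {"KeyInQuery":
   {"type": "apiKey", "in": "query", "name": "api_key"}}},
 "paths": {"/users/{userId}": {
   "get": {"security": []},
   "put": {"deprecated": true, "requestBody": {"content": {"application/json":
     {"schema": {"type": "object", "additionalProperties": true,
       "properties": {"name": {"type": "string"}, "isAdmin": {"type": "boolean"}}}}}}}}}
}""")

PRIV_FIELDS = {"role", "isadmin", "price", "owner", "permission"}
METHODS = ("get", "post", "put", "patch", "delete")
ID_PARAM = re.compile(r"\{\w*(id|uuid)\}", re.IGNORECASE)  # {id}, {userId}, {uuid} ...

def analyze(spec):
    """Return (severity, rule, location) tuples for the checks listed above."""
    findings = []
    for srv in spec.get("servers", []):
        if srv.get("url", "").startswith("http://"):
            findings.append(("medium", "plaintext-server", srv["url"]))
    for name, s in spec.get("components", {}).get("securitySchemes", {}).items():
        if s.get("type") == "apiKey" and s.get("in") == "query":
            findings.append(("medium", "apikey-in-query", name))
    for path, item in spec.get("paths", {}).items():
        for method in METHODS:
            op = item.get(method)
            if op is None:
                continue
            loc = f"{method.upper()} {path}"
            # An operation-level "security" overrides the global list; [] means none at all.
            if not op.get("security", spec.get("security", [])):
                findings.append(("medium" if method == "get" else "high", "no-auth", loc))
            if method == "get" and ID_PARAM.search(path):
                findings.append(("info", "bola-candidate", loc))
            if op.get("deprecated"):
                findings.append(("low", "deprecated", loc))
            for media in op.get("requestBody", {}).get("content", {}).values():
                schema = media.get("schema", {})
                if schema.get("additionalProperties") is True:
                    findings.append(("medium", "open-schema", loc))
                for field in schema.get("properties", {}):
                    if field.lower() in PRIV_FIELDS:
                        findings.append(("medium", "mass-assignment", f"{loc} {field}"))
    return findings
```

Run `analyze(SAMPLE_SPEC)` to see seven findings; the GET is reported as a no-auth read and a BOLA candidate, the PUT as deprecated, open-schema and mass-assignment on isAdmin.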

Where it fits in your workflow

  • Open every API engagement here first — five minutes on the spec saves an hour of clicking endpoints.
  • Take the curl collection into Burp Repeater to start hand-testing the no-auth and IDOR candidates first.
  • Re-run after a fix: a clean grade A on the spec is one part of the story — the tool tells you what to verify against the live API.

Want more?

This one is free in your browser. Sign up for server-side recon, scan history, and projects.

At a glance

Category: Web Security Audit
Runs: In your browser
Token cost: Free — no tokens
Access: No login needed
Status: Live

Frequently asked questions

Does this send anything to the API?

No. Analysis is 100% in-browser. The spec never leaves your device, and no curl from the “Request collection” tab fires until you copy it into your own terminal.

My spec is YAML. What do I do?

Convert it to JSON first. Most editors export JSON directly; if not, paste the YAML into the JSON Workbench tool here, switch to YAML→JSON, and feed the output back into this tool. We may add native YAML parsing later — feedback welcome.

A finding says “no auth” but the API does require a token. Why?

The tool reads the spec, not the live API. If the spec is missing the security requirement on an operation, that’s a documentation drift bug worth fixing — and worth probing, because servers sometimes drift too.

Why does it call out IDOR / BOLA candidates instead of confirming them?

BOLA is fundamentally a runtime check (“does the server verify object ownership?”). A spec can only tell you which endpoints are obvious candidates. Use the generated curl with two different users’ tokens to confirm.