ApiPosturePro 1.0.18

dotnet tool install --global ApiPosturePro --version 1.0.18
                    
This package contains a .NET tool you can call from the shell/command line.

ApiPosture Pro

Professional security extension for scanning ASP.NET Core APIs

Extends the open-source ApiPosture CLI with advanced security rules, secrets detection, diff mode, historical tracking, and risk scoring.

🔒 100% Local Analysis - Your code never leaves your machine. All scanning is performed locally on your computer or CI/CD runner.

Features

🛡️ OWASP Top 10 Security Rules

Advanced detection combining endpoint metadata analysis with deep source code inspection of method bodies:

  • AP101 - Broken Access Control (Critical) — missing [Authorize], database writes without auth, IDOR without ownership checks, GET endpoints performing destructive operations
  • AP102 - Cryptographic Failures (High) — weak hashing (MD5/SHA1), hardcoded crypto keys, sensitive data logging
  • AP103 - Injection Vulnerabilities (Critical) — ExecuteSqlRaw with interpolation/concatenation, BinaryFormatter, insecure TypeNameHandling, Process.Start
  • AP104 - Insecure Design (High) — missing CSRF tokens, missing ModelState.IsValid, missing rate limiting
  • AP105 - Security Misconfiguration (Medium) — XXE via DtdProcessing.Parse, XmlTextReader without DTD prohibition, permissive CORS, Swagger exposed in production, AllowedHosts: *, missing authentication services
  • AP106 - Vulnerable Components (Medium) — legacy API patterns, deprecated frameworks, end-of-life .NET versions (below .NET 8.0)
  • AP107 - Authentication Failures (High) — missing audit logging on DELETE, plaintext password comparison
  • AP108 - SSRF Vulnerabilities (High) — HttpClient/WebClient with user input, URI construction from variables

📂 File-Level Scanning

Scans entire source files beyond just endpoint methods:

  • Startup.cs / Program.cs — UseDeveloperExceptionPage() without environment guard, missing UseHttpsRedirection(), missing UseHsts(), Swagger/OpenAPI without environment guard, UseAuthorization() without AddAuthentication()
  • Razor Views (*.cshtml) — @Html.Raw() XSS vulnerabilities, innerHTML assignments
  • C# Source Files (*.cs) — Reversible encryption in password context, hardcoded encryption keys, BinaryFormatter, insecure TypeNameHandling
  • appsettings.json — AllowedHosts wildcard (*) host header injection risk
  • Project Files (*.csproj) — End-of-life .NET framework versions (below .NET 8.0)

🔑 Secrets Detection

  • AP201 - Detects 30+ secret patterns in both source files and method bodies (Critical)
  • AWS, Azure, GCP keys
  • GitHub, Slack, Stripe tokens
  • Database connection strings
  • Private keys and certificates
  • JWT secrets and API keys

📊 Diff Mode

Compare scans over time to track security improvements or regressions:

apiposture-pro diff baseline.json current.json

📈 Historical Tracking

Automatic scan history with SQLite storage:

apiposture-pro history list
apiposture-pro history trend -p /path/to/project

🎯 Risk Scoring

Automated risk assessment based on:

  • Severity (40%)
  • Exposure (25%)
  • Sensitivity (25%)
  • Finding density (10%)

Installation

Install the standalone Pro tool - includes everything:

# Install Pro CLI (includes scanning + all rules)
dotnet tool install --global ApiPosturePro

# Activate your license
apiposture-pro activate XXXX-XXXX-XXXX-XXXX

# Verify activation
apiposture-pro status

That's it! The Pro tool is fully standalone and includes both the free and the Pro rules.

For Free Users

If you only need basic rules, install the free CLI:

dotnet tool install --global ApiPosture

CI/CD Alternative

Set license via environment variable (no activation needed):

export APIPOSTURE_LICENSE_KEY=<your-jwt-token>

Usage

Scan Your API

Use the Pro CLI for scanning (includes both free and Pro rules):

# Basic scan
apiposture-pro scan /path/to/your/api

# Scan with JSON output
apiposture-pro scan /path/to/your/api --output json --output-file report.json

# Fail build on high/critical findings
apiposture-pro scan /path/to/your/api --fail-on high

# Filter by severity
apiposture-pro scan /path/to/your/api --severity medium

Manage Your License

# Check license status
apiposture-pro status

# Deactivate license (interactive)
apiposture-pro deactivate

# Deactivate without confirmation prompt (for scripts/CI)
apiposture-pro deactivate --yes

Example Output

$ apiposture-pro scan .

API Posture Scan Results
========================

Findings:
  [AP101] Critical: Endpoint '/api/entries' performs database writes without authorization
  [AP102] High: Endpoint '/api/users/hash' uses weak hashing algorithm (MD5/SHA1)
  [AP103] Critical: Endpoint '/api/comments' uses ExecuteSqlRaw with string interpolation
  [AP105] Critical: Endpoint '/api/rss' enables DTD processing which allows XXE attacks
  [AP105] High: UseDeveloperExceptionPage() is used without an environment check
  [AP103] High: @Html.Raw() used in Show.cshtml at line 12
  [AP201] Critical: AWS Access Key detected in appsettings.json

Summary:
  Total Findings: 7
  Critical: 4 | High: 3 | Medium: 0 | Low: 0

Scanned 42 endpoints + 18 files in 2.3s

Automatic History Tracking

Every scan is automatically saved to your local history database (~/.apiposture/history.db):

$ apiposture-pro scan /path/to/api
[scan output...]
Scan saved to history: a1b2c3d4e5f6

# View your scan history
$ apiposture-pro history list

# Show trend for your project
$ apiposture-pro history trend -p /path/to/api

Compare Scans (Diff Mode)

Track security improvements over time:

# Save baseline
apiposture-pro scan /path/to/api --output json --output-file baseline.json

# Make security improvements...

# Scan again
apiposture-pro scan /path/to/api --output json --output-file current.json

# Compare results
apiposture-pro diff baseline.json current.json

View History

Pro automatically records scan history:

# List recent scans
apiposture-pro history list

# View trends over time
apiposture-pro history trend -p /path/to/api

# Show specific scan
apiposture-pro history show <scan-id>

CI/CD Integration

Use ApiPosture Pro in your CI/CD pipeline:

GitHub Actions

name: Security Scan

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install ApiPosture Pro
        run: dotnet tool install --global ApiPosturePro

      - name: Run security scan
        run: apiposture-pro scan . --output json --output-file results.json
        env:
          APIPOSTURE_LICENSE_KEY: ${{ secrets.APIPOSTURE_LICENSE_KEY }}

      - name: Upload results
        uses: actions/upload-artifact@v4
        with:
          name: security-scan-results
          path: results.json

Azure DevOps

steps:
  - task: DotNetCoreCLI@2
    displayName: 'Install ApiPosture Pro'
    inputs:
      command: 'custom'
      custom: 'tool'
      arguments: 'install --global ApiPosturePro'

  - script: apiposture-pro scan . --output json --output-file $(Build.ArtifactStagingDirectory)/results.json
    displayName: 'Security Scan'
    env:
      APIPOSTURE_LICENSE_KEY: $(ApiPostureLicenseKey)

GitLab CI

security_scan:
  script:
    - dotnet tool install --global ApiPosturePro
    - apiposture-pro scan . --output json --output-file results.json
  variables:
    APIPOSTURE_LICENSE_KEY: $APIPOSTURE_LICENSE_KEY
  artifacts:
    paths:
      - results.json

Security Rules Reference

AP101: Broken Access Control

Severity: Critical

Detects missing authorization on sensitive operations, IDOR vulnerabilities, mass assignment risks, privilege escalation endpoints, and GET endpoints performing destructive database operations. Source code analysis detects database writes (.Add(), .SaveChangesAsync()) on public endpoints and data access by ID without ownership verification.

Recommendation: Use [Authorize] attributes with appropriate roles/policies. Verify resource ownership before returning data.

AP102: Cryptographic Failures

Severity: High

Detects sensitive data in URLs, weak hashing algorithms (MD5.Create(), SHA1.Create()), hardcoded cryptographic keys (Convert.FromBase64String("...")), reversible encryption used for passwords, and sensitive data logged via .ToString() or string interpolation.

Recommendation: Use SHA-256+ for hashing, bcrypt/Argon2 for passwords. Store keys in secure configuration. Never log sensitive objects.

AP103: Injection Vulnerability

Severity: Critical

Detects SQL injection via ExecuteSqlRaw/FromSqlRaw with string interpolation or concatenation, insecure deserialization (TypeNameHandling.Auto/All), BinaryFormatter usage, Process.Start command injection, and XSS via @Html.Raw() in Razor views.

Recommendation: Use ExecuteSqlInterpolated or parameterized queries. Use System.Text.Json instead of BinaryFormatter. Avoid @Html.Raw() with user data.

AP104: Insecure Design

Severity: High

Detects missing rate limiting on auth endpoints, [HttpPost] actions without [ValidateAntiForgeryToken], POST/PUT methods without ModelState.IsValid checks, and bulk operations without limits.

Recommendation: Add CSRF protection, validate input models, implement rate limiting and CAPTCHA.
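As an added example (not ApiPosture's own code) covering AP101, AP103 and AP104 together: a controller that keeps destructive work on DELETE behind [Authorize] plus an ownership check, passes SQL through ExecuteSqlInterpolated instead of a pre-interpolated string, and validates form posts. AppDbContext, Comment, CommentInput and the use of the NameIdentifier claim as the caller id are assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// Added example, not ApiPosture's code. AppDbContext, Comment and CommentInput are assumed.
[ApiController]
[Route("api/comments")]
[Authorize]                                   // AP101: nothing here is reachable anonymously
public class CommentsController : ControllerBase
{
    private readonly AppDbContext _db;
    public CommentsController(AppDbContext db) => _db = db;

    private string CallerId => User.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? "";

    // AP103: the flagged form is ExecuteSqlRaw($"... WHERE Id = {id}"), where C# builds the
    // string before the call. ExecuteSqlInterpolated receives the FormattableString itself
    // and binds each hole as a DbParameter, so the value is never spliced into SQL text.
    [HttpDelete("{id:int}")]                  // AP101: destructive work only on DELETE, never GET
    public async Task<IActionResult> Delete(int id)
    {
        var comment = await _db.Comments.FindAsync(id);
        if (comment is null) return NotFound();
        if (comment.OwnerId != CallerId) return Forbid();   // AP101: ownership check against IDOR

        await _db.Database.ExecuteSqlInterpolatedAsync(
            $"DELETE FROM Comments WHERE Id = {id} AND OwnerId = {CallerId}");
        return NoContent();
    }

    // AP104: antiforgery token on the form post and an explicit ModelState check.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Create([FromForm] CommentInput input)
    {
        if (!ModelState.IsValid) return ValidationProblem(ModelState);
        _db.Comments.Add(new Comment { Body = input.Body, OwnerId = CallerId });
        await _db.SaveChangesAsync();
        return Created("/api/comments", null);
    }
}

public class CommentInput
{
    [Required, MaxLength(2000)]
    public string Body { get; set; } = "";
}
```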

AP105: Security Misconfiguration

Severity: Medium

Detects exposed debug endpoints, XXE vulnerabilities (DtdProcessing.Parse, XmlTextReader without DTD prohibition), permissive CORS (AllowAnyOrigin()), UseDeveloperExceptionPage() without environment guard, missing UseHttpsRedirection()/UseHsts(), Swagger/OpenAPI exposed in production, AllowedHosts wildcard in appsettings.json, and UseAuthorization() without AddAuthentication().

Recommendation: Set DtdProcessing.Prohibit. Guard dev middleware with IsDevelopment(). Enforce HTTPS and HSTS. Restrict AllowedHosts. Configure authentication services.
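An added example (not ApiPosture's own code) of a Program.cs arranged so that none of the AP105 patterns above apply, including an XML-consuming endpoint with DTDs prohibited. The JWT bearer package, Swashbuckle, the origin https://app.example.com and the /api/rss route are assumptions.

```csharp
using System.Xml;
using Microsoft.AspNetCore.Authentication.JwtBearer;

// Added example, not ApiPosture's code. The JWT bearer package, Swashbuckle and the
// origin "https://app.example.com" are assumptions.
var builder = WebApplication.CreateBuilder(args);

// AP105: UseAuthorization() only does something once an authentication scheme exists.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer();
builder.Services.AddAuthorization();

// AP105: named origins instead of AllowAnyOrigin().
builder.Services.AddCors(o => o.AddDefaultPolicy(p =>
    p.WithOrigins("https://app.example.com").AllowAnyHeader().AllowAnyMethod()));
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

var app = builder.Build();

// AP105: dev-only middleware behind IsDevelopment(); HSTS for everything else.
// (AllowedHosts in appsettings.json should list real host names, not "*".)
if (app.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
    app.UseSwagger();
    app.UseSwaggerUI();
}
else
{
    app.UseHsts();
}
app.UseHttpsRedirection();
app.UseCors();
app.UseAuthentication();
app.UseAuthorization();

// AP105 (XXE): DtdProcessing.Prohibit plus a null resolver makes the reader throw on
// any <!DOCTYPE> before an entity can be expanded or an external resource fetched.
app.MapPost("/api/rss", async (HttpRequest req) =>
{
    var settings = new XmlReaderSettings
        { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null, Async = true };
    using var reader = XmlReader.Create(req.Body, settings);
    int items = 0;
    while (await reader.ReadAsync())
        if (reader.NodeType == XmlNodeType.Element && reader.Name == "item") items++;
    return Results.Ok(new { items });
}).RequireAuthorization();

app.Run();
```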

AP106: Vulnerable Components

Severity: Medium

Detects legacy API patterns, deprecated frameworks, outdated web service endpoints, and end-of-life .NET versions (below .NET 8.0) in project files.

Recommendation: Keep components updated. Migrate legacy services to modern patterns. Upgrade to supported .NET versions.

AP107: Authentication Failures

Severity: High

Detects weak auth patterns, basic auth usage, missing audit logging on DELETE endpoints, plaintext password comparison (== password), and improper session/token management.

Recommendation: Use bcrypt/Argon2 for password verification. Log all destructive operations. Use MFA and secure session handling.
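An added example (not ApiPosture's own code) serving both AP102 and AP107: the pattern the rules flag (unsalted MD5 and a `==` comparison) beside a verifier that stores a salted PBKDF2 hash and compares in constant time. The page recommends bcrypt/Argon2, which need a third-party package; the BCL's PBKDF2-SHA256 stands in here as my choice, and the stored-record format is an assumption.

```csharp
using System.Security.Cryptography;
using System.Text;

// Added example, not ApiPosture's code. PBKDF2-SHA256 from the BCL stands in for
// bcrypt/Argon2; the "iterations.salt.hash" record format is an assumption.
public static class PasswordVerifier
{
    const int SaltBytes = 16, HashBytes = 32, Iterations = 600_000;

    // AP102/AP107: the shape the rules flag. MD5 is cheap to brute force, there is no
    // salt, and string == stops at the first differing character.
    public static bool VerifyWeak(string password, string storedMd5Hex) =>
        Convert.ToHexString(MD5.HashData(Encoding.UTF8.GetBytes(password))) == storedMd5Hex;

    // Random salt per user; the iteration count is stored so it can be raised later.
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    public static bool Verify(string password, string stored)
    {
        var parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations)) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        // AP107: constant-time comparison instead of ==.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}
```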

AP108: SSRF Vulnerability

Severity: High

Detects endpoints accepting URL parameters, HttpClient.GetAsync()/WebClient.DownloadString() with user input, new Uri(variable) construction, webhooks, and proxy functionality.

Recommendation: Validate URL inputs against allowlists. Block internal IP ranges. Use typed HTTP clients.
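An added example (not ApiPosture's own code) for AP108: a webhook URL supplied by the caller is only fetched after it passes a host allowlist and the address it resolves to is checked against internal ranges, through a typed HttpClient. The allowed host names and the AddHttpClient<WebhookClient>() registration are assumptions.

```csharp
using System.Net;
using System.Net.Sockets;

// Added example, not ApiPosture's code. The allowed host names and the typed client
// registration (AddHttpClient<WebhookClient>()) are assumptions.
public static class OutboundUrlPolicy
{
    static readonly HashSet<string> AllowedHosts =
        new(StringComparer.OrdinalIgnoreCase) { "hooks.example.com", "api.partner.example" };

    // AP108: returns the canonical Uri when the caller-supplied string passes the allowlist,
    // otherwise null. Scheme, credentials and literal IPs are rejected before the host check.
    public static Uri? Validate(string candidate)
    {
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out var uri)) return null;
        if (uri.Scheme != Uri.UriSchemeHttps) return null;
        if (uri.UserInfo.Length != 0) return null;                 // https://allowed@other/
        if (uri.HostNameType != UriHostNameType.Dns) return null;  // no 127.0.0.1, [::1], ...
        return AllowedHosts.Contains(uri.Host) ? uri : null;
    }

    // AP108: second check, applied to what the allowlisted name actually resolves to.
    public static bool IsInternal(IPAddress ip)
    {
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
        if (IPAddress.IsLoopback(ip)) return true;
        if (ip.AddressFamily == AddressFamily.InterNetworkV6)
            return ip.IsIPv6LinkLocal || ip.IsIPv6UniqueLocal || ip.Equals(IPAddress.IPv6Any);
        byte[] b = ip.GetAddressBytes();
        return b[0] == 10 || b[0] == 0
            || (b[0] == 172 && (b[1] & 0xF0) == 16)
            || (b[0] == 192 && b[1] == 168)
            || (b[0] == 169 && b[1] == 254);     // link-local, where cloud metadata services live
    }
}

public sealed class WebhookClient(HttpClient http)
{
    public async Task<HttpResponseMessage> PostAsync(string rawUrl, HttpContent body)
    {
        var uri = OutboundUrlPolicy.Validate(rawUrl)
                  ?? throw new ArgumentException("URL not on the outbound allowlist");
        foreach (var addr in await Dns.GetHostAddressesAsync(uri.Host))
            if (OutboundUrlPolicy.IsInternal(addr))
                throw new ArgumentException("URL resolves to an internal address");
        return await http.PostAsync(uri, body);
    }
}
```

The gap between resolving the name and connecting (DNS rebinding) is not closed by this check alone; pinning the connection to the vetted address with a SocketsHttpHandler ConnectCallback does that.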

AP201: Secrets in Code

Severity: Critical

Detects 30+ hardcoded secret patterns in both source files and endpoint method bodies, including cloud keys, service tokens, database credentials, and private keys.

Recommendation: Never hardcode secrets. Use environment variables or secure vaults.

Privacy & Security

🔒 Your code stays on your machine

  • All analysis is performed 100% locally
  • No code, findings, or project data is uploaded to external servers
  • No telemetry or usage tracking
  • SQLite history database is stored locally on your machine (~/.apiposture/history.db)

License Tiers

Pro License

  • OWASP Top 10 rules (AP101-AP108)
  • Secrets detection (AP201)
  • Diff mode
  • Historical tracking
  • Risk scoring
  • Standard support

Enterprise License

  • All Pro features
  • Priority support
  • Custom rule development
  • Site licenses available

Changelog

1.0.10 (2025-02-09)

  • AP101: detect GET endpoints performing destructive database operations (unsafe method violation)
  • AP105: detect Swagger/OpenAPI exposed without environment guard in Startup.cs/Program.cs
  • AP105: detect AllowedHosts: * wildcard in appsettings.json (host header injection)
  • AP105: detect UseAuthorization() without AddAuthentication() (ineffective auth middleware)
  • AP106: detect end-of-life .NET framework versions (below .NET 8.0) in .csproj files
  • File-level scanner now discovers appsettings*.json and *.csproj files

1.0.7 (2025-02-07)

  • Source code analysis engine: rules now inspect method bodies, not just route metadata
  • File-level scanning for Startup.cs, Program.cs, Razor views, and all C# files
  • AP101: detect database writes without auth, IDOR without ownership checks
  • AP102: detect weak hashing (MD5/SHA1), hardcoded crypto keys, sensitive data logging
  • AP103: detect SQL injection in ExecuteSqlRaw, insecure deserialization, BinaryFormatter, XSS in Razor
  • AP104: detect missing CSRF tokens and ModelState validation
  • AP105: detect XXE, permissive CORS, missing HTTPS/HSTS, unguarded dev exception page
  • AP107: detect missing audit logging on DELETE, plaintext password comparison
  • AP108: detect HttpClient/WebClient SSRF patterns
  • AP201: secrets detection now scans method bodies

1.0.0 (2025-01-15)

  • Initial release
  • OWASP Top 10 security rules (AP101-AP108)
  • Secrets detection (AP201)
  • Diff mode for comparing scans
  • Historical tracking with SQLite
  • Risk scoring analysis

Copyright © 2025 ApiPosture. All rights reserved. | License Terms
