Vulnerability Detection in AppSentinels’ Platform
AppSentinels’ platform offers comprehensive detection of vulnerabilities, covering both the OWASP Top 10 and the OWASP API Top 10. The platform includes four core detection engines, each tailored to specific aspects of API security:
1. PassiveScan
The PassiveScan engine analyzes API traffic without sending any active requests. It detects vulnerabilities related to security misconfigurations that may expose users to browser-based risks such as:
- Cookie-related attacks (e.g., insecure flags, missing attributes)
- Cross-Origin Resource Sharing (CORS) misconfigurations
Configuration: Settings → Vulnerability Configuration → Passive Scan
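To make concrete what a passive check of this kind looks at, here is an added Python example (not AppSentinels code) that inspects captured response headers for the two classes above: cookie attributes (Secure, HttpOnly, SameSite) and CORS grants (wildcard with credentials, null origin, reflected origin). The sample response and the assumed request Origin are constructed; the origin-reflection rule is a heuristic that needs confirming against the intended allowlist.

```python
from typing import List, Tuple

def cookie_findings(set_cookie: str) -> List[str]:
    """Flag missing or unsafe attributes on one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {k.strip().lower(): v.strip().lower()  # flag-only attrs map to ""
             for k, _, v in (p.partition("=") for p in parts[1:])}
    out = []
    if "secure" not in attrs:
        out.append(f"cookie {name}: missing Secure")
    if "httponly" not in attrs:
        out.append(f"cookie {name}: missing HttpOnly")
    if "samesite" not in attrs:
        out.append(f"cookie {name}: missing SameSite")
    elif attrs["samesite"] == "none" and "secure" not in attrs:
        out.append(f"cookie {name}: SameSite=None requires Secure")
    return out
def cors_findings(request_origin: str, headers: List[Tuple[str, str]]) -> List[str]:
    """Flag CORS grants that over-share with cross-origin callers."""
    h = {k.lower(): v.strip() for k, v in headers}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return []  # no cross-origin grant at all: nothing to report
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    out = []
    if acao == "*" and creds:
        out.append("CORS: wildcard origin combined with credentials")
    elif acao == "null":
        out.append("CORS: 'null' origin allowed")
    elif creds and acao == request_origin:
        # Heuristic: the server echoed the caller's Origin; confirm against the allowlist.
        out.append(f"CORS: origin {acao} reflected with credentials (verify allowlist)")
    return out
def passive_scan(request_origin: str, headers: List[Tuple[str, str]]) -> List[str]:
    """Run both passive checks over one captured response; no requests are sent."""
    out = []
    for k, v in headers:
        if k.lower() == "set-cookie":
            out.extend(cookie_findings(v))
    out.extend(cors_findings(request_origin, headers))
    return out
# Constructed sample response (not captured traffic); the request that produced
# it is assumed to have carried Origin: https://partner.example
SAMPLE = [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Access-Control-Allow-Origin", "https://partner.example"),
    ("Access-Control-Allow-Credentials", "true"),
]
```

Running `passive_scan("https://partner.example", SAMPLE)` reports the session cookie's missing Secure and SameSite attributes and the credentialed origin echo, while the `pref` cookie passes.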
2. Governance
This engine focuses on API governance and ensures adherence to organizational and security standards. It detects:
- Unauthenticated or open APIs
- Exposure of sensitive data
Configuration: Settings → Vulnerability Configuration → Governance
3. RuntimeScan
RuntimeScan identifies vulnerabilities based on real-time attack patterns observed in production environments. It detects critical issues that may require immediate developer attention, including:
- BOLA (Broken Object Level Authorization)
- SQL Injection and other input validation flaws
Developers can create actionable vulnerabilities directly from RuntimeScan findings.
Configuration: Settings → Vulnerability Configuration → Runtime Scan
4. ActiveScan
ActiveScan simulates the behavior of a security tester. It:
- Automatically generates test cases
- Injects crafted payloads into APIs
- Actively probes for vulnerabilities through controlled testing
Configuration: DAST → Configurations
These engines work together to provide layered, continuous security coverage across the full API lifecycle—from design and deployment to runtime protection.