API Spyder

API Spyder is an API Attack Surface Discovery Tool that gives you an outside-in view of your exposed resources – effectively showing you what the attacker may see. It uncovers the API servers and some of the most common API endpoints they host. What API Spyder discovers is really the “tip of the iceberg”, a starting point for the security teams, on where to start the API Security journey. It complements the inside-out view that API Sentinel gives you by collecting data from your API management infrastructure. The ideal solution is one that gives you both views.

API Spyder uses a predictive crawling technique on your public domain to discover exposed resources, similar to what Google does when they update their search algorithms. In order to discover your API attack surface, all you need to provide is a top-level domain (e.g. exampledomain.com), and API Spyder will use that to uncover API servers under that domain.

API Spyder will show you your publicly visible API servers and associated resources including:  

• Public cloud hosted and non-production API servers (e.g. api.exampledomain.com)
• Hosting providers on which these API servers are hosted (e.g. CDN, IaaS, or WAF providers)
• REST and GraphQL type of endpoints
• Internal API endpoints like health/monitoring endpoint and Swagger/OpenAPI specifications visible publicly

You do not need to install or deploy any software on your premises for API Spyder to work, nor do you need to make any network changes. You simply enter the top-level domain you wish to crawl with API Spyder and it will then discover the API servers and endpoints under that domain.

API Spyder gives you an outside-in view of your exposed resources – effectively showing you what an attacker may see from outside your enterprise environment. This will help you discover and manage your attack surface, showing you the API servers and hosting providers that you may know of, and those that you don’t. API Spyder can also uncover Log4j and LoNg4j vulnerabilities in your API servers without requiring any code to be added to the servers.

You may request a limited time trial account for API Spyder. Open a browser window to Cequence API Spyder Signup. See Getting Started: First Steps The free trial will enable you to discover the attack surface for up to 2 top-level domains, with API Spyder crawling those domains exactly once. You may request an upgrade to a paid subscription to discover your attack surface for additional domains and for continuous discovery, management and notifications of the discovered attack surface.

API Spyder typically generates a few hundred API requests per API server when doing API server and endpoint crawling. The default crawling is benign and is similar to a Google Bot crawl impact. Each domain can be configured to be scanned for Log4j vulnerabilities. This is also not a high impact crawl but could trigger WAF responses if a WAF is configured to look for Log4j scans.

No. Your work email root domain is automatically configured as a crawl target. Cequence technical staff reviews all requests for other domains and approve only those that are associated with your work email root domain. Cequence will not permit a crawl by one corporate group or individual targeting another company’s online assets and domains.

API Spyder typically generates a few hundred API requests per API server when crawling a domain. The crawling is benign and is similar to a Google Bot crawl impact. Each domain can also be configured to be scanned for Log4j vulnerabilities. This is also not a high impact crawl but could trigger WAF responses if a WAF is configured to look for Log4j scans.