London-based attack surface management leader Intruder has released Autoswagger, a new free and open-source tool designed to scan OpenAPI-documented APIs for prevalent broken authorization vulnerabilities. These flaws remain common, even within large enterprises with mature security teams, and are particularly dangerous because they can be exploited with minimal technical skill. Autoswagger is now available on GitHub.

Autoswagger automates the detection of authorization weaknesses in APIs and identifies sensitive endpoints that fail to require authentication or to validate API tokens. According to Verizon's 2025 Data Breach Investigations Report, API-related breaches increased by nearly 40% year-over-year, with broken authorization cited as a frequently exploited flaw. While various API scanning tools exist, most options for detecting broken authorization are either costly, inefficient, or require manual work by penetration testers. Autoswagger is positioned as the first freely available tool proven effective at detecting these potentially dangerous vulnerabilities.

Chris Wallis, CEO and founder of Intruder, commented, "These vulnerabilities are so easy to exploit, you could teach someone with no technical background how to do it in a day. When you consider how common these issues are and how frequently companies release new code or expose new endpoints, it's clear this is a critical gap. That's why we're making Autoswagger available for free, to help teams find and fix these flaws before attackers do."

The proliferation of APIs has established them as the backbone of modern applications, creating an expanded attack surface for organizations. This is especially true for those heavily reliant on third-party APIs for services like payments, analytics, or social logins, which may introduce risks beyond their direct control.
When broken authorization vulnerabilities are discovered and exploited, the consequences can be significant, as demonstrated by the 2022 Optus data breach, in which sensitive customer data was extracted through a simple API authorization flaw and the Australian telecommunications company incurred $140 million AUD in related costs. Despite the attention this attack brought to such vulnerabilities, Intruder's research indicates that even members of the S&P 500 still exhibit exposure three years later. During Intruder's research and testing of Autoswagger, its security team detected exposed Salesforce records containing personally identifiable information (PII) at a large multinational tech company, and an exposed internal staff training application at a multinational soda company that could have allowed attackers to run queries against its database. The majority of vulnerabilities discovered during this research were in APIs intended for internal use.

Autoswagger operates by first discovering API schemas in common formats and locations, starting from an organization's list of domains. It scans for OpenAPI and Swagger documentation pages, sending requests to each host to locate valid schemas. Once a schema is found, the tool parses the API specification and automatically generates a list of endpoints to test, taking into account each endpoint's definition, required parameters, and expected data types. From there, Autoswagger runs targeted scans for broken authorization by sending unauthenticated requests to each endpoint using valid parameter values pulled from the documentation. It then flags endpoints that return a successful response instead of the HTTP 401 or 403 error that a properly access-controlled endpoint would return. The tool also highlights endpoints where authentication is either missing or ineffective.
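As an added illustration of the workflow just described (this is example code written for this page, not Intruder's Autoswagger source), the following Python script takes an inline OpenAPI 3 document, expands each operation into a concrete request using parameter values taken from the schema (example, default, enum, or a type-based fallback), sends it with no credentials, and classifies the response: 401/403 means access control is in place, a 2xx response is a finding, and a 2xx body that carries something sensitive is escalated. The spec, the server URL and the responses are constructed for the example so that it runs offline; the `send` callable is the point where a real HTTP client would be plugged in.

```python
"""Miniature of the Autoswagger scan loop: parse spec, build unauthenticated
requests, classify responses. Example code for this article, not Intruder's tool."""
import re
from urllib.parse import urlencode

# Constructed OpenAPI document; the host and endpoints are fictitious.
SPEC = {
    "servers": [{"url": "https://api.example.test"}],
    "paths": {
        "/users/{id}": {
            "get": {
                "parameters": [
                    {"name": "id", "in": "path", "required": True,
                     "schema": {"type": "integer", "example": 42}},
                    {"name": "fields", "in": "query", "required": False,
                     "schema": {"type": "string", "enum": ["basic", "full"]}},
                ],
            }
        },
        "/admin/export": {"post": {"parameters": []}},
        "/health": {"get": {"parameters": []}},
    },
}


def sample_value(schema):
    """Pick a value the API is likely to accept, preferring what the spec documents."""
    for key in ("example", "default"):
        if key in schema:
            return schema[key]
    if "enum" in schema:
        return schema["enum"][0]
    return {"integer": 1, "number": 1.0, "boolean": True}.get(schema.get("type"), "test")


def build_requests(spec):
    """Expand every path/method pair into (METHOD, URL) with schema-derived values."""
    base = spec["servers"][0]["url"]
    plans = []
    for path, methods in spec["paths"].items():
        for method, op in methods.items():
            url, query = path, {}
            for p in op.get("parameters", []):
                value = sample_value(p.get("schema", {}))
                if p["in"] == "path":
                    url = url.replace("{%s}" % p["name"], str(value))
                elif p["in"] == "query":
                    query[p["name"]] = value
            if query:
                url += "?" + urlencode(query)
            plans.append((method.upper(), base + url))
    return plans


# Crude sensitive-data heuristics: credential-like JSON keys and e-mail addresses.
SENSITIVE_KEYS = re.compile(r'"(password|passwd|secret|token|api_?key|ssn)"\s*:', re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def classify(status, body):
    """401/403 = access control works; 2xx = reachable without credentials."""
    if status in (401, 403):
        return "protected"
    if 200 <= status < 300:
        if SENSITIVE_KEYS.search(body) or EMAIL.search(body):
            return "unauthenticated-sensitive"
        return "unauthenticated"
    return "inconclusive"  # 404, 405, 5xx etc. need manual follow-up


def scan(spec, send):
    """Run every request with NO Authorization header; that absence is the test."""
    return {url: classify(*send(method, url)) for method, url in build_requests(spec)}


# Constructed responses standing in for a live server (no network in this example).
FAKE_RESPONSES = {
    ("GET", "https://api.example.test/users/42?fields=basic"):
        (200, '{"id": 42, "email": "jane@example.test", "role": "admin"}'),
    ("POST", "https://api.example.test/admin/export"): (403, '{"error": "forbidden"}'),
    ("GET", "https://api.example.test/health"): (200, '{"status": "ok"}'),
}


def fake_send(method, url):
    return FAKE_RESPONSES.get((method, url), (404, ""))


if __name__ == "__main__":
    for url, verdict in scan(SPEC, fake_send).items():
        print(f"{verdict:26} {url}")
```

Two practical points the toy makes visible: a bare 2xx is only evidence that the endpoint answers without credentials, so something like `/health` will show up as "unauthenticated" and has to be triaged rather than reported, which is why the sensitive-data pass on the body matters; and the parameter values come straight from the documentation, so an endpoint whose schema lacks examples or enums gets a generic value and may reject the request for format reasons rather than authorization, which is the gap the `--brute` mode mentioned below is meant to cover.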
For more advanced use cases, Autoswagger can be run with the --brute flag to simulate bypassing validation checks, helping to uncover flaws in endpoints that require specific data formats or values and would otherwise reject generic input. Finally, the tool analyzes any successful responses for signs of exposed sensitive data, such as PII, credentials, or internal records, and includes in its output report every endpoint that lacks proper authentication and returns sensitive information.

Dan Andrew, Head of Security at Intruder, stated, "Exposing documentation for your API effectively increases your attack surface, and as a defence in depth measure, you should not expose API documentation unless it's a business requirement. The lesson here is, in addition to regular API scanning after each development iteration, that you shouldn't publicly document your APIs unless you can't avoid it. Without a 'map,' this kind of vulnerability becomes much harder for attackers to exploit."

More information about deploying Autoswagger and the team's development journey can be found on Intruder's company blog. Autoswagger is free to download and install via GitHub.

Intruder, founded in 2015 by Chris Wallis, a former ethical hacker, offers an exposure management platform designed to help security teams proactively discover attack surface weaknesses. The platform unifies attack surface management, cloud security, and continuous vulnerability management, aiming to simplify security by reducing complexity. Intruder currently protects over 3,000 companies globally.