Modern API Security

REST is the easy half. The other half is where your money lives.

WASViking® tests GraphQL, SOAP/WSDL, WebSocket, and JWT-protected APIs in the same scan as your REST endpoints. One platform, one license, one finding format.

Protocols: REST (OpenAPI), GraphQL, SOAP (WSDL 1.1/2.0), WebSocket, JWT
Coverage

Four engines, built for the protocols that legacy DAST tools skip or sell as separate add-ons.

GraphQL · 15 detectors

Introspection abuse, BOLA (CWE-639, critical), field-level authorization bypass across sessions (CWE-863, high), automatic persisted query (APQ) allowlist bypass, persisted-query bypass, and depth/alias/batching DoS (opt-in, since these probes deliberately load the resolver layer). Validated baselines of 26/30/48/36 on the mock target.
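Depth, alias and batching abuse share one mechanism: a syntactically valid request that makes the resolver layer do unbounded work, so the three dimensions can be measured on the request body before it is sent. The following is an added example, not the product's own detector. It strips string literals, comments and argument lists (so braces inside input objects are not mistaken for selection sets), then counts selection-set nesting, `alias: field` selections and the number of operations in a batched array body. The thresholds and the sample requests are constructed for illustration.

```python
"""Measure the abuse-relevant shape of a GraphQL HTTP request body.

Added example: dependency-free heuristics, not the product's detector.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

_STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')
_COMMENT = re.compile(r"#[^\n]*")
_PAREN_GROUP = re.compile(r"\([^()]*\)")
# `alias: field` inside a selection set (argument lists are removed first,
# so `user(id: 1)` and `query($id: ID!)` never match).
_ALIAS = re.compile(r"\b[_A-Za-z][_0-9A-Za-z]*\s*:\s*(?=[_A-Za-z])")


@dataclass
class QueryShape:
    max_depth: int    # deepest nesting of selection sets (root set = 1)
    alias_count: int  # number of `alias: field` selections across the body
    batch_size: int   # number of operations in the HTTP body


def _normalize(query: str) -> str:
    """Remove strings, comments and (nested) argument lists."""
    text = _STRING_LITERAL.sub('""', query)
    text = _COMMENT.sub("", text)
    while True:
        text, replaced = _PAREN_GROUP.subn("", text)
        if replaced == 0:
            return text


def selection_depth(query: str) -> int:
    depth = max_depth = 0
    for ch in _normalize(query):
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
    return max_depth


def alias_count(query: str) -> int:
    return len(_ALIAS.findall(_normalize(query)))


def operations_in_body(body: str) -> list[str]:
    """Query strings from a single-operation object or a batched JSON array."""
    payload = json.loads(body)
    items = payload if isinstance(payload, list) else [payload]
    return [item.get("query", "") for item in items if isinstance(item, dict)]


def shape_of(body: str) -> QueryShape:
    queries = operations_in_body(body)
    return QueryShape(
        max_depth=max((selection_depth(q) for q in queries), default=0),
        alias_count=sum(alias_count(q) for q in queries),
        batch_size=len(queries),
    )


# Illustrative thresholds; a real policy is set per schema.
LIMITS = {"max_depth": 10, "alias_count": 20, "batch_size": 10}


def findings(body: str) -> list[str]:
    shape = shape_of(body)
    out = []
    if shape.max_depth > LIMITS["max_depth"]:
        out.append(f"depth DoS: selection depth {shape.max_depth} > {LIMITS['max_depth']}")
    if shape.alias_count > LIMITS["alias_count"]:
        out.append(f"alias DoS: {shape.alias_count} aliases > {LIMITS['alias_count']}")
    if shape.batch_size > LIMITS["batch_size"]:
        out.append(f"batching DoS: {shape.batch_size} operations > {LIMITS['batch_size']}")
    return out


def nested_query(levels: int) -> str:
    """Constructed helper: `{ me { friends { friends { ... name } } } }`."""
    inner = "name"
    for _ in range(levels):
        inner = "friends { " + inner + " }"
    return "{ me { " + inner + " } }"


# Constructed sample bodies.
BENIGN = json.dumps({"query": "query($id: ID!) { user(id: $id, where: {active: true})"
                              " { name posts(first: 5) { title } } }"})
ALIAS_ABUSE = json.dumps({"query": "{ " + " ".join(
    f"u{i}: user(id: 1) {{ name }}" for i in range(50)) + " }"})
DEEP = json.dumps({"query": nested_query(20)})
BATCH = json.dumps([{"query": "{ me { name } }"}] * 25)

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("alias", ALIAS_ABUSE),
                       ("deep", DEEP), ("batch", BATCH)]:
        print(name, shape_of(body), findings(body))
```

Because the braces inside `where: {active: true}` are removed with the argument list, the benign query measures a depth of 3 rather than 4; without that step a scanner over-reports on any schema that uses input objects.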


SOAP / WSDL

WSDL 1.1 and 2.0 parser with type-aware envelope generation; XXE, XML bomb, XPath injection, SOAPAction spoofing, WS-Security bypass, SQLi/command injection/SSRF in SOAP context, WSDL information disclosure, and verbose SOAP faults.

WebSocket

Cross-site WebSocket hijacking (CSWSH), upgrade without authentication, token in the URL, plaintext ws:// carrying cookies, subprotocol downgrade, verbose errors, XSS via message, message-level SQLi/command injection/SSRF/JSON/path traversal, compression bomb (opt-in), broadcast leak, and sensitive data leak. 101 findings across 11 classes on the validation baseline.
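The handshake-level classes in that list (CSWSH, no-auth upgrade, token in URL, plaintext with cookies) are all visible in one HTTP/1.1 upgrade exchange. The following added example, not the product's code, shows both sides: a typical CSWSH-prone server handler beside a hardened one that validates the browser-supplied Origin against an allowlist, and the scanner-side classification of a probe handshake given the status the server returned. The probe replays the victim's handshake with a foreign Origin; hostnames, the cookie value, the token and the list of credential-bearing query parameters are all constructed for illustration.

```python
"""Classify a WebSocket handshake for handshake-level weaknesses.

Added example; hostnames, tokens and thresholds are constructed.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

# Illustrative list of query-parameter names that commonly carry credentials.
TOKEN_PARAMS = {"token", "access_token", "jwt", "auth", "session", "api_key", "apikey"}


def parse_handshake(raw: str) -> tuple[str, dict[str, str]]:
    """Return (request-target, lower-cased header map) from a raw upgrade request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    _, target, _ = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if value:
            headers[name.strip().lower()] = value.strip()
    return target, headers


def _is_upgrade(headers: dict[str, str]) -> bool:
    return (headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in headers.get("connection", "").lower())


def accept_upgrade_vulnerable(headers: dict[str, str]) -> int:
    """CSWSH-prone server: any browser presenting the session cookie is upgraded."""
    return 101 if _is_upgrade(headers) and "cookie" in headers else 403


def accept_upgrade_hardened(headers: dict[str, str], allowed_origins: set[str]) -> int:
    """Browsers always send Origin on a WebSocket handshake; reject anything off-list."""
    if not _is_upgrade(headers) or "cookie" not in headers:
        return 403
    if headers.get("origin", "").lower() not in allowed_origins:
        return 403
    return 101


def handshake_findings(scheme: str, raw_request: str, status: int) -> list[str]:
    """Scanner-side view of one probe handshake and the status the server answered."""
    target, headers = parse_handshake(raw_request)
    host = headers.get("host", "").lower()
    origin_host = urlsplit(headers.get("origin", "")).netloc.lower()
    has_cookie = "cookie" in headers
    has_auth_header = "authorization" in headers
    query = parse_qs(urlsplit(target).query)
    token_params = sorted(p for p in query if p.lower() in TOKEN_PARAMS)

    found: list[str] = []
    # The probe carries a foreign Origin; a 101 means the server never checked it.
    if status == 101 and origin_host and origin_host != host:
        found.append(f"CSWSH: upgrade accepted from foreign origin {origin_host}")
    # Only meaningful when the probe is sent without any credential.
    if status == 101 and not (has_cookie or has_auth_header or token_params):
        found.append("no-auth upgrade: 101 without any credential on the handshake")
    if token_params:
        found.append("token in URL: " + ", ".join(token_params))
    if scheme == "ws" and has_cookie:
        found.append("plaintext with cookies: session cookie sent over ws://")
    return found


# Constructed probe: the victim's handshake replayed with an attacker Origin.
PROBE = (
    "GET /ws/orders?access_token=eyJhbGciOi.example HTTP/1.1\r\n"
    "Host: api.example.test\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Origin: https://attacker.example\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
)


def demo() -> dict[str, list[str]]:
    _, headers = parse_handshake(PROBE)
    return {
        "vulnerable": handshake_findings("ws", PROBE, accept_upgrade_vulnerable(headers)),
        "hardened": handshake_findings(
            "wss", PROBE, accept_upgrade_hardened(headers, {"https://app.example.test"})),
    }


if __name__ == "__main__":
    for variant, result in demo().items():
        print(variant, result or ["clean"])
```

Note that the hardened server still yields one finding, the token in the URL, because the Origin check fixes the cross-site path but does nothing about credentials that land in access logs and Referer headers; moving the token into the Cookie or Authorization header (and serving wss:// only) is a separate fix.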

JWT advanced

Wave 1 and Wave 2 attack sets, automatic JWT discovery from form logins, JWKS discovery on proprietary paths, decoded-claim visibility in findings, and a WAF advisory. This analyzer serves as the architectural reference for future JWT extensions.

Discovery

Find the surface before you scan it.

A shared Target Discovery Engine feeds every analyzer: Playwright for SPAs, OpenAPI and Swagger parsing, GraphQL introspection, robots.txt and sitemap parsing, and CSRF-aware login. It is consumed today by the SQLi, XSS and modern API analyzers, and is the foundation for future ones.

  • Playwright SPA crawler with auth-aware navigation
  • OpenAPI 3.x and Swagger 2.x ingest
  • GraphQL introspection with operation-level mapping
  • Robots, sitemap, and CSRF-aware login discovery
  • Per-host Environment Profile published as a ContextVar to every analyzer
Why this matters

Coverage that finds money paths, not just login pages.

In production today, REST is rarely where the dangerous data lives. GraphQL endpoints expose entire object graphs. SOAP carries financial integrations. WebSocket carries real-time state. A scanner that only sees REST tells you a comforting story about a small part of your surface.

See WASViking® on your own stack.

Start a 14-day trial or talk to our team about an enterprise evaluation. No credit card required for the trial.