Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Welcome to The researcher’s desk – a content series where the Detectify security research team will conduct a technical autopsy on vulnerabilities that are particularly interesting, complex, or persistent. The goal here is not to report the latest research (for which you can refer to the Detectify release log); it is to take a closer look at certain vulnerabilities, regardless of their disclosure date, that still offer critical lessons.

TLDR: Excessive Data Exposure (leaking internal data via API responses) is the silent, pervasive threat that is more dangerous than single dramatic flaws like SQL Injection. It amplifies every other API vulnerability (like BOLA) and happens everywhere because developers prioritize speed over explicit data filtering. Fixing it means systematically checking hundreds of endpoints for unneeded PII and sensitive internal data.

Picture this: it’s 3 AM, and your message broker is acting up. Queue depths are climbing, consumers are dropping off, and your on-call engineer is frantically restarting pods in a Kubernetes cluster they barely understand. Sound familiar? For years, we lived this reality with our self-hosted RabbitMQ running on EKS.

Our API scanner can test for dozens of vulnerability types like prompt injections and misconfigurations. We’re excited to share today that we’re releasing vulnerability tests for OAuth API authorization for organizations that use JWT tokens. These JWT, or JSON Web Tokens, are meant to prove that you have access to whatever it is you are accessing. One of the most critical JWT vulnerabilities is algorithm confusion.

Two months since I joined Detectify and I’ve realized something: API security is a completely different game from web application security. And honestly? I think a lot of teams don’t see this yet.

We know the importance of staying ahead of threats. At Detectify, we’re committed to providing you with the tools you need to secure your applications effectively. This update covers our new Dynamic API Scanning feature, updates over the last few months, and the latest additions to our vulnerability testing capabilities.

What if we told you that our newly released API Scanner has 922 quintillion payloads for a single type of vulnerability test? A quintillion is a billion billion – an immense number that highlights the limitations of traditional API security testing. Old methods like relying on signatures, vulnerability-specific payloads, or a fixed set of fuzzing inputs just aren’t enough anymore, especially when dealing with custom-built software and unique API endpoints.

Intruder is a cloud-based vulnerability scanner that provides an automated overview of an organization’s attack surface. Its primary function is to proactively identify weaknesses across internet-facing infrastructure and applications before they are exploited. The platform’s scanning engine runs a set of checks for both infrastructure-level misconfigurations and application-layer vulnerabilities, like those in the OWASP Top 10. It leverages open-source engines like ZAP to execute its checks.

Application environments are more complex than ever, with APIs forming the critical connective tissue. But this proliferation has created a vast, often invisible, attack surface. Security teams are caught in a difficult position: compliance frameworks like PCI and SOC 2 demand API scanning, but offer little guidance. Meanwhile, you’re grappling with incomplete API inventories, and the market is a confusing mix of expensive, hard-to-instrument niche tools.

Navigating the complex and ever-changing compliance landscape is difficult for many companies and organizations. With many regulations, selecting the appropriate security tooling that aligns with the compliance needs of your business becomes a significant challenge.