Building Doppel: A Real-Time API Security Scanner
APIs are the backbone of modern applications, but they're also one of the largest attack surfaces. Misconfigured endpoints, missing authentication, excessive data exposure — these vulnerabilities are everywhere, and they're consistently in the OWASP API Security Top 10.
The problem is that most teams don't test their APIs for security until it's too late. Traditional scanners focus on web application vulnerabilities (XSS, SQL injection) but miss API-specific issues like broken object-level authorization, excessive data exposure, and missing rate limiting.
I built Doppel to catch these issues in real time.
What Doppel Does
Doppel is a real-time API security detector that:
- Flags insecure endpoints: Identifies API endpoints with missing or weak authentication, exposed debug routes, and overly permissive CORS configurations
- Exposes data leaks: Detects endpoints that return more data than the client needs (excessive data exposure — OWASP API3)
- Automates OWASP detection: Scans for common OWASP API Security Top 10 vulnerabilities with automated alerts
Architecture
Doppel operates as an intercepting proxy that analyzes API traffic in real time:
// The scanning engine: an ordered set of rules plus the alerts they raise.
struct SecurityScanner {
    rules: Vec<Box<dyn SecurityRule>>,
    alerts: Vec<SecurityAlert>,
}
// Every detection rule implements this trait; Send + Sync lets the proxy
// run rules from multiple worker threads.
trait SecurityRule: Send + Sync {
    fn name(&self) -> &str;
    fn check(&self, request: &ApiRequest, response: &ApiResponse) -> Option<SecurityAlert>;
}
struct SecurityAlert {
    severity: Severity,
    rule: String,
    endpoint: String,
    description: String,
    remediation: String,
}
Each security rule is an independent checker that examines request/response pairs. This modular design makes it easy to add new detection rules without modifying the core scanning engine.
OWASP API Security Detection
Doppel includes detection rules for the most common API vulnerabilities:
Broken Authentication (API2)
Detects endpoints that accept requests without valid authentication tokens, or that use weak authentication schemes:
struct BrokenAuthRule;
impl SecurityRule for BrokenAuthRule {
    // Required by the SecurityRule trait; the impl would not compile without it.
    fn name(&self) -> &str {
        "API2:Broken-Authentication"
    }
    fn check(&self, req: &ApiRequest, res: &ApiResponse) -> Option<SecurityAlert> {
        // A 2xx response to a request carrying no Authorization header means the
        // endpoint served the request without authenticating the caller.
        if req.auth_header().is_none() && res.status().is_success() {
            Some(SecurityAlert {
                severity: Severity::High,
                rule: self.name().into(),
                endpoint: req.url().to_string(),
                description: "Endpoint returns success without authentication".into(),
                remediation: "Require valid authentication for all API endpoints".into(),
            })
        } else {
            None
        }
    }
}
Excessive Data Exposure (API3)
Flags responses that contain fields commonly associated with sensitive data — internal IDs, email addresses, password hashes, or debug information that shouldn't be exposed to clients.
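An added example of how such a rule can be written, in the shape of the SecurityRule::check signature above (this is illustrative code, not Doppel's own; the stand-in types, the sensitive-key list and the minimal key scanner are assumptions):

```rust
// Added example, not Doppel's code: a minimal API3 rule in the shape of
// SecurityRule::check above. Types and the key list are stand-ins (assumed).
#[derive(Debug, PartialEq)]
pub enum Severity { Medium, High }
#[derive(Debug, PartialEq)]
pub struct SecurityAlert {
    pub severity: Severity,
    pub rule: String,
    pub endpoint: String,
    pub description: String,
    pub remediation: String,
}
/// Keys that rarely belong in a client-facing response (assumed list).
const SENSITIVE_KEYS: &[&str] = &["password", "password_hash", "internal_id",
    "ssn", "ssn_last4", "email", "secret", "api_key", "stack_trace"];
/// Every JSON object key in `body`, at any nesting depth, in document order.
/// Deliberately minimal: a key is a quoted string followed by ':'. A production
/// rule would walk a parsed JSON tree instead of scanning characters.
pub fn json_keys(body: &str) -> Vec<String> {
    let c: Vec<char> = body.chars().collect();
    let (mut keys, mut i) = (Vec::new(), 0);
    while i < c.len() {
        if c[i] != '"' { i += 1; continue; }
        let mut j = i + 1;                      // scan to the closing quote
        while j < c.len() && c[j] != '"' {
            if c[j] == '\\' { j += 1; }         // skip the escaped character
            j += 1;
        }
        let mut k = j + 1;                      // skip whitespace after the string
        while k < c.len() && c[k].is_whitespace() { k += 1; }
        if k < c.len() && c[k] == ':' {         // string followed by ':' is a key
            keys.push(c[i + 1..j.min(c.len())].iter().collect());
        }
        i = j + 1;
    }
    keys
}
/// API3 check: a successful JSON response that exposes sensitive-looking keys.
pub fn check_excessive_exposure(endpoint: &str, status: u16, body: &str) -> Option<SecurityAlert> {
    if !(200..300).contains(&status) { return None; }   // only successful responses leak data
    let found: Vec<String> = json_keys(body).into_iter()
        .filter(|k| { let l = k.to_ascii_lowercase(); SENSITIVE_KEYS.iter().any(|s| *s == l) })
        .collect();
    if found.is_empty() { return None; }
    Some(SecurityAlert {
        severity: Severity::Medium,
        rule: "API3:Excessive-Data-Exposure".into(),
        endpoint: endpoint.into(),
        description: format!("Response contains fields: {}", found.join(", ")),
        remediation: "Filter response to only include fields needed by the client".into(),
    })
}
```

Because the scanner looks at keys rather than values, nested objects such as an embedded profile are covered, but keys that merely resemble sensitive names will also be flagged, so the list should be tuned per API.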
Missing Rate Limiting (API4)
Monitors request patterns and alerts when endpoints don't enforce rate limits, leaving them vulnerable to brute-force attacks and resource exhaustion.
Automated Alerting
Doppel generates structured alerts with severity levels, affected endpoints, and specific remediation guidance. This reduces the time from detection to fix:
[HIGH] API2:Broken-Authentication
Endpoint: POST /api/admin/users
Description: Endpoint returns success without authentication
Remediation: Require valid authentication for all API endpoints
[MEDIUM] API3:Excessive-Data-Exposure
Endpoint: GET /api/users/123
Description: Response contains fields: password_hash, internal_id, ssn_last4
Remediation: Filter response to only include fields needed by the client
Reducing Attack Surfaces
The goal of Doppel isn't just to find vulnerabilities — it's to reduce the overall attack surface of an API. By running Doppel against your API during development and in CI/CD, you catch security issues before they reach production.
Common attack surface reductions Doppel enables:
- Identifying and removing unnecessary endpoints (debug routes, test endpoints left in production)
- Ensuring every endpoint enforces authentication and authorization
- Detecting excessive data exposure before sensitive data leaks
- Verifying rate limiting is in place on sensitive operations
Why Build This?
AppSec tooling is critical but underserved. Most security scanners are expensive commercial products, and the open-source alternatives focus on traditional web vulnerabilities rather than API-specific issues. Doppel fills that gap with focused, automated API security detection.