WASViking Docs

Modern API Security

GraphQL, SOAP/WSDL, WebSocket, and JWT analyzers in one platform, with shared discovery and shared session.

REST is the easy half of modern API coverage. WASViking® ships first-class analyzers for the protocols legacy DAST tools skip or sell as separate SKUs: GraphQL, SOAP/WSDL, WebSocket, and JWT.

GraphQL

15 detectors across three tiers.

Tier 1 surface

  • Introspection enabled (per environment policy).
  • Suggestion-mode information disclosure.
  • Verbose error responses.
  • Unbounded list arguments.
  • Deprecated field leakage.

Tier 2 authorization

  • BOLA (Broken Object-Level Authorization), CWE-639 critical.
  • Field-level authorization across sessions, CWE-863 high.
  • APQ allowlist bypass, CWE-863 critical.
  • Persisted-query bypass, CWE-639 high.

Tier 3 DoS (opt-in)

  • Depth attack with configurable threshold.
  • Alias attack.
  • Batching abuse.

DoS detectors are off by default; enable on the scan profile if your environment is safe to probe with depth and alias amplification.
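As an added defender-side illustration (not WASViking code), the following is a minimal server-side guard that enforces the three limits the Tier 3 detectors probe: selection depth, alias count, and batch size. The limits, the brace-based depth measure, and the JSON request shape are assumptions; a production service would use its GraphQL runtime's own parser rather than this lightweight scan.

```python
import json
import re

# Assumed limits (illustrative; tune per schema and environment).
MAX_DEPTH = 8       # nested selection sets
MAX_ALIASES = 10    # aliased fields per operation
MAX_BATCH = 5       # operations per HTTP request

_STRING_RE = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\])*"')
_ALIAS_RE = re.compile(r"\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*")

def _normalize(query: str) -> str:
    """Blank out string literals and drop argument/variable lists so that
    braces and colons inside them are not mistaken for selections or aliases."""
    out, level = [], 0
    for ch in _STRING_RE.sub('""', query):
        if ch == "(":
            level += 1
        elif ch == ")":
            level -= 1
        elif level == 0:
            out.append(ch)
    return "".join(out)

def selection_depth(query: str) -> int:
    """Deepest nesting of selection sets (the quantity a depth attack inflates)."""
    depth = cur = 0
    for ch in _normalize(query):
        if ch == "{":
            cur += 1
            depth = max(depth, cur)
        elif ch == "}":
            cur -= 1
    return depth

def alias_count(query: str) -> int:
    """Number of `alias: field` pairs (the quantity an alias attack inflates)."""
    return len(_ALIAS_RE.findall(_normalize(query)))

def check_request(body: str) -> dict:
    """Evaluate one raw POST body (single operation or JSON batch) and return
    a verdict; the caller rejects the request when ok is False."""
    parsed = json.loads(body)
    ops = parsed if isinstance(parsed, list) else [parsed]
    if len(ops) > MAX_BATCH:
        return {"ok": False, "reason": "batch", "batch": len(ops)}
    for op in ops:
        d, a = selection_depth(op.get("query", "")), alias_count(op.get("query", ""))
        if d > MAX_DEPTH:
            return {"ok": False, "reason": "depth", "depth": d}
        if a > MAX_ALIASES:
            return {"ok": False, "reason": "aliases", "aliases": a}
    return {"ok": True, "batch": len(ops)}
```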

SOAP / WSDL

A full WSDL 1.1 and 2.0 parser, type-aware envelope generation, and a SOAP-context extension of the rest of the analyzer catalog:

  • XXE (XML External Entity).
  • XML bomb / billion laughs.
  • XPath injection.
  • SOAPAction spoofing.
  • WS-Security bypass.
  • SOAP-context SQLi, CmdInj, and SSRF, run through the injection-class engine.
  • WSDL information disclosure: leaks of internal endpoints, type hierarchies, and operation lists.
  • Verbose fault detection.

The WSDL parser produces a typed operation map; the analyzer generates envelopes that match the schema, not random payloads.

WebSocket

11 detection classes:

  • CSWSH (Cross-Site WebSocket Hijacking).
  • No-auth upgrade (handshake accepted without credentials).
  • Token in URL (auth material reachable via referrer / proxy logs).
  • Plaintext with cookies.
  • Subprotocol downgrade.
  • Verbose error in close frames.
  • XSS via message (server echoes message content into a DOM sink).
  • Message-level SQLi / CmdInj / SSRF / JSON / Path Traversal.
  • Compression bomb (opt-in).
  • Broadcast leak (one client receives another client's data).
  • Sensitive data leak (PII / secrets in regular messages).

Validated against the WASViking test target across all 11 classes.

JWT advanced

Wave 1 and Wave 2 attacks:

  • Algorithm confusion (alg: none, HS to RS swap).
  • Weak secret recovery (offline dictionary and targeted brute force).
  • Kid confusion (path traversal in kid claim).
  • JWKS proprietary-path discovery.
  • Form-login JWT auto-discovery (detects JWT issuance on login).
  • Decoded-claim visibility (raw claim content is surfaced in the finding; a deliberate decision, for enterprise visibility under contract).
  • WAF advisory when a target rejects probes uniformly.

Shared discovery

All four analyzers consume the shared Target Discovery:

  • Headless-browser SPA crawler for endpoints behind a JS shell.
  • OpenAPI 3.x and Swagger 2.x ingest.
  • GraphQL introspection if enabled.
  • WSDL parsed from ?wsdl or an operator-supplied URL.
  • robots.txt, sitemap, and CSRF-aware login.

Discovery output feeds every analyzer, so a GraphQL endpoint discovered while crawling a REST API still gets the right tests.

Shared authenticated session

Authenticated runs establish one form-login session. The SQL Injection, XSS, JWT, GraphQL, SOAP, and WebSocket analyzers all consume the same session. One login, one session, every analyzer.

What it does not do

  • It does not generate clients (no SDK generation).
  • It does not act as a proxy to record real traffic.
  • It does not implement positive-security (allow-listing) testing.

For positive-security testing, run WASViking alongside a contract-first test suite. The combination is what mature API security looks like in practice.