April 6th, 2026

New

Capability

Introducing Vespasian: API Discovery and Specification Generation

Map Any API Attack Surface — No Documentation Required

Penetration testers know the problem: the client says "test our APIs" but hands you a login and nothing else. No OpenAPI spec. No Postman collection. No documentation. Vespasian — now open source — solves this. It captures live traffic from web applications, classifies API calls, and generates structured specifications for REST (OpenAPI 3.0), GraphQL (SDL), and SOAP (WSDL) — giving you a complete map of the API attack surface from nothing but a URL.

How It Works

Vespasian uses a two-stage pipeline that separates traffic capture from specification generation:

  1. Capture — Drive a headless browser through the target application with full JavaScript execution and authentication injection. Every HTTP request the frontend makes is recorded. Alternatively, import existing traffic from Burp Suite XML, HAR archives, or mitmproxy captures.

  2. Generate — Classify captured requests as API calls using content-type, path heuristics, HTTP methods, and response structure. Auto-detect the API type — or specify it explicitly. Probe discovered endpoints for enrichment. Output structured specifications in the native format for each type.

This separation means you capture once, generate many. Run different generators against the same capture without re-scanning. The capture file is inspectable JSON you can review and debug.

Three Output Formats

  • OpenAPI 3.0 for REST — Path normalization (/users/42 becomes /users/{id}), schema inference from response bodies, parameter extraction from query strings.

  • GraphQL SDL — Tiered introspection with 3 query levels to get past WAFs that protect the server. Falls back to traffic-based schema inference when introspection is disabled entirely.

  • WSDL for SOAP — Identifies SOAP services via SOAPAction headers and envelope detection, fetches and parses WSDL documents.

Key Capabilities

  • API Type Auto-Detection — Automatically determines REST, GraphQL, or SOAP from captured traffic. No manual selection needed.

  • Multi-Source Import — Reuse traffic from Burp Suite XML, HAR 1.2, and mitmproxy. No re-scanning needed.

  • Active Probing — OPTIONS discovery, JSON schema inference, WSDL document fetching, and GraphQL introspection enrich discovered endpoints.

  • SSRF Protection — Blocks probing of private and loopback addresses by default. Use --dangerous-allow-private for internal targets.

  • Confidence Scoring — Configurable classification confidence thresholds filter noise from legitimate API calls.
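
The SSRF Protection behaviour listed above, sketched as an added Go example; it is not Vespasian's own code. The names probeAllowed, isInternal and fakeDNS and the sample hosts are assumptions constructed for illustration, and the check goes slightly beyond the bullet by also rejecting link-local and unspecified addresses.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

var errBlocked = errors.New("probe target is a non-public address")

// isInternal covers loopback and private ranges plus link-local and unspecified.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// probeAllowed decides whether an active probe may be sent to rawURL.
// allowPrivate models an explicit opt-in like --dangerous-allow-private;
// lookup is injected so the check can be exercised offline (net.LookupIP fits).
func probeAllowed(rawURL string, allowPrivate bool, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(rawURL)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("not a probeable http(s) URL: %q", rawURL)
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal, so resolve the name
		if ips, err = lookup(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve %s", host)
		}
	}
	for _, ip := range ips { // any internal record blocks the whole host
		if isInternal(ip) && !allowPrivate {
			return fmt.Errorf("%w: %s -> %s", errBlocked, host, ip)
		}
	}
	return nil
}

// fakeDNS is a constructed resolver standing in for real DNS.
func fakeDNS(host string) ([]net.IP, error) {
	return map[string][]net.IP{
		"api.example.com":   {net.ParseIP("203.0.113.10")},
		"intra.example.com": {net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")},
	}[host], nil
}

func main() {
	for _, t := range []string{"https://api.example.com/v1", "http://intra.example.com/", "http://[::ffff:127.0.0.1]:8080/"} {
		fmt.Println(t, "->", probeAllowed(t, false, fakeDNS))
	}
}
```

A check done before connecting still leaves a DNS rebinding window, so a real prober should connect to the address it validated rather than resolving the name a second time.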

Vespasian + Hadrian = Complete API Security

Vespasian discovers the attack surface. Hadrian tests it for vulnerabilities. Together they form a pipeline that takes you from "no documentation" to "proven authorization vulnerabilities" — without asking the client for anything beyond a login.

Open Source

Vespasian is fully open source at github.com/praetorian-inc/vespasian. Install with a single command:

go install github.com/praetorian-inc/vespasian/cmd/vespasian@latest

Or scan an application end-to-end:

vespasian scan https://app.example.com -o api.yaml

How It Fits Into Guard

Vespasian runs as a Guard Platform capability, feeding discovered API endpoints and generated specifications directly into your attack surface inventory. When paired with Hadrian, the complete API discovery-to-testing pipeline operates within Guard — endpoints discovered, specs generated, authorization tested, findings triaged — all in one platform.

Documentation

https://docs.praetorian.com/en/articles/2168486-vespasian-api-discovery-and-specification-generation