Security

Multi-protocol API security testing, self-hosted.
Burp for the non-HTTP protocols — schema-aware, Apache-2.0-licensed.

Bowire's discovery, recording, and replay primitives extend into vulnerability scanning — one workbench, one CLI, one CI job for every protocol on the wire.

Why a new lane

Every incumbent owns one transport. Bowire's sweet-spot is the intersection three other tools leave open — multi-protocol-native, schema-aware via the frame-semantics layer, with recordings as the template format.

Multi-protocol-native

Burp Suite Pro and OWASP ZAP are HTTP-zentric — gRPC needs plugins plus manual .proto wiring; SignalR, WebSocket, MQTT have at best community-contributed half-solutions. Bowire hits a gRPC service via reflection, a SignalR hub via its typed methods, an OData endpoint via $metadata, an MQTT broker via topic enumeration — each in the protocol's own dialect, not as a polyfill over HTTP.

Schema-aware

The Phase-3 frame-semantics framework already classifies fields by kind (coordinate.latitude, image.bytes, audio.bytes, timestamp, …). A schema-aware fuzzer knows not to throw SQL injection at a latitude field, knows that image.bytes deserves magic-byte mutation instead of XSS payloads, knows that audio.sample-rate is a numeric integer and not a string. No incumbent has this for non-HTTP protocols.

Recording ≡ template

Every Bowire recording carries the same shape bowire scan consumes. Add attack: true, a vulnerability metadata block, and a vulnerableWhen predicate — that is the vulnerability template format. Same replay engine the mock server uses, just with the direction flipped. Version it, review it in a PR, replay it deterministically across detector drift.

Self-hosted, Apache-2.0-licensed

No SaaS subscription, no seat counting, no data leaving your network. The 42Crunch / Salt / Bright lane is enterprise APIsec posture-management as a service — Bowire is the OSS, on-prem alternative that runs in your CI on your runners against your APIs. Free for any use including commercial.

Three lines, one scan

Install the CLI, point it at a target, read the findings. Same binary as the rest of Bowire — scan is just another subcommand alongside list, call, and mock.

bash copy & run 
# 1. Install the Bowire CLI (any platform with .NET 10)
dotnet tool install -g Kuestenlogik.Bowire.Tool

# 2. Run the built-in checks + the seed corpus against your target
bowire scan --target https://api.example.com --templates docs/security/examples --out findings.sarif

# 3. Filter to the findings you actually want to fail a build on
bowire scan --target https://api.example.com --severity high

Findings stream to the console as a table; --out findings.sarif emits SARIF 2.1.0 ready for GitHub Code Scanning, GitLab Security Dashboard, or Azure DevOps. --no-builtins turns off the built-in TLS / banner / verbose-error checks if you only want corpus templates to fire.

Read the security-testing ADR →

What it checks today

Three built-in passive checks fire on every run; three seed templates demonstrate the recording-as-attack-replay format. Everything below is shipped — the corpus grows from here.

Built-in passive checks

  • TLS version enumeration — drives raw SslStream handshakes against TLS 1.0 / 1.1 / 1.2 / 1.3 in sequence. Accepted handshakes on deprecated versions surface as high-severity findings (CWE-326, downgrade-attack vector). Plain http:// targets short-circuit to a single high-severity finding.
  • Banner / version disclosure — single GET on the target root, scans for Server / X-Powered-By / X-AspNet-Version / X-AspNetMvc-Version / Via headers. Each disclosed header becomes its own SARIF rule so dashboards group correctly.
  • Verbose error detection — three probes that trip default error pages (random path → 404, null-byte URL → 500, malformed query → 4xx). Bodies are regex-scanned for the canonical stack-trace and framework-banner markers (CWE-209, medium severity).

Seed corpus templates

  • gRPC Server Reflection in production (high) — leaks the entire service catalogue and method signatures to anyone who can reach the port. grpc-server-reflection.json
  • GraphQL __schema introspection (medium) — every public schema field becomes an attack-surface map for the caller. Most frameworks ship it on. graphql-introspection.json
  • REST missing baseline security headers (low) — the "do you have security-headers middleware wired?" check. Misses on X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Content-Security-Policy. rest-missing-security-headers.json

Every template is a regular BowireRecording JSON file with three additional fields the scanner consumes — attack: true, a vulnerability metadata block, and a vulnerableWhen predicate. Template format reference →

Wired into CI

SARIF in, GitHub Security tab out. A reusable GitHub Actions workflow ships with the repo — call it from any pipeline, findings land in the calling repo's Code Scanning view.

yaml .github/workflows/security.yml 
# Call the reusable workflow from any repo
jobs:
  scan:
    uses: Kuestenlogik/Bowire/.github/workflows/scan-template.yml@main
    with:
      target: https://staging.api.example.com
      corpus: docs/security/examples
      severity: medium

The workflow installs the CLI, runs the scan, uploads findings.sarif both as a build artifact and via github/codeql-action/upload-sarif@v3 so each finding becomes a Code Scanning alert with stable rule IDs, severity, and remediation copy. View the workflow file →

Roadmap

Four capability tiers from the ADR. Each tier is sellable on its own; the upper tiers compound on the lower ones. Tier 1 anchors the lane today.

  • Tier 1 — Foundation shipped

    The minimum that makes Bowire a credible security tool: bowire scan subcommand, predicate engine, three seed templates, SARIF output, built-in TLS / banner / verbose-error checks. Authentication profile and scope-awareness still on the list.

  • Tier 2 — Specialty partial — toolkit + seed corpus shipped

    Shipped: JWT toolkit (bowire jwt decode, bowire jwt tamper) and the first multi-protocol attack templates (gRPC Server-Reflection, GraphQL __schema introspection, REST missing-security-headers) plus the built-in TLS / banner / verbose-error passive checks. Still on the list: schema-aware fuzzing driven by the frame-semantics layer, SignalR brute-force and MQTT topic-enumeration templates, and the kuestenlogik/bowire-vulndb community-corpus repo with per-PR CI validation.

  • Tier 3 — Pro-grade catch-up partial — intercepting proxy + GitHub Action shipped

    Shipped: the intercepting proxy with HTTPS MITM via a self-minted root CA (CONNECT-tunnel hijack, raw TcpListener + SslStream, leaf-cert cache), workbench-side Proxy view with live SSE flow stream and one-click "send to recording", and the reusable scan-template.yml GitHub Action that consuming repos pull in via uses:. Still on the list: active fuzzer with curated wordlists, sensitive-data scanner (PII / API keys / JWTs), proxy-level breakpoints with conditional pass-through, BOLA / BFLA two-token tests.

  • Tier 4 — Differentiation distinct from DAST

    AI-assisted threat modeling via the existing MCP surface, recording-driven security regression tests, multi-protocol attack chains as recordings, automatic OWASP API Top 10 / CWE / CVSS scoring in the SARIF and HTML reports.

Full plan: security-testing ADR on GitHub →

Run a scan

The Tier-1 anchor is in your hands today. Read the ADR, pull the templates, point bowire scan at staging.

Read the ADR Browse the seed corpus See the source

Found a template gap? Bring it to the crew →