{
  "_comment": "Example API response from a security scan",
  "scan_id": "api-scan-2024-10-27-123456",
  "target_url": "https://example.com/api/v1",
  "scan_start_time": "2024-10-27T14:00:00Z",
  "scan_end_time": "2024-10-27T14:15:00Z",
  "scan_status": "completed",
  "vulnerabilities": [
    {
      "vulnerability_id": "API1:2023 Broken Object Level Authorization",
      "name": "Broken Object Level Authorization",
      "severity": "High",
      "description": "API endpoints are vulnerable to broken object level authorization. Attackers can access objects belonging to other users by manipulating object IDs.",
      "owasp_category": "OWASP API Security Top 10",
      "cwe_id": "CWE-285",
      "affected_endpoint": "/users/{user_id}",
      "http_method": "GET",
      "parameter": "user_id",
      "payload": "12345",
      "evidence": "Returned user data for user_id 98765 when authenticated as user_id 12345.",
      "remediation": "Implement proper authorization checks to ensure users can only access objects they own or have permission to access.  Use parameterized queries and avoid direct object references.  Consider using a Role-Based Access Control (RBAC) system.",
      "references": [
        "https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/",
        "https://cwe.mitre.org/data/definitions/285.html"
      ],
      "status": "open"
    },
    {
      "vulnerability_id": "API4:2023 Unrestricted Resource Consumption",
      "name": "Unrestricted Resource Consumption",
      "severity": "Medium",
      "description": "API is vulnerable to unrestricted resource consumption.  Attackers can exhaust server resources by sending a large number of requests or large payloads.",
      "owasp_category": "OWASP API Security Top 10",
      "cwe_id": "CWE-400",
      "affected_endpoint": "/search",
      "http_method": "POST",
      "parameter": "query",
      "payload": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
      "evidence": "Server response time increased significantly after sending a large number of requests with large payloads.",
      "remediation": "Implement rate limiting, pagination, and input validation to prevent resource exhaustion. Consider using a Content Delivery Network (CDN) to cache static content.",
      "references": [
        "https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-access-to-sensitive-business-flows/",
        "https://cwe.mitre.org/data/definitions/400.html"
      ],
      "status": "open"
    },
    {
      "_comment": "Example of a low severity issue",
      "vulnerability_id": "API9:2023 Improper Assets Management",
      "name": "Improper Assets Management",
      "severity": "Low",
      "description": "API lacks proper assets management.  Debug endpoints are exposed in production.",
      "owasp_category": "OWASP API Security Top 10",
      "cwe_id": "CWE-1173",
      "affected_endpoint": "/debug/healthcheck",
      "http_method": "GET",
      "parameter": null,
      "payload": null,
      "evidence": "Debug endpoint /debug/healthcheck is accessible without authentication in production.",
      "remediation": "Disable or remove debug endpoints from production environment. Implement proper authentication and authorization for sensitive endpoints.",
      "references": [
        "https://owasp.org/API-Security/editions/2023/en/0xa9-improper-assets-management/",
        "https://cwe.mitre.org/data/definitions/1173.html"
      ],
      "status": "open"
    }
  ],
  "scan_summary": {
    "total_vulnerabilities": 3,
    "high_severity": 1,
    "medium_severity": 1,
    "low_severity": 1,
    "info_severity": 0
  }
}