Outshift Logo


3 min read

Blog thumbnail
Published on 04/25/2023
Last updated on 03/21/2024

APIClarity: Detecting Zombie APIs



This blog is part of the APIClarity How-To Series.

Detecting Zombie APIs

In this blog, I’ll demonstrate how APIClarity detects and reports zombie APIs for an application. For review, a zombie API is a deprecated API that is still accepted by an application and can present a potential attack vector because it may not have the same level of updated security or scrutiny that officially supported APIs have. Therefore, identifying and removing zombie API support from an application is critical. 

Behind the Scenes

Throughout the APIClarity blog series, we’ve been using Sock Shop as our sample microservice application. See the installation blog for specifics on setting up APIClarity with Sock Shop.

In order to illustrate APIClarity reporting a zombie API, I’ve uploaded an OpenAPI spec for the catalogue service, but this time I’ve marked one of the catalogue APIs as deprecated in the spec before uploading it. The deprecated catalogue API endpoint is “/catalogue/{id}.”  Therefore, any API calls to that endpoint will be flagged as zombies by APIClarity. 

See the “Generate Traffic” section of the installation blog for details on how to generate traffic.

Detecting Zombies 

In order to detect zombie APIs, APIClarity first needs to know the list of acceptable APIs for an application. This can either be from an uploaded OpenAPI spec, or a reconstructed one.  Any APIs that are deprecated in the spec will be monitored for potential zombie calls. Note that I’m not aware of an easy way to mark APIs as deprecated in a reconstructed spec, short of downloading it, marking the APIs deprecated, and uploading the spec again. 

APIClarity reports zombie APIs with this (suitably creepy) symbol:


Zombie APIs will be reported on the APIClarity dashboard UI (if they happened recently), or from the API Events UI.  Below is an example of a zombie API being reported on the dashboard (circled in green in Figure 1). 

Zombie API Reported on Dashboard UI
Figure 1: Zombie API Reported on Dashboard UI

And this is an example API event being reported as a zombie API (circled in green in Figure 2).

Zombie API Reported for API Event
Figure 2: Zombie API Reported for API Event

Killing Zombies 

If an API is labeled a zombie and you’d like to make it legitimate, you’d have to remove the deprecated label from that API in the OpenAPI spec. This is not the typical lifecycle of an API, though. Generally, there’s a plan to eventually remove support for deprecated APIs, and given the increasingly sophisticated API attacks in the cloud, the sooner the zombies are killed, the better. 


We’ve now seen how to detect zombie APIs with APIClarity, and how important it is to kill zombies as soon as possible. 

Next up in the blog series, we’ll take a look at using APIClarity's Trace Analyzer! 

Anne McCormick is a cloud architect and open-source advocate in Cisco’s Emerging Technology & Incubation organization. 

Subscribe card background
Subscribe to
the Shift!

Get emerging insights on emerging technology straight to your inbox.

Unlocking Multi-Cloud Security: Panoptica's Graph-Based Approach

Discover why security teams rely on Panoptica's graph-based technology to navigate and prioritize risks across multi-cloud landscapes, enhancing accuracy and resilience in safeguarding diverse ecosystems.

the Shift
emerging insights
on emerging technology straight to your inbox.

The Shift keeps you at the forefront of cloud native modern applications, application security, generative AI, quantum computing, and other groundbreaking innovations that are shaping the future of technology.

Outshift Background