Awesome API Security

API

A collection of awesome API Security tools and resources.


The “Awesome API Security” is a github repository by @arainho_it

Awesome Repositories

NameDescription
awesome-security-apisA collective list of public JSON APIs for use in security.

Tools

NameDescription
GraphQL
BatchQLGraphQL security auditing script with a focus on performing batch GraphQL queries and mutations.
clairvoyanceObtain GraphQL API schema despite disabled introspection!
InQLInQL – A Burp Extension for GraphQL Security Testing.
GraphQLmapGraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.
graphql-path-enumTool that lists the different ways of reaching a given type in a GraphQL schema.
graphql-playgroundGraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration)
REST APIs
APICheckThe DevSecOps toolset for REST APIs.
APIClarityReconstruct Open API Specifications from real-time workload traffic seamlessly.
APIFuzzerFuzz test your application using your OpenAPI or Swagger API definition without coding.
APIKitAPIKit:Discovery, Scan and Audit APIs Toolkit All In One.
ArjunHTTP parameter discovery suite.
AstraAutomated Security Testing For REST API’s.
Automatic API Attack ToolImperva’s customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.
FirecrackerFirecracker from BLST security is an Intelligent attacker that simulates business flows in your API
ffufFast web fuzzer written in Go.
fuzzapiFuzzapi is a tool used for REST API pentesting anTnT-Fuzzerd uses API_Fuzzer gem.
gotestwafAn open-source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses
kiterunnerContextual Content Discovery Tool.
RESTlerRESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
Swagger-EZA tool geared towards pentesting APIs using OpenAPI definitions.
TnT-FuzzerOpenAPI 2.0 (Swagger) fuzzer written in python. Basically TnT for your API.
wadl-dumperDump all available paths and/or endpoints on WADL file.
fuzz-lightyearA pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing.
SOAP
WsdlerWSDL Parser extension for Burp.
wsdl-wizardWSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files.
Others
SoapUISoapUI is a free and open-source cross-platform functional testing solution for APIs and web services.

Mind maps

AuthorNameDescription
David SopasMindAPIOrganize your API security assessment by using MindAPI
Mufaddal MasalawalaIDOR TechniquesMind map: IDOR Techniques
Harsh BothraXML attacksMind map: XML attacks

Checklist

AuthorNameDescription
ShieldfyAPI-Security-ChecklistChecklist of the most important security countermeasures when designing, testing, and releasing your API.
Inon Shkedy31 days of API Security TipsThis challenge is Inon Shkedy’s 31 days API Security Tips.
APIOps CyclesAPI audit checklistAPI Audit checklist
HolyBugxanother API Security checklistHolyTips: API security checklist
Binary BrotherhoodOAuth2: Security checklistOAuth 2.0 Threat Model Pentesting Checklist

Cheatsheets

NameDescription
REST Security Cheat SheetREST Security – OWASP Cheat Sheet Series
REST Assessment Cheat SheetREST Assessment – OWASP Cheat Sheet Series
OWASP API Security Top 1042Crunch – OWASP API Security Top 10
GraphQL Cheat SheetGraphQL – OWASP Cheat Sheet Series
Microservices Security Cheat SheetMicroservices – OWASP Security Cheat Sheet
JSON Web Token Security Cheat SheetPentesterLab – JSON Web Token Security Cheat Sheet

Wiki’s, Encyclopedias, GitBook’s

NameDescription
API Security EncyclopediaAPIsecurity.io – API Security Encyclopedia
Web API PentestingHackTricks – Web API Pentesting
APIs Pentest Booksix2dez – APIs Pentest Book

Books

AuthorNameDescription
Neil MaddenAPI Security in ActionAPI Security in Action teaches you how to create secure APIs for any situation.
Corey BallHacking APIsBreaking Web Application Programming Interfaces

Training, Walkthrough, Labs

NameDescription
Kontra – OWASP Top 10 for APIIs a series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints.
Pentesting Lab: vAPIvAPI is Vulnerable Adversely Programmed Interface, Self-Hostable PHP Interface that mimics OWASP API Top 10 scenarios in the means of Exercises.
ShipFast – Practical API Security WalkthroughLearn practical Mobile and API security techniques: API Key, Static and Dynamic HMAC, Dynamic Certificate Pinning, and Mobile App Attestation.
Hacker101 CTFs – GraphQL challengesGraphQL Week on The Hacker101 Capture the Flag Challenges

Enumeration, Scanning

NameDescription
Burp enumerationUsing Burp to Enumerate a REST API
ZAP scanningScanning APIs with ZAP
w3af scanningScan REST APIs with w3af

Fuzzing, SecLists

NameDescription
Common API endpointsWordlist for common API endpoints.
List of API endpoints & objectsA list of 3203 common API endpoints and objects designed for fuzzing.
List of Swagger endpointsSwagger endpoints
SecLists for API’s web-content discoveryIt is a collection of web content discovery lists for APIs used during security assessments.
Kiterunner WordlistsKiterunner Wordlists provided by Assetnote
API Routes WordlistsAPI Routes – Automated Wordlists provided by Assetnote
API Common methodsAPI Common methods provided by fuzzdb.
GraphQL SecListIt’s a GraphQL list used during security assessments, collected in one place.

API Keys: Find and validate

NameDescription
Key-CheckerGo scripts for checking API key / access token validity.
KeyhacksKeyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they’re valid.
API Key Leaks: Tools and exploitsAn API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave it on public shares.
Private key usage verificationDriftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.

Firewalls

NameDescription
Wallarm Free API FirewallFast and light-weight API proxy firewall for request and response validation by OpenAPI specs.

Deliberately vulnerable APIs

NameDescription
APISandboxPre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose.
crAPIcompletely ridiculous API (crAPI)
Damn-Vulnerable-GraphQL-ApplicationDamn Vulnerable GraphQL Application is intentionally vulnerable implementation of Facebook’s GraphQL technology to learn and practice GraphQL Security.
DamnVulnerableMicroServicesThis is a vulnerable microservice written in many languages to demonstrating OWASP API Top Security Risk (under development)
dvws-nodeDamn Vulnerable Web Service is a vulnerable web service/API/application that we can use to learn webservices/API vulnerabilities.
Generic-UniversityVulnerable API with Laravel App
VAmPIVulnerable REST API with OWASP top 10 vulnerabilities for APIs
WebsheepWebsheep is an app based on a willingly vulnerable ReSTful APIs.

Presentations, Videos

NameDescription
pentesting-rest-apisPentesting Rest API’s by Gaurang Bhatnagar
Securing your APIs“How Secure are you APIs?” – Securing your APIs: OWASP API Top 10 2019, Case Study and Demo.
api-security-testing-for-hackersAPI Security Testing For Hackers
bad-api-hapi-hackersBad API, hAPI Hackers!
disclosing-information-via-your-apisHidden in Plain Site: Disclosing Information via Your APIs.
rest-in-peace-abusing-graphqlREST in Peace: Abusing GraphQL to Attack Underlying Infrastructure.

Playlists

NameDescription
Everything API HackingA video collection from Katie Paxton-Fear, @InsiderPhD, and other people creating a playlist of API hacking knowledge!

Podcasts

NameDescription
Hacking APIsThe Hacker Mind Podcast: Hacking APIs
Hack Your API-Security Testing21: Troy Hunt: Hack Your API-Security Testing.
The OWASP API Security ProjectErez Yalon — The OWASP API Security Project
Episode 38 API Security Best PracticesWe Hack Purple Podcast Episode 38 API Security Best Practices.

Projects

NameDescription
owasp api security projectOWASP API Security Project – API Security Top 10

Newsletters

AuthorNameDescription
42Crunchapi security articlesAPI Security Articles – The Latest API Security News, Vulnerabilities & Best Practices.

Twitter

AuthorNameDescription
42Crunch@apisecurityioAPI security news, standards, vulnerabilities, tools.

HTTP 101

NameDescription
Know your HTTP Headers!HTTP Headers: a simplified and comprehensive table.
Know your HTTP Methods!HTTP Methods: a simplified and comprehensive table.
Know your HTTP Status codes!HTTP Status codes: a simplified and comprehensive table.
HTTP Status Codeshttpstatuses.com is an easy to reference database of HTTP Status Codes with their definitions and helpful code references all in one place.
Know your HTTP * WellHTTP headers, media-types, methods, relations and status codes, all summarized and linking to their specification.

Design, Architecture, Development

NameDescription
The API Specification ToolboxThis Toolbox goal is to try and map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements.
Understanding gRPC, OpenAPI and RESTgRPC vs REST: Understanding gRPC, OpenAPI and REST and when to use them in API design
API security design best practicesAPI security design best practices for enterprise and public cloud.
REST API Design GuideThis design guide or style guide contains best practices suitable for most REST APIs.
How to design a REST APIHow to design a REST API? – Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc.
Awesome RESTA collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list.
Collect API RequirementsCollecting Requirements for your API with APIOps Cycles.
API AuditAPI Audit is a method to ensure APIs are matching the API Design guidelines. It also helps check for usability, security and API management platform compatibility.

Specifications

NameDescription
AscyncAPIAsyncAPI Specification
OpenAPIOpenAPI Specification
JSON APIJSON API Specification
GraphQLGraphQL Specification
RAMLRAML Specification

Other useful resources

NameDescription
API Security GuideAPI Security: The Definitive Guide
API Security best practices guideExpedited Security – API Security Best Practices MegaGuide
API Penetration TestingAPI Penetration Testing with OWASP 2017 Test Cases.
API Pentesting with Swagger FilesSimplifying API Pentesting With Swagger Files.
API security articlesChar49 – API security articles.
API Security TestingSpherical Defence – Principles of API Security Testing and how to perform a Security Test on an API.
How to Hack an API and Get Away with ItAPI Security Testing – How to Hack an API and Get Away with It (Part 1 of 3).
How to Hack APIs in 2021detectify – How to Hack APIs in 2021
How to Hack API in 60 minutes with Open Source ToolsHow to Hack API in 60 minutes with Open Source Tools
GraphQL penetration testingHow to exploit GraphQL endpoint: introspection, query, mutations & tools.
Fixing the 13 most common GraphQL VulnerabilitiesThe complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready.
Hacking APIs – Notes from Bug Bounty BootcampAakash Choudhary: My Notes on Hacking APIs from Bug Bounty Bootcamp.
SOAP Security Vulnerabilities and PreventionSOAP Security: Top Vulnerabilities and How to Prevent Them.
API and microservice securityA guide from PortSwigger: What are API and microservice security?
Strengthening Your API Security PostureStrengthening Your API Security Posture – Ford Motor Company.
The Fault in Our StarsSecurity Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion.

Contributors

arainho André Rainho : @arainho
akpsgit
yigblst