A collection of awesome API Security tools and resources.
|A collective list of public JSON APIs for use in security.
|GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations.
|Obtain GraphQL API schema despite disabled introspection!
|InQL – A Burp Extension for GraphQL Security Testing.
|GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.
|Tool that lists the different ways of reaching a given type in a GraphQL schema.
|GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration)
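Added example (not code from any of the tools above): the "list the ways of reaching a given type" idea, worked over a constructed introspection result. Authorization bugs in GraphQL often hide on the second or third route to a sensitive type (a resolver on `Query.me` checks the caller, a nested field under `search` does not), so enumerating every path from the root type to, say, `AdminUser` is the first thing to do with a recovered schema. The schema fragment is constructed; type and field names in it are assumptions, but the `__schema` / `types` / `fields` / `ofType` layout is the shape a real introspection query returns.

```python
"""Enumerate every path from the root Query type to a target GraphQL type."""
from collections import deque

# Constructed sample: a trimmed introspection result with two routes to the
# sensitive AdminUser type, one of them via a list-returning search field.
SAMPLE_INTROSPECTION = {
    "__schema": {
        "queryType": {"name": "Query"},
        "types": [
            {"name": "Query", "kind": "OBJECT", "fields": [
                {"name": "me", "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
                {"name": "search", "type": {"kind": "LIST", "name": None,
                    "ofType": {"kind": "OBJECT", "name": "SearchResult", "ofType": None}}},
            ]},
            {"name": "User", "kind": "OBJECT", "fields": [
                {"name": "id", "type": {"kind": "SCALAR", "name": "ID", "ofType": None}},
                {"name": "manager", "type": {"kind": "OBJECT", "name": "AdminUser", "ofType": None}},
            ]},
            {"name": "SearchResult", "kind": "OBJECT", "fields": [
                {"name": "owner", "type": {"kind": "NON_NULL", "name": None,
                    "ofType": {"kind": "OBJECT", "name": "AdminUser", "ofType": None}}},
            ]},
            {"name": "AdminUser", "kind": "OBJECT", "fields": [
                {"name": "apiToken", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            ]},
            {"name": "String", "kind": "SCALAR", "fields": None},
            {"name": "ID", "kind": "SCALAR", "fields": None},
        ],
    }
}


def unwrap(type_ref):
    """Strip LIST / NON_NULL wrappers and return the underlying named type."""
    while type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref["name"]


def build_graph(introspection):
    """Map each object type to its outgoing edges: {type: [(field, target_type), ...]}."""
    graph = {}
    for t in introspection["__schema"]["types"]:
        if t["kind"] != "OBJECT" or not t.get("fields"):
            continue
        graph[t["name"]] = [(f["name"], unwrap(f["type"])) for f in t["fields"]]
    return graph


def paths_to_type(introspection, target, max_depth=6):
    """Breadth-first search from the root query type.

    Returns every simple path, written as 'Query.field.field', whose last
    field resolves to the target type. Types already on the path are not
    revisited, so cyclic schemas (User -> User) terminate.
    """
    graph = build_graph(introspection)
    root = introspection["__schema"]["queryType"]["name"]
    found = []
    queue = deque([(root, [root], {root})])
    while queue:
        node, path, seen = queue.popleft()
        if len(path) > max_depth:
            continue
        for field, nxt in graph.get(node, []):
            new_path = path + [field]
            if nxt == target:
                found.append(".".join(new_path))
            # Only descend into object types that have fields, and never twice.
            if nxt in graph and nxt not in seen:
                queue.append((nxt, new_path, seen | {nxt}))
    return sorted(found)


if __name__ == "__main__":
    for p in paths_to_type(SAMPLE_INTROSPECTION, "AdminUser"):
        print(p)
```

Against the sample this reports both `Query.me.manager` and `Query.search.owner`; each path is a distinct resolver chain whose access control has to be tested separately.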
|The DevSecOps toolset for REST APIs.
|Reconstruct Open API Specifications from real-time workload traffic seamlessly.
|Fuzz test your application using your OpenAPI or Swagger API definition without coding.
|APIKit: Discovery, Scan and Audit APIs Toolkit All In One.
|HTTP parameter discovery suite.
|Automated Security Testing For REST APIs.
|Automatic API Attack Tool
|Imperva’s customizable API attack tool takes an API specification as input and generates and runs attacks based on it.
|Firecracker from BLST security is an intelligent attacker that simulates business flows in your API.
|Fast web fuzzer written in Go.
|Fuzzapi is a tool used for REST API pentesting and uses the API_Fuzzer gem.
|An open-source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses
|Contextual Content Discovery Tool.
|RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
|A tool geared towards pentesting APIs using OpenAPI definitions.
|OpenAPI 2.0 (Swagger) fuzzer written in python. Basically TnT for your API.
|Dump all available paths and/or endpoints from a WADL file.
|A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing.
|WSDL Parser extension for Burp.
|WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files.
|SoapUI is a free and open-source cross-platform functional testing solution for APIs and web services.
|Organize your API security assessment by using MindAPI
|Mind map: IDOR Techniques
|Mind map: XML attacks
|Checklist of the most important security countermeasures when designing, testing, and releasing your API.
|31 days of API Security Tips
|This challenge is Inon Shkedy’s 31 days API Security Tips.
|API audit checklist
|API Audit checklist
|another API Security checklist
|HolyTips: API security checklist
|OAuth2: Security checklist
|OAuth 2.0 Threat Model Pentesting Checklist
|REST Security Cheat Sheet
|REST Security – OWASP Cheat Sheet Series
|REST Assessment Cheat Sheet
|REST Assessment – OWASP Cheat Sheet Series
|OWASP API Security Top 10
|42Crunch – OWASP API Security Top 10
|GraphQL Cheat Sheet
|GraphQL – OWASP Cheat Sheet Series
|Microservices Security Cheat Sheet
|Microservices – OWASP Security Cheat Sheet
|JSON Web Token Security Cheat Sheet
|PentesterLab – JSON Web Token Security Cheat Sheet
|API Security Encyclopedia
|APIsecurity.io – API Security Encyclopedia
|Web API Pentesting
|HackTricks – Web API Pentesting
|APIs Pentest Book
|six2dez – APIs Pentest Book
|API Security in Action
|API Security in Action teaches you how to create secure APIs for any situation.
|Breaking Web Application Programming Interfaces
|Kontra – OWASP Top 10 for API
|A series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints.
|Pentesting Lab: vAPI
|vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable PHP interface that mimics OWASP API Top 10 scenarios as exercises.
|ShipFast – Practical API Security Walkthrough
|Learn practical Mobile and API security techniques: API Key, Static and Dynamic HMAC, Dynamic Certificate Pinning, and Mobile App Attestation.
|Hacker101 CTFs – GraphQL challenges
|GraphQL Week on The Hacker101 Capture the Flag Challenges
|Using Burp to Enumerate a REST API
|Scanning APIs with ZAP
|Scan REST APIs with w3af
|Common API endpoints
|Wordlist for common API endpoints.
|List of API endpoints & objects
|A list of 3203 common API endpoints and objects designed for fuzzing.
|List of Swagger endpoints
|SecLists for API web-content discovery
|It is a collection of web content discovery lists for APIs used during security assessments.
|Kiterunner Wordlists provided by Assetnote
|API Routes Wordlists
|API Routes – Automated Wordlists provided by Assetnote
|API Common methods
|API Common methods provided by fuzzdb.
|It’s a GraphQL list used during security assessments, collected in one place.
|Go scripts for checking API key / access token validity.
|Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they’re valid.
|API Key Leaks: Tools and exploits
|An API key is a unique identifier that is used to authenticate requests associated with your project. Some developers hardcode keys in source or leave them on public shares.
|Private key usage verification
|Driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.
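Added example, written for this page rather than taken from Keyhacks or the key-leak resources above: the other half of the key-leak problem is finding hard-coded keys before they reach a public repository. The scanner below combines prefix patterns for well-known key formats (AWS access key IDs start with `AKIA`, GitHub personal access tokens with `ghp_`) with a Shannon-entropy threshold for generic `api_key = "..."` assignments, so placeholders such as `REPLACE_ME_WITH_YOUR_TOKEN` are not reported. The configuration fragment it scans is constructed; the `AKIAIOSFODNN7EXAMPLE` value is the placeholder AWS uses in its own documentation, and the threshold of 4.0 bits is an assumption tuned to that sample.

```python
"""Flag hard-coded API keys in source text with prefix patterns plus entropy."""
import math
import re
from collections import Counter

# Prefix-based patterns for well-known key formats (assumption: keys appear
# verbatim, not base64-wrapped or split across lines).
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Generic 'api_key = "..."' / 'token: ...' assignments; group 2 is the value.
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})['\"]?"),
}

# Constructed sample input for the example.
SAMPLE_SOURCE = """\
# constructed config fragment for the example
AWS_KEY=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN="ghp_abcdefghij0123456789ABCDEFGHIJ012345"
api_key = "Xk9dQ2pL7mN4vB1cZ8wR3tY6uH0sG5jE"
token = "REPLACE_ME_WITH_YOUR_TOKEN"
db_host = "localhost"
"""


def shannon_entropy(s):
    """Bits of entropy per character: random keys score high, English placeholders low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, min_entropy=4.0):
    """Return a list of (line_number, kind, candidate) for suspected hard-coded keys.

    Prefix matches are reported as-is; generic assignments must also clear the
    entropy threshold, which is what filters out human-readable placeholders.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KEY_PATTERNS.items():
            for m in pattern.finditer(line):
                candidate = m.group(2) if kind == "generic_assignment" else m.group(0)
                if kind == "generic_assignment" and shannon_entropy(candidate) < min_entropy:
                    continue
                hits.append((lineno, kind, candidate))
    return hits


if __name__ == "__main__":
    for lineno, kind, candidate in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {candidate[:8]}...")
```

Run as a pre-commit hook over staged files, this catches the two common leak paths the entry above describes (keys hard-coded in source and keys pasted into shared config). Prefix patterns have effectively no false positives; the entropy check on generic assignments trades a few misses (low-entropy real keys) for not paging on every placeholder.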
|Wallarm Free API Firewall
|Fast and light-weight API proxy firewall for request and response validation against OpenAPI specs.
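Added example, not the firewall's own code: what "validation against OpenAPI specs" buys you is a positive security model, where anything the contract does not describe is rejected instead of forwarded. The validator below matches a request against a constructed OpenAPI 3 fragment and refuses unknown paths and methods, undeclared query parameters, missing required parameters and values that fail the declared type or enum. The spec fragment, the endpoint and the requests are all assumptions made for the example; only `integer` and `string`/`enum` schemas are handled.

```python
"""Allowlist-style request validation driven by an OpenAPI 3 operation."""
import re

# Constructed OpenAPI fragment: one endpoint with a typed path parameter and
# an enumerated optional query parameter.
SPEC = {
    "paths": {
        "/users/{id}": {
            "get": {
                "parameters": [
                    {"name": "id", "in": "path", "required": True,
                     "schema": {"type": "integer"}},
                    {"name": "fields", "in": "query", "required": False,
                     "schema": {"type": "string", "enum": ["basic", "full"]}},
                ]
            }
        }
    }
}


def _match_path(spec, path):
    """Find the path template matching a concrete path; return (template, path_params)."""
    for template in spec["paths"]:
        pattern = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
        m = re.match(pattern, path)
        if m:
            return template, m.groupdict()
    return None, {}


def _check_type(value, schema):
    """Coerce a raw string value to the declared schema; None means mismatch."""
    t = schema.get("type")
    if t == "integer":
        return int(value) if re.fullmatch(r"-?\d+", value) else None
    if t == "string":
        if "enum" in schema and value not in schema["enum"]:
            return None
        return value
    return None  # other schema types are out of scope for this example


def validate_request(spec, method, path, query):
    """Return (allowed, reason). `query` is a dict of already-parsed query parameters."""
    template, path_params = _match_path(spec, path)
    if template is None:
        return False, "unknown path"
    op = spec["paths"][template].get(method.lower())
    if op is None:
        return False, "method not allowed for path"
    declared = {p["name"]: p for p in op.get("parameters", [])}
    # Positive security model: a query parameter the contract never mentions is denied.
    for name in query:
        if name not in declared or declared[name]["in"] != "query":
            return False, f"undeclared query parameter: {name}"
    for name, p in declared.items():
        source = path_params if p["in"] == "path" else query
        if name not in source:
            if p.get("required"):
                return False, f"missing required parameter: {name}"
            continue
        if _check_type(source[name], p["schema"]) is None:
            return False, f"invalid value for parameter: {name}"
    return True, "ok"


if __name__ == "__main__":
    for method, path, query in [
        ("GET", "/users/42", {}),
        ("GET", "/users/42 OR 1=1", {}),
        ("GET", "/users/42", {"debug": "1"}),
        ("DELETE", "/users/42", {}),
    ]:
        print(method, path, query, "->", validate_request(SPEC, method, path, query))
```

The injection-shaped path `/users/42 OR 1=1` never reaches the backend because `id` is declared as an integer, and a stray `debug=1` is refused because the contract does not list it. The trade-off of this model is operational: every legitimate parameter has to be in the spec, which is exactly why the traffic-to-spec reconstruction tools listed earlier are useful before deploying such a firewall.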
|Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose.
|completely ridiculous API (crAPI)
|Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook’s GraphQL technology to learn and practice GraphQL security.
|A vulnerable microservice written in many languages to demonstrate the OWASP API Security Top 10 risks (under development).
|Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn web service and API vulnerabilities.
|Vulnerable API with Laravel App
|Vulnerable REST API with OWASP top 10 vulnerabilities for APIs
|Websheep is an app based on willingly vulnerable RESTful APIs.
|Pentesting REST APIs by Gaurang Bhatnagar
|Securing your APIs
|“How Secure are your APIs?” – Securing your APIs: OWASP API Top 10 2019, Case Study and Demo.
|API Security Testing For Hackers
|Bad API, hAPI Hackers!
|Hidden in Plain Site: Disclosing Information via Your APIs.
|REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure.
|Everything API Hacking
|A video collection from Katie Paxton-Fear, @InsiderPhD, and other people creating a playlist of API hacking knowledge!
|The Hacker Mind Podcast: Hacking APIs
|Hack Your API-Security Testing
|21: Troy Hunt: Hack Your API-Security Testing.
|The OWASP API Security Project
|Erez Yalon — The OWASP API Security Project
|Episode 38 API Security Best Practices
|We Hack Purple Podcast Episode 38 API Security Best Practices.
|OWASP API Security Project
|OWASP API Security Project – API Security Top 10
|API Security Articles
|API Security Articles – The Latest API Security News, Vulnerabilities & Best Practices.
|API security news, standards, vulnerabilities, tools.
|Know your HTTP Headers!
|HTTP Headers: a simplified and comprehensive table.
|Know your HTTP Methods!
|HTTP Methods: a simplified and comprehensive table.
|Know your HTTP Status codes!
|HTTP Status codes: a simplified and comprehensive table.
|HTTP Status Codes
|httpstatuses.com is an easy to reference database of HTTP Status Codes with their definitions and helpful code references all in one place.
|Know your HTTP * Well
|HTTP headers, media-types, methods, relations and status codes, all summarized and linking to their specification.
|The API Specification Toolbox
|The goal of this Toolbox is to map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements around them.
|Understanding gRPC, OpenAPI and REST
|gRPC vs REST: Understanding gRPC, OpenAPI and REST and when to use them in API design
|API security design best practices
|API security design best practices for enterprise and public cloud.
|REST API Design Guide
|This design guide or style guide contains best practices suitable for most REST APIs.
|How to design a REST API
|How to design a REST API? – Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc.
|A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list.
|Collect API Requirements
|Collecting Requirements for your API with APIOps Cycles.
|API Audit is a method to ensure APIs are matching the API Design guidelines. It also helps check for usability, security and API management platform compatibility.
|JSON API Specification
|API Security Guide
|API Security: The Definitive Guide
|API Security best practices guide
|Expedited Security – API Security Best Practices MegaGuide
|API Penetration Testing
|API Penetration Testing with OWASP 2017 Test Cases.
|API Pentesting with Swagger Files
|Simplifying API Pentesting With Swagger Files.
|API security articles
|Char49 – API security articles.
|API Security Testing
|Spherical Defence – Principles of API Security Testing and how to perform a Security Test on an API.
|How to Hack an API and Get Away with It
|API Security Testing – How to Hack an API and Get Away with It (Part 1 of 3).
|How to Hack APIs in 2021
|detectify – How to Hack APIs in 2021
|How to Hack API in 60 minutes with Open Source Tools
|How to Hack API in 60 minutes with Open Source Tools
|GraphQL penetration testing
|How to exploit GraphQL endpoint: introspection, query, mutations & tools.
|Fixing the 13 most common GraphQL Vulnerabilities
|The complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready.
|Hacking APIs – Notes from Bug Bounty Bootcamp
|Aakash Choudhary: My Notes on Hacking APIs from Bug Bounty Bootcamp.
|SOAP Security Vulnerabilities and Prevention
|SOAP Security: Top Vulnerabilities and How to Prevent Them.
|API and microservice security
|A guide from PortSwigger: What are API and microservice security?
|Strengthening Your API Security Posture
|Strengthening Your API Security Posture – Ford Motor Company.
|The Fault in Our Stars
|Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion.
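Added example, written for this page and not code from the talk above: the mechanism behind the "wildcard expansion" concern. API Gateway can cache a Lambda authorizer's policy for the authorizer result TTL and re-evaluate that same policy for later requests presenting the same token, so an authorizer that answers with `Resource: "*"` has effectively granted every method and path of the API after one successful check. The code builds the execute-api ARN for a request, contrasts the wildcard policy with one scoped to the caller's entitlements, and evaluates both with a minimal IAM matcher (explicit Deny wins, then any matching Allow, else implicit deny). The region, account, API id, routes and the two-request scenario are constructed; the ARN layout follows the documented `arn:aws:execute-api:region:account:api-id/stage/METHOD/path` form.

```python
"""Scope a Lambda authorizer policy to the caller's routes instead of '*'."""
from fnmatch import fnmatchcase

# Constructed sample: one API, a caller whose token entitles only GET /users/me,
# and a later request that reuses the cached authorizer result.
REGION, ACCOUNT, API_ID, STAGE = "us-east-1", "123456789012", "abc123", "prod"
ENTITLED = [("GET", "/users/me")]


def method_arn(region, account, api_id, stage, http_method, path):
    """execute-api ARN: arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{METHOD}/{path}."""
    return (f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/"
            f"{http_method.upper()}/{path.lstrip('/')}")


FIRST_REQUEST = method_arn(REGION, ACCOUNT, API_ID, STAGE, "GET", "/users/me")
LATER_REQUEST = method_arn(REGION, ACCOUNT, API_ID, STAGE, "DELETE", "/admin/users/1")


def wildcard_policy(principal):
    """The risky shape: whatever the caller asks for next is allowed."""
    return {"principalId": principal, "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": "*"}]}}


def scoped_policy(principal, entitled):
    """Allow exactly the method ARNs this principal may call; everything else is
    implicitly denied, so a cached copy cannot be replayed against other routes."""
    arns = [method_arn(REGION, ACCOUNT, API_ID, STAGE, m, p) for m, p in entitled]
    return {"principalId": principal, "policyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": sorted(arns)}]}}


def is_allowed(policy, arn):
    """Minimal IAM evaluation for execute-api:Invoke. Resource patterns use the
    '*' and '?' wildcards IAM understands (ARNs contain no other glob characters)."""
    def matches(statement):
        resources = statement["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        return any(fnmatchcase(arn, r) for r in resources)

    statements = policy["policyDocument"]["Statement"]
    if any(s["Effect"] == "Deny" and matches(s) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and matches(s) for s in statements)


def simulate_cached_reuse(policy):
    """Evaluate one cached policy document against the request that produced it
    and against a later request presenting the same token."""
    return {"first": is_allowed(policy, FIRST_REQUEST), "later": is_allowed(policy, LATER_REQUEST)}


if __name__ == "__main__":
    print("wildcard:", simulate_cached_reuse(wildcard_policy("user-42")))
    print("scoped:  ", simulate_cached_reuse(scoped_policy("user-42", ENTITLED)))
```

The wildcard document answers `True` for both requests, the scoped one only for the first. Returning the caller's full entitlement set (rather than just the `methodArn` of the current request) keeps the cache useful without widening it; if entitlements are too dynamic to enumerate, shorten the authorizer TTL or disable caching instead of reaching for `*`.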
Author: André Rainho (@arainho)