A collection of awesome API Security tools and resources.
The “Awesome API Security” is a github repository by @arainho_it
Awesome Repositories
| Name | Description |
|---|---|
| awesome-security-apis | A collective list of public JSON APIs for use in security. |
Tools
| Name | Description |
|---|---|
| GraphQL | |
| BatchQL | GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations. |
| clairvoyance | Obtain GraphQL API schema despite disabled introspection! |
| InQL | InQL – A Burp Extension for GraphQL Security Testing. |
| GraphQLmap | GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. |
| graphql-path-enum | Tool that lists the different ways of reaching a given type in a GraphQL schema. |
| graphql-playground | GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration) |
| REST APIs | |
| APICheck | The DevSecOps toolset for REST APIs. |
| APIClarity | Reconstruct Open API Specifications from real-time workload traffic seamlessly. |
| APIFuzzer | Fuzz test your application using your OpenAPI or Swagger API definition without coding. |
| APIKit | APIKit:Discovery, Scan and Audit APIs Toolkit All In One. |
| Arjun | HTTP parameter discovery suite. |
| Astra | Automated Security Testing For REST API’s. |
| Automatic API Attack Tool | Imperva’s customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output. |
| Firecracker | Firecracker from BLST security is an Intelligent attacker that simulates business flows in your API |
| ffuf | Fast web fuzzer written in Go. |
| fuzzapi | Fuzzapi is a tool used for REST API pentesting anTnT-Fuzzerd uses API_Fuzzer gem. |
| gotestwaf | An open-source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses |
| kiterunner | Contextual Content Discovery Tool. |
| RESTler | RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. |
| Swagger-EZ | A tool geared towards pentesting APIs using OpenAPI definitions. |
| TnT-Fuzzer | OpenAPI 2.0 (Swagger) fuzzer written in python. Basically TnT for your API. |
| wadl-dumper | Dump all available paths and/or endpoints on WADL file. |
| fuzz-lightyear | A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing. |
| SOAP | |
| Wsdler | WSDL Parser extension for Burp. |
| wsdl-wizard | WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files. |
| Others | |
| SoapUI | SoapUI is a free and open-source cross-platform functional testing solution for APIs and web services. |
Mind maps
| Author | Name | Description |
|---|---|---|
| David Sopas | MindAPI | Organize your API security assessment by using MindAPI |
| Mufaddal Masalawala | IDOR Techniques | Mind map: IDOR Techniques |
| Harsh Bothra | XML attacks | Mind map: XML attacks |
Checklist
| Author | Name | Description |
|---|---|---|
| Shieldfy | API-Security-Checklist | Checklist of the most important security countermeasures when designing, testing, and releasing your API. |
| Inon Shkedy | 31 days of API Security Tips | This challenge is Inon Shkedy’s 31 days API Security Tips. |
| APIOps Cycles | API audit checklist | API Audit checklist |
| HolyBugx | another API Security checklist | HolyTips: API security checklist |
| Binary Brotherhood | OAuth2: Security checklist | OAuth 2.0 Threat Model Pentesting Checklist |
Cheatsheets
| Name | Description |
|---|---|
| REST Security Cheat Sheet | REST Security – OWASP Cheat Sheet Series |
| REST Assessment Cheat Sheet | REST Assessment – OWASP Cheat Sheet Series |
| OWASP API Security Top 10 | 42Crunch – OWASP API Security Top 10 |
| GraphQL Cheat Sheet | GraphQL – OWASP Cheat Sheet Series |
| Microservices Security Cheat Sheet | Microservices – OWASP Security Cheat Sheet |
| JSON Web Token Security Cheat Sheet | PentesterLab – JSON Web Token Security Cheat Sheet |
Wiki’s, Encyclopedias, GitBook’s
| Name | Description |
|---|---|
| API Security Encyclopedia | APIsecurity.io – API Security Encyclopedia |
| Web API Pentesting | HackTricks – Web API Pentesting |
| APIs Pentest Book | six2dez – APIs Pentest Book |
Books
| Author | Name | Description |
|---|---|---|
| Neil Madden | API Security in Action | API Security in Action teaches you how to create secure APIs for any situation. |
| Corey Ball | Hacking APIs | Breaking Web Application Programming Interfaces |
Training, Walkthrough, Labs
| Name | Description |
|---|---|
| Kontra – OWASP Top 10 for API | Is a series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints. |
| Pentesting Lab: vAPI | vAPI is Vulnerable Adversely Programmed Interface, Self-Hostable PHP Interface that mimics OWASP API Top 10 scenarios in the means of Exercises. |
| ShipFast – Practical API Security Walkthrough | Learn practical Mobile and API security techniques: API Key, Static and Dynamic HMAC, Dynamic Certificate Pinning, and Mobile App Attestation. |
| Hacker101 CTFs – GraphQL challenges | GraphQL Week on The Hacker101 Capture the Flag Challenges |
Enumeration, Scanning
| Name | Description |
|---|---|
| Burp enumeration | Using Burp to Enumerate a REST API |
| ZAP scanning | Scanning APIs with ZAP |
| w3af scanning | Scan REST APIs with w3af |
Fuzzing, SecLists
| Name | Description |
|---|---|
| Common API endpoints | Wordlist for common API endpoints. |
| List of API endpoints & objects | A list of 3203 common API endpoints and objects designed for fuzzing. |
| List of Swagger endpoints | Swagger endpoints |
| SecLists for API’s web-content discovery | It is a collection of web content discovery lists for APIs used during security assessments. |
| Kiterunner Wordlists | Kiterunner Wordlists provided by Assetnote |
| API Routes Wordlists | API Routes – Automated Wordlists provided by Assetnote |
| API Common methods | API Common methods provided by fuzzdb. |
| GraphQL SecList | It’s a GraphQL list used during security assessments, collected in one place. |
API Keys: Find and validate
| Name | Description |
|---|---|
| Key-Checker | Go scripts for checking API key / access token validity. |
| Keyhacks | Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they’re valid. |
| API Key Leaks: Tools and exploits | An API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave it on public shares. |
| Private key usage verification | Driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user. |
Firewalls
| Name | Description |
|---|---|
| Wallarm Free API Firewall | Fast and light-weight API proxy firewall for request and response validation by OpenAPI specs. |
Deliberately vulnerable APIs
| Name | Description |
|---|---|
| APISandbox | Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose. |
| crAPI | completely ridiculous API (crAPI) |
| Damn-Vulnerable-GraphQL-Application | Damn Vulnerable GraphQL Application is intentionally vulnerable implementation of Facebook’s GraphQL technology to learn and practice GraphQL Security. |
| DamnVulnerableMicroServices | This is a vulnerable microservice written in many languages to demonstrating OWASP API Top Security Risk (under development) |
| dvws-node | Damn Vulnerable Web Service is a vulnerable web service/API/application that we can use to learn webservices/API vulnerabilities. |
| Generic-University | Vulnerable API with Laravel App |
| VAmPI | Vulnerable REST API with OWASP top 10 vulnerabilities for APIs |
| Websheep | Websheep is an app based on a willingly vulnerable ReSTful APIs. |
Presentations, Videos
| Name | Description |
|---|---|
| pentesting-rest-apis | Pentesting Rest API’s by Gaurang Bhatnagar |
| Securing your APIs | “How Secure are you APIs?” – Securing your APIs: OWASP API Top 10 2019, Case Study and Demo. |
| api-security-testing-for-hackers | API Security Testing For Hackers |
| bad-api-hapi-hackers | Bad API, hAPI Hackers! |
| disclosing-information-via-your-apis | Hidden in Plain Site: Disclosing Information via Your APIs. |
| rest-in-peace-abusing-graphql | REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure. |
Playlists
| Name | Description |
|---|---|
| Everything API Hacking | A video collection from Katie Paxton-Fear, @InsiderPhD, and other people creating a playlist of API hacking knowledge! |
Podcasts
| Name | Description |
|---|---|
| Hacking APIs | The Hacker Mind Podcast: Hacking APIs |
| Hack Your API-Security Testing | 21: Troy Hunt: Hack Your API-Security Testing. |
| The OWASP API Security Project | Erez Yalon — The OWASP API Security Project |
| Episode 38 API Security Best Practices | We Hack Purple Podcast Episode 38 API Security Best Practices. |
Projects
| Name | Description |
|---|---|
| owasp api security project | OWASP API Security Project – API Security Top 10 |
Newsletters
| Author | Name | Description |
|---|---|---|
| 42Crunch | api security articles | API Security Articles – The Latest API Security News, Vulnerabilities & Best Practices. |
| Author | Name | Description |
|---|---|---|
| 42Crunch | @apisecurityio | API security news, standards, vulnerabilities, tools. |
HTTP 101
| Name | Description |
|---|---|
| Know your HTTP Headers! | HTTP Headers: a simplified and comprehensive table. |
| Know your HTTP Methods! | HTTP Methods: a simplified and comprehensive table. |
| Know your HTTP Status codes! | HTTP Status codes: a simplified and comprehensive table. |
| HTTP Status Codes | httpstatuses.com is an easy to reference database of HTTP Status Codes with their definitions and helpful code references all in one place. |
| Know your HTTP * Well | HTTP headers, media-types, methods, relations and status codes, all summarized and linking to their specification. |
Design, Architecture, Development
| Name | Description |
|---|---|
| The API Specification Toolbox | This Toolbox goal is to try and map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements. |
| Understanding gRPC, OpenAPI and REST | gRPC vs REST: Understanding gRPC, OpenAPI and REST and when to use them in API design |
| API security design best practices | API security design best practices for enterprise and public cloud. |
| REST API Design Guide | This design guide or style guide contains best practices suitable for most REST APIs. |
| How to design a REST API | How to design a REST API? – Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc. |
| Awesome REST | A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list. |
| Collect API Requirements | Collecting Requirements for your API with APIOps Cycles. |
| API Audit | API Audit is a method to ensure APIs are matching the API Design guidelines. It also helps check for usability, security and API management platform compatibility. |
Specifications
| Name | Description |
|---|---|
| AscyncAPI | AsyncAPI Specification |
| OpenAPI | OpenAPI Specification |
| JSON API | JSON API Specification |
| GraphQL | GraphQL Specification |
| RAML | RAML Specification |
Other useful resources
| Name | Description |
|---|---|
| API Security Guide | API Security: The Definitive Guide |
| API Security best practices guide | Expedited Security – API Security Best Practices MegaGuide |
| API Penetration Testing | API Penetration Testing with OWASP 2017 Test Cases. |
| API Pentesting with Swagger Files | Simplifying API Pentesting With Swagger Files. |
| API security articles | Char49 – API security articles. |
| API Security Testing | Spherical Defence – Principles of API Security Testing and how to perform a Security Test on an API. |
| How to Hack an API and Get Away with It | API Security Testing – How to Hack an API and Get Away with It (Part 1 of 3). |
| How to Hack APIs in 2021 | detectify – How to Hack APIs in 2021 |
| How to Hack API in 60 minutes with Open Source Tools | How to Hack API in 60 minutes with Open Source Tools |
| GraphQL penetration testing | How to exploit GraphQL endpoint: introspection, query, mutations & tools. |
| Fixing the 13 most common GraphQL Vulnerabilities | The complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready. |
| Hacking APIs – Notes from Bug Bounty Bootcamp | Aakash Choudhary: My Notes on Hacking APIs from Bug Bounty Bootcamp. |
| SOAP Security Vulnerabilities and Prevention | SOAP Security: Top Vulnerabilities and How to Prevent Them. |
| API and microservice security | A guide from PortSwigger: What are API and microservice security? |
| Strengthening Your API Security Posture | Strengthening Your API Security Posture – Ford Motor Company. |
| The Fault in Our Stars | Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion. |
Contributors
arainho André Rainho : @arainho
akpsgit
yigblst
