A collection of awesome API Security tools and resources.
About • API Keys: Find and validate • Books • Cheatsheets • Checklist • Conferences • Deliberately vulnerable APIs • Design, Architecture, Development • Encyclopedias, Projects, Wikis and GitBooks • Enumeration, Scanning and exploration steps • Firewalls • Fuzzing, SecLists, Wordlists • HTTP 101 • Mind maps • Newsletters • Other resources • Playlists • Podcasts • Presentations, Videos • Projects • Security APIs • Specifications • Tools • Training, Workshops, Labs • Twitter • Contributions
About

The awesome-api-security (aka awesome-apisec) repository is a collection of awesome API security tools and resources.
The focus goes to open-source tools and resources that benefit the whole community.
Please read the contributions section before opening a pull request.
API Keys: Find and validate

| Name | Description |
| --- | --- |
| API Guesser | Simple website to guess an API key / OAuth token, by Muhammad Daffa. |
| API Key Leaks: Tools and exploits | An API key is a unique identifier used to authenticate requests associated with a project. Some developers hardcode keys or leave them on public shares. |
| Key-Checker | Go scripts for checking API key / access token validity. |
| Keyhacks | A repository showing quick ways to check whether API keys leaked to a bug bounty program are still valid. |
| Private key usage verification | Driftwood is a tool that can look up whether a private key is in use for things like TLS or as a user's GitHub SSH key. |
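The three steps these tools automate, as an added example written for this list rather than taken from API Key Leaks, Keyhacks or Key-Checker: scan text for candidate keys by their public prefixes, probe the ones that can be probed, and report them redacted. The regexes, the check endpoints and the sample settings file are assumptions made for the demo; the HTTP call is injected so the block runs offline, and a real run would pass a thin wrapper around an HTTP client instead. Probe only keys you are authorised to test, for example inside a bug bounty programme's scope.

```python
"""Find API-key candidates in text and check whether they are live.

Added example; not code from API Key Leaks, Keyhacks or Key-Checker. The
regexes, the check endpoints and the sample settings file are assumptions
made for the demo (the prefixes are the publicly documented token formats,
the sample file is constructed).
"""
import json
import re
from typing import Callable, Dict, List, Tuple

# Assumed prefix-based patterns. Matching on a vendor prefix keeps false
# positives low compared with entropy-only scanning, at the cost of missing
# formats that have no prefix.
KEY_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "slack_token": re.compile(r"\b(xox[baprs]-[0-9A-Za-z-]{10,})\b"),
}

# An HTTP call is (method, url, headers) -> (status, body); it is injected so
# the block runs offline and a real client can be swapped in.
HttpCall = Callable[[str, str, Dict[str, str]], Tuple[int, str]]

# (method, url, headers_for_key, is_valid) per kind, in the style of the
# Keyhacks write-ups. Slack answers HTTP 200 even for a dead token and puts
# the verdict in the JSON body, so the status code alone is not enough there.
CHECKS = {
    "github_pat": (
        "GET", "https://api.github.com/user",
        lambda key: {"Authorization": f"token {key}"},
        lambda status, body: status == 200,
    ),
    "slack_token": (
        "POST", "https://slack.com/api/auth.test",
        lambda key: {"Authorization": f"Bearer {key}"},
        lambda status, body: status == 200 and json.loads(body).get("ok") is True,
    ),
}


def find_keys(text: str) -> List[Tuple[str, str, int]]:
    """Return (kind, key, line_number) for every candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KEY_PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((kind, match.group(1), lineno))
    return hits


def validate_key(kind: str, key: str, http: HttpCall) -> str:
    """Classify a candidate as "valid", "invalid" or "needs_secret".

    A live call with a leaked key is use of that key: only probe keys you are
    authorised to test. An AWS access key ID cannot be checked on its own,
    since a signed request needs the matching secret, hence needs_secret.
    """
    if kind not in CHECKS:
        return "needs_secret"
    method, url, headers_for, is_valid = CHECKS[kind]
    status, body = http(method, url, headers_for(key))
    return "valid" if is_valid(status, body) else "invalid"


def redact(key: str) -> str:
    """Keep enough of a key to identify it in a report without reproducing it."""
    return key[:4] + "..." + key[-4:]


def triage(text: str, http: HttpCall) -> List[Dict[str, object]]:
    """Find every candidate and attach its validation result."""
    return [
        {"kind": kind, "key": redact(key), "line": lineno,
         "status": validate_key(kind, key, http)}
        for kind, key, lineno in find_keys(text)
    ]


# Constructed sample: a settings file someone pushed to a public repository.
SAMPLE_CONFIG = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
SLACK_BOT_TOKEN=xoxb-000000000000-000000000000-AbCdEfGhIjKlMnOpQrStUvWx
DEBUG=true
"""


def offline_http(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Stand-in for a real client: answers as if the GitHub token were live and
    the Slack token revoked, so the demo runs without network access."""
    if "api.github.com" in url:
        return 200, '{"login": "example"}'
    return 200, '{"ok": false, "error": "invalid_auth"}'


if __name__ == "__main__":
    for finding in triage(SAMPLE_CONFIG, offline_http):
        print(finding)
```

The Slack check is the one to remember: a validator that only looks at HTTP status will call every Slack token valid, which is exactly the kind of false positive a triage script must not produce.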
Books

| Author | Publisher | Name | Description |
| --- | --- | --- | --- |
| Emily Freeman | Data Theorem Special Edition | API Security for Dummies | A high-level introduction to the key concepts of API security and DevSecOps. |
| Neil Madden | Manning | API Security in Action | API Security in Action teaches you how to create secure APIs for any situation. |
| Dolev Farhi and Nick Aleks | No Starch Press | Black Hat GraphQL | Black Hat GraphQL (book in pre-order). |
| Corey Ball | No Starch Press | Hacking APIs | Breaking Web Application Programming Interfaces. |
| Justin Richer and Antonio Sanso | Manning | Understanding API Security | Several chapters from several Manning books that give context for how API security works in the real world. |
Conferences

| Name | Description |
| --- | --- |
| APIsecure | The world's first conference dedicated to API threat management, bringing together breakers, defenders, and solutions in API security. |
Deliberately vulnerable APIs

| Name | Description |
| --- | --- |
| APISandbox | Pre-built vulnerable multiple-API scenario environments based on Docker Compose. |
| Bookstore | TryHackMe room: a beginner-level box with basic web enumeration and REST API fuzzing. |
| crAPI | completely ridiculous API (crAPI). |
| Damn-Vulnerable-GraphQL-Application | Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL security. |
| Damn Vulnerable Micro Services | A vulnerable microservice written in many languages to demonstrate the OWASP API Security Top 10 risks (under development). |
| Damn Vulnerable Web Services | Damn Vulnerable Web Services is a vulnerable web service/API/application that can be used to learn web service/API vulnerabilities. |
| Generic-University | Vulnerable API with a Laravel app. |
| node-api-goat | A simple Express.js REST API application that exposes endpoints whose code contains vulnerabilities. |
| Pixi | The Pixi module is a MEAN stack web app with wildly insecure APIs! |
| REST API Goat | A "Goat" project to get familiar with REST API testing. |
| VAmPI | Vulnerable REST API with the OWASP API Security Top 10 vulnerabilities. |
| vAPI | vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios through exercises. |
| vulnapi | Intentionally very vulnerable API, with bonus bad coding practices. |
| vulnerable-graphql-api | A very vulnerable implementation of a GraphQL API. |
| Websheep | Websheep is an app based on willingly vulnerable RESTful APIs. |
Design, Architecture, Development

| Name | Description |
| --- | --- |
| The API Specification Toolbox | The goal of this toolbox is to map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements. |
| Understanding gRPC, OpenAPI and REST | gRPC vs REST: understanding gRPC, OpenAPI and REST, and when to use them in API design. |
| API security design best practices | API security design best practices for enterprise and public cloud. |
| REST API Design Guide | This design guide or style guide contains best practices suitable for most REST APIs. |
| How to design a REST API | How to design a REST API? A full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc. |
| Awesome REST | A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list. |
| Collect API Requirements | Collecting requirements for your API with APIOps Cycles. |
| API Audit | API Audit is a method to ensure APIs match the API design guidelines. It also helps check usability, security and API management platform compatibility. |
Encyclopedias, Projects, Wikis and GitBooks

Enumeration, Scanning and exploration steps

Firewalls

| Name | Description |
| --- | --- |
| Wallarm Free API Firewall | Fast and light-weight API proxy firewall for request and response validation by OpenAPI specs. |
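What "request validation by OpenAPI specs" amounts to in practice, as an added example (not Wallarm's code): the spec is treated as an allow-list, and a request is rejected when its path, method or parameters are not described by it, or when a declared parameter fails its schema. Only a slice of OpenAPI 3 is covered (path, query and header parameters with integer/string types, enum and maxLength; no request bodies and no response checking), and both the spec and the requests are constructed for the demo.

```python
"""Validate an incoming request against an OpenAPI document before it reaches
the application: the positive-security model an API firewall applies.

Added example; not Wallarm's code. Covers only path/query/header parameters
with integer/string types, enum and maxLength. SPEC and the sample requests
are constructed for the demo.
"""
import re
from typing import Dict, List, Optional, Tuple

SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/users/{id}": {
            "get": {
                "parameters": [
                    {"name": "id", "in": "path", "required": True,
                     "schema": {"type": "integer"}},
                    {"name": "fields", "in": "query",
                     "schema": {"type": "string", "enum": ["basic", "full"]}},
                ]
            }
        },
        "/login": {
            "post": {
                "parameters": [
                    {"name": "X-Client", "in": "header", "required": True,
                     "schema": {"type": "string", "maxLength": 32}},
                ]
            }
        },
    },
}


def _match_path(spec: dict, path: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (template, path_params) for the first path template that matches."""
    for template in spec["paths"]:
        # "/users/{id}" becomes "^/users/(?P<id>[^/]+)$"
        regex = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
        m = re.match(regex, path)
        if m:
            return template, m.groupdict()
    return None, {}


def _check_value(name: str, value: str, schema: dict) -> Optional[str]:
    """Return a violation message, or None if the value satisfies the schema."""
    if schema.get("type") == "integer" and not re.fullmatch(r"-?\d+", value):
        return f"{name}: expected integer"
    if "enum" in schema and value not in schema["enum"]:
        return f"{name}: not one of {schema['enum']}"
    if "maxLength" in schema and len(value) > schema["maxLength"]:
        return f"{name}: longer than {schema['maxLength']}"
    return None


def validate_request(spec: dict, method: str, path: str,
                     query: Optional[Dict[str, str]] = None,
                     headers: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the list of violations; an empty list means the request is allowed.

    Anything the spec does not describe (unknown path, unknown method, an
    undeclared query parameter) is a violation: the spec is the allow-list.
    """
    query = query or {}
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    template, path_params = _match_path(spec, path)
    if template is None:
        return [f"path {path} is not in the spec"]
    op = spec["paths"][template].get(method.lower())
    if op is None:
        return [f"{method.upper()} is not allowed on {template}"]
    problems = []
    params = op.get("parameters", [])
    for p in params:
        where, name, schema = p["in"], p["name"], p.get("schema", {})
        source = {"path": path_params, "query": query, "header": headers}[where]
        key = name.lower() if where == "header" else name
        if key not in source:
            if p.get("required"):
                problems.append(f"{name}: required {where} parameter missing")
            continue
        err = _check_value(name, source[key], schema)
        if err:
            problems.append(err)
    declared_query = {p["name"] for p in params if p["in"] == "query"}
    for name in query:
        if name not in declared_query:
            problems.append(f"{name}: undeclared query parameter")
    return problems


if __name__ == "__main__":
    print(validate_request(SPEC, "GET", "/users/42", {"fields": "full"}))
    print(validate_request(SPEC, "GET", "/users/abc", {"debug": "1"}))
    print(validate_request(SPEC, "DELETE", "/users/42"))
```

Note the order of checks: an undeclared path is rejected before anything else is looked at, so the firewall never has to reason about an endpoint the spec author did not write down. The flip side is the operational cost the Cherrybomb entry below hints at: a half-finished spec blocks legitimate traffic, so the spec has to be complete before it is enforced.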
Fuzzing, SecLists, Wordlists
| Author | Name | Description |
| --- | --- | --- |
| 42Crunch | API security articles | API Security Articles: the latest API security news, vulnerabilities and best practices. |
Playlists

| Name | Description |
| --- | --- |
| Everything API Hacking | A video collection from Katie Paxton-Fear (@InsiderPhD) and others, curated as a playlist of API hacking knowledge. |
| API hacking | API hacking videos from @theXSSrat. |
Tools

| Name | Description |
| --- | --- |
| **GraphQL** | |
| BatchQL | GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations. |
| clairvoyance | Obtain a GraphQL API schema despite disabled introspection! |
| InQL | InQL is a Burp extension for GraphQL security testing. |
| GraphQLmap | GraphQLmap is a scripting engine to interact with a GraphQL endpoint for pentesting purposes. |
| graphql-path-enum | Tool that lists the different ways of reaching a given type in a GraphQL schema. |
| graphql-playground | GraphQL IDE for better development workflows (GraphQL subscriptions, interactive docs and collaboration). |
| graphql-threat-matrix | GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations. |
| graphw00f | graphw00f is a GraphQL server engine fingerprinting utility for security professionals who want to learn what technology is behind a given GraphQL endpoint. |
| **REST APIs** | |
| APICheck | The DevSecOps toolset for REST APIs. |
| APIClarity | Reconstruct OpenAPI specifications from real-time workload traffic seamlessly. |
| APIFuzzer | Fuzz test your application using your OpenAPI or Swagger API definition, without coding. |
| APIKit | APIKit: discovery, scan and audit APIs toolkit, all in one. |
| Arjun | HTTP parameter discovery suite. |
| Astra | Automated security testing for REST APIs. |
| Automatic API Attack Tool | Imperva's customizable API attack tool takes an API specification as input and generates and runs attacks based on it. |
| CATS | CATS is a REST API fuzzer and negative testing tool for OpenAPI endpoints. |
| Cherrybomb | Stop half-done API specifications: a CLI tool that helps you avoid undefined user behaviour by validating your API specifications. |
| ffuf | Fast web fuzzer written in Go. |
| fuzzapi | Fuzzapi is a tool used for REST API pentesting; it uses the API_Fuzzer gem. |
| gotestwaf | An open-source project in Go to test different web application firewalls (WAFs) for detection logic and bypasses. |
| kiterunner | Contextual content discovery tool. |
| mitmproxy2swagger | Automagically reverse-engineer REST APIs by capturing traffic. |
| RESTler | RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in those services. |
| Swagger-EZ | A tool geared towards pentesting APIs using OpenAPI definitions. |
| TnT-Fuzzer | OpenAPI 2.0 (Swagger) fuzzer written in Python. Basically TNT for your API. |
| wadl-dumper | Dump all available paths and/or endpoints from a WADL file. |
| fuzz-lightyear | A pytest-inspired DAST framework, capable of identifying vulnerabilities in a distributed microservice ecosystem through chaos engineering testing and stateful Swagger fuzzing. |
| **SOAP** | |
| Wsdler | WSDL parser extension for Burp. |
| wsdl-wizard | WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Services Description Language) files. |
| **Others** | |
| SoapUI | SoapUI is a free and open-source cross-platform functional testing solution for APIs and web services. |
| dredd | Language-agnostic HTTP API testing tool. |
| unfurl | Pull out bits of URLs provided on stdin. |
Training, Workshops, Labs

| Author | Name | Description |
| --- | --- | --- |
| Pentester Academy | API security, REST Labs | Pentester Academy: attack & defense. |
| Corey Ball | APIsec University | APIsec University provides training courses for application security professionals. |
| Grant Ongers | API Top 10 walkthrough | OWASP API Top 10 CTF walk-through. |
| Hacker101 | GraphQL challenges | GraphQL Week on the Hacker101 Capture the Flag challenges. |
| OWASP-SKF | GraphQL Labs | GraphQL labs on the OWASP Security Knowledge Framework. |
| Corey Ball | Hacking APIs | Hacking APIs: workshop. |
| Wesley Thijs | Let's build an API to hack | API hacking exercises by @TheXSSrat. |
| Kontra | OWASP Top 10 for API | A series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints. |
| ShipFast | Practical API Security Walkthrough | Learn practical mobile and API security techniques: API key, static and dynamic HMAC, dynamic certificate pinning, and mobile app attestation. |
| Tushar Kulkarni | vAPI | vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable PHP interface that mimics OWASP API Top 10 scenarios by means of exercises. |
Twitter

| Author | Name | Description |
| --- | --- | --- |
| 42Crunch | @apisecurityio | API security news, standards, vulnerabilities, tools. |
Contributions

The purpose of this repository is to collect API security tools and resources. Preference goes to open-source or community-edition tools, Creative Commons resources, and resources created by the community for the benefit of the community. The exception is the Books section, where some referenced items may have an associated cost.

Other content (vendor-specific, ads, commercial, restricted, free-trial, freemium, closed-source/proprietary software, or products or services provided in exchange for private user details) is considered out of scope for pull requests.

Duplicated content, or entries that do not provide additional or relevant content compared with existing entries, may also not be considered.

Out-of-scope pull requests will probably be discarded, closed or ignored without notice.

If you think your content fits the above purposes, please:

1. create a new branch
2. change README.md
3. push the new changes
4. open a pull request

For more details check GitHub quickstart/contributing-to-projects.