Join Our Telegram GroupsTelegram

API security tools and resources awesome api security

api bug bounty API security tools


API Keys: Find and Verify

API GuesserMuhammad Daffa's Simple Website to Guess API Keys/OAuth Tokens
API key leaks: tools and exploitsAn API key is a unique identifier used to authenticate requests associated with your project. Some developers may hardcode them or leave them in a public share.
Key-CheckerGo script to check API key/access token validity.
Key hacksKeyhacks is a repository that shows a quick way to check if a leaked API key from a bug bounty program is valid.
private key authenticationDriftwood is a GitHub SSH key tool that lets you find out if a private key is used for something like TLS or as a user.


Emily FreemanData Theorem Special EditionAPI Security for dummiesThis book is a high-level introduction to API security and key DevSecOps concepts.
Neil MaddenManningAPI Security in ActionAPI Security in Action teaches you how to create secure APIs for any situation.
Dolev Farhi and Nick AleksNo starch pressBlack Hat GraphQLBlack Hat GraphQL (in pre-order).
Corey BallNo starch pressHacking APIsBreaks the Web Application Programming Interface.
Justing Richer and Antonio SansoManningUnderstanding API SecuritySeveral chapters in various Manning books give you some background information on how API security works in the real world.

 cheat sheet

GraphQL Cheat SheetGraphQL - OWASP Cheat Sheet Series
JSON Web Token Security Cheat SheetPentesterLab - JSON Web Token Security Cheat Sheet
Injection Prevention Cheat SheetInjection – OWASP Cheat Sheet Series
Microservices Security Cheat SheetMicroservices – The OWASP Security Cheat Sheet
OWASP API Security Top 1042Crunch – OWASP API Security Top 10
REST Evaluation Cheat SheetREST Evaluation – OWASP Cheat Sheet Series
REST Security Cheat SheetREST Security - OWASP Cheat Sheet Series


HolyBugxanother API Security checklistHolyTips: API Security Checklist
API Ops CyclesAPI Audit ChecklistAPI audit checklist.
ShieldfyAPI-Security ChecklistA checklist of the most important security countermeasures when designing, testing, and publishing APIs.
API Mike, @api_secAPI Penetration Testing ChecklistCommon steps included in any API penetration testing process.
Latish DanawaleAPI Test ChecklistAPI test checklist.
Inon Shkedy31 Days of API Security TipsThis challenge is Inon Shkedy's 31 Days of API Security Tips.
Binary BrotherhoodOAuth2: Security ChecklistOAuth 2.0 Threat Model Penetration Testing Checklist
ApolloGraphQL API — GraphQL Security Checklist9 Ways to Secure Your GraphQL API — GraphQL Security Checklist
LeapGraphGraphQL API - A Complete List of VulnerabilitiesHow to Secure GraphQL APIs - A Complete List of Vulnerabilities
Lokesh GuptaREST API Security BasicsREST API tutorial blog entry.


API securityThe world's first conference dedicated to API threat management; bringing together the disruptors, defenders and solutions in API security.

 Intentionally Vulnerable API

API SandboxPre-built vulnerable multi-API scenario environment based on Docker-Compose.
BookstoreTryHackMe room - Beginner level box with basic web enumeration and REST API fuzzing.
crAPITotally Ridiculous API (crAPI)
Damn-Vulnerable-GraphQL-ApplicationDamn Vulnerable GraphQL App is an intentionally vulnerable implementation of Facebook's GraphQL technology to learn and practice GraphQL security.
Damn Vulnerable Micro ServicesThis is a vulnerable microservice written in multiple languages to demonstrate the OWASP API highest security risk (under development)
Damn Vulnerable Web ServicesA damn vulnerable web service is a vulnerable web service/API/application that we can use to understand web service/API vulnerabilities.
Generic-UniversityVulnerable APIs and Laravel applications
node-api-goatA simple Express.JS REST API application exposing endpoints with vulnerable code.
PixiThe Pixi module is a MEAN Stack web application with an extremely insecure API!
REST API GoatThis is a "goat" project so you can get familiar with REST API testing.
wxyaTop 10 Vulnerabilities of Vulnerable REST APIs and OWASP APIs
vAPIvAPI is a Vulnerable Reverse Programming Interface, which is a self-hosted API that simulates the OWASP API Top 10 scenarios through exercises.
vulnapiIntentionally very fragile API with additional bad coding practices.
vulnerable-graphql-apiA very fragile implementation of the GraphQL API.
WebsheepWebsheep is an application based on a vulnerable ReSTful API.

 Design, Architecture, Development

API Specification ToolboxThe goal of this toolbox is to try to map out all the different API specifications in use, as well as services, tools, extensions and other supporting elements.
Learn about gRPC, OpenAPI, and RESTgRPC vs REST: Understanding gRPC, OpenAPI, and REST and when to use them in API design
Best Practices for API Security DesignAPI Security Design Best Practices for Enterprise and Public Cloud.
REST API Design GuidelinesThis design guide or style guide contains best practices for most REST APIs.
How to design a REST APIHow to design a REST API? - Complete guide to troubleshoot issues with security, pagination, filtering, versioning, partial answers, CORS, and more.
Great RESTA collaborative list of great resources on RESTful API architecture, development, testing, and performance. Feel free to contribute to this ongoing list.
Gather API requirementsGather requirements for your API with APIOps Cycles.
API AuditAn API audit is a way to ensure that an API complies with API design guidelines. It also helps to check usability, security, and API management platform compatibility.

 Encyclopedias, Projects, Wikis and GitBooks

API Pentest Book APIs Pentest Booksix2dez - API Penetration Testing Book
API Security Empire API Security EmpireThe API Security Empire project aims to present unique offensive and defensive methods in the field of API security
API Security Encyclopedia API Security – The API Security Encyclopedia
Web API PentestingHackTricks - Web API Penetration Testing
GraphQLHacking Tips – GraphQL

 Enumeration, Scanning and Exploration Steps

Burp API enumerationEnumerate REST APIs with Burp
zap scanScan API with ZAP
ZAPExploreExploring the API with ZAP
w3af scanScan REST APIs with w3af


Wallarm Free API Firewall

Fast and lightweight API proxy firewall for request and response validation via the OpenAPI specification.

 Fuzzing, SecLists, Wordlists Password Dictionary

API name dictionaryAPI Name Glossary for Web Application Evaluation
API HTTP request methodHTTP Request Method Vocabulary by @danielmiessler
API Routing GlossaryAPI routing – automatic vocabulary provided by Assetnote
Generic API endpointA vocabulary of common API endpoints.
filename of fuzz.txtpotentially dangerous file
Fuzzing APIsFuzzing APIs chapter in "The Fuzzing Book".
GraphQL SafelistIt is a list of GraphQL used during security assessments, collected in one place.
Hacking-APIsGlossary and API paths by @hapi_hacker
Kiterunner WordlistsKiterunner glossary provided by Assetnote
List of API endpoints and objectsA list of 3203 common API endpoints and objects designed for fuzzing.
List of Swagger endpointsSwagger endpoints
Dictionary table for API's web content discoveryIt is a collection of web content discovery lists for APIs used during security assessments.

 HTTP 101

Know your HTTP headers!HTTP Headers: A Simplified Yet Comprehensive Table.
Know your HTTP methods!HTTP Methods: A Simplified Yet Comprehensive Table.
Know your HTTP status codes!HTTP Status Codes: A Simplified Yet Comprehensive Table.
HTTP status is an easy-to-reference database of HTTP status codes with their definitions and useful code references all in one place.
Know Your HTTP* WellHTTP headers, media types, methods, relationships, and status codes, all summarized and linked to their specifications.

 mind Mapping

Cypro ABAPI Penetration Testing – AttacksMind Map: API Pentesting – ATTACK
Cypro ABAPI Penetration Testing – ReconMind Map: API Pentesting – Recon
Cypro ABGraphQL attackMind Map: GraphQL Attacks
Mufaddal MasalawalaIDOR TechnologyMind Mapping: IDOR Techniques
David SopasThinking APIOrganize your API security assessment with MindAPI
Harsh BothraXML attackMind Map: XML Attacks
Abhay BhargavREST API DefenseMind Map: REST API Defense


42Crunchapi securityAPI Security Articles – The latest API security news, vulnerabilities, and best practices.

 other resources

API Hacking ArticlesDana EppAPI hacking basics, tools, techniques, failures, and mindset articles.
API Security Best Practices GuideExpedited SecurityAPI Security Best Practices MegaGuide
API Security: The Complete GuideBright SecurityAPI Security, The Complete Guide
API penetration testingSecureLayer7API penetration testing with OWASP 2017 test cases.
API Penetration Test ReportUnder DefenseAnonymous API Penetration Test Report – Vendor Sample Template
API Penetration Testing Using Swagger FilesRhino Security LabsSimplify API penetration testing with Swagger files.
API security path resourceMindAPIResources to help in the API security path; various content from talks/webinars/videos, must reads, writeups, bola/idors, oauth, jwt, rate limiting, ssrf and practice entries.
API security testingSpherical DefensePrinciples of API security testing and how to perform security testing on APIs.
Find and leverage web application APIsBend TheoryFind and exploit unexpected functionality in major web application APIs
How to hack an API and get away with itSmart BearHow to hack an API and get away with it (Part 1 of 3).
How to Hack APIs in 2021DetectifyHow to Hack APIs in 2021
How to Hack an API in 60 Minutes Using Open Source ToolsWallarmHow to Hack an API in 60 Minutes Using Open Source Tools
GraphQL penetration testingYes We HackHow to leverage GraphQL endpoints: introspection, queries, mutations, and tools.
Fixing the 13 Most Common GraphQL VulnerabilitiesWunderGraphA GraphQL security guide that fixes the 13 most common GraphQL vulnerabilities and gets your API production-ready.
Hacking APIs - Notes from Bug Bounty BootcampAakash ChoudharyMy notes on hacking APIs at the Bug Bounty Bootcamp.
SOAP Security Vulnerabilities and PreventionNeura LegionSOAP security, major vulnerabilities, and how to prevent them.
API and Microservices SecurityPortSwiggerWhat is API and Microservices Security?
Strengthen your API security posture42CrunchStrengthen Your API Security Posture - Ford Motor Company.
our star's mistakeTenchi SecuritySecurity implications of AWS API Gateway Lambda authorizers and IAM wildcard extensions.


Everything API HackingA collection of videos from Katie Paxton-Fear, @InsiderPhD, and others who created the API Hacking Knowledge Playlist!
API hackingAPI hacking video from @theXSSrat


Hacking APIsHacking Minds Podcast: Hacking APIs
Crack Your API Security Testing21: Troy Hunt: Crack Your API Security Testing.
OWASP API Security ProjectErez Yalon — OWASP API Security Project
Episode 38 API Security Best PracticesWe Hack Purple Podcast Episode 38 API Security Best Practices.

 presentations, videos

penetration testing-rest-apiGaurang Bhatnagar Penetration Testing Rest API
Secure your APIs"How Secure Are Your APIs?" - Securing Your APIs: OWASP API Top 10 2019, Case Studies and Demos.
api-security-testing-for-hackersAPI Security Testing for Hackers
bad api-hapi-hackingBad API, hAPI hack!
Disclosing information through your APIHidden from common sites: Expose information through your API.
Safe to abuse graphqlREST in Peace: Misusing GraphQL to attack the underlying infrastructure.


owasp api security projectOWASP API Security Project – Top 10 API Security

 API security

awesome-security-apisCollection list of public JSON APIs for security.


API BlueprintAPI blueprint specification
Asynchronous APIAsynchronous API Specification
Open APIOpenAPI specification
JSON APIJSON API specification
GraphQLGraphQL specification
RAMLRAML specification


BatchQLGraphQL security audit script focused on executing batch GraphQL queries and mutations.
clairvoyanceFetching GraphQL API schemas despite disabling introspection!
InQLInQL - Burp extension for GraphQL security testing.
GraphQLmapGraphQLmap is a scripting engine for interacting with graphql endpoints for penetration testing.
graphql-path-enumA utility that lists the different ways a given type can be reached in a GraphQL schema.
graphql-playgroundGraphQL IDE for better development workflow (GraphQL subscriptions, interactive documentation and collaboration)
graphql-threat-matrixSecurity experts use the GraphQL Threat Framework to study security vulnerabilities in GraphQL implementations.
graphw00fgraphw00f is a GraphQL server engine fingerprinting utility for software security professionals who want to learn more about the technology behind a given GraphQL endpoint.
REST APIDescription
APICheckDevSecOps toolset for REST APIs.
API ClaritySeamlessly rebuild open API specifications from real-time workload traffic.
API FuzzerFuzz your application using OpenAPI or Swagger API definitions without coding.
APIKitAPIKit: A toolkit for discovering, scanning and auditing APIs in one.
ArjunHTTP parameter discovery suite.
AstraAutomated security testing of REST APIs.
Automatic API Attack ToolImperva's customizable API attack tool takes an API specification as input and generates and runs attacks based on it as output.
CATSCATS is a REST API fuzzer and negative testing tool for OpenAPI endpoints.
Cherry bombsStop half-finished API specifications with a CLI tool that helps you avoid undefined user behavior by validating API specifications.
ffufA fast network fuzzing tool written in Go.
fuzzapiFuzzapi is a tool for REST API penetration testing and TnT-Fuzzerd uses the API_Fuzzer gem.
gotestwafAn open source project in Golang to test detection logic and bypasses of different Web Application Firewalls (WAFs)
kiterunnerContextual content discovery tool.
mitmproxy2swaggerAutomatically reverse engineer REST APIs by capturing traffic
RESTRESTler is the first stateful REST API fuzzer for automatically testing cloud services via REST APIs and finding security and reliability bugs in those services.
Swagger-EZA tool for penetration testing APIs using OpenAPI definitions.
TnT-FuzzerOpenAPI 2.0 (Swagger) fuzzer written in python. Basically TnT for your API.
wadl-dumperDump all available paths and/or endpoints into a WADL file.
fuzz-lightyearpytest-inspired DAST framework capable of identifying vulnerabilities in distributed microservice ecosystems through chaos engineering testing and stateful Swagger fuzzing.
WsdlerBurp's WSDL parser extension.
wsdl-wizardWSDL Wizard is a Burp Suite plugin written in Python that detects current and discovers new WSDL (Web Services Definition Language) files.
Soap UISoapUI is a free and open source cross-platform API and Web services functional testing solution.
dreddLanguage-independent HTTP API testing tool
unfurlExtract bits of URL provided on stdin

 Training, Seminars, Labs

Pentester AcademyAPI Security, REST LabPentester Academy – Offense and Defense
Corey BallAPI Security UniversityAPIsec University Offers Training Courses for Application Security Professionals
Grant OngersAPI Top 10 WalkthroughOWASP API Top 10 CTF Walkthrough.
Hacker101GraphQL ChallengeGraphQL Week on The Hacker101 Capture the Flag Challenge
OWASP-SKFGraphQL LabsGraphQL Labs on the OWASP Security Knowledge Framework
Corey BallHack APIHacking APIs: A Workshop
Wesley ThijsLet's build an API to crackAPI Hacking Exercises by @TheXSSrat
KontraTop 10 OWASP APIsis a series of free, interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their Web API endpoints.
Ship FastPractical API Security WalkthroughLearn practical mobile and API security techniques: API keys, static and dynamic HMAC, dynamic certificate pinning, and mobile app attestation.
Tushar KulkarnivAPIvAPI is a vulnerable reverse programming interface, self-hosted PHP interface that mimics the OWASP API top 10 scenarios by way of an exercise.

Post a Comment

Hope you enjoyed the article!😊
Post a Comment