## API Keys: Find and Verify
Name | Description |
---|---|
API Guesser | Muhammad Daffa's simple website to guess API keys/OAuth tokens. |
API key leaks: tools and exploits | An API key is a unique identifier used to authenticate requests associated with your project. Some developers hardcode them or leave them in a public share. |
Key-Checker | Go script to check API key/access token validity. |
Keyhacks | Keyhacks is a repository that shows a quick way to check whether an API key leaked from a bug bounty program is valid. |
Private key verification | Driftwood is a tool that lets you look up whether a private key is used for something like TLS or as a GitHub SSH key for a user. |
## Books
Author | Publisher | Name | Description |
---|---|---|---|
Emily Freeman | Data Theorem Special Edition | API Security For Dummies | A high-level introduction to API security and key DevSecOps concepts. |
Neil Madden | Manning | API Security in Action | API Security in Action teaches you how to create secure APIs for any situation. |
Dolev Farhi and Nick Aleks | No Starch Press | Black Hat GraphQL | Black Hat GraphQL (available for pre-order). |
Corey Ball | No Starch Press | Hacking APIs | Breaking Web Application Programming Interfaces. |
Justin Richer and Antonio Sanso | Manning | Understanding API Security | Several chapters from various Manning books that give you background on how API security works in the real world. |
## Cheat Sheets
Name | Description |
---|---|
GraphQL Cheat Sheet | GraphQL – OWASP Cheat Sheet Series |
JSON Web Token Security Cheat Sheet | PentesterLab – JSON Web Token Security Cheat Sheet |
Injection Prevention Cheat Sheet | Injection Prevention – OWASP Cheat Sheet Series |
Microservices Security Cheat Sheet | Microservices Security – OWASP Cheat Sheet Series |
OWASP API Security Top 10 | 42Crunch – OWASP API Security Top 10 |
REST Assessment Cheat Sheet | REST Assessment – OWASP Cheat Sheet Series |
REST Security Cheat Sheet | REST Security – OWASP Cheat Sheet Series |
## Checklists
Author | Name | Description |
---|---|---|
HolyBugx | Another API Security Checklist | HolyTips: API Security Checklist |
APIOps Cycles | API Audit Checklist | API audit checklist. |
Shieldfy | API-Security Checklist | A checklist of the most important security countermeasures when designing, testing, and publishing your API. |
API Mike, @api_sec | API Penetration Testing Checklist | Common steps included in any API penetration testing process. |
Latish Danawale | API Test Checklist | API test checklist. |
Inon Shkedy | 31 Days of API Security Tips | Inon Shkedy's 31 Days of API Security Tips challenge. |
Binary Brotherhood | OAuth2: Security Checklist | OAuth 2.0 Threat Model Penetration Testing Checklist |
Apollo | GraphQL API — GraphQL Security Checklist | 9 Ways to Secure Your GraphQL API — GraphQL Security Checklist |
LeapGraph | GraphQL API – A Complete List of Vulnerabilities | How to Secure GraphQL APIs – A Complete List of Vulnerabilities |
Lokesh Gupta | REST API Security Basics | REST API tutorial blog entry. |
## Conferences
Name | Description |
---|---|
API Security | The world's first conference dedicated to API threat management, bringing together the disruptors, defenders and solutions in API security. |
## Intentionally Vulnerable APIs
Name | Description |
---|---|
API Sandbox | Pre-built vulnerable multi-API scenario environment based on Docker Compose. |
Bookstore | TryHackMe room – beginner-level box with basic web enumeration and REST API fuzzing. |
crAPI | Completely Ridiculous API (crAPI). |
Damn-Vulnerable-GraphQL-Application | Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL security. |
Damn Vulnerable Micro Services | A vulnerable microservice written in multiple languages to demonstrate the OWASP API top security risks (under development). |
Damn Vulnerable Web Services | A damn vulnerable web service/API/application that we can use to understand web service/API vulnerabilities. |
Generic-University | Vulnerable API and Laravel application. |
node-api-goat | A simple Express.js REST API application exposing endpoints with vulnerable code. |
Pixi | The Pixi module is a MEAN stack web application with an extremely insecure API! |
REST API Goat | A "goat" project so you can get familiar with REST API testing. |
wxya | Vulnerable REST API with OWASP API Top 10 vulnerabilities. |
vAPI | vAPI is a Vulnerable Adversely Programmed Interface: a self-hosted API that simulates the OWASP API Top 10 scenarios through exercises. |
vulnapi | Intentionally vulnerable API with additional bad coding practices. |
vulnerable-graphql-api | A very vulnerable implementation of a GraphQL API. |
Websheep | Websheep is an application based on a vulnerable RESTful API. |
## Design, Architecture, Development
Name | Description |
---|---|
API Specification Toolbox | The goal of this toolbox is to map out all the different API specifications in use, as well as the services, tools, extensions and other supporting elements. |
Learn about gRPC, OpenAPI, and REST | gRPC vs REST: understanding gRPC, OpenAPI, and REST and when to use them in API design. |
Best Practices for API Security Design | API security design best practices for enterprise and public cloud. |
REST API Design Guidelines | This design guide or style guide contains best practices for most REST APIs. |
How to design a REST API | How to design a REST API? Complete guide to handling security, pagination, filtering, versioning, partial responses, CORS, and more. |
Awesome REST | A collaborative list of awesome resources on RESTful API architecture, development, testing, and performance. Feel free to contribute to this ongoing list. |
Gather API requirements | Gather requirements for your API with APIOps Cycles. |
API Audit | An API audit is a way to ensure that an API complies with API design guidelines. It also helps to check usability, security, and API management platform compatibility. |
## Encyclopedias, Projects, Wikis and GitBooks
Name | Description |
---|---|
APIs Pentest Book | six2dez – API Penetration Testing Book |
API Security Empire | The API Security Empire project aims to present unique offensive and defensive methods in the field of API security. |
API Security Encyclopedia | APIsecurity.io – The API Security Encyclopedia |
Web API Pentesting | HackTricks – Web API Penetration Testing |
GraphQL | HackTricks – GraphQL |

## Enumeration, Scanning and Exploration Steps
Name | Description |
---|---|
Burp API enumeration | Enumerate REST APIs with Burp Suite. |
ZAP scan | Scan an API with ZAP. |
ZAP explore | Explore an API with ZAP. |
w3af scan | Scan REST APIs with w3af. |
## Firewall
Name | Description |
---|---|
Wallarm Free API Firewall | Fast and lightweight API proxy firewall for request and response validation via the OpenAPI specification. |
## Fuzzing, SecLists, Wordlists and Dictionaries
Name | Description |
---|---|
API names wordlist | API names wordlist for web application assessment. |
API HTTP request methods | HTTP request methods wordlist by @danielmiessler. |
API Routes Wordlist | API routes automated wordlist provided by Assetnote. |
Generic API endpoints | A wordlist of common API endpoints. |
fuzz.txt | Potentially dangerous files. |
Fuzzing APIs | Fuzzing APIs chapter in "The Fuzzing Book". |
GraphQL SecList | A list of GraphQL wordlists used during security assessments, collected in one place. |
Hacking-APIs | Wordlists and API paths by @hapi_hacker. |
Kiterunner Wordlists | Kiterunner wordlists provided by Assetnote. |
List of API endpoints and objects | A list of 3203 common API endpoints and objects designed for fuzzing. |
List of Swagger endpoints | Swagger endpoints. |
Web content discovery wordlists for APIs | A collection of web content discovery lists for APIs used during security assessments. |
## HTTP 101
Name | Description |
---|---|
Know your HTTP headers! | HTTP headers: a simplified yet comprehensive table. |
Know your HTTP methods! | HTTP methods: a simplified yet comprehensive table. |
Know your HTTP status codes! | HTTP status codes: a simplified yet comprehensive table. |
HTTP status codes | httpstatuses.com is an easy-to-reference database of HTTP status codes with their definitions and helpful code references, all in one place. |
Know Your HTTP * Well | HTTP headers, media types, methods, relations, and status codes, all summarized and linked to their specifications. |
## Mind Mapping
Author | Name | Description |
---|---|---|
Cypro AB | API Penetration Testing – Attacks | Mind Map: API Pentesting – Attacks |
Cypro AB | API Penetration Testing – Recon | Mind Map: API Pentesting – Recon |
Cypro AB | GraphQL Attacks | Mind Map: GraphQL Attacks |
Mufaddal Masalawala | IDOR Techniques | Mind Map: IDOR Techniques |
David Sopas | MindAPI | Organize your API security assessment with MindAPI. |
Harsh Bothra | XML Attacks | Mind Map: XML Attacks |
Abhay Bhargav | REST API Defense | Mind Map: REST API Defense |
## Newsletter
Author | Name | Description |
---|---|---|
42Crunch | API Security | API Security Articles – the latest API security news, vulnerabilities, and best practices. |
## Other Resources
Name | Author | Description |
---|---|---|
API Hacking Articles | Dana Epp | API hacking basics, tools, techniques, failures, and mindset articles. |
API Security Best Practices Guide | Expedited Security | API Security Best Practices MegaGuide |
API Security: The Complete Guide | Bright Security | API Security: The Complete Guide |
API penetration testing | SecureLayer7 | API penetration testing with OWASP 2017 test cases. |
API Penetration Test Report | UnderDefense | Anonymous API Penetration Test Report – vendor sample template. |
API Penetration Testing Using Swagger Files | Rhino Security Labs | Simplify API penetration testing with Swagger files. |
API security path resources | MindAPI | Resources to help on the API security path: talks/webinars/videos, must-reads, write-ups, BOLA/IDOR, OAuth, JWT, rate limiting, SSRF and practice entries. |
API security testing | Spherical Defense | Principles of API security testing and how to perform security testing on APIs. |
Find and leverage web application APIs | Bend Theory | Find and exploit unexpected functionality in major web application APIs. |
How to hack an API and get away with it | SmartBear | How to hack an API and get away with it (Part 1 of 3). |
How to Hack APIs in 2021 | Detectify | How to Hack APIs in 2021 |
How to Hack an API in 60 Minutes Using Open Source Tools | Wallarm | How to Hack an API in 60 Minutes Using Open Source Tools |
GraphQL penetration testing | YesWeHack | How to leverage GraphQL endpoints: introspection, queries, mutations, and tools. |
Fixing the 13 Most Common GraphQL Vulnerabilities | WunderGraph | A GraphQL security guide that fixes the 13 most common GraphQL vulnerabilities and gets your API production-ready. |
Hacking APIs – Notes from Bug Bounty Bootcamp | Aakash Choudhary | My notes on hacking APIs from the Bug Bounty Bootcamp. |
SOAP Security Vulnerabilities and Prevention | NeuraLegion | SOAP security, major vulnerabilities, and how to prevent them. |
API and Microservices Security | PortSwigger | What is API and microservices security? |
Strengthen your API security posture | 42Crunch | Strengthen Your API Security Posture – Ford Motor Company. |
Our star's mistake | Tenchi Security | Security implications of AWS API Gateway Lambda authorizers and IAM wildcard expansion. |
## Playlist
Name | Description |
---|---|
Everything API Hacking | A collection of videos from Katie Paxton-Fear (@InsiderPhD) and others who created the API Hacking Knowledge playlist! |
API hacking | API hacking videos from @theXSSrat. |
## Podcast
Name | Description |
---|---|
Hacking APIs | Hacking Minds Podcast: Hacking APIs |
Crack Your API Security Testing | 21: Troy Hunt – Crack Your API Security Testing. |
OWASP API Security Project | Erez Yalon — OWASP API Security Project |
Episode 38: API Security Best Practices | We Hack Purple Podcast Episode 38: API Security Best Practices. |
## Presentations, Videos
Name | Description |
---|---|
Penetration Testing REST APIs | Gaurang Bhatnagar – Penetration Testing REST APIs |
Secure your APIs | "How Secure Are Your APIs?" – Securing Your APIs: OWASP API Top 10 2019, Case Studies and Demos. |
API Security Testing for Hackers | API Security Testing for Hackers |
Bad API, hAPI Hacking | Bad API, hAPI hack! |
Disclosing information through your API | Hidden in plain sight: disclosing information through your API. |
Abusing GraphQL | REST in Peace: Abusing GraphQL to attack the underlying infrastructure. |
## Project
Name | Description |
---|---|
OWASP API Security Project | OWASP API Security Project – API Security Top 10 |
## Security APIs
Name | Description |
---|---|
awesome-security-apis | A collective list of public JSON APIs for use in security. |
## Specifications
Name | Description |
---|---|
API Blueprint | API Blueprint specification |
AsyncAPI | AsyncAPI specification |
OpenAPI | OpenAPI specification |
JSON API | JSON API specification |
GraphQL | GraphQL specification |
RAML | RAML specification |
## Tools
### GraphQL
Name | Description |
---|---|
BatchQL | GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations. |
clairvoyance | Obtain GraphQL API schemas even if introspection is disabled! |
InQL | Burp extension for GraphQL security testing. |
GraphQLmap | GraphQLmap is a scripting engine to interact with GraphQL endpoints for penetration testing purposes. |
graphql-path-enum | A tool that lists the different ways of reaching a given type in a GraphQL schema. |
graphql-playground | GraphQL IDE for a better development workflow (GraphQL subscriptions, interactive docs and collaboration). |
graphql-threat-matrix | GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations. |
graphw00f | graphw00f is a GraphQL server engine fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint. |
### REST API
Name | Description |
---|---|
APICheck | DevSecOps toolset for REST APIs. |
APIClarity | Seamlessly reconstruct OpenAPI specifications from real-time workload traffic. |
API Fuzzer | Fuzz your application using your OpenAPI or Swagger API definition without coding. |
APIKit | APIKit: discovery, scanning and auditing of APIs in one toolkit. |
Arjun | HTTP parameter discovery suite. |
Astra | Automated security testing of REST APIs. |
Automatic API Attack Tool | Imperva's customizable API attack tool takes an API specification as input and generates and runs attacks based on it. |
CATS | CATS is a REST API fuzzer and negative testing tool for OpenAPI endpoints. |
Cherrybomb | Stop half-done API specifications with a CLI tool that helps you avoid undefined user behaviour by validating your API specifications. |
ffuf | A fast web fuzzer written in Go. |
fuzzapi | Fuzzapi is a tool for REST API penetration testing that uses the API_Fuzzer gem. |
gotestwaf | An open-source project in Golang to test detection logic and bypasses of different Web Application Firewalls (WAFs). |
kiterunner | Contextual content discovery tool. |
mitmproxy2swagger | Automatically reverse-engineer REST APIs by capturing traffic. |
RESTler | RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in those services. |
Swagger-EZ | A tool geared towards pentesting APIs using OpenAPI definitions. |
TnT-Fuzzer | OpenAPI 2.0 (Swagger) fuzzer written in Python. Basically TnT for your API. |
wadl-dumper | Dump all available paths and/or endpoints from a WADL file. |
fuzz-lightyear | A pytest-inspired DAST framework capable of identifying vulnerabilities in a distributed microservice ecosystem through chaos engineering testing and stateful Swagger fuzzing. |
### SOAP
Name | Description |
---|---|
Wsdler | WSDL parser extension for Burp Suite. |
wsdl-wizard | WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Services Definition Language) files. |
### Other
Name | Description |
---|---|
SoapUI | SoapUI is a free and open-source cross-platform API and web services functional testing solution. |
dredd | Language-agnostic HTTP API testing tool. |
unfurl | Extract bits of URLs provided on stdin. |
## Training, Seminars, Labs
Author | Name | Description |
---|---|---|
Pentester Academy | API Security, REST Lab | Pentester Academy – Offense and Defense |
Corey Ball | APIsec University | APIsec University offers training courses for application security professionals. |
Grant Ongers | API Top 10 Walkthrough | OWASP API Top 10 CTF walkthrough. |
Hacker101 | GraphQL Challenge | GraphQL week on the Hacker101 Capture the Flag challenge. |
OWASP-SKF | GraphQL Labs | GraphQL labs on the OWASP Security Knowledge Framework. |
Corey Ball | Hack API | Hacking APIs: A Workshop |
Wesley Thijs | Let's build an API to hack | API hacking exercises by @TheXSSrat. |
Kontra | OWASP Top 10 for API | A series of free, interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints. |
Ship Fast | Practical API Security Walkthrough | Learn practical mobile and API security techniques: API keys, static and dynamic HMAC, dynamic certificate pinning, and mobile app attestation. |
Tushar Kulkarni | vAPI | vAPI is a Vulnerable Adversely Programmed Interface, a self-hosted PHP interface that mimics the OWASP API Top 10 scenarios by way of exercises. |