API Keys: Find and Verify
| name | Description |
|---|---|
| API Guesser | Muhammad Daffa's Simple Website to Guess API Keys/OAuth Tokens |
| API key leaks: tools and exploits | An API key is a unique identifier used to authenticate requests associated with your project. Some developers may hardcode them or leave them in a public share. |
| Key-Checker | Go script to check API key/access token validity. |
| Key hacks | Keyhacks is a repository that shows a quick way to check if a leaked API key from a bug bounty program is valid. |
| private key authentication | Driftwood is a GitHub SSH key tool that lets you find out if a private key is used for something like TLS or as a user. |
books
| author | publisher | name | Description |
|---|---|---|---|
| Emily Freeman | Data Theorem Special Edition | API Security for dummies | This book is a high-level introduction to API security and key DevSecOps concepts. |
| Neil Madden | Manning | API Security in Action | API Security in Action teaches you how to create secure APIs for any situation. |
| Dolev Farhi and Nick Aleks | No starch press | Black Hat GraphQL | Black Hat GraphQL (in pre-order). |
| Corey Ball | No starch press | Hacking APIs | Breaks the Web Application Programming Interface. |
| Justing Richer and Antonio Sanso | Manning | Understanding API Security | Several chapters in various Manning books give you some background information on how API security works in the real world. |
cheat sheet
| name | Description |
|---|---|
| GraphQL Cheat Sheet | GraphQL - OWASP Cheat Sheet Series |
| JSON Web Token Security Cheat Sheet | PentesterLab - JSON Web Token Security Cheat Sheet |
| Injection Prevention Cheat Sheet | Injection – OWASP Cheat Sheet Series |
| Microservices Security Cheat Sheet | Microservices – The OWASP Security Cheat Sheet |
| OWASP API Security Top 10 | 42Crunch – OWASP API Security Top 10 |
| REST Evaluation Cheat Sheet | REST Evaluation – OWASP Cheat Sheet Series |
| REST Security Cheat Sheet | REST Security - OWASP Cheat Sheet Series |
Checklist
| author | name | Description |
|---|---|---|
| HolyBugx | another API Security checklist | HolyTips: API Security Checklist |
| API Ops Cycles | API Audit Checklist | API audit checklist. |
| Shieldfy | API-Security Checklist | A checklist of the most important security countermeasures when designing, testing, and publishing APIs. |
| API Mike, @api_sec | API Penetration Testing Checklist | Common steps included in any API penetration testing process. |
| Latish Danawale | API Test Checklist | API test checklist. |
| Inon Shkedy | 31 Days of API Security Tips | This challenge is Inon Shkedy's 31 Days of API Security Tips. |
| Binary Brotherhood | OAuth2: Security Checklist | OAuth 2.0 Threat Model Penetration Testing Checklist |
| Apollo | GraphQL API — GraphQL Security Checklist | 9 Ways to Secure Your GraphQL API — GraphQL Security Checklist |
| LeapGraph | GraphQL API - A Complete List of Vulnerabilities | How to Secure GraphQL APIs - A Complete List of Vulnerabilities |
| Lokesh Gupta | REST API Security Basics | REST API tutorial blog entry. |
Meeting
| name | Description |
|---|---|
| API security | The world's first conference dedicated to API threat management; bringing together the disruptors, defenders and solutions in API security. |
Intentionally Vulnerable API
| name | Description |
|---|---|
| API Sandbox | Pre-built vulnerable multi-API scenario environment based on Docker-Compose. |
| Bookstore | TryHackMe room - Beginner level box with basic web enumeration and REST API fuzzing. |
| crAPI | Totally Ridiculous API (crAPI) |
| Damn-Vulnerable-GraphQL-Application | Damn Vulnerable GraphQL App is an intentionally vulnerable implementation of Facebook's GraphQL technology to learn and practice GraphQL security. |
| Damn Vulnerable Micro Services | This is a vulnerable microservice written in multiple languages to demonstrate the OWASP API highest security risk (under development) |
| Damn Vulnerable Web Services | A damn vulnerable web service is a vulnerable web service/API/application that we can use to understand web service/API vulnerabilities. |
| Generic-University | Vulnerable APIs and Laravel applications |
| node-api-goat | A simple Express.JS REST API application exposing endpoints with vulnerable code. |
| Pixi | The Pixi module is a MEAN Stack web application with an extremely insecure API! |
| REST API Goat | This is a "goat" project so you can get familiar with REST API testing. |
| wxya | Top 10 Vulnerabilities of Vulnerable REST APIs and OWASP APIs |
| vAPI | vAPI is a Vulnerable Reverse Programming Interface, which is a self-hosted API that simulates the OWASP API Top 10 scenarios through exercises. |
| vulnapi | Intentionally very fragile API with additional bad coding practices. |
| vulnerable-graphql-api | A very fragile implementation of the GraphQL API. |
| Websheep | Websheep is an application based on a vulnerable ReSTful API. |
Design, Architecture, Development
| name | Description |
|---|---|
| API Specification Toolbox | The goal of this toolbox is to try to map out all the different API specifications in use, as well as services, tools, extensions and other supporting elements. |
| Learn about gRPC, OpenAPI, and REST | gRPC vs REST: Understanding gRPC, OpenAPI, and REST and when to use them in API design |
| Best Practices for API Security Design | API Security Design Best Practices for Enterprise and Public Cloud. |
| REST API Design Guidelines | This design guide or style guide contains best practices for most REST APIs. |
| How to design a REST API | How to design a REST API? - Complete guide to troubleshoot issues with security, pagination, filtering, versioning, partial answers, CORS, and more. |
| Great REST | A collaborative list of great resources on RESTful API architecture, development, testing, and performance. Feel free to contribute to this ongoing list. |
| Gather API requirements | Gather requirements for your API with APIOps Cycles. |
| API Audit | An API audit is a way to ensure that an API complies with API design guidelines. It also helps to check usability, security, and API management platform compatibility. |
Encyclopedias, Projects, Wikis and GitBooks
| name | Description |
|---|---|
| API Pentest Book APIs Pentest Book | six2dez - API Penetration Testing Book |
| API Security Empire API Security Empire | The API Security Empire project aims to present unique offensive and defensive methods in the field of API security |
| API Security Encyclopedia API Security Encyclopedia | APIsecurity.io – The API Security Encyclopedia |
| Web API Pentesting | HackTricks - Web API Penetration Testing |
| GraphQL | Hacking Tips – GraphQL |
Enumeration, Scanning and Exploration Steps
| name | Description |
|---|---|
| Burp API enumeration | Enumerate REST APIs with Burp |
| zap scan | Scan API with ZAP |
| ZAPExplore | Exploring the API with ZAP |
| w3af scan | Scan REST APIs with w3af |
firewall
| name | Description |
|---|---|
| Wallarm Free API Firewall | Fast and lightweight API proxy firewall for request and response validation via the OpenAPI specification. |
Fuzzing, SecLists, Wordlists Password Dictionary
| name | Description |
|---|---|
| API name dictionary | API Name Glossary for Web Application Evaluation |
| API HTTP request method | HTTP Request Method Vocabulary by @danielmiessler |
| API Routing Glossary | API routing – automatic vocabulary provided by Assetnote |
| Generic API endpoint | A vocabulary of common API endpoints. |
| filename of fuzz.txt | potentially dangerous file |
| Fuzzing APIs | Fuzzing APIs chapter in "The Fuzzing Book". |
| GraphQL Safelist | It is a list of GraphQL used during security assessments, collected in one place. |
| Hacking-APIs | Glossary and API paths by @hapi_hacker |
| Kiterunner Wordlists | Kiterunner glossary provided by Assetnote |
| List of API endpoints and objects | A list of 3203 common API endpoints and objects designed for fuzzing. |
| List of Swagger endpoints | Swagger endpoints |
| Dictionary table for API's web content discovery | It is a collection of web content discovery lists for APIs used during security assessments. |
HTTP 101
| name | Description |
|---|---|
| Know your HTTP headers! | HTTP Headers: A Simplified Yet Comprehensive Table. |
| Know your HTTP methods! | HTTP Methods: A Simplified Yet Comprehensive Table. |
| Know your HTTP status codes! | HTTP Status Codes: A Simplified Yet Comprehensive Table. |
| HTTP status code | httpstatuses.com is an easy-to-reference database of HTTP status codes with their definitions and useful code references all in one place. |
| Know Your HTTP* Well | HTTP headers, media types, methods, relationships, and status codes, all summarized and linked to their specifications. |
mind Mapping
| author | name | Description |
|---|---|---|
| Cypro AB | API Penetration Testing – Attacks | Mind Map: API Pentesting – ATTACK |
| Cypro AB | API Penetration Testing – Recon | Mind Map: API Pentesting – Recon |
| Cypro AB | GraphQL attack | Mind Map: GraphQL Attacks |
| Mufaddal Masalawala | IDOR Technology | Mind Mapping: IDOR Techniques |
| David Sopas | Thinking API | Organize your API security assessment with MindAPI |
| Harsh Bothra | XML attack | Mind Map: XML Attacks |
| Abhay Bhargav | REST API Defense | Mind Map: REST API Defense |
newsletter
| author | name | Description |
|---|---|---|
| 42Crunch | api security | API Security Articles – The latest API security news, vulnerabilities, and best practices. |
other resources
| name | author | Description |
|---|---|---|
| API Hacking Articles | Dana Epp | API hacking basics, tools, techniques, failures, and mindset articles. |
| API Security Best Practices Guide | Expedited Security | API Security Best Practices MegaGuide |
| API Security: The Complete Guide | Bright Security | API Security, The Complete Guide |
| API penetration testing | SecureLayer7 | API penetration testing with OWASP 2017 test cases. |
| API Penetration Test Report | Under Defense | Anonymous API Penetration Test Report – Vendor Sample Template |
| API Penetration Testing Using Swagger Files | Rhino Security Labs | Simplify API penetration testing with Swagger files. |
| API security path resource | MindAPI | Resources to help in the API security path; various content from talks/webinars/videos, must reads, writeups, bola/idors, oauth, jwt, rate limiting, ssrf and practice entries. |
| API security testing | Spherical Defense | Principles of API security testing and how to perform security testing on APIs. |
| Find and leverage web application APIs | Bend Theory | Find and exploit unexpected functionality in major web application APIs |
| How to hack an API and get away with it | Smart Bear | How to hack an API and get away with it (Part 1 of 3). |
| How to Hack APIs in 2021 | Detectify | How to Hack APIs in 2021 |
| How to Hack an API in 60 Minutes Using Open Source Tools | Wallarm | How to Hack an API in 60 Minutes Using Open Source Tools |
| GraphQL penetration testing | Yes We Hack | How to leverage GraphQL endpoints: introspection, queries, mutations, and tools. |
| Fixing the 13 Most Common GraphQL Vulnerabilities | WunderGraph | A GraphQL security guide that fixes the 13 most common GraphQL vulnerabilities and gets your API production-ready. |
| Hacking APIs - Notes from Bug Bounty Bootcamp | Aakash Choudhary | My notes on hacking APIs at the Bug Bounty Bootcamp. |
| SOAP Security Vulnerabilities and Prevention | Neura Legion | SOAP security, major vulnerabilities, and how to prevent them. |
| API and Microservices Security | PortSwigger | What is API and Microservices Security? |
| Strengthen your API security posture | 42Crunch | Strengthen Your API Security Posture - Ford Motor Company. |
| our star's mistake | Tenchi Security | Security implications of AWS API Gateway Lambda authorizers and IAM wildcard extensions. |
playlist
| name | Description |
|---|---|
| Everything API Hacking | A collection of videos from Katie Paxton-Fear, @InsiderPhD, and others who created the API Hacking Knowledge Playlist! |
| API hacking | API hacking video from @theXSSrat |
podcast
| name | Description |
|---|---|
| Hacking APIs | Hacking Minds Podcast: Hacking APIs |
| Crack Your API Security Testing | 21: Troy Hunt: Crack Your API Security Testing. |
| OWASP API Security Project | Erez Yalon — OWASP API Security Project |
| Episode 38 API Security Best Practices | We Hack Purple Podcast Episode 38 API Security Best Practices. |
presentations, videos
| name | Description |
|---|---|
| penetration testing-rest-api | Gaurang Bhatnagar Penetration Testing Rest API |
| Secure your APIs | "How Secure Are Your APIs?" - Securing Your APIs: OWASP API Top 10 2019, Case Studies and Demos. |
| api-security-testing-for-hackers | API Security Testing for Hackers |
| bad api-hapi-hacking | Bad API, hAPI hack! |
| Disclosing information through your API | Hidden from common sites: Expose information through your API. |
| Safe to abuse graphql | REST in Peace: Misusing GraphQL to attack the underlying infrastructure. |
project
| name | Description |
|---|---|
| owasp api security project | OWASP API Security Project – Top 10 API Security |
API security
| name | Description |
|---|---|
| awesome-security-apis | Collection list of public JSON APIs for security. |
specification
| name | Description |
|---|---|
| API Blueprint | API blueprint specification |
| Asynchronous API | Asynchronous API Specification |
| Open API | OpenAPI specification |
| JSON API | JSON API specification |
| GraphQL | GraphQL specification |
| RAML | RAML specification |
Tool
| name | Description |
|---|---|
| GraphQL | |
| BatchQL | GraphQL security audit script focused on executing batch GraphQL queries and mutations. |
| clairvoyance | Fetching GraphQL API schemas despite disabling introspection! |
| InQL | InQL - Burp extension for GraphQL security testing. |
| GraphQLmap | GraphQLmap is a scripting engine for interacting with graphql endpoints for penetration testing. |
| graphql-path-enum | A utility that lists the different ways a given type can be reached in a GraphQL schema. |
| graphql-playground | GraphQL IDE for better development workflow (GraphQL subscriptions, interactive documentation and collaboration) |
| graphql-threat-matrix | Security experts use the GraphQL Threat Framework to study security vulnerabilities in GraphQL implementations. |
| graphw00f | graphw00f is a GraphQL server engine fingerprinting utility for software security professionals who want to learn more about the technology behind a given GraphQL endpoint. |
| REST API | Description |
| APICheck | DevSecOps toolset for REST APIs. |
| API Clarity | Seamlessly rebuild open API specifications from real-time workload traffic. |
| API Fuzzer | Fuzz your application using OpenAPI or Swagger API definitions without coding. |
| APIKit | APIKit: A toolkit for discovering, scanning and auditing APIs in one. |
| Arjun | HTTP parameter discovery suite. |
| Astra | Automated security testing of REST APIs. |
| Automatic API Attack Tool | Imperva's customizable API attack tool takes an API specification as input and generates and runs attacks based on it as output. |
| CATS | CATS is a REST API fuzzer and negative testing tool for OpenAPI endpoints. |
| Cherry bombs | Stop half-finished API specifications with a CLI tool that helps you avoid undefined user behavior by validating API specifications. |
| ffuf | A fast network fuzzing tool written in Go. |
| fuzzapi | Fuzzapi is a tool for REST API penetration testing and TnT-Fuzzerd uses the API_Fuzzer gem. |
| gotestwaf | An open source project in Golang to test detection logic and bypasses of different Web Application Firewalls (WAFs) |
| kiterunner | Contextual content discovery tool. |
| mitmproxy2swagger | Automatically reverse engineer REST APIs by capturing traffic |
| REST | RESTler is the first stateful REST API fuzzer for automatically testing cloud services via REST APIs and finding security and reliability bugs in those services. |
| Swagger-EZ | A tool for penetration testing APIs using OpenAPI definitions. |
| TnT-Fuzzer | OpenAPI 2.0 (Swagger) fuzzer written in python. Basically TnT for your API. |
| wadl-dumper | Dump all available paths and/or endpoints into a WADL file. |
| fuzz-lightyear | pytest-inspired DAST framework capable of identifying vulnerabilities in distributed microservice ecosystems through chaos engineering testing and stateful Swagger fuzzing. |
| SOAP | Description |
| Wsdler | Burp's WSDL parser extension. |
| wsdl-wizard | WSDL Wizard is a Burp Suite plugin written in Python that detects current and discovers new WSDL (Web Services Definition Language) files. |
| other | Description |
| Soap UI | SoapUI is a free and open source cross-platform API and Web services functional testing solution. |
| dredd | Language-independent HTTP API testing tool |
| unfurl | Extract bits of URL provided on stdin |
Training, Seminars, Labs
| author | name | Description |
|---|---|---|
| Pentester Academy | API Security, REST Lab | Pentester Academy – Offense and Defense |
| Corey Ball | API Security University | APIsec University Offers Training Courses for Application Security Professionals |
| Grant Ongers | API Top 10 Walkthrough | OWASP API Top 10 CTF Walkthrough. |
| Hacker101 | GraphQL Challenge | GraphQL Week on The Hacker101 Capture the Flag Challenge |
| OWASP-SKF | GraphQL Labs | GraphQL Labs on the OWASP Security Knowledge Framework |
| Corey Ball | Hack API | Hacking APIs: A Workshop |
| Wesley Thijs | Let's build an API to crack | API Hacking Exercises by @TheXSSrat |
| Kontra | Top 10 OWASP APIs | is a series of free, interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their Web API endpoints. |
| Ship Fast | Practical API Security Walkthrough | Learn practical mobile and API security techniques: API keys, static and dynamic HMAC, dynamic certificate pinning, and mobile app attestation. |
| Tushar Kulkarni | vAPI | vAPI is a vulnerable reverse programming interface, self-hosted PHP interface that mimics the OWASP API top 10 scenarios by way of an exercise. |