# [awesome-apisec](https://github.com/arainho/awesome-apisec)
**A collection of awesome API Security tools and resources.**
## Awesome Repositories
| Name | Description |
| ---- | ----------- |
| [awesome-security-apis](https://github.com/jaegeral/security-apis)| A collective list of public JSON APIs for use in security. |
## Tools
| Name | Description |
| ---- | ----------- |
| | |
| **GraphQL** |
| [BatchQL](https://github.com/assetnote/batchql)| GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations. |
| [InQL](https://github.com/doyensec/inql) | InQL - A Burp Extension for GraphQL Security Testing. |
| [GraphQLmap](https://github.com/swisskyrepo/GraphQLmap)| GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. |
| [graphql-path-enum](https://gitlab.com/dee-see/graphql-path-enum) | Tool that lists the different ways of reaching a given type in a GraphQL schema. |
| | |
| **REST APIs** |
| [APICheck](https://bbva.github.io/apicheck/) | The DevSecOps toolset for REST APIs. |
| [APIClarity](https://github.com/apiclarity/apiclarity) | Reconstruct Open API Specifications from real-time workload traffic seamlessly. |
| [APIFuzzer](https://github.com/KissPeter/APIFuzzer) | Fuzz test your application using your OpenAPI or Swagger API definition without coding. |
| [APIKit](https://github.com/API-Security/APIKit) | APIKit: Discovery, Scan and Audit APIs Toolkit All In One. |
| [Arjun](https://github.com/s0md3v/Arjun) | HTTP parameter discovery suite. |
| [Astra](https://github.com/flipkart-incubator/Astra) | Automated Security Testing For REST API's. |
| [Automatic API Attack Tool](https://github.com/imperva/automatic-api-attack-tool) | Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output. |
| [Firecracker](https://www.blstsecurity.com/firecracker) | Firecracker from BLST security is an Intelligent attacker that simulates business flows in your API |
| [ffuf](https://github.com/ffuf/ffuf) | Fast web fuzzer written in Go. |
| [fuzzapi](https://github.com/Fuzzapi/fuzzapi)| Fuzzapi is a tool used for REST API pentesting and uses API_Fuzzer gem. |
| [gotestwaf](https://github.com/wallarm/gotestwaf) | An open-source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses |
| [kiterunner](https://github.com/assetnote/kiterunner)| Contextual Content Discovery Tool. |
| [RESTler](https://github.com/microsoft/restler-fuzzer) | RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. |
| [Swagger-EZ](https://github.com/RhinoSecurityLabs/Swagger-EZ)| A tool geared towards pentesting APIs using OpenAPI definitions. |
| [TnT-Fuzzer](https://github.com/Teebytes/TnT-Fuzzer) | OpenAPI 2.0 (Swagger) fuzzer written in python. Basically TnT for your API. |
| [wadl-dumper](https://github.com/dwisiswant0/wadl-dumper) | Dump all available paths and/or endpoints on WADL file. |
| [fuzz-lightyear](https://github.com/Yelp/fuzz-lightyear)| A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing. |
| | |
| **SOAP** |
| [Wsdler](https://github.com/NetSPI/Wsdler)| WSDL Parser extension for Burp. |
| [wsdl-wizard](https://github.com/portswigger/wsdl-wizard)| WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files. |
| | |
| **Others**|
| [SoapUI](https://github.com/SmartBear/soapui) | SoapUI is a free and open-source cross-platform functional testing solution for APIs and web services. |
## Mind maps
| Author | Name | Description |
| ------- | ---- | ----------- |
| [David Sopas](https://github.com/dsopas) | [MindAPI](https://dsopas.github.io/MindAPI/play/) | Organize your API security assessment by using MindAPI |
| [Mufaddal Masalawala](https://github.com/harsh-bothra) | [IDOR Techniques](https://www.xmind.net/m/CSKSWZ/) | Mind map: IDOR Techniques |
| [Harsh Bothra](https://github.com/muffyhub) | [XML attacks](https://www.xmind.net/m/xNEY9b/) | Mind map: XML attacks |
## Checklist
| Author | Name | Description |
| ------- | ---- | ------------|
| Shieldfy | [API-Security-Checklist](https://github.com/shieldfy/API-Security-Checklist) | Checklist of the most important security countermeasures when designing, testing, and releasing your API. |
| Inon Shkedy | [31 days of API Security Tips](https://github.com/smodnix/31-days-of-API-Security-Tips) | This challenge is Inon Shkedy's 31 days API Security Tips. |
| APIOps Cycles | [API audit checklist](https://www.apiopscycles.com/api-audit-checklist) | API Audit checklist |
| HolyBugx | [another API Security checklist](https://github.com/HolyBugx/HolyTips/blob/main/Checklist/API%20Security.pdf) | HolyTips: API security checklist |
| Binary Brotherhood| [OAuth2: Security checklist](https://web.archive.org/web/20210607123429/https://www.binarybrotherhood.io/oauth2_threat_model.html)| OAuth 2.0 Threat Model Pentesting Checklist |
## Cheatsheets
| Name | Description |
| ---- | ----------- |
| [REST Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html) | REST Security - OWASP Cheat Sheet Series |
| [REST Assessment Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html) | REST Assessment - OWASP Cheat Sheet Series |
| [OWASP API Security Top 10](https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-a4.pdf) | 42Crunch - OWASP API Security Top 10 |
| [GraphQL Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html) | GraphQL - OWASP Cheat Sheet Series |
| [Microservices Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Microservices_security.html) | Microservices - OWASP Security Cheat Sheet |
| [JSON Web Token Security Cheat Sheet](https://assets.pentesterlab.com/jwt_security_cheatsheet/jwt_security_cheatsheet.pdf) | PentesterLab - JSON Web Token Security Cheat Sheet |
## Wiki's / Encyclopedias / GitBook's
| Name | Description |
| ---- | ----------- |
| [API Security Encyclopedia](https://apisecurity.io/encyclopedia/content/api-security-encyclopedia.htm) | APIsecurity.io - API Security Encyclopedia |
| [Web API Pentesting](https://book.hacktricks.xyz/pentesting/pentesting-web/web-api-pentesting) | HackTricks - Web API Pentesting |
| [APIs Pentest Book](https://pentestbook.six2dez.com/enumeration/webservices/apis) | six2dez - APIs Pentest Book |
## Books
| Author | Name | Description |
| ------ | ---- | ----------- |
| Neil Madden | [API Security in Action](https://www.manning.com/books/api-security-in-action)| API Security in Action teaches you how to create secure APIs for any situation. |
| Corey Ball | [Hacking APIs](https://nostarch.com/hacking-apis)| Breaking Web Application Programming Interfaces |
## Training / Walkthrough / Labs
| Name | Description |
| ---- | ----------- |
| [Kontra - OWASP Top 10 for API](https://application.security/free/owasp-top-10-API) | Is a series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints. |
| [Pentesting Lab: vAPI](https://github.com/roottusk/vapi) | vAPI is Vulnerable Adversely Programmed Interface, Self-Hostable PHP Interface that mimics OWASP API Top 10 scenarios in the means of Exercises. |
| [ShipFast - Practical API Security Walkthrough](https://github.com/approov/shipfast-api-protection) | Learn practical Mobile and API security techniques: API Key, Static and Dynamic HMAC, Dynamic Certificate Pinning, and Mobile App Attestation. |
| [Hacker101 CTFs - GraphQL challenges](https://www.hackerone.com/ethical-hacker/graphql-week-hacker101-capture-flag-challenges) | GraphQL Week on The Hacker101 Capture the Flag Challenges |
## Enumeration / Scanning
| Name | Description |
| ---- | ----------- |
| [Burp enumeration](https://portswigger.net/support/using-burp-to-enumerate-a-rest-api) | Using Burp to Enumerate a REST API |
| [ZAP scanning](https://www.zaproxy.org/blog/2017-06-19-scanning-apis-with-zap/) | Scanning APIs with ZAP |
| [w3af scanning](http://docs.w3af.org/en/latest/scan-rest-apis.html) | Scan REST APIs with w3af |
## Fuzzing / SecLists
| Name | Description |
| ---- | ----------- |
| [Common API endpoints](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common-api-endpoints-mazen160.txt) | Wordlist for common API endpoints. |
| [List of API endpoints & objects](https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d) | A list of 3203 common API endpoints and objects designed for fuzzing. |
| [List of Swagger endpoints](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/swagger.txt) | Swagger endpoints |
| [SecLists for API's web-content discovery](https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content/api) | It is a collection of web content discovery lists for APIs used during security assessments. |
| [Kiterunner Wordlists](https://github.com/assetnote/wordlists/blob/master/data/kiterunner.json) | Kiterunner Wordlists provided by Assetnote |
| [API Routes Wordlists](https://github.com/assetnote/wordlists/blob/master/data/automated.json) | API Routes - Automated Wordlists provided by Assetnote |
| [API Common methods](https://github.com/fuzzdb-project/fuzzdb/tree/master/discovery/common-methods) | API Common methods provided by fuzzdb. |
| [GraphQL SecList](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/graphql.txt) | It's a GraphQL list used during security assessments, collected in one place. |
## API Keys: Find & validate
| Name | Description |
| ---- | ----------- |
| [Key-Checker](https://github.com/daffainfo/Key-Checker)| Go scripts for checking API key / access token validity. |
| [Keyhacks](https://github.com/streaak/keyhacks)| Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. |
| [API Key Leaks: Tools and exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/API%20Key%20Leaks) | An API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave it on public shares. |
| [Private key usage verification](https://github.com/trufflesecurity/driftwood) | Driftwood is a tool that can enable you to look up whether a private key is used for things like TLS or as a GitHub SSH key for a user. |
## Firewalls
| Name | Description |
| ---- | ----------- |
| [Wallarm Free API Firewall](https://github.com/wallarm/api-firewall)| Fast and light-weight API proxy firewall for request and response validation by OpenAPI specs. |
## Deliberately vulnerable APIs
| Name | Description |
| ---- | ----------- |
| [APISandbox](https://github.com/API-Security/APISandbox) | Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose. |
| [crAPI](https://github.com/OWASP/crAPI) | completely ridiculous API (crAPI) |
| [Damn-Vulnerable-GraphQL-Application](https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application)| Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology to learn and practice GraphQL Security. |
| [DamnVulnerableMicroServices](https://github.com/ne0z/DamnVulnerableMicroServices) | This is a vulnerable microservice written in many languages to demonstrate OWASP API Top Security Risk (under development). |
| [dvws-node](https://github.com/snoopysecurity/dvws-node) | Damn Vulnerable Web Service is a vulnerable web service/API/application that we can use to learn webservices/API vulnerabilities. |
| [Generic-University](https://github.com/InsiderPhD/Generic-University) | Vulnerable API with Laravel App |
| [VAmPI](https://github.com/erev0s/VAmPI)| Vulnerable REST API with OWASP top 10 vulnerabilities for APIs |
| [Websheep](https://github.com/marmicode/websheep) | Websheep is an app based on willingly vulnerable ReSTful APIs. |
## Presentations / Videos
| Name | Description |
| ---- | ----------- |
| [pentesting-rest-apis](https://www.slideshare.net/OWASPdelhi/pentesting-rest-apis-by-gaurang-bhatnagar) | Pentesting Rest API's by Gaurang Bhatnagar |
| [Securing your APIs](https://owasp.org/www-chapter-singapore/assets/presos/Securing_your_APIs_-_OWASP_API_Top_10_2019,_Real-life_Case.pdf) | "How Secure are you APIs?" - Securing your APIs: OWASP API Top 10 2019, Case Study and Demo. |
| [api-security-testing-for-hackers](https://www.bugcrowd.com/resources/webinars/api-security-testing-for-hackers) | API Security Testing For Hackers |
| [bad-api-hapi-hackers](https://www.bugcrowd.com/resources/webinars/bad-api-hapi-hackers)| Bad API, hAPI Hackers! |
| [disclosing-information-via-your-apis](https://www.bugcrowd.com/resources/webinars/hidden-in-plain-site-disclosing-information-via-your-apis/) | Hidden in Plain Site: Disclosing Information via Your APIs. |
| [rest-in-peace-abusing-graphql](https://www.bugcrowd.com/resources/webinars/rest-in-peace-abusing-graphql-to-attack-underlying-infrastructure) | REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure. |
## Playlists
| Name | Description |
| ---- | ----------- |
| [Everything API Hacking](https://www.youtube.com/playlist?list=PLbyncTkpno5HqX1h2MnV6Qt4wvTb8Mpol) | A video collection from Katie Paxton-Fear, @InsiderPhD, and other people creating a playlist of API hacking knowledge! |
## Podcasts
| Name | Description |
| ---- | ----------- |
| [Hacking APIs](https://forallsecure.com/blog/the-hacker-mind-podcast-hacking-apis) | The Hacker Mind Podcast: Hacking APIs |
| [Hack Your API-Security Testing](https://testguild.com/podcast/automation/21-troy-hunt-hack-your-api-security-testing/) | 21: Troy Hunt: Hack Your API-Security Testing. |
| [The OWASP API Security Project](https://podcast.securityjourney.com/erez-yalon-the-owasp-api-security-project/) | Erez Yalon — The OWASP API Security Project |
| [Episode 38 API Security Best Practices](https://wehackpurple.com/podcast/episode-38-api-security-best-practices/) | We Hack Purple Podcast Episode 38 API Security Best Practices. |
## Projects
| Name | Description |
| ---- | ----------- |
| [owasp api security project](https://owasp.org/www-project-api-security/) | OWASP API Security Project - API Security Top 10 |
## Newsletters
| Author | Name | Description |
| ------- | ---- | ----------- |
| 42Crunch | [api security articles](https://apisecurity.io/#newsletter1) | API Security Articles - The Latest API Security News, Vulnerabilities & Best Practices. |
## Twitter
| Author | Name | Description |
| ------- | ---- | ----------- |
| 42Crunch | [@apisecurityio](https://twitter.com/apisecurityio/) | API security news, standards, vulnerabilities, tools. |
## HTTP 101
| Name | Description |
| ---- | ----------- |
|[Know your HTTP Headers!](http://prezo.s3.amazonaws.com/pixi_california_2018/basics/headers.pdf) | HTTP Headers: a simplified and comprehensive table. |
|[Know your HTTP Methods!](http://prezo.s3.amazonaws.com/pixi_california_2018/basics/methods.pdf) | HTTP Methods: a simplified and comprehensive table. |
|[Know your HTTP Status codes!](http://prezo.s3.amazonaws.com/pixi_california_2018/basics/status-codes.pdf) | HTTP Status codes: a simplified and comprehensive table. |
| [HTTP Status Codes](https://httpstatuses.com/) | httpstatuses.com is an easy to reference database of HTTP Status Codes with their definitions and helpful code references all in one place. |
|[Know your HTTP * Well](https://github.com/for-GET/know-your-http-well)| HTTP headers, media-types, methods, relations and status codes, all summarized and linking to their specification. |
## Design / Architecture / Development
| Name | Description |
| ---- | ----------- |
| [The API Specification Toolbox](http://api.specificationtoolbox.com) | The goal of this Toolbox is to try and map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements. |
| [Understanding gRPC, OpenAPI and REST](https://cloud.google.com/blog/products/api-management/understanding-grpc-openapi-and-rest-and-when-to-use-them) | gRPC vs REST: Understanding gRPC, OpenAPI and REST and when to use them in API design |
| [REST API Design Guide](https://www.apiopscycles.com/resources/rest-api-design-guide) | This design guide or style guide contains best practices suitable for most REST APIs. |
| [How to design a REST API](https://blog.octo.com/en/design-a-rest-api) | How to design a REST API? - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc. |
| [Awesome REST](https://github.com/marmelab/awesome-rest) | A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list. |
| [Collect API Requirements](https://www.apiopscycles.com/collecting-requirements)| Collecting Requirements for your API with APIOps Cycles. |
| [API Audit](https://www.apiopscycles.com/method/api-audit) | API Audit is a method to ensure APIs are matching the API Design guidelines. It also helps check for usability, security and API management platform compatibility. |
## Specifications
| Name | Description |
| ---- | ----------- |
| [AsyncAPI](https://www.asyncapi.com/docs/specifications/latest) | AsyncAPI Specification |
| [OpenAPI](https://swagger.io/specification/) | OpenAPI Specification |
| [JSON API](https://jsonapi.org/format/) | JSON API Specification |
| [GraphQL](https://spec.graphql.org/) | GraphQL Specification |
| [RAML](https://github.com/raml-org/raml-spec) | RAML Specification |
## Other useful resources
| Name | Description |
| ---- | ----------- |
| [API Security Guide](https://www.pingidentity.com/en/company/blog/posts/2020/everything-need-know-api-security-2020.html) | API Security: The Definitive Guide |
| [API Security best practices guide](https://expeditedsecurity.com/api-security-best-practices-megaguide) | Expedited Security - API Security Best Practices MegaGuide |
| [API Penetration Testing](https://blog.securelayer7.net/api-penetration-testing-with-owasp-2017-test-cases) | API Penetration Testing with OWASP 2017 Test Cases. |
| [API Pentesting with Swagger Files](https://rhinosecuritylabs.com/application-security/simplifying-api-pentesting-swagger-files/) | Simplifying API Pentesting With Swagger Files. |
| [API security articles](https://char49.com/search/query:API%20security) | Char49 - API security articles. |
| [API Security Testing](https://sphericaldefence.com/api-security-testing) | Spherical Defence - Principles of API Security Testing and how to perform a Security Test on an API. |
| [How to Hack an API and Get Away with It](https://smartbear.com/blog/test-and-monitor/api-security-testing-how-to-hack-an-api-part-1/)| API Security Testing How to Hack an API and Get Away with It (Part 1 of 3). |
| [How to Hack APIs in 2021](https://labs.detectify.com/2021/08/10/how-to-hack-apis-in-2021) | detectify - How to Hack APIs in 2021 |
| [How to Hack API in 60 minutes with Open Source Tools](https://www.wallarm.com/what/how-to-hack-api-in-60-minutes-with-open-source) | How to Hack API in 60 minutes with Open Source Tools |
| [GraphQL penetration testing](https://blog.yeswehack.com/yeswerhackers/how-exploit-graphql-endpoint-bug-bounty/) | How to exploit GraphQL endpoint: introspection, query, mutations & tools. |
| [Fixing the 13 most common GraphQL Vulnerabilities](https://wundergraph.com/blog/the_complete_graphql_security_guide_fixing_the_13_most_common_graphql_vulnerabilities_to_make_your_api_production_ready)| The complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready. |
| [Hacking APIs - Notes from Bug Bounty Bootcamp](https://attacker-codeninja.github.io/2021-08-28-Hacking-APIs-notes-from-bug-bounty-bootcamp/)| Aakash Choudhary: My Notes on Hacking APIs from Bug Bounty Bootcamp. |
| [SOAP Security Vulnerabilities and Prevention](https://www.neuralegion.com/blog/top-7-soap-api-vulnerabilities/) | SOAP Security: Top Vulnerabilities and How to Prevent Them. |
| [API and microservice security](https://portswigger.net/burp/vulnerability-scanner/api-security-testing/guide-to-api-microservice-security) | A guide from PortSwigger: What are API and microservice security? |
| [Strengthening Your API Security Posture](https://42crunch.com/knowledge-series/strengthening-api-security-posture/) | Strengthening Your API Security Posture - Ford Motor Company. |
| [The Fault in Our Stars](https://www.tenchisecurity.com/blog/thefaultinourstars) | Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion. |