add a menu in readme

André Rainho 2021-12-21 09:58:23 +00:00 committed by GitHub
parent 46cf3ec19c
commit 6b6e53b814
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,6 +1,34 @@
# [awesome-apisec](https://github.com/arainho/awesome-apisec) # [awesome-apisec](https://github.com/arainho/awesome-apisec)
**A collection of awesome API Security tools and resources.** <h4 align="center">A collection of awesome API Security tools and resources.</h4>
<p align="center">
<a href="#awesome-repositories">Awesome Repositories</a>
<a href="#tools">Tools</a>
<a href="#mind-maps">Mind maps</a>
<a href="#checklist">Checklist</a>
<a href="#cheatsheets">Cheatsheets</a>
<a href="#wikis-encyclopedias-gitbooks">Wiki's, Encyclopedias, GitBook's</a>
<a href="#books">Books</a>
<a href="#training-walkthrough-labs">Training, Walkthrough, Labs</a>
<a href="#enumeration-scanning">Enumeration, Scanning</a>
<a href="#fuzzing-seclists">Fuzzing, SecLists</a>
<a href="#api-keys-find-and-validate">API Keys: Find and validate</a>
<a href="#firewalls">Firewalls</a>
<a href="#deliberately-vulnerable-apis">Deliberately vulnerable APIs</a>
<a href="#presentations-videos">Presentations, Videos</a>
<a href="#playlists">Playlists</a>
<a href="#podcasts">Podcasts</a>
<a href="#projects">Projects</a>
<a href="#newsletters">Newsletters</a>
<a href="#twitter">Twitter</a>
<a href="#http-101">HTTP 101</a>
<a href="#design-architecture-development">Design, Architecture, Development</a>
<a href="#specifications">Specifications</a>
<a href="#other-useful-resources">Other useful resources</a>
</p>
---
## Awesome Repositories ## Awesome Repositories
| Name | Description | | Name | Description |
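Review bot: the `#...` targets in the new `<p align="center">` menu only work if they match the slugs GitHub derives from the headings (lowercased, punctuation dropped, spaces to hyphens), and several of them (`#wikis-encyclopedias-gitbooks`, `#training-walkthrough-labs`, `#enumeration-scanning`, `#fuzzing-seclists`, `#api-keys-find-and-validate`, `#presentations-videos`, `#design-architecture-development`) resolve only because the matching headings are renamed further down in this same patch; the entries whose headings are not touched here (`#tools`, `#mind-maps`, `#checklist`, `#cheatsheets`, `#playlists`, `#podcasts`, `#projects`, `#newsletters`, `#twitter`, `#http-101`, `#specifications`, `#other-useful-resources`) should be clicked through on the rendered README to confirm each one lands on a heading. A smaller point: the `<a>` elements inside the `<p>` have no separator between them, so they render as one run of space-separated link text; a visible separator (for example ` · `) or one link per line with `<br>` would make the menu readable.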
@ -71,7 +99,7 @@
| [Microservices Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Microservices_security.html) | Microservices - OWASP Security Cheat Sheet | | [Microservices Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Microservices_security.html) | Microservices - OWASP Security Cheat Sheet |
| [JSON Web Token Security Cheat Sheet](https://assets.pentesterlab.com/jwt_security_cheatsheet/jwt_security_cheatsheet.pdf) | PentesterLab - JSON Web Token Security Cheat Sheet | | [JSON Web Token Security Cheat Sheet](https://assets.pentesterlab.com/jwt_security_cheatsheet/jwt_security_cheatsheet.pdf) | PentesterLab - JSON Web Token Security Cheat Sheet |
## Wiki's / Encyclopedias / GitBook's ## Wiki's, Encyclopedias, GitBook's
| Name | Description | | Name | Description |
| ---- | ----------- | | ---- | ----------- |
| [API Security Encyclopedia](https://apisecurity.io/encyclopedia/content/api-security-encyclopedia.htm) | APIsecurity.io - API Security Encyclopedia | | [API Security Encyclopedia](https://apisecurity.io/encyclopedia/content/api-security-encyclopedia.htm) | APIsecurity.io - API Security Encyclopedia |
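Review bot: renaming `## Wiki's / Encyclopedias / GitBook's` to `## Wiki's, Encyclopedias, GitBook's` changes the auto-generated anchor (the slash form slugs to `#wikis--encyclopedias--gitbooks` with doubled hyphens, the comma form to `#wikis-encyclopedias-gitbooks`), so any existing deep link or bookmark to the old anchor stops resolving; the same holds for the heading renames in the hunks that follow. The commit message (`add a menu in readme`) does not mention that headings are renamed, and a line stating that the renames exist to give the new menu single-hyphen anchors would help anyone tracing broken links later.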
@ -84,7 +112,7 @@
| Neil Madden | [API Security in Action](https://www.manning.com/books/api-security-in-action)| API Security in Action teaches you how to create secure APIs for any situation. | | Neil Madden | [API Security in Action](https://www.manning.com/books/api-security-in-action)| API Security in Action teaches you how to create secure APIs for any situation. |
| Corey Ball | [Hacking APIs](https://nostarch.com/hacking-apis)| Breaking Web Application Programming Interfaces | | Corey Ball | [Hacking APIs](https://nostarch.com/hacking-apis)| Breaking Web Application Programming Interfaces |
## Training / Walkthrough / Labs ## Training, Walkthrough, Labs
| Name | Description | | Name | Description |
| ---- | ----------- | | ---- | ----------- |
| [Kontra - OWASP Top 10 for API](https://application.security/free/owasp-top-10-API) | Is a series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints. | | [Kontra - OWASP Top 10 for API](https://application.security/free/owasp-top-10-API) | Is a series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints. |
@ -92,14 +120,14 @@
| [ShipFast - Practical API Security Walkthrough](https://github.com/approov/shipfast-api-protection) | Learn practical Mobile and API security techniques: API Key, Static and Dynamic HMAC, Dynamic Certificate Pinning, and Mobile App Attestation. | | [ShipFast - Practical API Security Walkthrough](https://github.com/approov/shipfast-api-protection) | Learn practical Mobile and API security techniques: API Key, Static and Dynamic HMAC, Dynamic Certificate Pinning, and Mobile App Attestation. |
| [Hacker101 CTFs - GraphQL challenges](https://www.hackerone.com/ethical-hacker/graphql-week-hacker101-capture-flag-challenges) | GraphQL Week on The Hacker101 Capture the Flag Challenges | | [Hacker101 CTFs - GraphQL challenges](https://www.hackerone.com/ethical-hacker/graphql-week-hacker101-capture-flag-challenges) | GraphQL Week on The Hacker101 Capture the Flag Challenges |
## Enumeration / Scanning ## Enumeration, Scanning
| Name | Description | | Name | Description |
| ---- | ----------- | | ---- | ----------- |
| [Burp enumeration](https://portswigger.net/support/using-burp-to-enumerate-a-rest-api) | Using Burp to Enumerate a REST API | | [Burp enumeration](https://portswigger.net/support/using-burp-to-enumerate-a-rest-api) | Using Burp to Enumerate a REST API |
| [ZAP scanning](https://www.zaproxy.org/blog/2017-06-19-scanning-apis-with-zap/) | Scanning APIs with ZAP | | [ZAP scanning](https://www.zaproxy.org/blog/2017-06-19-scanning-apis-with-zap/) | Scanning APIs with ZAP |
| [w3af scanning](http://docs.w3af.org/en/latest/scan-rest-apis.html) | Scan REST APIs with w3af | | [w3af scanning](http://docs.w3af.org/en/latest/scan-rest-apis.html) | Scan REST APIs with w3af |
## Fuzzing / SecLists ## Fuzzing, SecLists
| Name | Description | | Name | Description |
| ---- | ----------- | | ---- | ----------- |
| [Common API endpoints](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common-api-endpoints-mazen160.txt) | Wordlist for common API endpoints. | | [Common API endpoints](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common-api-endpoints-mazen160.txt) | Wordlist for common API endpoints. |
@ -111,7 +139,7 @@
| [API Common methods](https://github.com/fuzzdb-project/fuzzdb/tree/master/discovery/common-methods) | API Common methods provided by fuzzdb. | | [API Common methods](https://github.com/fuzzdb-project/fuzzdb/tree/master/discovery/common-methods) | API Common methods provided by fuzzdb. |
| [GraphQL SecList](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/graphql.txt) | It's a GraphQL list used during security assessments, collected in one place. | | [GraphQL SecList](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/graphql.txt) | It's a GraphQL list used during security assessments, collected in one place. |
## API Keys: Find & validate ## API Keys: Find and validate
| Name | Description | | Name | Description |
| ---- | ----------- | | ---- | ----------- |
| [Key-Checker](https://github.com/daffainfo/Key-Checker)| Go scripts for checking API key / access token validity. | | [Key-Checker](https://github.com/daffainfo/Key-Checker)| Go scripts for checking API key / access token validity. |
@ -136,7 +164,7 @@
| [VAmPI](https://github.com/erev0s/VAmPI)| Vulnerable REST API with OWASP top 10 vulnerabilities for APIs | | [VAmPI](https://github.com/erev0s/VAmPI)| Vulnerable REST API with OWASP top 10 vulnerabilities for APIs |
| [Websheep](https://github.com/marmicode/websheep) | Websheep is an app based on a willingly vulnerable ReSTful APIs. | | [Websheep](https://github.com/marmicode/websheep) | Websheep is an app based on a willingly vulnerable ReSTful APIs. |
## Presentations / Videos ## Presentations, Videos
| Name | Description | | Name | Description |
| ---- | ----------- | | ---- | ----------- |
| [pentesting-rest-apis](https://www.slideshare.net/OWASPdelhi/pentesting-rest-apis-by-gaurang-bhatnagar) | Pentesting Rest API's by Gaurang Bhatnagar | | [pentesting-rest-apis](https://www.slideshare.net/OWASPdelhi/pentesting-rest-apis-by-gaurang-bhatnagar) | Pentesting Rest API's by Gaurang Bhatnagar |
@ -184,7 +212,7 @@
| [HTTP Status Codes](https://httpstatuses.com/) | httpstatuses.com is an easy to reference database of HTTP Status Codes with their definitions and helpful code references all in one place. | | [HTTP Status Codes](https://httpstatuses.com/) | httpstatuses.com is an easy to reference database of HTTP Status Codes with their definitions and helpful code references all in one place. |
|[Know your HTTP * Well](https://github.com/for-GET/know-your-http-well)| HTTP headers, media-types, methods, relations and status codes, all summarized and linking to their specification. | |[Know your HTTP * Well](https://github.com/for-GET/know-your-http-well)| HTTP headers, media-types, methods, relations and status codes, all summarized and linking to their specification. |
## Design / Architecture / Development ## Design, Architecture, Development
| Name | Description | | Name | Description |
| ---- | ----------- | | ---- | ----------- |
| [The API Specification Toolbox](http://api.specificationtoolbox.com) | This Toolbox goal is to try and map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements. | | [The API Specification Toolbox](http://api.specificationtoolbox.com) | This Toolbox goal is to try and map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements. |