mirror of
https://github.com/arainho/awesome-api-security.git
synced 2024-10-01 01:06:11 -04:00
12 KiB
12 KiB
awesome-apisec
A collection of awesome API Security tools and resources.
Tools
Name | Description |
---|---|
Arjun | HTTP parameter discovery suite |
ffuf | Fast web fuzzer written in Go |
fuzzapi | Fuzzapi is a tool used for REST API pentesting and uses API_Fuzzer gem |
kiterunner | Contextual Content Discovery Tool |
Astra | Automated Security Testing For REST API's |
Automatic API Attack Tool | Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output |
APICheck | The DevSecOps toolset for REST APIs |
RESTler | RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services |
SoapUI | SoapUI is a free and open-source cross-platform functional testing solution for APIs and web services |
Mind maps
Author | Name | Description |
---|---|---|
David Sopas | MindAPI | Organize your API security assessment by using MindAPI |
Mufaddal Masalawala | IDOR Techniques | Mind map: IDOR Techniques |
Harsh Bothra | XML attacks | Mind map: XML attacks |
Checklist
Author | Name | Description |
---|---|---|
Shieldfy | API-Security-Checklist | Checklist of the most important security countermeasures when designing, testing, and releasing your API |
Inon Shkedy | 31 days of API Security Tips | This challenge is Inon Shkedy's 31 days API Security Tips |
APIOps Cycles | API audit checklist | API Audit checklist |
HolyBugx | another API Security checklist | HolyTips: API security checklist |
Binary Brotherhood | OAuth2: Security checklist | OAuth 2.0 Threat Model Pentesting Checklist |
Cheatsheets
Name | Description |
---|---|
REST Security Cheat Sheet | REST Security - OWASP Cheat Sheet Series |
REST Assessment Cheat Sheet | REST Assessment - OWASP Cheat Sheet Series |
OWASP API Security Top 10 | 42Crunch - OWASP API Security Top 10 |
GraphQL Cheat Sheet | GraphQL - OWASP Cheat Sheet Series |
Microservices Security Cheat Sheet | Microservices - OWASP Security Cheat Sheet |
JSON Web Token Security Cheat Sheet | PentesterLab - JSON Web Token Security Cheat Sheet |
Wiki's / Encyclopedias / GitBook's
Name | Description |
---|---|
API Security Encyclopedia | APIsecurity.io - API Security Encyclopedia |
Web API Pentesting | HackTricks - Web API Pentesting |
Training / Walkthrough / Labs
Name | Description |
---|---|
Kontra - OWASP Top 10 for API | Is a series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints. |
Pentesting Lab: vAPI | vAPI is Vulnerable Adversely Programmed Interface, Self-Hostable PHP Interface that mimics OWASP API Top 10 scenarios in the means of Exercises. |
ShipFast - Practical API Security Walkthrough | Learn practical Mobile and API security techniques: API Key, Static and Dynamic HMAC, Dynamic Certificate Pinning, and Mobile App Attestation. |
Enumeration / Scanning
Name | Description |
---|---|
Burp enumeration | Using Burp to Enumerate a REST API |
ZAP scanning | Scanning APIs with ZAP |
w3af scanning | Scan REST APIs with w3af |
Fuzzing / SecLists
Name | Description |
---|---|
Common API endpoints | Wordlist for common API endpoints |
List of API endpoints & objects | A list of 3203 common API endpoints and objects designed for fuzzing. |
List of Swagger endpoints | Swagger endpoints |
SecLists for API's web-content discovery | It is a collection of web content discovery lists for APIs used during security assessments. |
GraphQL SecList | It's a GraphQL list used during security assessments, collected in one place. |
API Keys (Find & validate)
Name | Description |
---|---|
Key-Checker | Go scripts for checking API key / access token validity |
Keyhacks | Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. |
API Key Leaks: Tools and exploits | An API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave it on public shares. |
Deliberately vulnerable APIs
Name | Description |
---|---|
crAPI | completely ridiculous API (crAPI) |
VAmPI | Vulnerable REST API with OWASP top 10 vulnerabilities for APIs |
dvws-node | Damn Vulnerable Web Service is a vulnerable web service/API/application that we can use to learn webservices/API vulnerabilities. |
DamnVulnerableMicroServices | This is a vulnerable microservice written in many languages to demonstrating OWASP API Top Security Risk (under development) |
Damn-Vulnerable-GraphQL-Application | Damn Vulnerable GraphQL Application is intentionally vulnerable implementation of Facebook's GraphQL technology to learn and practice GraphQL Security. |
Generic-University | Vulnerable API with Laravel App |
Presentations / Videos
Name | Description |
---|---|
pentesting-rest-apis | Pentesting Rest API's by Gaurang Bhatnagar |
Securing your APIs | "How Secure are you APIs?" - Securing your APIs: OWASP API Top 10 2019, Case Study and Demo |
api-security-testing-for-hackers | API Security Testing For Hackers |
bad-api-hapi-hackers | Bad API, hAPI Hackers! |
disclosing-information-via-your-apis | Hidden in Plain Site: Disclosing Information via Your APIs |
rest-in-peace-abusing-graphql | REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure |
Playlists
Name | Description |
---|---|
Everything API Hacking | A video collection from Katie Paxton-Fear, @InsiderPhD, and other people creating a playlist of API hacking knowledge! |
Podcasts
Podcast | Description |
---|---|
Hacking APIs | The Hacker Mind Podcast: Hacking APIs |
Hack Your API-Security Testing | 21: Troy Hunt: Hack Your API-Security Testing |
The OWASP API Security Project | Erez Yalon — The OWASP API Security Project |
Episode 38 API Security Best Practices | We Hack Purple Podcast Episode 38 API Security Best Practices |
Projects
Project | Description |
---|---|
owasp api security project | OWASP API Security Project - API Security Top 10 |
Newsletters
Newsletter | Description |
---|---|
api security articles | API Security Articles - The Latest API Security News, Vulnerabilities & Best Practices |
Awesome Repositories
Name | Description |
---|---|
awesome-security-apis | A collective list of public JSON APIs for use in security |
Design / Architecture / Development
Name | Description |
---|---|
REST API Design Guide | This design guide or style guide contains best practices suitable for most REST APIs. |
How to design a REST API | How to design a REST API? - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc. |
Awesome REST | A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list. |
Other useful resources
Name | Description |
---|---|
API Security Guide | API Security: The Definitive Guide |
API Penetration Testing | API Penetration Testing with OWASP 2017 Test Cases |
How to Hack an API and Get Away with It | API Security Testing – How to Hack an API and Get Away with It (Part 1 of 3) |
GraphQL penetration testing | How to exploit GraphQL endpoint: introspection, query, mutations & tools |
SOAP Security Vulnerabilities and Prevention | SOAP Security: Top Vulnerabilities and How to Prevent Them |
API and microservice security | A guide from PortSwigger: What are API and microservice security? |
Strengthening Your API Security Posture | Strengthening Your API Security Posture – Ford Motor Company |
The Fault in Our Stars | Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion |