A collection of awesome API Security tools and resources. The focus goes to open-source tools and resources that benefit all the community.
A collection of awesome API Security tools and resources.
Awesome Repositories
Tools
Name |
Description |
Arjun |
HTTP parameter discovery suite |
fuzzapi |
Fuzzapi is a tool used for REST API pentesting and uses API_Fuzzer gem |
kiterunner |
Contextual Content Discovery Tool |
MindAPI |
Organize your API security assessment by using MindAPI |
Astra |
Automated Security Testing For REST API's |
Automatic API Attack Tool |
Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output. |
Cheatsheets
Wiki's / Encyclopedias / GitBook's
Checklist
Name |
Description |
API-Security-Checklist |
Checklist of the most important security countermeasures when designing, testing, and releasing your API |
Training / Labs
Name |
Description |
Kontra - OWASP Top 10 for API |
Is a series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints. |
Pentesting Lab: vAPI |
vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable PHP Interface that mimics OWASP API Top 10 scenarios in the means of Exercises. |
Enumeration / Scanning
Fuzzing / SecLists
Deliberately vulnerable APIs
Name |
Description |
crAPI |
completely ridiculous API (crAPI) |
VAmPI |
Vulnerable REST API with OWASP top 10 vulnerabilities for APIs |
dvws-node |
Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn webservices/API vulnerabilities. |
DamnVulnerableMicroServices |
This is vulnerable microservice written in many language to demonstrating OWASP API Top Security Risk (under development) |
Damn-Vulnerable-GraphQL-Application |
Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security. |
Presentations / Videos
Podcasts
Projects
Newsletters
Newsletter |
Description |
api security articles |
API Security Articles - The Latest API Security News, Vulnerabilities & Best Practices |
Other useful resources
Name |
Description |
How to design a REST API |
How to design a REST API? - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc. |
Awesome REST |
A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this on-going list. |
31 days of API Security Tips |
This challenge is Inon Shkedy's 31 days API Security Tips. |
API Security Guide |
API Security: The Definitive Guide |
API Penetration Testing |
API Penetration Testing with OWASP 2017 Test Cases |
How to Hack an API and Get Away with It |
API Security Testing – How to Hack an API and Get Away with It (Part 1 of 3) |
GraphQL penetration testing |
How to exploit GraphQL endpoint: introspection, query, mutations & tools |
SOAP Security Vulnerabilities and Prevention |
SOAP Security: Top Vulnerabilities and How to Prevent Them |
API and microservice security |
A guide from PortSwigger: What is API and microservice security? |