awesome-apisec

A collection of awesome API Security tools and resources.

Awesome Repositories

Name	Description
awesome-security-apis	A collective list of public JSON APIs for use in security

Tools

Name	Description
Arjun	HTTP parameter discovery suite
ffuf	Fast web fuzzer written in Go
fuzzapi	Fuzzapi is a tool used for REST API pentesting and uses API_Fuzzer gem
kiterunner	Contextual Content Discovery Tool
MindAPI	Organize your API security assessment by using MindAPI
Astra	Automated Security Testing For REST API's
Automatic API Attack Tool	Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output
APICheck	The DevSecOps toolset for REST APIs
RESTler	RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services
SoapUI	SoapUI is a free and open source cross-platform functional testing solution for APIs and web services

Cheatsheets

Name	Description
REST Security Cheat Sheet	REST Security - OWASP Cheat Sheet Series
REST Assessment Cheat Sheet	REST Assessment - OWASP Cheat Sheet Series
OWASP API Security Top 10	42Crunch - OWASP API Security Top 10
GraphQL Cheat Sheet	GraphQL - OWASP Cheat Sheet Series
Microservices Security Cheat Sheet	Microservices - OWASP Security Cheat Sheet

Wiki's / Encyclopedias / GitBook's

Name	Description
API Security Encyclopedia	APIsecurity.io - API Security Encyclopedia
Web API Pentesting	HackTricks - Web API Pentesting

Checklist

Name	Description
API-Security-Checklist	Checklist of the most important security countermeasures when designing, testing, and releasing your API

Training / Labs

Name	Description
Kontra - OWASP Top 10 for API	Is a series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints.
Pentesting Lab: vAPI	vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable PHP Interface that mimics OWASP API Top 10 scenarios in the means of Exercises.

Enumeration / Scanning

Name	Description
Burp enumeration	Using Burp to Enumerate a REST API
ZAP scanning	Scanning APIs with ZAP
w3af scanning	Scan REST APIs with w3af

Fuzzing / SecLists

Name	Description
Common API endpoints	Wordlist for common API endpoints
List of API endpoints & objects	A list of 3203 common API endpoints and objects designed for fuzzing.
List of Swagger endpoints	Swagger endpoints
SecLists for API's web-content discovery	It is a collection of web content discovery lists for APIs used during security assessments.
GraphQL SecList	It's a GraphQL list used during security assessments, collected in one place.

Deliberately vulnerable APIs

Name	Description
crAPI	completely ridiculous API (crAPI)
VAmPI	Vulnerable REST API with OWASP top 10 vulnerabilities for APIs
dvws-node	Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn webservices/API vulnerabilities.
DamnVulnerableMicroServices	This is vulnerable microservice written in many language to demonstrating OWASP API Top Security Risk (under development)
Damn-Vulnerable-GraphQL-Application	Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.
Generic-University	Vulnerable API with Laravel App

Presentations / Videos

Name	Description
pentesting-rest-apis	Pentesting Rest API's by :- Gaurang Bhatnagar
Securing your APIs	“How Secure are you APIs?” - Securing your APIs: OWASP API Top 10 2019, Case Study and Demo
api-security-testing-for-hackers	API Security Testing For Hackers
bad-api-hapi-hackers	Bad API, hAPI Hackers!
disclosing-information-via-your-apis	Hidden in Plain Site: Disclosing Information via Your APIs
rest-in-peace-abusing-graphql	REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure

Playlists

Name	Description
Everything API Hacking	Katie Paxton-Fear, @InsiderPhD - videos collection + some other people creating a playlist of API hacking knowledge!

Podcasts

Podcast	Description
Hacking APIs	The Hacker Mind Podcast: Hacking APIs
Hack Your API-Security Testing	21: Troy Hunt: Hack Your API-Security Testing
The OWASP API Security Project	Erez Yalon — The OWASP API Security Project
Episode 38 API Security Best Practices	We Hack Purple Podcast Episode 38 API Security Best Practices

Projects

Project	Description
owasp api security project	OWASP API Security Project - API Security Top 10

Newsletters

Newsletter	Description
api security articles	API Security Articles - The Latest API Security News, Vulnerabilities & Best Practices

Other useful resources

Name	Description
How to design a REST API	How to design a REST API? - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc.
Awesome REST	A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this on-going list.
31 days of API Security Tips	This challenge is Inon Shkedy's 31 days API Security Tips.
API Security Guide	API Security: The Definitive Guide
API Penetration Testing	API Penetration Testing with OWASP 2017 Test Cases
How to Hack an API and Get Away with It	API Security Testing – How to Hack an API and Get Away with It (Part 1 of 3)
GraphQL penetration testing	How to exploit GraphQL endpoint: introspection, query, mutations & tools
SOAP Security Vulnerabilities and Prevention	SOAP Security: Top Vulnerabilities and How to Prevent Them
API and microservice security	A guide from PortSwigger: What is API and microservice security?
Strengthening Your API Security Posture	Strengthening Your API Security Posture – Ford Motor Company