A collection of awesome API Security tools and resources.
About • API Keys: Find and validate • Books • Cheatsheets • Checklist • Conferences •
Deliberately vulnerable APIs • Design, Architecture, Development • Encyclopedias, Projects, Wikis and GitBooks •
Enumeration, Scanning and exploration steps • Firewalls • Fuzzing, SecLists, Wordlists • HTTP 101 • Mind maps •
Newsletters • Other resources • Playlists • Podcasts • Presentations, Videos • Projects •
Security APIs • Specifications • Tools • Training, Walkthrough, Labs • Twitter •
• Contributions •
About
The awesome-api-security (aka awesome-apisec) repository is collection of awesome API Security tools and resources.
The focus goes to open-source tools and resources that benefit all the community.
Please read the contributions section before opening a pull request.
API Keys: Find and validate
Name | Description |
---|---|
API Guesser | Simple website to guess API Key / OAuth Token by Muhammad Daffa |
API Key Leaks: Tools and exploits | An API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave it on public shares. |
Key-Checker | Go scripts for checking API key / access token validity. |
Keyhacks | Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. |
Private key usage verification | Driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user. |
Books
Author | Publisher | Name | Description |
---|---|---|---|
Neil Madden | Manning | API Security in Action | API Security in Action teaches you how to create secure APIs for any situation. |
Corey Ball | No starch press | Hacking APIs | Breaking Web Application Programming Interfaces. |
Justing Richer and Antonio Sanso | Manning | Understanding API Security | Several chapters from several Manning books that give you some context for how API security works in the real world. |
Emily Freeman | Data Theorem Special Edition | API Security for dummies | This book is a high-level introduction to the key concepts of API security and DevSecOps. |
Cheatsheets
Name | Description |
---|---|
GraphQL Cheat Sheet | GraphQL - OWASP Cheat Sheet Series |
JSON Web Token Security Cheat Sheet | PentesterLab - JSON Web Token Security Cheat Sheet |
Injection Prevention Cheat Sheet | Injection - OWASP Cheat Sheet Series |
Microservices Security Cheat Sheet | Microservices - OWASP Security Cheat Sheet |
OWASP API Security Top 10 | 42Crunch - OWASP API Security Top 10 |
REST Assessment Cheat Sheet | REST Assessment - OWASP Cheat Sheet Series |
REST Security Cheat Sheet | REST Security - OWASP Cheat Sheet Series |
Checklist
Author | Name | Description |
---|---|---|
Shieldfy | API-Security-Checklist | Checklist of the most important security countermeasures when designing, testing, and releasing your API. |
Inon Shkedy | 31 days of API Security Tips | This challenge is Inon Shkedy's 31 days API Security Tips. |
APIOps Cycles | API audit checklist | API Audit checklist. |
HolyBugx | another API Security checklist | HolyTips: API security checklist |
Latish Danawale | API Testing Checklist | API Testing Checklist. |
Binary Brotherhood | OAuth2: Security checklist | OAuth 2.0 Threat Model Pentesting Checklist |
API Mike, @api_sec | API penetration testing checklist | Common steps to include in any API penetration testing process. |
LeapGraph | GraphQL API - The Complete Vulnerability Checklist | How to Secure a GraphQL API - The Complete Vulnerability Checklist |
Apollo | GraphQL API — GraphQL Security Checklist | 9 Ways To Secure your GraphQL API — GraphQL Security Checklist |
Conferences
Name | Description |
---|---|
APIsecure | The world's first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security. |
Deliberately vulnerable APIs
Name | Description |
---|---|
APISandbox | Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose. |
crAPI | completely ridiculous API (crAPI) |
Damn-Vulnerable-GraphQL-Application | Damn Vulnerable GraphQL Application is intentionally vulnerable implementation of Facebook's GraphQL technology to learn and practice GraphQL Security. |
DamnVulnerableMicroServices | This is a vulnerable microservice written in many languages to demonstrating OWASP API Top Security Risk (under development) |
dvws-node | Damn Vulnerable Web Service is a vulnerable web service/API/application that we can use to learn webservices/API vulnerabilities. |
Generic-University | Vulnerable API with Laravel App |
Pixi | The Pixi module is a MEAN Stack web app with wildly insecure APIs! |
REST API Goat | This is a "Goat" project so you can get familiar with REST API testing. |
VAmPI | Vulnerable REST API with OWASP top 10 vulnerabilities for APIs |
vAPI | vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises. |
vulnerable-graphql-api | A very vulnerable implementation of a GraphQL API. |
Websheep | Websheep is an app based on a willingly vulnerable ReSTful APIs. |
Design, Architecture, Development
Name | Description |
---|---|
The API Specification Toolbox | This Toolbox goal is to try and map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements. |
Understanding gRPC, OpenAPI and REST | gRPC vs REST: Understanding gRPC, OpenAPI and REST and when to use them in API design |
API security design best practices | API security design best practices for enterprise and public cloud. |
REST API Design Guide | This design guide or style guide contains best practices suitable for most REST APIs. |
How to design a REST API | How to design a REST API? - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc. |
Awesome REST | A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list. |
Collect API Requirements | Collecting Requirements for your API with APIOps Cycles. |
API Audit | API Audit is a method to ensure APIs are matching the API Design guidelines. It also helps check for usability, security and API management platform compatibility. |
Encyclopedias, Projects, Wikis and GitBooks
Name | Description |
---|---|
APIs Pentest Book | six2dez - APIs Pentest Book |
API Security Empire | The API Security Empire Project aims to present unique attack & defense methods in the API Security field |
API Security Encyclopedia | APIsecurity.io - API Security Encyclopedia |
Web API Pentesting | HackTricks - Web API Pentesting |
GraphQL | HackTricks - GraphQL |
Enumeration, Scanning and exploration steps
Name | Description |
---|---|
Burp API enumeration | Using Burp to Enumerate a REST API |
ZAP scanning | Scanning APIs with ZAP |
ZAP exploring | Exploring APIs with ZAP |
w3af scanning | Scan REST APIs with w3af |
Firewalls
Name | Description |
---|---|
Wallarm Free API Firewall | Fast and light-weight API proxy firewall for request and response validation by OpenAPI specs. |
Fuzzing, SecLists, Wordlists
Name | Description |
---|---|
API Common methods | API Common methods provided by fuzzdb. |
API names wordlist | A wordlist of API names for web application assessments |
API Routes Wordlists | API Routes - Automated Wordlists provided by Assetnote |
Common API endpoints | Wordlist for common API endpoints. |
Filenames by fuzz.txt | Potentially dangerous files |
Fuzzing APIs | Fuzzing APIs chapter from "The Fuzzing Book". |
GraphQL SecList | It's a GraphQL list used during security assessments, collected in one place. |
Hacking-APIs | Wordlists and API paths by @hapi_hacker |
Kiterunner Wordlists | Kiterunner Wordlists provided by Assetnote |
List of API endpoints & objects | A list of 3203 common API endpoints and objects designed for fuzzing. |
List of Swagger endpoints | Swagger endpoints |
SecLists for API's web-content discovery | It is a collection of web content discovery lists for APIs used during security assessments. |
HTTP 101
Name | Description |
---|---|
Know your HTTP Headers! | HTTP Headers: a simplified and comprehensive table. |
Know your HTTP Methods! | HTTP Methods: a simplified and comprehensive table. |
Know your HTTP Status codes! | HTTP Status codes: a simplified and comprehensive table. |
HTTP Status Codes | httpstatuses.com is an easy to reference database of HTTP Status Codes with their definitions and helpful code references all in one place. |
Know your HTTP * Well | HTTP headers, media-types, methods, relations and status codes, all summarized and linking to their specification. |
Mind maps
Author | Name | Description |
---|---|---|
David Sopas | MindAPI | Organize your API security assessment by using MindAPI |
Mufaddal Masalawala | IDOR Techniques | Mind map: IDOR Techniques |
Harsh Bothra | XML attacks | Mind map: XML attacks |
Cypro AB | API Pentesting - Recon | Mind map: API Pentesting - Recon |
Cypro AB | API Pentesting - ATTACK | Mind map: API Pentesting - ATTACK |
Cypro AB | GraphQL Attacking | Mind map: GraphQL Attacking |
Newsletters
Author | Name | Description |
---|---|---|
42Crunch | api security articles | API Security Articles - The Latest API Security News, Vulnerabilities & Best Practices. |
Other resources
Name | Author | Description |
---|---|---|
API Security best practices guide | Expedited Security | API Security Best Practices MegaGuide |
API Security: The Complete Guide | Bright Security | API Security, The Complete Guide |
API Penetration Testing | SecureLayer7 | API Penetration Testing with OWASP 2017 Test Cases. |
API Penetration Testing Report | UnderDefense | Anonymised API Penetration Testing Report - vendor sample template |
API Pentesting with Swagger Files | RhinoSecurityLabs | Simplifying API Pentesting With Swagger Files. |
API security articles | Char49 | API security articles. |
API Security Testing | Spherical Defence | Principles of API Security Testing and how to perform a Security Test on an API. |
Finding and Exploiting Web App APIs | Bend Theory | Finding and Exploiting Unintended Functionality in Main Web App APIs |
How to Hack an API and Get Away with It | SmartBear | How to Hack an API and Get Away with It (Part 1 of 3). |
How to Hack APIs in 2021 | Detectify | How to Hack APIs in 2021 |
How to Hack API in 60 minutes with Open Source Tools | Wallarm | How to Hack API in 60 minutes with Open Source Tools |
GraphQL penetration testing | YesWeHAck | How to exploit GraphQL endpoint: introspection, query, mutations & tools. |
Fixing the 13 most common GraphQL Vulnerabilities | WunderGraph | GraphQL Security Guide, Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready. |
Hacking APIs - Notes from Bug Bounty Bootcamp | Aakash Choudhary | My Notes on Hacking APIs from Bug Bounty Bootcamp. |
SOAP Security Vulnerabilities and Prevention | NeuraLegion | SOAP Security, Top Vulnerabilities and How to Prevent Them. |
API and microservice security | PortSwigger | What are API and microservice security? |
Strengthening Your API Security Posture | 42Crunch | Strengthening Your API Security Posture – Ford Motor Company. |
The Fault in Our Stars | Tenchi Security | Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion. |
Playlists
Name | Description |
---|---|
Everything API Hacking | A video collection from Katie Paxton-Fear, @InsiderPhD, and other people creating a playlist of API hacking knowledge! |
API hacking | API hacking videos from @theXSSrat |
Podcasts
Name | Description |
---|---|
Hacking APIs | The Hacker Mind Podcast: Hacking APIs |
Hack Your API-Security Testing | 21: Troy Hunt: Hack Your API-Security Testing. |
The OWASP API Security Project | Erez Yalon — The OWASP API Security Project |
Episode 38 API Security Best Practices | We Hack Purple Podcast Episode 38 API Security Best Practices. |
Presentations, Videos
Name | Description |
---|---|
pentesting-rest-apis | Pentesting Rest API's by Gaurang Bhatnagar |
Securing your APIs | "How Secure are you APIs?" - Securing your APIs: OWASP API Top 10 2019, Case Study and Demo. |
api-security-testing-for-hackers | API Security Testing For Hackers |
bad-api-hapi-hackers | Bad API, hAPI Hackers! |
disclosing-information-via-your-apis | Hidden in Plain Site: Disclosing Information via Your APIs. |
rest-in-peace-abusing-graphql | REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure. |
Projects
Name | Description |
---|---|
owasp api security project | OWASP API Security Project - API Security Top 10 |
Security APIs
Name | Description |
---|---|
awesome-security-apis | A collective list of public JSON APIs for use in security. |
Specifications
Name | Description |
---|---|
AscyncAPI | AsyncAPI Specification |
OpenAPI | OpenAPI Specification |
JSON API | JSON API Specification |
GraphQL | GraphQL Specification |
RAML | RAML Specification |
Tools
Name | Description |
---|---|
GraphQL | |
BatchQL | GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations. |
clairvoyance | Obtain GraphQL API schema despite disabled introspection! |
InQL | InQL - A Burp Extension for GraphQL Security Testing. |
GraphQLmap | GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. |
graphql-path-enum | Tool that lists the different ways of reaching a given type in a GraphQL schema. |
graphql-playground | GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration) |
graphql-threat-matrix | GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations. |
graphw00f | graphw00f is GraphQL Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint. |
REST APIs | |
APICheck | The DevSecOps toolset for REST APIs. |
APIClarity | Reconstruct Open API Specifications from real-time workload traffic seamlessly. |
APIFuzzer | Fuzz test your application using your OpenAPI or Swagger API definition without coding. |
APIKit | APIKit:Discovery, Scan and Audit APIs Toolkit All In One. |
Arjun | HTTP parameter discovery suite. |
Astra | Automated Security Testing For REST API's. |
Automatic API Attack Tool | Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output. |
CATS | CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. |
Cherrybomb | Stop half-done API specifications with a CLI tool that helps you avoid undefined user behaviour by validating your API specifications. |
ffuf | Fast web fuzzer written in Go. |
fuzzapi | Fuzzapi is a tool used for REST API pentesting anTnT-Fuzzerd uses API_Fuzzer gem. |
gotestwaf | An open-source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses |
kiterunner | Contextual Content Discovery Tool. |
mitmproxy2swagger | Automagically reverse-engineer REST APIs via capturing traffic |
RESTler | RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. |
Swagger-EZ | A tool geared towards pentesting APIs using OpenAPI definitions. |
TnT-Fuzzer | OpenAPI 2.0 (Swagger) fuzzer written in python. Basically TnT for your API. |
wadl-dumper | Dump all available paths and/or endpoints on WADL file. |
fuzz-lightyear | A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing. |
SOAP | |
Wsdler | WSDL Parser extension for Burp. |
wsdl-wizard | WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files. |
Others | |
SoapUI | SoapUI is a free and open-source cross-platform functional testing solution for APIs and web services. |
unfurl | Pull out bits of URLs provided on stdin |
Training, Walkthrough, Labs
Author | Name | Description |
---|---|---|
Kontra | OWASP Top 10 for API | Is a series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints. |
Tushar Kulkarni | vAPI | vAPI is Vulnerable Adversely Programmed Interface, Self-Hostable PHP Interface that mimics OWASP API Top 10 scenarios in the means of Exercises. |
Grant Ongers | API top 10 walkthrough | OWASP API Top 10 CTF Walk-through. |
ShipFast | Practical API Security Walkthrough | Learn practical Mobile and API security techniques: API Key, Static and Dynamic HMAC, Dynamic Certificate Pinning, and Mobile App Attestation. |
Pentester Academy | API security, REST Labs | Pentester Academy - attack & defense |
Hacker101 | GraphQL challenges | GraphQL Week on The Hacker101 Capture the Flag Challenges |
OWASP-SKF | GraphQL Labs | GraphQL Labs on the OWASP Security Knowledge Framework |
Wesley Thijs | Let's build an API to hack | API Hacking Excercises by @TheXSSrat |
原因:https://github.com/arainho/awesome-api-security
- 登录 发表评论