跳转到主要内容

标签(标签)

资源精选(342) Go开发(108) Go语言(103) Go(99) angular(82) LLM(75) 大语言模型(63) 人工智能(53) 前端开发(50) LangChain(43) golang(43) 机器学习(39) Go工程师(38) Go程序员(38) Go开发者(36) React(33) Go基础(29) Python(24) Vue(22) Web开发(20) Web技术(19) 精选资源(19) 深度学习(19) Java(18) ChatGTP(17) Cookie(16) android(16) 前端框架(13) JavaScript(13) Next.js(12) 安卓(11) 聊天机器人(10) typescript(10) 资料精选(10) NLP(10) 第三方Cookie(9) Redwoodjs(9) LLMOps(9) Go语言中级开发(9) 自然语言处理(9) PostgreSQL(9) 区块链(9) mlops(9) 安全(9) 全栈开发(8) ChatGPT(8) OpenAI(8) Linux(8) AI(8) GraphQL(8) iOS(8) 软件架构(7) Go语言高级开发(7) AWS(7) C++(7) 数据科学(7) whisper(6) Prisma(6) 隐私保护(6) RAG(6) JSON(6) DevOps(6) 数据可视化(6) wasm(6) 计算机视觉(6) 算法(6) Rust(6) 微服务(6) 隐私沙盒(5) FedCM(5) 语音识别(5) Angular开发(5) 快速应用开发(5) 提示工程(5) Agent(5) LLaMA(5) 低代码开发(5) Go测试(5) gorm(5) REST API(5) 推荐系统(5) WebAssembly(5) GameDev(5) CMS(5) CSS(5) machine-learning(5) 机器人(5) 游戏开发(5) Blockchain(5) Web安全(5) Kotlin(5) 低代码平台(5) 机器学习资源(5) Go资源(5) Nodejs(5) PHP(5) Swift(5) 智能体(4) devin(4) Blitz(4) javascript框架(4) Redwood(4) GDPR(4) 生成式人工智能(4) Angular16(4) Alpaca(4) 编程语言(4) SAML(4) JWT(4) JSON处理(4) Go并发(4) kafka(4) 移动开发(4) 移动应用(4) security(4) 隐私(4) spring-boot(4) 物联网(4) nextjs(4) 网络安全(4) API(4) Ruby(4) 信息安全(4) flutter(4) 专家智能体(3) Chrome(3) CHIPS(3) 3PC(3) SSE(3) 人工智能软件工程师(3) LLM Agent(3) Remix(3) Ubuntu(3) GPT4All(3) 软件开发(3) 问答系统(3) 开发工具(3) 最佳实践(3) RxJS(3) SSR(3) Node.js(3) Dolly(3) 移动应用开发(3) 低代码(3) IAM(3) Web框架(3) CORS(3) 基准测试(3) Go语言数据库开发(3) Oauth2(3) 并发(3) 主题(3) Theme(3) earth(3) nginx(3) 软件工程(3) azure(3) keycloak(3) 生产力工具(3) gpt3(3) 工作流(3) C(3) jupyter(3) 认证(3) prometheus(3) GAN(3) Spring(3) 逆向工程(3) 应用安全(3) Docker(3) Django(3) R(3) .NET(3) 大数据(3) Hacking(3) 渗透测试(3) C++资源(3) Mac(3) 微信小程序(3) Python资源(3) JHipster(3) 大型语言模型(2) 语言模型(2) 可穿戴设备(2) JDK(2) SQL(2) Apache(2) Hashicorp Vault(2) Spring Cloud Vault(2) Go语言Web开发(2) Go测试工程师(2) WebSocket(2) 容器化(2) AES(2) 加密(2) 输入验证(2) ORM(2) Fiber(2) Postgres(2) Gorilla Mux(2) Go数据库开发(2) 模块(2) 泛型(2) 指针(2) HTTP(2) PostgreSQL开发(2) Vault(2) K8s(2) Spring boot(2) R语言(2) 深度学习资源(2) 半监督学习(2) semi-supervised-learning(2) architecture(2) 普罗米修斯(2) 嵌入模型(2) productivity(2) 编码(2) Qt(2) 前端(2) Rust语言(2) NeRF(2) 神经辐射场(2) 元宇宙(2) CPP(2) 数据分析(2) spark(2) 流处理(2) Ionic(2) 人体姿势估计(2) human-pose-estimation(2) 视频处理(2) deep-learning(2) kotlin语言(2) kotlin开发(2) burp(2) Chatbot(2) npm(2) quantum(2) OCR(2) 游戏(2) game(2) 内容管理系统(2) MySQL(2) python-books(2) pentest(2) opengl(2) IDE(2) 漏洞赏金(2) Web(2) 知识图谱(2) PyTorch(2) 数据库(2) reverse-engineering(2) 数据工程(2) swift开发(2) rest(2) robotics(2) ios-animation(2) 知识蒸馏(2) 安卓开发(2) nestjs(2) solidity(2) 爬虫(2) 面试(2) 容器(2) C++精选(2) 人工智能资源(2) Machine Learning(2) 备忘单(2) 编程书籍(2) angular资源(2) 速查表(2) cheatsheets(2) SecOps(2) mlops资源(2) R资源(2) DDD(2) 架构设计模式(2) 量化(2) Hacking资源(2) 强化学习(2) flask(2) 设计(2) 性能(2) Sysadmin(2) 系统管理员(2) Java资源(2) 机器学习精选(2) android资源(2) android-UI(2) Mac资源(2) iOS资源(2) Vue资源(2) flutter资源(2) JavaScript精选(2) JavaScript资源(2) Rust开发(2) deeplearning(2) RAD(2)

A collection of awesome API Security tools and resources.

About • API Keys: Find and validate • Books • Cheatsheets • Checklist • Conferences •
Deliberately vulnerable APIs • Design, Architecture, Development • Encyclopedias, Projects, Wikis and GitBooks •
Enumeration, Scanning and exploration steps • Firewalls • Fuzzing, SecLists, Wordlists • HTTP 101 • Mind maps •
Newsletters • Other resources • Playlists • Podcasts • Presentations, Videos • Projects •
Security APIs • Specifications • Tools • Training, Walkthrough, Labs • Twitter •
• Contributions •


About

The awesome-api-security (aka awesome-apisec) repository is collection of awesome API Security tools and resources.
The focus goes to open-source tools and resources that benefit all the community.

Please read the contributions section before opening a pull request.

API Keys: Find and validate

Name Description
API Guesser Simple website to guess API Key / OAuth Token by Muhammad Daffa
API Key Leaks: Tools and exploits An API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave it on public shares.
Key-Checker Go scripts for checking API key / access token validity.
Keyhacks Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.
Private key usage verification Driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.

Books

Author Publisher Name Description
Neil Madden Manning API Security in Action API Security in Action teaches you how to create secure APIs for any situation.
Corey Ball No starch press Hacking APIs Breaking Web Application Programming Interfaces.
Justing Richer and Antonio Sanso Manning Understanding API Security Several chapters from several Manning books that give you some context for how API security works in the real world.
Emily Freeman Data Theorem Special Edition API Security for dummies This book is a high-level introduction to the key concepts of API security and DevSecOps.

Cheatsheets

Name Description
GraphQL Cheat Sheet GraphQL - OWASP Cheat Sheet Series
JSON Web Token Security Cheat Sheet PentesterLab - JSON Web Token Security Cheat Sheet
Injection Prevention Cheat Sheet Injection - OWASP Cheat Sheet Series
Microservices Security Cheat Sheet Microservices - OWASP Security Cheat Sheet
OWASP API Security Top 10 42Crunch - OWASP API Security Top 10
REST Assessment Cheat Sheet REST Assessment - OWASP Cheat Sheet Series
REST Security Cheat Sheet REST Security - OWASP Cheat Sheet Series

Checklist

Author Name Description
Shieldfy API-Security-Checklist Checklist of the most important security countermeasures when designing, testing, and releasing your API.
Inon Shkedy 31 days of API Security Tips This challenge is Inon Shkedy's 31 days API Security Tips.
APIOps Cycles API audit checklist API Audit checklist.
HolyBugx another API Security checklist HolyTips: API security checklist
Latish Danawale API Testing Checklist API Testing Checklist.
Binary Brotherhood OAuth2: Security checklist OAuth 2.0 Threat Model Pentesting Checklist
API Mike, @api_sec API penetration testing checklist Common steps to include in any API penetration testing process.
LeapGraph GraphQL API - The Complete Vulnerability Checklist How to Secure a GraphQL API - The Complete Vulnerability Checklist
Apollo GraphQL API — GraphQL Security Checklist 9 Ways To Secure your GraphQL API — GraphQL Security Checklist

Conferences

Name Description
APIsecure The world's first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security.

Deliberately vulnerable APIs

Name Description
APISandbox Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose.
crAPI completely ridiculous API (crAPI)
Damn-Vulnerable-GraphQL-Application Damn Vulnerable GraphQL Application is intentionally vulnerable implementation of Facebook's GraphQL technology to learn and practice GraphQL Security.
DamnVulnerableMicroServices This is a vulnerable microservice written in many languages to demonstrating OWASP API Top Security Risk (under development)
dvws-node Damn Vulnerable Web Service is a vulnerable web service/API/application that we can use to learn webservices/API vulnerabilities.
Generic-University Vulnerable API with Laravel App
Pixi The Pixi module is a MEAN Stack web app with wildly insecure APIs!
REST API Goat This is a "Goat" project so you can get familiar with REST API testing.
VAmPI Vulnerable REST API with OWASP top 10 vulnerabilities for APIs
vAPI vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.
vulnerable-graphql-api A very vulnerable implementation of a GraphQL API.
Websheep Websheep is an app based on a willingly vulnerable ReSTful APIs.

Design, Architecture, Development

Name Description
The API Specification Toolbox This Toolbox goal is to try and map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements.
Understanding gRPC, OpenAPI and REST gRPC vs REST: Understanding gRPC, OpenAPI and REST and when to use them in API design
API security design best practices API security design best practices for enterprise and public cloud.
REST API Design Guide This design guide or style guide contains best practices suitable for most REST APIs.
How to design a REST API How to design a REST API? - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc.
Awesome REST A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list.
Collect API Requirements Collecting Requirements for your API with APIOps Cycles.
API Audit API Audit is a method to ensure APIs are matching the API Design guidelines. It also helps check for usability, security and API management platform compatibility.

Encyclopedias, Projects, Wikis and GitBooks

Name Description
APIs Pentest Book six2dez - APIs Pentest Book
API Security Empire The API Security Empire Project aims to present unique attack & defense methods in the API Security field
API Security Encyclopedia APIsecurity.io - API Security Encyclopedia
Web API Pentesting HackTricks - Web API Pentesting
GraphQL HackTricks - GraphQL

Enumeration, Scanning and exploration steps

Name Description
Burp API enumeration Using Burp to Enumerate a REST API
ZAP scanning Scanning APIs with ZAP
ZAP exploring Exploring APIs with ZAP
w3af scanning Scan REST APIs with w3af

Firewalls

Name Description
Wallarm Free API Firewall Fast and light-weight API proxy firewall for request and response validation by OpenAPI specs.

Fuzzing, SecLists, Wordlists

Name Description
API Common methods API Common methods provided by fuzzdb.
API names wordlist A wordlist of API names for web application assessments
API Routes Wordlists API Routes - Automated Wordlists provided by Assetnote
Common API endpoints Wordlist for common API endpoints.
Filenames by fuzz.txt Potentially dangerous files
Fuzzing APIs Fuzzing APIs chapter from "The Fuzzing Book".
GraphQL SecList It's a GraphQL list used during security assessments, collected in one place.
Hacking-APIs Wordlists and API paths by @hapi_hacker
Kiterunner Wordlists Kiterunner Wordlists provided by Assetnote
List of API endpoints & objects A list of 3203 common API endpoints and objects designed for fuzzing.
List of Swagger endpoints Swagger endpoints
SecLists for API's web-content discovery It is a collection of web content discovery lists for APIs used during security assessments.

HTTP 101

Name Description
Know your HTTP Headers! HTTP Headers: a simplified and comprehensive table.
Know your HTTP Methods! HTTP Methods: a simplified and comprehensive table.
Know your HTTP Status codes! HTTP Status codes: a simplified and comprehensive table.
HTTP Status Codes httpstatuses.com is an easy to reference database of HTTP Status Codes with their definitions and helpful code references all in one place.
Know your HTTP * Well HTTP headers, media-types, methods, relations and status codes, all summarized and linking to their specification.

Mind maps

Author Name Description
David Sopas MindAPI Organize your API security assessment by using MindAPI
Mufaddal Masalawala IDOR Techniques Mind map: IDOR Techniques
Harsh Bothra XML attacks Mind map: XML attacks
Cypro AB API Pentesting - Recon Mind map: API Pentesting - Recon
Cypro AB API Pentesting - ATTACK Mind map: API Pentesting - ATTACK
Cypro AB GraphQL Attacking Mind map: GraphQL Attacking

Newsletters

Author Name Description
42Crunch api security articles API Security Articles - The Latest API Security News, Vulnerabilities & Best Practices.

Other resources

Name Author Description
API Security best practices guide Expedited Security API Security Best Practices MegaGuide
API Security: The Complete Guide Bright Security API Security, The Complete Guide
API Penetration Testing SecureLayer7 API Penetration Testing with OWASP 2017 Test Cases.
API Penetration Testing Report UnderDefense Anonymised API Penetration Testing Report - vendor sample template
API Pentesting with Swagger Files RhinoSecurityLabs Simplifying API Pentesting With Swagger Files.
API security articles Char49 API security articles.
API Security Testing Spherical Defence Principles of API Security Testing and how to perform a Security Test on an API.
Finding and Exploiting Web App APIs Bend Theory Finding and Exploiting Unintended Functionality in Main Web App APIs
How to Hack an API and Get Away with It SmartBear How to Hack an API and Get Away with It (Part 1 of 3).
How to Hack APIs in 2021 Detectify How to Hack APIs in 2021
How to Hack API in 60 minutes with Open Source Tools Wallarm How to Hack API in 60 minutes with Open Source Tools
GraphQL penetration testing YesWeHAck How to exploit GraphQL endpoint: introspection, query, mutations & tools.
Fixing the 13 most common GraphQL Vulnerabilities WunderGraph GraphQL Security Guide, Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready.
Hacking APIs - Notes from Bug Bounty Bootcamp Aakash Choudhary My Notes on Hacking APIs from Bug Bounty Bootcamp.
SOAP Security Vulnerabilities and Prevention NeuraLegion SOAP Security, Top Vulnerabilities and How to Prevent Them.
API and microservice security PortSwigger What are API and microservice security?
Strengthening Your API Security Posture 42Crunch Strengthening Your API Security Posture – Ford Motor Company.
The Fault in Our Stars Tenchi Security Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion.

Playlists

Name Description
Everything API Hacking A video collection from Katie Paxton-Fear, @InsiderPhD, and other people creating a playlist of API hacking knowledge!
API hacking API hacking videos from @theXSSrat

Podcasts

Name Description
Hacking APIs The Hacker Mind Podcast: Hacking APIs
Hack Your API-Security Testing 21: Troy Hunt: Hack Your API-Security Testing.
The OWASP API Security Project Erez Yalon — The OWASP API Security Project
Episode 38 API Security Best Practices We Hack Purple Podcast Episode 38 API Security Best Practices.

Presentations, Videos

Name Description
pentesting-rest-apis Pentesting Rest API's by Gaurang Bhatnagar
Securing your APIs "How Secure are you APIs?" - Securing your APIs: OWASP API Top 10 2019, Case Study and Demo.
api-security-testing-for-hackers API Security Testing For Hackers
bad-api-hapi-hackers Bad API, hAPI Hackers!
disclosing-information-via-your-apis Hidden in Plain Site: Disclosing Information via Your APIs.
rest-in-peace-abusing-graphql REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure.

Projects

Name Description
owasp api security project OWASP API Security Project - API Security Top 10

Security APIs

Name Description
awesome-security-apis A collective list of public JSON APIs for use in security.

Specifications

Name Description
AscyncAPI AsyncAPI Specification
OpenAPI OpenAPI Specification
JSON API JSON API Specification
GraphQL GraphQL Specification
RAML RAML Specification

Tools

Name Description
   
GraphQL  
BatchQL GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations.
clairvoyance Obtain GraphQL API schema despite disabled introspection!
InQL InQL - A Burp Extension for GraphQL Security Testing.
GraphQLmap GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.
graphql-path-enum Tool that lists the different ways of reaching a given type in a GraphQL schema.
graphql-playground GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration)
graphql-threat-matrix GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations.
graphw00f graphw00f is GraphQL Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.
   
REST APIs  
APICheck The DevSecOps toolset for REST APIs.
APIClarity Reconstruct Open API Specifications from real-time workload traffic seamlessly.
APIFuzzer Fuzz test your application using your OpenAPI or Swagger API definition without coding.
APIKit APIKit:Discovery, Scan and Audit APIs Toolkit All In One.
Arjun HTTP parameter discovery suite.
Astra Automated Security Testing For REST API's.
Automatic API Attack Tool Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.
CATS CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints.
Cherrybomb Stop half-done API specifications with a CLI tool that helps you avoid undefined user behaviour by validating your API specifications.
ffuf Fast web fuzzer written in Go.
fuzzapi Fuzzapi is a tool used for REST API pentesting anTnT-Fuzzerd uses API_Fuzzer gem.
gotestwaf An open-source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses
kiterunner Contextual Content Discovery Tool.
mitmproxy2swagger Automagically reverse-engineer REST APIs via capturing traffic
RESTler RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
Swagger-EZ A tool geared towards pentesting APIs using OpenAPI definitions.
TnT-Fuzzer OpenAPI 2.0 (Swagger) fuzzer written in python. Basically TnT for your API.
wadl-dumper Dump all available paths and/or endpoints on WADL file.
fuzz-lightyear A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing.
   
SOAP  
Wsdler WSDL Parser extension for Burp.
wsdl-wizard WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files.
   
Others  
SoapUI SoapUI is a free and open-source cross-platform functional testing solution for APIs and web services.
unfurl Pull out bits of URLs provided on stdin

Training, Walkthrough, Labs

Author Name Description
Kontra OWASP Top 10 for API Is a series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints.
Tushar Kulkarni vAPI vAPI is Vulnerable Adversely Programmed Interface, Self-Hostable PHP Interface that mimics OWASP API Top 10 scenarios in the means of Exercises.
Grant Ongers API top 10 walkthrough OWASP API Top 10 CTF Walk-through.
ShipFast Practical API Security Walkthrough Learn practical Mobile and API security techniques: API Key, Static and Dynamic HMAC, Dynamic Certificate Pinning, and Mobile App Attestation.
Pentester Academy API security, REST Labs Pentester Academy - attack & defense
Hacker101 GraphQL challenges GraphQL Week on The Hacker101 Capture the Flag Challenges
OWASP-SKF GraphQL Labs GraphQL Labs on the OWASP Security Knowledge Framework
Wesley Thijs Let's build an API to hack API Hacking Excercises by @TheXSSrat

原因:https://github.com/arainho/awesome-api-security