A collection of awesome API Security tools and resources.

## Tools

### GraphQL

| Name | Description |
| --- | --- |
| BatchQL | GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations. |
| InQL | InQL - A Burp Extension for GraphQL Security Testing. |
| GraphQLmap | GraphQLmap is a scripting engine to interact with a GraphQL endpoint for pentesting purposes. |
| graphql-path-enum | Tool that lists the different ways of reaching a given type in a GraphQL schema. |

### REST APIs

| Name | Description |
| --- | --- |
| APICheck | The DevSecOps toolset for REST APIs. |
| APIFuzzer | Fuzz test your application using your OpenAPI or Swagger API definition without coding. |
| Arjun | HTTP parameter discovery suite. |
| Astra | Automated Security Testing For REST APIs. |
| Automatic API Attack Tool | Imperva's customizable API attack tool takes an API specification as input, then generates and runs attacks based on it. |
| ffuf | Fast web fuzzer written in Go. |
| fuzzapi | Fuzzapi is a tool used for REST API pentesting and uses the API_Fuzzer gem. |
| kiterunner | Contextual Content Discovery Tool. |
| RESTler | RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. |
| Swagger-EZ | A tool geared towards pentesting APIs using OpenAPI definitions. |
| TnT-Fuzzer | OpenAPI 2.0 (Swagger) fuzzer written in Python. Basically TnT for your API. |
| wadl-dumper | Dump all available paths and/or endpoints from a WADL file. |

### SOAP

| Name | Description |
| --- | --- |
| Wsdler | WSDL Parser extension for Burp. |
| wsdl-wizard | WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files. |

### Others

| Name | Description |
| --- | --- |
| SoapUI | SoapUI is a free and open-source cross-platform functional testing solution for APIs and web services. |
## Wikis / Encyclopedias / GitBooks
## Training / Walkthrough / Labs

| Name | Description |
| --- | --- |
| Kontra - OWASP Top 10 for API | A series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints. |
| Pentesting Lab: vAPI | vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable PHP interface that mimics OWASP API Top 10 scenarios in the form of exercises. |
| ShipFast - Practical API Security Walkthrough | Learn practical Mobile and API security techniques: API Key, Static and Dynamic HMAC, Dynamic Certificate Pinning, and Mobile App Attestation. |
## API Keys: Find & validate

| Name | Description |
| --- | --- |
| Key-Checker | Go scripts for checking API key / access token validity. |
| Keyhacks | Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. |
| API Key Leaks: Tools and exploits | An API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave them on public shares. |
## Deliberately vulnerable APIs

| Name | Description |
| --- | --- |
| crAPI | completely ridiculous API (crAPI) |
| VAmPI | Vulnerable REST API with OWASP Top 10 vulnerabilities for APIs. |
| dvws-node | Damn Vulnerable Web Service is a vulnerable web service/API/application that we can use to learn web service/API vulnerabilities. |
| DamnVulnerableMicroServices | This is a vulnerable microservice written in many languages to demonstrate the OWASP API Top Security Risks (under development). |
| Damn-Vulnerable-GraphQL-Application | Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology to learn and practice GraphQL Security. |
| Generic-University | Vulnerable API with Laravel App |
| Name | Description |
| --- | --- |
| Everything API Hacking | A video collection from Katie Paxton-Fear, @InsiderPhD, and other people creating a playlist of API hacking knowledge! |
| Author | Name | Description |
| --- | --- | --- |
| 42Crunch | api security articles | API Security Articles - The Latest API Security News, Vulnerabilities & Best Practices. |
## Twitter

| Author | Name | Description |
| --- | --- | --- |
| 42Crunch | @apisecurityio | API security news, standards, vulnerabilities, tools. |
## Design / Architecture / Development

| Name | Description |
| --- | --- |
| REST API Design Guide | This design guide or style guide contains best practices suitable for most REST APIs. |
| How to design a REST API | How to design a REST API? - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc. |
| Awesome REST | A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list. |
| Collect API Requirements | Collecting Requirements for your API with APIOps Cycles. |
| API Audit | API Audit is a method to ensure APIs are matching the API Design guidelines. It also helps check for usability, security and API management platform compatibility. |