awesome-apisec

<h4 align="center">A collection of awesome API Security tools and resources.</h4> <p align="center"> <a href="#about">About</a> • <a href="#api-keys-find-and-validate">API Keys: Find and validate</a> • <a href="#books">Books</a> • <a href="#cheatsheets">Cheatsheets</a> • <a href="#checklist">Checklist</a> • <a href="#conferences">Conferences</a> • <br> <a href="#deliberately-vulnerable-apis">Deliberately vulnerable APIs</a> • <a href="#design-architecture-development">Design, Architecture, Development</a> • <a href="#encyclopedias-projects-wikis-and-gitbooks">Encyclopedias, Projects, Wikis and GitBooks</a> • <br> <a href="#enumeration-scanning-and-exploration-steps">Enumeration, Scanning and exploration steps</a> • <a href="#firewalls">Firewalls</a> • <a href="#fuzzing-seclists-wordlists">Fuzzing, SecLists, Wordlists</a> • <a href="#http-101">HTTP 101</a> • <a href="#mind-maps">Mind maps</a> • <br> <a href="#newsletters">Newsletters</a> • <a href="#other-resources">Other resources</a> • <a href="#playlists">Playlists</a> • <a href="#podcasts">Podcasts</a> • <a href="#presentations-videos">Presentations, Videos</a> • <a href="#projects">Projects</a> • <br> <a href="#security-apis">Security APIs</a> • <a href="#specifications">Specifications</a> • <a href="#tools">Tools</a> • <a href="#training-workshops-labs">Training, Workshops, Labs</a> • <a href="#twitter">Twitter</a> • <br> <a href="#contributions">Contributions</a> </p>

About

The awesome-api-security (aka awesome-apisec) repository is a collection of awesome API Security tools and resources.
The focus is on open-source tools and resources that benefit the whole community.

Please read the <a href="#contributions">contributions</a> section before opening a pull request.

API Keys: Find and validate

| Name | Description |
| --- | --- |
| API Guesser | Simple website to guess API Key / OAuth Token by Muhammad Daffa |
| API Key Leaks: Tools and exploits | An API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave them on public shares. |
| Key-Checker | Go scripts for checking API key / access token validity. |
| Keyhacks | Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. |
| Private key usage verification | Driftwood is a tool that can enable you to look up whether a private key is used for things like TLS or as a GitHub SSH key for a user. |
| Mantra | A tool used to hunt down API key leaks in JS files and pages |

Books

| Author | Publisher | Name | Description |
| --- | --- | --- | --- |
| Colin Domoney | Packt Publishing | Defending APIs | Focused on helping developers produce secure APIs |
| Confidence Staveley | Packt Publishing | API Security for White Hat Hackers | Uncover offensive defense strategies and get up to speed with secure API implementation |
| Corey Ball | No Starch Press | Hacking APIs | Breaking Web Application Programming Interfaces. |
| Dolev Farhi and Nick Aleks | No Starch Press | Black Hat GraphQL | Black Hat GraphQL. |
| Emily Freeman | Data Theorem Special Edition | API Security for dummies | This book is a high-level introduction to the key concepts of API security and DevSecOps. |
| Justin Richer and Antonio Sanso | Manning | Understanding API Security | Several chapters from several Manning books that give you some context for how API security works in the real world. |
| Neil Madden | Manning | API Security in Action | API Security in Action teaches you how to create secure APIs for any situation. |

Cheatsheets

| Name | Description |
| --- | --- |
| GraphQL Cheat Sheet | GraphQL - OWASP Cheat Sheet Series |
| JSON Web Token Security Cheat Sheet | PentesterLab - JSON Web Token Security Cheat Sheet |
| Injection Prevention Cheat Sheet | Injection - OWASP Cheat Sheet Series |
| Microservices Security Cheat Sheet | Microservices - OWASP Security Cheat Sheet |
| OWASP API Security Top 10 | 42Crunch - OWASP API Security Top 10 |
| REST Assessment Cheat Sheet | REST Assessment - OWASP Cheat Sheet Series |
| REST Security Cheat Sheet | REST Security - OWASP Cheat Sheet Series |

Checklist

| Author | Name | Description |
| --- | --- | --- |
| HolyBugx | another API Security checklist | HolyTips: API security checklist |
| APIOps Cycles | API audit checklist | API Audit checklist. |
| Shieldfy | API-Security-Checklist | Checklist of the most important security countermeasures when designing, testing, and releasing your API. |
| API Mike, @api_sec | API penetration testing checklist | Common steps to include in any API penetration testing process. |
| Latish Danawale | API Testing Checklist | API Testing Checklist. |
| Inon Shkedy | 31 days of API Security Tips | This challenge is Inon Shkedy's 31 days of API Security Tips. |
| Binary Brotherhood | OAuth2: Security checklist | OAuth 2.0 Threat Model Pentesting Checklist |
| Apollo | GraphQL API — GraphQL Security Checklist | 9 Ways To Secure your GraphQL API — GraphQL Security Checklist |
| LeapGraph | GraphQL API - The Complete Vulnerability Checklist | How to Secure a GraphQL API - The Complete Vulnerability Checklist |
| Lokesh Gupta | REST API Security Essentials | REST API Tutorial blog entry. |

Conferences

| Name | Description |
| --- | --- |
| APIsecure | The world's first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security. |

Deliberately vulnerable APIs

| Name | Author | Description |
| --- | --- | --- |
| APISandbox | APISecurity Community | Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose. |
| Bookstore | sidchn | TryHackMe room - A Beginner level box with basic web enumeration and REST API Fuzzing. |
| crAPI | OWASP | completely ridiculous API (crAPI) |
| Damn Vulnerable GraphQL Application | dolevf | Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology to learn and practice GraphQL Security. |
| Damn Vulnerable Micro Services | ne0z | This is a vulnerable microservice written in many languages to demonstrate OWASP API Top Security Risks (under development). |
| Damn Vulnerable RESTaurant API Game | theowni | Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers. |
| Damn Vulnerable Web Services | snoopysecurity | Damn Vulnerable Web Services is a vulnerable web service/API/application that we can use to learn web services/API vulnerabilities. |
| Generic-University | InsiderPhD | Vulnerable API with Laravel App |
| node-api-goat | layro01 | A simple Express.JS REST API application that exposes endpoints with code that contains vulnerabilities. |
| Pixi | DevSlop | The Pixi module is a MEAN Stack web app with wildly insecure APIs! |
| poc-graphql | righettod | Research on GraphQL from an AppSec point of view. |
| REST API Goat | optiv | This is a "Goat" project so you can get familiar with REST API testing. |
| VAmPI | erev0s | Vulnerable REST API with OWASP top 10 vulnerabilities for APIs |
| vAPI | roottusk | vAPI is Vulnerable Adversely Programmed Interface, a Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises. |
| vulnapi | tkisason | Intentionally very vulnerable API with bonus bad coding practices. |
| vulnerable-graphql-api | CarveSystems | A very vulnerable implementation of a GraphQL API. |
| Websheep | marmicode | Websheep is an app based on willingly vulnerable ReSTful APIs. |
| VulnerableApp4APISecurity | Erdemstar | This repository was developed using .NET 7.0 API technology based on findings listed in the OWASP 2019 API Security Top 10. |

Design, Architecture, Development

| Name | Description |
| --- | --- |
| The API Specification Toolbox | This Toolbox's goal is to try and map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements. |
| Understanding gRPC, OpenAPI and REST | gRPC vs REST: Understanding gRPC, OpenAPI and REST and when to use them in API design |
| API security design best practices | API security design best practices for enterprise and public cloud. |
| REST API Design Guide | This design guide or style guide contains best practices suitable for most REST APIs. |
| How to design a REST API | How to design a REST API? - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc. |
| Awesome REST | A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list. |
| Collect API Requirements | Collecting Requirements for your API with APIOps Cycles. |
| API Audit | API Audit is a method to ensure APIs are matching the API Design guidelines. It also helps check for usability, security and API management platform compatibility. |

Encyclopedias, Projects, Wikis and GitBooks

| Author | Name | Description |
| --- | --- | --- |
| @six2dez | APIs Pentest Book | APIs Pentest Book |
| @csbygb | API Pentest tips | CSbyGB's Pentips |
| cyprosecurity | API Security Empire | The API Security Empire Project aims to present unique attack & defense methods in the API Security field |
| @APIsecurity.io | API Security Encyclopedia | API Security Encyclopedia |
| @carlospolop | Web API Pentesting | HackTricks - Web API Pentesting |
| @carlospolop | GraphQL | HackTricks - GraphQL |

Enumeration, Scanning and exploration steps

| Name | Description |
| --- | --- |
| Burp API enumeration | Using Burp to Enumerate a REST API |
| ZAP scanning | Scanning APIs with ZAP |
| ZAP exploring | Exploring APIs with ZAP |
| w3af scanning | Scan REST APIs with w3af |

Firewalls

| Name | Description |
| --- | --- |
| Wallarm Free API Firewall | Fast and light-weight API proxy firewall for request and response validation by OpenAPI specs. |

Fuzzing, SecLists, Wordlists

| Name | Description |
| --- | --- |
| API names wordlist | A wordlist of API names for web application assessments |
| API HTTP requests methods | HTTP request methods wordlist by @danielmiessler |
| API Routes Wordlists | API Routes - Automated Wordlists provided by Assetnote |
| Common API endpoints | Wordlist for common API endpoints. |
| Filenames by fuzz.txt | Potentially dangerous files |
| Fuzzing APIs | Fuzzing APIs chapter from "The Fuzzing Book". |
| GraphQL SecList | It's a GraphQL list used during security assessments, collected in one place. |
| Hacking-APIs | Wordlists and API paths by @hapi_hacker |
| Kiterunner Wordlists | Kiterunner Wordlists provided by Assetnote |
| List of API endpoints & objects | A list of 3203 common API endpoints and objects designed for fuzzing. |
| List of Swagger endpoints | Swagger endpoints |
| SecLists for API's web-content discovery | It is a collection of web content discovery lists for APIs used during security assessments. |
| GraphQL wordlist | The only GraphQL wordlist you'll ever need. Operations, field names, type names... Collected on more than 60k distinct GraphQL schemas. |

HTTP 101

| Name | Description |
| --- | --- |
| Know your HTTP Headers! | HTTP Headers: a simplified and comprehensive table. |
| Know your HTTP Methods! | HTTP Methods: a simplified and comprehensive table. |
| Know your HTTP Status codes! | HTTP Status codes: a simplified and comprehensive table. |
| HTTP Status Codes | httpstatuses.com is an easy to reference database of HTTP Status Codes with their definitions and helpful code references all in one place. |
| Know your HTTP * Well | HTTP headers, media-types, methods, relations and status codes, all summarized and linking to their specification. |

Mind maps

| Author | Name | Description |
| --- | --- | --- |
| Abhay Bhargav | REST API defenses | Mind map: REST API defenses |
| Cypro AB | API Pentesting - ATTACK | Mind map: API Pentesting - ATTACK |
| Cypro AB | API Pentesting - Recon | Mind map: API Pentesting - Recon |
| Cypro AB | GraphQL Attacking | Mind map: GraphQL Attacking |
| David Sopas | MindAPI | Organize your API security assessment by using MindAPI |
| Harsh Bothra | XML attacks | Mind map: XML attacks |
| Mosaad Sallam | GraphQL Security Testing | Mind map: GraphQL Security Testing |
| Mosaad Sallam | OWASP API Top10 | Mind map: OWASP API Top 10 |
| Mufaddal Masalawala | IDOR Techniques | Mind map: IDOR Techniques |

Newsletters

| Author | Name | Description |
| --- | --- | --- |
| 42Crunch | api security articles | API Security Articles - The Latest API Security News, Vulnerabilities & Best Practices. |
| Dana Epp | api hacker's inner circle | API Hacker's Inner Circle Newsletter. |

Other resources

| Name | Author | Description |
| --- | --- | --- |
| API Hacking Articles | Dana Epp | API Hacking Fundamentals, Tools, Techniques, Fails and Mindset articles. |
| API Security best practices guide | Expedited Security | API Security Best Practices MegaGuide |
| API Security: The Complete Guide | Bright Security | API Security, The Complete Guide |
| API Penetration Testing | SecureLayer7 | API Penetration Testing with OWASP 2017 Test Cases. |
| API Penetration Testing Report | UnderDefense | Anonymised API Penetration Testing Report - vendor sample template |
| API Pentesting with Swagger Files | RhinoSecurityLabs | Simplifying API Pentesting With Swagger Files. |
| API security path resources | MindAPI | Resources to help out in the API security path; diverse content from talks/webinars/videos, must read, writeups, bola/idors, oauth, jwt, rate limit, ssrf and practice entries. |
| API Security Testing | Spherical Defence | Principles of API Security Testing and how to perform a Security Test on an API. |
| Finding and Exploiting Web App APIs | Bend Theory | Finding and Exploiting Unintended Functionality in Main Web App APIs |
| How to Hack an API and Get Away with It | SmartBear | How to Hack an API and Get Away with It (Part 1 of 3). |
| How to Hack APIs in 2021 | Detectify | How to Hack APIs in 2021 |
| How to Hack API in 60 minutes with Open Source Tools | Wallarm | How to Hack API in 60 minutes with Open Source Tools |
| GraphQL penetration testing | YesWeHack | How to exploit GraphQL endpoint: introspection, query, mutations & tools. |
| Fixing the 13 most common GraphQL Vulnerabilities | WunderGraph | GraphQL Security Guide, Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready. |
| Hacking APIs - Notes from Bug Bounty Bootcamp | Aakash Choudhary | My Notes on Hacking APIs from Bug Bounty Bootcamp. |
| SOAP Security Vulnerabilities and Prevention | NeuraLegion | SOAP Security, Top Vulnerabilities and How to Prevent Them. |
| API and microservice security | PortSwigger | What are API and microservice security? |
| Strengthening Your API Security Posture | 42Crunch | Strengthening Your API Security Posture – Ford Motor Company. |
| The Fault in Our Stars | Tenchi Security | Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion. |

Playlists

| Name | Description |
| --- | --- |
| Everything API Hacking | A video collection from Katie Paxton-Fear, @InsiderPhD, and other people creating a playlist of API hacking knowledge! |
| API hacking | API hacking videos from @theXSSrat |

Podcasts

| Name | Description |
| --- | --- |
| Hacking APIs | The Hacker Mind Podcast: Hacking APIs |
| Hack Your API-Security Testing | 21: Troy Hunt: Hack Your API-Security Testing. |
| The OWASP API Security Project | Erez Yalon — The OWASP API Security Project |
| Episode 38 API Security Best Practices | We Hack Purple Podcast Episode 38 API Security Best Practices. |

Presentations, Videos

| Name | Description |
| --- | --- |
| pentesting-rest-apis | Pentesting Rest API's by Gaurang Bhatnagar |
| Securing your APIs | "How Secure are your APIs?" - Securing your APIs: OWASP API Top 10 2019, Case Study and Demo. |
| api-security-testing-for-hackers | API Security Testing For Hackers |
| bad-api-hapi-hackers | Bad API, hAPI Hackers! |
| disclosing-information-via-your-apis | Hidden in Plain Site: Disclosing Information via Your APIs. |
| rest-in-peace-abusing-graphql | REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure. |

Projects

| Name | Description |
| --- | --- |
| owasp api security project | OWASP API Security Project - API Security Top 10 |

Security APIs

| Name | Description |
| --- | --- |
| awesome-security-apis | A collective list of public JSON APIs for use in security. |

Specifications

| Name | Description |
| --- | --- |
| API Blueprint | API Blueprint Specification |
| AsyncAPI | AsyncAPI Specification |
| OpenAPI | OpenAPI Specification |
| JSON API | JSON API Specification |
| GraphQL | GraphQL Specification |
| RAML | RAML Specification |

Tools

| Name | Description |
| --- | --- |
| GraphQL | |
| BatchQL | GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations. |
| clairvoyance | Obtain GraphQL API schema despite disabled introspection! |
| InQL | InQL - A Burp Extension for GraphQL Security Testing. |
| graphinder | Blazing fast GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce. |
| graphql-cop | Security Auditor Utility for GraphQL APIs. |
| GraphQLmap | GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. |
| graphql-path-enum | Tool that lists the different ways of reaching a given type in a GraphQL schema. |
| graphql-playground | GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration) |
| graphql-threat-matrix | GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations. |
| graphw00f | graphw00f is a GraphQL Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint. |
| goctopus | Blazing fast GraphQL discovery & fingerprinting toolbox. |
| graphql-armor | The missing GraphQL security layer for Apollo GraphQL and Yoga / Envelop servers |
| REST APIs | |
| Akto | API discovery, automated business logic testing and runtime detection |
| APICheck | The DevSecOps toolset for REST APIs. |
| APIClarity | Reconstruct Open API Specifications from real-time workload traffic seamlessly. |
| APIFuzzer | Fuzz test your application using your OpenAPI or Swagger API definition without coding. |
| APIKit | APIKit: Discovery, Scan and Audit APIs Toolkit All In One. |
| Arjun | HTTP parameter discovery suite. |
| Astra | Automated Security Testing For REST API's. |
| Automatic API Attack Tool | Imperva's customizable API attack tool takes an API specification as an input, and generates and runs attacks that are based on it as an output. |
| CATS | CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. |
| Cherrybomb | Stop half-done API specifications with a CLI tool that helps you avoid undefined user behaviour by validating your API specifications. |
| ffuf | Fast web fuzzer written in Go. |
| fuzzapi | Fuzzapi is a tool used for REST API pentesting and uses the API_Fuzzer gem. |
| gotestwaf | An open-source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses |
| kiterunner | Contextual Content Discovery Tool. |
| Metlo | Open-source API security tool to discover, inventory, test, and protect your APIs. |
| mitmproxy2swagger | Automagically reverse-engineer REST APIs via capturing traffic |
| Optic | Verify the accuracy of your OpenAPI 3.x spec using real traffic and automatically apply patches that keep it up-to-date |
| OFFAT | The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion. |
| REST-Attacker | Designed as a proof-of-concept for the feasibility of testing generic real-world REST implementations. Its goal is to provide a framework for REST security research. |
| RESTler | RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. |
| Swagger-EZ | A tool geared towards pentesting APIs using OpenAPI definitions. |
| TnT-Fuzzer | OpenAPI 2.0 (Swagger) fuzzer written in python. Basically TnT for your API. |
| wadl-dumper | Dump all available paths and/or endpoints on WADL file. |
| fuzz-lightyear | A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing. |
| SOAP | |
| Wsdler | WSDL Parser extension for Burp. |
| wsdl-wizard | WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files. |
| Others | |
| dredd | Language-agnostic HTTP API Testing Tool |
| getallurls (gau) | Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl. |
| SoapUI | SoapUI is a free and open-source cross-platform functional testing solution for APIs and web services. |
| Step CI | Open-source framework for API Quality Assurance, which tests REST, GraphQL and gRPC automated and from Open API spec. |
| unfurl | Pull out bits of URLs provided on stdin |
| noir | Noir is an attack surface detector from source code. |

Training, Workshops, Labs

| Author | Name | Description |
| --- | --- | --- |
| APIsec | API Security University | APIsec University provides training courses for application security professionals |
| Corey Ball | Hacking APIs | Hacking APIs: workshop |
| Escape | API Security Academy | API Security Academy, by Escape |
| Grant Ongers | API top 10 walkthrough | OWASP API Top 10 CTF Walk-through. |
| Hacker101 | GraphQL challenges | GraphQL Week on The Hacker101 Capture the Flag Challenges |
| Karel Husa | BankGround API | Banking-like REST and GraphQL API for training/learning purposes. |
| Kontra | OWASP Top 10 for API | A series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints. |
| OWASP-SKF | GraphQL Labs | GraphQL Labs on the OWASP Security Knowledge Framework |
| Pentester Academy | API security, REST Labs | Pentester Academy - attack & defense |
| Semgrep Academy | API Security Mini Course | Learn the basics of API security in this short and fun mini course! |
| ShipFast | Practical API Security Walkthrough | Learn practical Mobile and API security techniques: API Key, Static and Dynamic HMAC, Dynamic Certificate Pinning, and Mobile App Attestation. |
| Wesley Thijs | Let's build an API to hack | API Hacking Exercises by @TheXSSrat |

Twitter

| Author | Name | Description |
| --- | --- | --- |
| 42Crunch | @apisecurityio | API security news, standards, vulnerabilities, tools. |
| Corey J. Ball | @hAPI_hacker | Cybersecurity consulting manager |
| Dana Epp | @ddǝɐuɐp | Microsoft Security MVP |
| David Sopas | @dsopas | Security Researcher |
| Katie Paxton-Fear | @InsiderPhD | Lecturer and hacker |
| Wesley Thijs | @theXSSrat | Ethical hacker |

Contributions

  1. Repository Purpose: This repository aims to collect API security tools and resources. Preference is given to open-source or community editions of tools, Creative Commons resources, and content created by the community for the benefit of the community.

  2. Out of Scope: Pull requests that involve vendor-specific content, advertisements, commercial or restricted products, free trials, freemium services, closed-source (proprietary) software, or services that require users to provide private details will be considered out of scope and may be closed or ignored.

  3. Relevance: Contributions must be directly related to API security, bug hunting, API hardening, or API hacking. Materials unrelated to these topics may be discarded.

  4. Duplicates and Relevance: Duplicate entries or submissions that do not add new, relevant content beyond existing entries will not be considered.

  5. Out of Scope PRs: Pull requests that fall outside the scope of this repository are likely to be discarded, closed, or ignored without notice.

  6. Twitter Section: The Twitter section references authors of books, videos, workshops, courses, newsletters, or other content already present in this repository. While this section is somewhat subjective and may be divisive, it has been included as it might be helpful to some visitors of the repository.

  7. Content Accuracy: If you are an author of tools or content and notice that your description is inaccurate or outdated in any section (including the Twitter section), please reach out to update it.

  8. Book References: The only exception to the "out-of-scope" rule pertains to books. Some referenced books may have an associated cost, which is allowed under certain circumstances.

If you think your content fits the above purposes, please

For more details check GitHub quickstart/contributing-to-projects