awesome-api-security
A collection of awesome API Security tools and resources. The focus is on open-source tools and resources that benefit the whole community.
https://github.com/arainho/awesome-api-security
Training, Workshops, Labs
- API Security University
- Hacking APIs
- API Security Academy
- API top 10 walk-through
- GraphQL challenges
- BankGround API - Bank-like REST and GraphQL API for training/learning purposes.
- OWASP Top 10 for API
- GraphQL Labs
- API security, REST Labs - attack & defense
- Let's build an API to hack
- Practical API Security Walkthrough
- API Security Mini Course
Twitter
API Keys: Find and validate
Books
- Black Hat GraphQL
- API Security for dummies - Entry-level introduction to the key concepts of API security and DevSecOps.
- API Security in Action
- Hacking APIs
- Understanding API Security
- API Security for White Hat Hackers
- Defending APIs
- Secure APIs: Design, build, and implement - Techniques to recognize and prevent attacks on your APIs.
Cheatsheets
- GraphQL Cheat Sheet - OWASP Cheat Sheet Series
- JSON Web Token Security Cheat Sheet
- Injection Prevention Cheat Sheet - OWASP Cheat Sheet Series
- Microservices Security Cheat Sheet - OWASP Cheat Sheet Series
- OWASP API Security Top 10
- REST Assessment Cheat Sheet - OWASP Cheat Sheet Series
- REST Security Cheat Sheet - OWASP Cheat Sheet Series
Checklist
- another API Security checklist
- API audit checklist
- API penetration testing checklist
- API Testing Checklist
- OAuth2: Security checklist
- GraphQL API — GraphQL Security Checklist
- GraphQL API - The Complete Vulnerability Checklist
- REST API Security Essentials
- 31 days of API Security Tips
- API-Security-Checklist
Conferences
Design, Architecture, Development
- The API Specification Toolbox
- Understanding gRPC, OpenAPI and REST
- API security design best practices
- REST API Design Guide
- How to design a REST API - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc.
- Awesome REST
- Collect API Requirements
- API Audit
Encyclopedias, Projects, Wikis and GitBooks
- APIs Pentest Book
- API Pentest tips
- Web API Pentesting
- GraphQL
- API Security Empire
- API Security Encyclopedia
Enumeration, Scanning and exploration steps
Fuzzing, SecLists, Wordlists
- API HTTP requests methods
- API Routes Wordlists - Automated wordlists provided by Assetnote
- Common API endpoints
- Fuzzing APIs
- GraphQL SecList
- Kiterunner Wordlists
- List of API endpoints & objects
- List of Swagger endpoints
- SecLists for API's web-content discovery
- API names wordlist
- Filenames by fuzz.txt
- Hacking-APIs
- GraphQL wordlist
HTTP 101
- Know your HTTP Headers!
- Know your HTTP Methods!
- Know your HTTP Status codes!
- HTTP Status Codes
- Know your HTTP * Well - HTTP headers, media-types, methods, relations and status codes, all summarized and linking to their specification.
Mind maps
- Mufaddal Masalawala
- David Sopas
- Harsh Bothra
- Abhay Bhargav
- Cypro AB - Mind map: GraphQL Attacking
- Mosaad Sallam
Newsletters
- api security articles - The latest API security news, vulnerabilities & best practices.
- api hacker’s inner circle
Other resources
- API Security: The Complete Guide
- API Penetration Testing
- API Penetration Testing Report - vendor sample template
- API Pentesting with Swagger Files
- API security path resources
- API Security Testing
- API Hacking Articles
- API Security best practices guide
- Finding and Exploiting Web App APIs
- How to Hack APIs in 2021
- How to Hack API in 60 minutes with Open Source Tools
- GraphQL penetration testing
- Fixing the 13 most common GraphQL Vulnerabilities
- Hacking APIs - Notes from Bug Bounty Bootcamp
- SOAP Security Vulnerabilities and Prevention
- API and microservice security
- Strengthening Your API Security Posture
- The Fault in Our Stars
Playlists
- Everything API Hacking - Katie Paxton-Fear, @InsiderPhD, and other people creating a playlist of API hacking knowledge!
- API hacking
Podcasts
Presentations, Videos
- pentesting-rest-apis
- Securing your APIs - Securing your APIs: OWASP API Top 10 2019, case study and demo.
- api-security-testing-for-hackers
- bad-api-hapi-hackers
- disclosing-information-via-your-apis
- rest-in-peace-abusing-graphql
Projects
- owasp api security project - OWASP API Security Top 10
Specifications
Tools
- noir
- BatchQL
- clairvoyance
- InQL - A Burp extension for GraphQL security testing.
- graphinder
- graphql-cop
- GraphQLmap
- graphql-path-enum
- graphql-playground
- graphql-threat-matrix
- graphw00f
- goctopus
- graphql-armor
- Akto
- APICheck
- APIClarity - Reconstruct Open API Specifications (OAS) from real-time workload traffic seamlessly.
- APIFuzzer
- APIKit
- Arjun
- Astra
- Automatic API Attack Tool
- CATS
- Cherrybomb - Stop half-done API specifications with a CLI tool that helps you avoid undefined user behaviour by validating your API specifications.
- ffuf
- fuzzapi - Fuzzapi is a Rails application that uses the API_Fuzzer gem.
- gotestwaf - An open-source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses.
- kiterunner
- Metlo - Open-source API security tool to discover, inventory, test, and protect your APIs.
- mitmproxy2swagger - Automagically reverse-engineer REST APIs via capturing traffic.
- Optic
- OFFAT
- REST-Attacker - A proof-of-concept for the feasibility of testing generic real-world REST implementations. Its goal is to provide a framework for REST security research.
- RESTler
- Swagger-EZ
- TnT-Fuzzer
- wadl-dumper
- fuzz-lightyear - A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing.
- Wsdler
- wsdl-wizard
- dredd - Language-agnostic HTTP API testing tool.
- getallurls (gau)
- SoapUI - Open-source cross-platform functional testing solution for APIs and web services.
- Step CI - Open-source framework for API quality assurance, which tests REST, GraphQL and gRPC APIs automatically and from an OpenAPI spec.
- unfurl
- CentralMind/Gateway - Database gateway for LLMs and AI agents. Supports PostgreSQL, Clickhouse, MySQL, Snowflake, BigQuery.
- WuppieFuzz - A coverage-guided REST API fuzzer developed on top of LibAFL, targeting a wide audience of end-users, with a strong focus on ease-of-use, explainability of the discovered flaws and modularity. WuppieFuzz supports all three settings of testing (black box, grey box and white box).
Deliberately vulnerable APIs
- APISandbox - Pre-built vulnerable multiple API scenario environments based on Docker Compose.
- crAPI
- Damn Vulnerable GraphQL Application
- Damn Vulnerable Micro Services
- Damn Vulnerable RESTaurant API Game
- Damn Vulnerable Web Services
- Generic-University
- node-api-goat
- Pixi
- poc-graphql
- REST API Goat
- VAmPI
- vAPI - Self-hostable API that mimics OWASP API Top 10 scenarios through exercises.
- vulnapi
- Websheep
- VulnerableApp4APISecurity
- Bookstore - A beginner-level box with basic web enumeration and REST API fuzzing.
- vulnerable-graphql-api
Firewalls
- Wallarm Free API Firewall - Fast and light-weight API proxy firewall for request and response validation against OpenAPI specs.
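The Wallarm entry above describes a positive security model: the proxy admits only traffic that matches the published OpenAPI description and drops everything else, including undeclared body fields (the usual mass-assignment path) and parameters outside their declared range. The following is an added example, not code from Wallarm or any other project on this list; it is a stripped-down, dependency-free version of that check in Python. The spec fragment, the function names and the sample requests are all constructed for illustration.

```python
"""Positive-security request validation against an OpenAPI description (example)."""
import json
import re
from typing import Any, Dict, List, Optional

# Constructed OpenAPI 3 fragment for a hypothetical user-management API.
# additionalProperties: false on the PATCH body is what rejects undeclared
# fields such as "role"; without it the schema check would let them through.
SPEC: Dict[str, Any] = {"paths": {
    "/users/{id}": {"patch": {
        "parameters": [{"name": "id", "in": "path", "required": True,
                        "schema": {"type": "integer"}}],
        "requestBody": {"required": True, "content": {"application/json": {"schema": {
            "type": "object",
            "properties": {"email": {"type": "string"}, "display_name": {"type": "string"}},
            "additionalProperties": False}}}}}},
    "/users": {"get": {
        "parameters": [{"name": "limit", "in": "query", "required": False,
                        "schema": {"type": "integer", "maximum": 100}}]}},
}}


def check_schema(value: Any, schema: Dict[str, Any], where: str) -> List[str]:
    """Validate a JSON value against the small JSON Schema subset used in SPEC."""
    errors: List[str] = []
    kind = schema.get("type")
    if kind == "integer":
        if isinstance(value, str) and re.fullmatch(r"-?\d+", value):
            value = int(value)  # path and query parameters arrive as strings
        if isinstance(value, bool) or not isinstance(value, int):
            return [f"{where}: expected integer"]
        if value > schema.get("maximum", value):
            errors.append(f"{where}: above maximum {schema['maximum']}")
    elif kind == "string" and not isinstance(value, str):
        errors.append(f"{where}: expected string")
    elif kind == "object":
        if not isinstance(value, dict):
            return [f"{where}: expected object"]
        props = schema.get("properties", {})
        for name, item in value.items():
            if name in props:
                errors.extend(check_schema(item, props[name], f"{where}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{where}.{name}: undeclared property")
    return errors


def match_path(template: str, path: str) -> Optional[Dict[str, str]]:
    """Match a templated path such as /users/{id} against a concrete path."""
    pattern = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template)
    m = re.fullmatch(pattern, path)
    return m.groupdict() if m else None


def validate_request(method: str, path: str, query: Dict[str, str],
                     body: Optional[bytes], spec: Dict[str, Any] = SPEC) -> List[str]:
    """Return [] if the spec permits the request, otherwise the list of violations.

    Everything the spec does not describe (path, method, query parameter, body
    field) is a violation: an allowlist, not a blocklist of known attacks.
    """
    for template, ops in spec["paths"].items():
        path_params = match_path(template, path)
        if path_params is None:
            continue
        op = ops.get(method.lower())
        if op is None:
            return [f"method {method} not allowed on {template}"]
        errors: List[str] = []
        params = op.get("parameters", [])
        for p in params:
            source = path_params if p["in"] == "path" else query
            if p["name"] in source:
                errors.extend(check_schema(source[p["name"]], p["schema"], f"{p['in']}.{p['name']}"))
            elif p.get("required"):
                errors.append(f"{p['in']}.{p['name']}: required")
        declared = {p["name"] for p in params if p["in"] == "query"}
        errors.extend(f"query.{q}: undeclared parameter" for q in query if q not in declared)
        request_body = op.get("requestBody")
        if request_body is None:
            if body:
                errors.append("body: not expected for this operation")
        elif not body:
            if request_body.get("required"):
                errors.append("body: required")
        else:
            try:
                parsed = json.loads(body)
            except ValueError:
                return errors + ["body: malformed JSON"]
            errors.extend(check_schema(parsed, request_body["content"]["application/json"]["schema"], "body"))
        return errors
    return [f"path {path} not in spec"]


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate PATCH followed by typical probes.
    for s in [("PATCH", "/users/42", {}, b'{"email": "a@example.test"}'),
              ("PATCH", "/users/42", {}, b'{"email": "a@example.test", "role": "admin"}'),
              ("DELETE", "/users/42", {}, None),
              ("GET", "/users", {"limit": "1000"}, None),
              ("GET", "/admin/users", {}, None)]:
        print(s[0], s[1], "->", validate_request(*s) or "allowed")
```

The design point is the direction of the check: the firewall never tries to recognise attacks, it only asks whether the request is something the API contract says exists. That is why a stale or over-permissive spec (a schema without additionalProperties: false, an undocumented debug endpoint) weakens the protection directly; the spec is the policy.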
Security APIs