Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
awesome-api-security
A collection of awesome API Security tools and resources. The focus goes to open-source tools and resources that benefit all the community.
https://github.com/arainho/awesome-api-security
Last synced: 3 days ago
Books
- Defending APIs
- API Security for dummies - High-level introduction to the key concepts of API security and DevSecOps.
- API Security in Action
- Black Hat GraphQL
- Hacking APIs
- Understanding API Security
- API Security for White Hat Hackers
Training, Workshops, Labs
- API Security University
- Hacking APIs
- API Security Academy
- API top 10 walkthrough
- GraphQL challenges
- BankGround API - Banking-like REST and GraphQL API for training/learning purposes.
- OWASP Top 10 for API
- GraphQL Labs
- API security, REST Labs - attack & defense
- Let's build an API to hack
- Practical API Security Walkthrough
- API Security Mini Course
Twitter
Contributions
API Keys: Find and validate
Cheatsheets
- GraphQL Cheat Sheet - OWASP Cheat Sheet Series
- JSON Web Token Security Cheat Sheet
- Injection Prevention Cheat Sheet - OWASP Cheat Sheet Series
- Microservices Security Cheat Sheet - OWASP Cheat Sheet Series
- OWASP API Security Top 10
- REST Assessment Cheat Sheet - OWASP Cheat Sheet Series
- REST Security Cheat Sheet - OWASP Cheat Sheet Series
Checklist
- another API Security checklist
- API audit checklist
- API Testing Checklist
- API penetration testing checklist
- OAuth2: Security checklist
- GraphQL API — GraphQL Security Checklist
- GraphQL API - The Complete Vulnerability Checklist
- REST API Security Essentials
- 31 days of API Security Tips
- API-Security-Checklist
Conferences
Deliberately vulnerable APIs
- Bookstore - A beginner-level box with basic web enumeration and REST API fuzzing.
- APISandbox - Pre-built vulnerable multiple-API scenario environments based on Docker Compose.
- crAPI
- Damn Vulnerable GraphQL Application
- Damn Vulnerable Micro Services
- Damn Vulnerable RESTaurant API Game
- Damn Vulnerable Web Services
- Generic-University
- node-api-goat
- Pixi
- poc-graphql
- REST API Goat
- VAmPI
- vAPI - Hostable API that mimics OWASP API Top 10 scenarios through exercises.
- vulnapi
- Websheep
- VulnerableApp4APISecurity
Design, Architecture, Development
- The API Specification Toolbox
- Understanding gRPC, OpenAPI and REST
- API security design best practices
- REST API Design Guide
- How to design a REST API - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc.
- Awesome REST
- Collect API Requirements
- API Audit
Encyclopedias, Projects, Wikis and GitBooks
- APIs Pentest Book
- API Pentest tips
- Web API Pentesting
- GraphQL
- API Security Empire
Enumeration, Scanning and exploration steps
Fuzzing, SecLists, Wordlists
- API HTTP requests methods
- API Routes Wordlists - Automated wordlists provided by Assetnote
- Common API endpoints
- Fuzzing APIs
- GraphQL SecList
- Kiterunner Wordlists
- List of API endpoints & objects
- List of Swagger endpoints
- SecLists for API's web-content discovery
- API names wordlist
- Filenames by fuzz.txt
- Hacking-APIs
- GraphQL wordlist
HTTP 101
- Know your HTTP Headers!
- Know your HTTP Methods!
- Know your HTTP Status codes!
- HTTP Status Codes
- Know your HTTP * Well - types, methods, relations and status codes, all summarized and linking to their specification.
Mind maps
- Mufaddal Masalawala
- David Sopas
- Harsh Bothra
- Abhay Bhargav
- Cypro AB - Mind map: GraphQL Attacking
Newsletters
- api security articles - The latest API security news, vulnerabilities & best practices.
- api hacker’s inner circle
Other resources
- API Security: The Complete Guide
- API Penetration Testing
- API Penetration Testing Report - vendor sample template
- API Pentesting with Swagger Files
- API security path resources
- API Security Testing
- Finding and Exploiting Web App APIs
- API Hacking Articles
- API Security best practices guide
- How to Hack APIs in 2021
- How to Hack API in 60 minutes with Open Source Tools
- GraphQL penetration testing
- Fixing the 13 most common GraphQL Vulnerabilities
- Hacking APIs - Notes from Bug Bounty Bootcamp
- SOAP Security Vulnerabilities and Prevention
- API and microservice security
- Strengthening Your API Security Posture
- The Fault in Our Stars
- How to Hack an API and Get Away with It
Playlists
- Everything API Hacking - Katie Paxton-Fear (@InsiderPhD) and other people creating a playlist of API hacking knowledge!
- API hacking
Podcasts
Presentations, Videos
- pentesting-rest-apis
- Securing your APIs - OWASP API Top 10 2019, case study and demo.
- api-security-testing-for-hackers
- bad-api-hapi-hackers
- disclosing-information-via-your-apis
- rest-in-peace-abusing-graphql
Projects
- owasp api security project - API Security Top 10
Specifications
Firewalls
- Wallarm Free API Firewall - Lightweight API proxy firewall for request and response validation against OpenAPI specs.
Security APIs
Tools
- BatchQL
- clairvoyance
- InQL - A Burp extension for GraphQL security testing.
- graphinder
- graphql-cop
- GraphQLmap
- graphql-path-enum
- graphql-playground
- graphql-threat-matrix
- graphw00f
- goctopus
- graphql-armor
- Akto
- APICheck
- APIClarity - Reconstructs OpenAPI specifications from real-time workload traffic.
- APIFuzzer
- APIKit
- Arjun
- Astra
- Automatic API Attack Tool
- CATS
- Cherrybomb - A CLI tool that helps you avoid undefined user behaviour by validating your API specifications, so they are not left half-done.
- ffuf
- fuzzapi - Uses the API_Fuzzer gem.
- gotestwaf - Open-source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses.
- kiterunner
- Metlo - Open-source API security tool to discover, inventory, test, and protect your APIs.
- mitmproxy2swagger - Reverse-engineer REST APIs by capturing traffic.
- Optic
- OFFAT
- REST-Attacker - Proof-of-concept for the feasibility of testing generic real-world REST implementations. Its goal is to provide a framework for REST security research.
- RESTler
- Swagger-EZ
- TnT-Fuzzer
- wadl-dumper
- fuzz-lightyear - A pytest-inspired DAST framework, capable of identifying vulnerabilities in a distributed micro-service ecosystem through chaos engineering testing and stateful Swagger fuzzing.
- Wsdler
- wsdl-wizard
- dredd - Language-agnostic HTTP API testing tool.
- getallurls (gau)
- SoapUI - Open-source cross-platform functional testing solution for APIs and web services.
- Step CI - Open-source framework for API quality assurance, which tests REST, GraphQL and gRPC APIs automatically and from an OpenAPI spec.
- unfurl
Categories
- Tools (43)
- Other resources (20)
- Deliberately vulnerable APIs (17)
- Fuzzing, SecLists, Wordlists (13)
- Training, Workshops, Labs (12)
- Checklist (10)
- Design, Architecture, Development (9)
- Books (8)
- Cheatsheets (7)
- Specifications (6)
- Encyclopedias, Projects, Wikis and GitBooks (6)
- Presentations, Videos (6)
- Twitter (5)
- Mind maps (5)
- HTTP 101 (5)
- API Keys: Find and validate (5)
- Podcasts (4)
- Enumeration, Scanning and exploration steps (4)
- Playlists (2)
- Newsletters (2)
- Security APIs (1)
- Projects (1)
- Conferences (1)
- Firewalls (1)
- Contributions (1)
Keywords
security (20), graphql (14), api (12), api-security (9), openapi (9), swagger (9), penetration-testing (6), security-tools (6), owasp (6), bugbounty (6), fuzzer (5), pentesting (4), pentest (3), openapi3 (3), infosec (3), api-testing (3), http (3), devsecops (3), api-rest (3), graphql-security (3), cybersecurity (3), fuzz (3), burp-extensions (2), integration-testing (2), web (2), bugbounty-tool (2), vulnerability-detection (2), hacking (2), owasp-top-10 (2), api-gateway (2), rest-security (2), api-blueprint (2), web-application-security (2), web-application-firewall (2), apis (2), openapi-specification (2), waf (2), openapi-spec (2), testing (2), json (2), api-security-testing (2), apisecurity (2), api-documentation (2), fingerprinting (2), validation (2), vulnerability (2), json-api (2), python (2), java (2), api-client (2)