Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

awesome-api-security

A collection of awesome API Security tools and resources. The focus goes to open-source tools and resources that benefit all the community.
https://github.com/arainho/awesome-api-security

Last synced: 6 days ago
JSON representation

Books
- Defending APIs
- API Security for dummies - level introduction to the key concepts of API security and DevSecOps. |
- API Security in Action
- Black Hat GraphQL
- Hacking APIs
- Understanding API Security
- API Security for White Hat Hackers
- Defending APIs
Training, Workshops, Labs
- API Security University
- Hacking APIs
- API Security Academy
- API top 10 walkthrough - through. |
- GraphQL challenges
- BankGround API - like REST and GraphQL API for training/learning purposes. |
- OWASP Top 10 for API
- GraphQL Labs
- API security, REST Labs - attack & defense |
- Let's build an API to hack
- Practical API Security Walkthrough
- Hacking APIs
- API Security Mini Course
Twitter
- @hAPI_hacker
- @ddǝɐuɐp
- @dsopas
- @InsiderPhD
- @theXSSrat
Contributions
- quickstart/contributing-to-projects
API Keys: Find and validate
- API Guesser
- API Key Leaks: Tools and exploits
- Key-Checker
- Keyhacks
- Private key usage verification
- Mantra
Cheatsheets
- GraphQL Cheat Sheet - OWASP Cheat Sheet Series |
- JSON Web Token Security Cheat Sheet - JSON Web Token Security Cheat Sheet |
- Injection Prevention Cheat Sheet - OWASP Cheat Sheet Series
- Microservices Security Cheat Sheet - OWASP Security Cheat Sheet |
- OWASP API Security Top 10 - OWASP API Security Top 10 |
- REST Assessment Cheat Sheet - OWASP Cheat Sheet Series |
- REST Security Cheat Sheet - OWASP Cheat Sheet Series |
Checklist
- another API Security checklist
- API audit checklist
- API Testing Checklist
- API penetration testing checklist
- OAuth2: Security checklist
- GraphQL API — GraphQL Security Checklist
- GraphQL API - The Complete Vulnerability Checklist - The Complete Vulnerability Checklist |
- REST API Security Essentials
- API-Security-Checklist
Conferences
- APIsecure
Deliberately vulnerable APIs
- Bookstore - A Beginner level box with basic web enumeration and REST API Fuzzing. |
- APISandbox - Security) | Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose. |
- crAPI
- Damn Vulnerable GraphQL Application
- Damn Vulnerable Micro Services
- Damn Vulnerable RESTaurant API Game
- Damn Vulnerable Web Services
- Generic-University
- node-api-goat
- Pixi
- poc-graphql
- REST API Goat
- VAmPI
- vAPI - Hostable API that mimics OWASP API Top 10 scenarios through Exercises. |
- vulnapi
- vulnerable-graphql-api
- Websheep
- VulnerableApp4APISecurity
Design, Architecture, Development
- The API Specification Toolbox
- Understanding gRPC, OpenAPI and REST
- API security design best practices
- REST API Design Guide
- How to design a REST API - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc.
- Awesome REST
- Collect API Requirements
- API Audit
- The API Specification Toolbox
Encyclopedias, Projects, Wikis and GitBooks
- APIs Pentest Book
- API Pentest tips
- Web API Pentesting - Web API Pentesting |
- GraphQL - GraphQL |
- API Security Empire
- Web API Pentesting - Web API Pentesting |
Enumeration, Scanning and exploration steps
- Burp API enumeration
- ZAP scanning
- ZAP exploring
- w3af scanning
Fuzzing, SecLists, Wordlists
- API HTTP requests methods
- API Routes Wordlists - Automated Wordlists provided by Assetnote |
- Common API endpoints
- Fuzzing APIs
- GraphQL SecList
- Kiterunner Wordlists
- List of API endpoints & objects
- List of Swagger endpoints
- SecLists for API's web-content discovery
- API names wordlist
- Filenames by fuzz.txt
- Hacking-APIs
- GraphQL wordlist
HTTP 101
- Know your HTTP Headers!
- Know your HTTP Methods!
- Know your HTTP Status codes!
- HTTP Status Codes
- Know your HTTP * Well - types, methods, relations and status codes, all summarized and linking to their specification. |
Mind maps
- Mufaddal Masalawala
- David Sopas
- Harsh Bothra
- Abhay Bhargav
- Cypro AB - SecurityEmpire/blob/main/assets/API%20Pentesting%20Mindmap%20%7B%7BGraphQL%20Attacking%7D%7D.pdf) | Mind map: GraphQL Attacking |
Newsletters
- api security articles - The Latest API Security News, Vulnerabilities & Best Practices. |
- api hacker’s inner circle
Other resources
- API Security: The Complete Guide
- API Penetration Testing
- API Penetration Testing Report - vendor sample template |
- API Pentesting with Swagger Files
- API security path resources
- API Security Testing
- Finding and Exploiting Web App APIs
- API Hacking Articles
- API Security best practices guide
- How to Hack APIs in 2021
- How to Hack API in 60 minutes with Open Source Tools
- GraphQL penetration testing
- Fixing the 13 most common GraphQL Vulnerabilities
- Hacking APIs - Notes from Bug Bounty Bootcamp
- SOAP Security Vulnerabilities and Prevention
- API and microservice security
- Strengthening Your API Security Posture
- The Fault in Our Stars
- How to Hack an API and Get Away with It
- GraphQL penetration testing
Playlists
- Everything API Hacking - Fear, @InsiderPhD, and other people creating a playlist of API hacking knowledge! |
- API hacking
Podcasts
- Hacking APIs
- Hack Your API-Security Testing - Security Testing. |
- The OWASP API Security Project
- Episode 38 API Security Best Practices
Presentations, Videos
- pentesting-rest-apis
- Securing your APIs - Securing your APIs: OWASP API Top 10 2019, Case Study and Demo. |
- api-security-testing-for-hackers
- bad-api-hapi-hackers
- disclosing-information-via-your-apis
- rest-in-peace-abusing-graphql
Projects
- owasp api security project - API Security Top 10 |
Specifications
- API Blueprint
- AscyncAPI
- OpenAPI
- JSON API
- GraphQL
- RAML
Firewalls
- Wallarm Free API Firewall - weight API proxy firewall for request and response validation by OpenAPI specs. |
Security APIs
- awesome-security-apis
Tools
- BatchQL
- clairvoyance
- InQL - A Burp Extension for GraphQL Security Testing. |
- graphinder
- graphql-cop
- GraphQLmap
- graphql-path-enum
- graphql-playground
- graphql-threat-matrix
- graphw00f
- goctopus
- graphql-armor
- Akto
- APICheck
- APIClarity - time workload traffic seamlessly. |
- APIFuzzer
- APIKit
- Arjun
- Astra
- Automatic API Attack Tool
- CATS
- Cherrybomb - done API specifications with a CLI tool that helps you avoid undefined user behaviour by validating your API specifications. |
- ffuf
- fuzzapi - Fuzzerd uses API_Fuzzer gem. |
- gotestwaf - source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses |
- kiterunner
- Metlo - source API security tool to discover, inventory, test, and protect your APIs. |
- mitmproxy2swagger - engineer REST APIs via capturing traffic |
- Optic - to-date |
- OFFAT
- REST-Attacker - of-concept for the feasibility of testing generic real-world REST implementations. Its goal is to provide a framework for REST security research. |
- RESTler
- Swagger-EZ
- TnT-Fuzzer
- wadl-dumper
- fuzz-lightyear - inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing. |
- Wsdler
- wsdl-wizard
- dredd - agnostic HTTP API Testing Tool |
- getallurls (gau)
- SoapUI - source cross-platform functional testing solution for APIs and web services. |
- Step CI - source framework for API Quality Assurance, which tests REST, GraphQL and gRPC automated and from Open API spec. |
- unfurl

Programming Languages

Python 21 Go 12 Java 8 TypeScript 7 JavaScript 6 HTML 2 Kotlin 1 Ruby 1 Rust 1 Emacs Lisp 1

Categories

Tools 43 Other resources 20 Deliberately vulnerable APIs 18 Training, Workshops, Labs 13 Fuzzing, SecLists, Wordlists 13 Checklist 9 Design, Architecture, Development 9 Books 8 Cheatsheets 7 API Keys: Find and validate 6 Specifications 6 Encyclopedias, Projects, Wikis and GitBooks 6 Presentations, Videos 6 Twitter 5 Mind maps 5 HTTP 101 5 Podcasts 4 Enumeration, Scanning and exploration steps 4 Playlists 2 Newsletters 2 Security APIs 1 Projects 1 Conferences 1 Firewalls 1 Contributions 1

Sub Categories

Keywords

security 21 graphql 14 api 13 openapi 9 api-security 9 swagger 9 bugbounty 7 security-tools 6 penetration-testing 6 owasp 6 fuzzer 5 pentest 4 pentesting 4 infosec 3 hacking 3 cybersecurity 3 devsecops 3 api-rest 3 fuzz 3 openapi3 3 graphql-security 3 api-testing 3 http 3 api-gateway 2 integration-testing 2 rest-api 2 appsec 2 web-application-security 2 api-blueprint 2 web-application-firewall 2 docker 2 waf 2 openapi-spec 2 owasp-top-10 2 rest-security 2 apis 2 openapi-specification 2 burp-extensions 2 bugbounty-tool 2 json 2 validation 2 json-api 2 files 2 testing 2 hacktoberfest2023 2 python 2 vulnerability-detection 2 fingerprinting 2 rest 2 api-security-testing 2