Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/cyber-guy1/api-securityempire
API Security Project aims to present unique attack & defense methods in API Security field
https://github.com/cyber-guy1/api-securityempire
api apisecurity bug-bounty bugbounty bugbountytips cybersec cybersecurity information-security infosec penetration-testing tips
Last synced: about 19 hours ago
JSON representation
API Security Project aims to present unique attack & defense methods in API Security field
- Host: GitHub
- URL: https://github.com/cyber-guy1/api-securityempire
- Owner: Cyber-Guy1
- Created: 2022-02-23T20:48:34.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2024-03-05T15:56:37.000Z (11 months ago)
- Last Synced: 2025-02-01T05:45:00.945Z (about 19 hours ago)
- Topics: api, apisecurity, bug-bounty, bugbounty, bugbountytips, cybersec, cybersecurity, information-security, infosec, penetration-testing, tips
- Homepage:
- Size: 3.49 MB
- Stars: 1,368
- Watchers: 34
- Forks: 250
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# 🛡️ API Security Empire
In this repository you will find: Mindmaps, tips & tricks, resources and every thing related to API Security and API Penetration Testing. Our mindmaps and resources are based on OWASP TOP 10 API, our expereince in Penetration testing and other resources to deliver the most advanced and accurate API security and penetration testing resource in the WEB!!
## 🚪 First gate: ```{{Recon}}```
The first gate to enter the API Security Empire is to know how to gather information about the API infrastructure and how to perform a powerfull recon on API to extract the hidden doors which made you compromise the whole infrastructure from, so, we provide this updated API Recon mindmap with the latest tools and methodologies in API recon:
### ⚔️ Weapons you will need:
- [BurpSuite](https://portswigger.net/burp/releases)
- [FFUF](https://github.com/ffuf/ffuf)
- [Arjun](https://github.com/InsiderPhD/Arjun)
- [Postman](https://www.postman.com/downloads/)
- [SecLists](https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web-Content)
- [FuzzDB](https://github.com/fuzzdb-project/fuzzdb)
- [SoapUI](https://www.soapui.org/downloads/soapui/)
- [GraphQL Voyager](https://apis.guru/graphql-voyager/)
- [Graphinder](https://github.com/Escape-Technologies/graphinder)
- [Kiterunner](https://github.com/assetnote/kiterunner)
- [unfurl](https://github.com/tomnomnom/unfurl)
### 🏋️ Test your abilities and weapons:
- [vapi](https://github.com/roottusk/vapi)
- [Generic-University](https://github.com/InsiderPhD/Generic-University)
## 🚪 Second gate: ```{{Attacking}}```
### Attacking RESTful & SOAP:
### Attacking GraphQL:
Due to the limited attacks in the GraphQL we tried to generate all the possible attacks due to our experience in testing APIs in the coming mindmap:
While attacking GraphQL, the most important phase is the enumeration of mutations and queries, without which you will not be able to perform full GraphQL testing, to do so, I'm using the *Apollo GraphQL Sandbox*, Apollo enumerates the queries and mutations, then sorting them in front of you, after that you can chose the action you want to perform using mutations or the data you want to retrive using queries by just chosing them via GUI and Apollo will write down the query automatically. What makes Apollo special is that it's a web based explorer, which means no need to install and you can run it against your local GraphQl too!!
- [Apollo Sandbox](https://studio.apollographql.com/sandbox/explorer)
## 🙏 Special thanks:
- [roottusk](https://github.com/roottusk)
- [Portswigger](https://github.com/PortSwigger)
- [Tomnomnom](https://github.com/tomnomnom)
- [assetnote](https://github.com/assetnote/kiterunner)
- [danielmiessler](https://github.com/danielmiessler)
- [InsiderPhD](https://github.com/InsiderPhD)
- [ffuf](https://github.com/ffuf/)
- [OWASP](https://github.com/OWASP)
## 📝 License:
