https://github.com/fatihtuzunn/api-pentesting-tool

Node.js-based API penetration testing tool with a user-friendly web interface.
api-pentesting api-testing pentest-tool pentesting pentesting-tools rest-api restful-api

# API Pentesting Tool

## Overview
This is a Node.js-based API penetration testing tool with a user-friendly web interface. The tool allows security testers to perform detailed API security tests, including endpoint fuzzing, authentication bypass, rate-limiting tests, CORS policy checks, header manipulation, **JWT-based vulnerability tests**, and more. The results are presented in an easy-to-read format on the UI.

## Features
> - API endpoint fuzzing
> - CORS Policy Test: Checks for misconfigured CORS policies using HTTP OPTIONS requests.
> - Header Manipulation Test: Examines how APIs respond to manipulated headers.
> - Header Security Test: Detects missing or misconfigured HTTP security headers.
> - JWT Algorithm Manipulation Test: Tests JWT vulnerabilities by altering algorithms or injecting malicious payloads.
> - Key Injection Test: Injects unauthorized claims into JWTs to test validation.
> - Blank Password Test (CVE-2019-20933 / CVE-2020-28637): Exploits vulnerabilities related to JWTs signed with blank passwords.
> - Null Signature Test (CVE-2020-28042): Evaluates if JWTs with null signatures are accepted.
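
The server-side check that the JWT tests listed above are meant to exercise, added here as an example (it is not code from this project): a Node.js HS256 verifier that pins the algorithm and rejects empty signatures, tampered claims, and blank secrets. The function names, the 32-character minimum secret length, and the sample tokens are assumptions constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');
const b64url = (v) => Buffer.from(v).toString('base64url');
const hmac = (data, key) => createHmac('sha256', key).update(data).digest();

// Builds constructed test tokens; key === null leaves the signature part empty.
function makeToken(header, payload, key) {
  const data = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return key === null ? `${data}.` : `${data}.${b64url(hmac(data, key))}`;
}

// Returns { ok: true, payload } or { ok: false, reason }.
function verifyHs256(token, secret) {
  // Assumed policy: refuse to verify with a blank or short (< 32 chars) secret.
  if (typeof secret !== 'string' || secret.length < 32) return { ok: false, reason: 'weak-or-blank-secret' };
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm server-side; the token header must not choose it.
  if (!header || header.alg !== 'HS256') return { ok: false, reason: 'alg-not-allowed' };
  if (s.length === 0) return { ok: false, reason: 'null-signature' };
  const expected = hmac(`${h}.${p}`, secret);
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  return { ok: true, payload };
}

// Constructed sample inputs (not real credentials, not output of the tool).
const SECRET = 'constructed-demo-secret-0123456789abcdef';
const claims = { sub: 'alice', role: 'user' };
const valid = makeToken({ alg: 'HS256', typ: 'JWT' }, claims, SECRET);
const [vh, , vs] = valid.split('.');
const samples = {
  valid,
  algNone: makeToken({ alg: 'none', typ: 'JWT' }, claims, null),
  nullSig: makeToken({ alg: 'HS256', typ: 'JWT' }, claims, null),
  injectedClaim: `${vh}.${b64url(JSON.stringify({ ...claims, role: 'admin' }))}.${vs}`,
};
for (const [n, t] of Object.entries(samples)) console.log(n, JSON.stringify(verifyHs256(t, SECRET)));
```

An API whose verifier behaves this way should return a rejection for every manipulated token the JWT tests send, and only the untouched token should pass.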

## Screenshots
![2025-01-18_17-09](https://github.com/user-attachments/assets/4c08ec92-4cf1-49a9-865c-e11f15e8e55a)
![2025-01-18_17-09_1](https://github.com/user-attachments/assets/10fb201f-cd81-4d9c-a9b0-ad6e90a9b1e0)
![2025-01-18_17-10](https://github.com/user-attachments/assets/2e3bb456-e30e-41ab-bb2b-631f625be83b)
![2025-01-18_17-10_1](https://github.com/user-attachments/assets/a3742937-be14-4b51-a781-018fb3141286)

## Installation
To install the API Pentesting Tool, follow these steps:

1. Clone the repository:
```bash
git clone https://github.com/fatihtuzunn/api-pentesting-tool.git
```
2. Navigate to the project directory:
```bash
cd api-pentesting-tool
```
3. Install the required dependencies:
```bash
npm install
```

## Usage
To start using the tool, run the following command:
```bash
node server.js
```
Open your browser and navigate to `http://localhost:3000`.

## Dependencies
> - Node.js: Server-side runtime.
> - Express: Web framework for building the API.
> - Axios: For HTTP requests.
> - jsonwebtoken: For decoding and manipulating JWTs.
> - EJS (or similar templating engine): For rendering the UI.
> - Bootstrap/TailwindCSS: For responsive design.

## Contributing
We welcome contributions from the community. To contribute, please follow these steps:

1. Fork the repository
2. Create a new branch (`git checkout -b feature-branch`)
3. Commit your changes (`git commit -am 'Add new feature'`)
4. Push to the branch (`git push origin feature-branch`)
5. Create a new Pull Request

## License
This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for more details.

## Contact
For any questions or feedback, please open an issue on GitHub or contact the project maintainer at [your-email@example.com].