The awesome-api-security (aka awesome-apisec) repository is a collection of awesome API Security tools and resources.
The focus is on open-source tools and resources that benefit the whole community.
Please read the contributions section before opening a pull request.
An API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave them on public shares.
Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology to learn and practice GraphQL Security.
This Toolbox's goal is to try and map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements.
A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list.
API Audit is a method to ensure APIs are matching the API Design guidelines. It also helps check for usability, security and API management platform compatibility.
Resources to help out in the API security path; diverse content from talks/webinars/videos, must-reads, writeups, BOLA/IDORs, OAuth, JWT, rate limiting, SSRF and practice entries.
graphw00f is a GraphQL Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.
The missing GraphQL security layer for Apollo GraphQL and Yoga / Envelop servers.
| Name | Description |
| --- | --- |
| **REST APIs** | |
| Akto | API discovery, automated business logic testing and runtime detection. |
| APICheck | The DevSecOps toolset for REST APIs. |
| APIClarity | Reconstruct OpenAPI Specifications from real-time workload traffic seamlessly. |
| APIFuzzer | Fuzz test your application using your OpenAPI or Swagger API definition without coding. |
| APIKit | Discovery, scan and audit APIs toolkit, all in one. |
| Arjun | HTTP parameter discovery suite. |
| Astra | Automated security testing for REST APIs. |
| Automatic API Attack Tool | Imperva's customizable API attack tool takes an API specification as input, then generates and runs attacks based on it. |
| CATS | CATS is a REST API fuzzer and negative testing tool for OpenAPI endpoints. |
| Cherrybomb | Stop half-done API specifications with a CLI tool that helps you avoid undefined user behaviour by validating your API specifications. |
| ffuf | Fast web fuzzer written in Go. |
| fuzzapi | Fuzzapi is a tool used for REST API pentesting and uses the API_Fuzzer gem. |
| gotestwaf | An open-source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses. |
| kiterunner | Contextual content discovery tool. |
| Metlo | Open-source API security tool to discover, inventory, test, and protect your APIs. |
| mitmproxy2swagger | Automagically reverse-engineer REST APIs via capturing traffic. |
| Optic | Verify the accuracy of your OpenAPI 3.x spec using real traffic and automatically apply patches that keep it up to date. |
| REST-Attacker | Designed as a proof-of-concept for the feasibility of testing generic real-world REST implementations. Its goal is to provide a framework for REST security research. |
| RESTler | RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. |
| Swagger-EZ | A tool geared towards pentesting APIs using OpenAPI definitions. |
| TnT-Fuzzer | OpenAPI 2.0 (Swagger) fuzzer written in Python. Basically TnT for your API. |
| wadl-dumper | Dump all available paths and/or endpoints from a WADL file. |
| fuzz-lightyear | A pytest-inspired DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful Swagger fuzzing. |
| **SOAP** | |
| Wsdler | WSDL parser extension for Burp. |
| wsdl-wizard | WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files. |
| **Others** | |
| dredd | Language-agnostic HTTP API testing tool. |
| getallurls (gau) | Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl. |
| SoapUI | SoapUI is a free and open-source cross-platform functional testing solution for APIs and web services. |
| Step CI | Open-source framework for API quality assurance, which tests REST, GraphQL and gRPC automatically and from an OpenAPI spec. |
| unfurl | Pull out bits of URLs provided on stdin. |
| noir | Noir is an attack surface detector from source code. |
Is a series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints.
The purpose of this repository is to collect API Security tools and resources. The preference goes to open-source or community-edition tools, Creative Commons resources, and resources created by the community for the benefit of the community. The exception is the books topic, where some referenced items may have an associated cost.
Other content that is vendor-specific, ads, commercial, restricted, free trial, freemium, closed-source (proprietary software), or products or services provided in exchange for private user details is considered out of scope for pull requests.
Content or materials not directly related to API security, hunting bugs in APIs, or hardening or hacking APIs may also be discarded.
Duplicated content, or entries that do not provide additional or relevant content compared with existing entries, may also not be considered.
Out-of-scope pull requests will probably be discarded, closed or ignored without notice.
The Twitter section references authors of books, videos, workshops, courses, newsletters or content already present in this repository. This is a bit subjective and may not be consensual at all! Even though it can bring division, I decided to add the section since it might be useful to some of the visitors of the repository.
If you are an author of tools/content and your description is not accurate in the Twitter or any other section, let me know!
If you think your content fits the above purposes, please