API and WS Hacking
API Hacking
MindAPI: Bringing order to API hacking caos!
CookieMindMap: Fuzz cookies and proceed!
Awesome API
A collection of awesome API Security tools and resources.
API Keys: Find and validate
Simple website to guess API Key / OAuth Token by Muhammad Daffa
An API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave it on public shares.
Go scripts for checking API key / access token validity.
Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.
Driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.
A tool used to hunt down API key leaks in JS files and pages
Books
Confidence Staveley
Packt Publishing
Uncover offensive defense strategies and get up to speed with secure API implementation
Emily Freeman
Data Theorem Special Edition
This book is a high-level introduction to the key concepts of API security and DevSecOps.
Justing Richer and Antonio Sanso
Manning
Several chapters from several Manning books that give you some context for how API security works in the real world.
Neil Madden
Manning
API Security in Action teaches you how to create secure APIs for any situation.
Cheatsheets
GraphQL - OWASP Cheat Sheet Series
PentesterLab - JSON Web Token Security Cheat Sheet
Injection - OWASP Cheat Sheet Series
Microservices - OWASP Security Cheat Sheet
42Crunch - OWASP API Security Top 10
REST Assessment - OWASP Cheat Sheet Series
REST Security - OWASP Cheat Sheet Series
Checklist
Shieldfy
Checklist of the most important security countermeasures when designing, testing, and releasing your API.
API Mike, @api_sec
Common steps to include in any API penetration testing process.
Apollo
9 Ways To Secure your GraphQL API — GraphQL Security Checklist
LeapGraph
How to Secure a GraphQL API - The Complete Vulnerability Checklist
Conferences
The world's first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security.
Deliberately vulnerable APIs
Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose.
TryHackMe room - A Beginner level box with basic web enumeration and REST API Fuzzing.
Damn Vulnerable GraphQL Application is intentionally vulnerable implementation of Facebook's GraphQL technology to learn and practice GraphQL Security.
This is a vulnerable microservice written in many languages to demonstrating OWASP API Top Security Risk (under development).
Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.
Damn Vulnerable Web Services is a vulnerable web service/API/application that we can use to learn webservices/API vulnerabilities.
A simple Express.JS REST API application that exposes endpoints with code that contains vulnerabilities.
vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.
This repository was developed using .NET 7.0 API technology based on findings listed in the OWASP 2019 API Security Top 10.
Design, Architecture, Development
This Toolbox goal is to try and map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements.
gRPC vs REST: Understanding gRPC, OpenAPI and REST and when to use them in API design
API security design best practices for enterprise and public cloud.
This design guide or style guide contains best practices suitable for most REST APIs.
How to design a REST API? - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc.
A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list.
Collecting Requirements for your API with APIOps Cycles.
API Audit is a method to ensure APIs are matching the API Design guidelines. It also helps check for usability, security and API management platform compatibility.
Encyclopedias, Projects, Wikis and GitBooks
cyprosecurity
The API Security Empire Project aims to present unique attack & defense methods in the API Security field
Enumeration, Scanning and exploration steps
Using Burp to Enumerate a REST API
Scanning APIs with ZAP
Exploring APIs with ZAP
Scan REST APIs with w3af
Firewalls
Fast and light-weight API proxy firewall for request and response validation by OpenAPI specs.
Fuzzing, SecLists, Wordlists
A wordlist of API names for web application assessments
HTTP requests methods wordlist by @danielmiessler
API Routes - Automated Wordlists provided by Assetnote
Wordlist for common API endpoints.
Potentially dangerous files
Fuzzing APIs chapter from "The Fuzzing Book".
It's a GraphQL list used during security assessments, collected in one place.
Wordlists and API paths by @hapi_hacker
Kiterunner Wordlists provided by Assetnote
A list of 3203 common API endpoints and objects designed for fuzzing.
Swagger endpoints
It is a collection of web content discovery lists for APIs used during security assessments.
The only GraphQL wordlist you'll ever need. Operations, field names, type names... Collected on more than 60k distinct GraphQL schemas.
HTTP 101
HTTP Headers: a simplified and comprehensive table.
HTTP Methods: a simplified and comprehensive table.
HTTP Status codes: a simplified and comprehensive table.
httpstatuses.com is an easy to reference database of HTTP Status Codes with their definitions and helpful code references all in one place.
HTTP headers, media-types, methods, relations and status codes, all summarized and linking to their specification.
Mind maps
Newsletters
42Crunch
API Security Articles - The Latest API Security News, Vulnerabilities & Best Practices.
Other resources
Dana Epp
API Hacking Fundamentals, Tools, Techniques, Fails and Mindset articles.
UnderDefense
Anonymised API Penetration Testing Report - vendor sample template
MindAPI
Resources to help out in the API security path; diverse content from talks/webinards/videos, must read, writeups, bola/idors, oauth, jwt, rate limit, ssrf and practice entries.
Spherical Defence
Principles of API Security Testing and how to perform a Security Test on an API.
Bend Theory
Finding and Exploiting Unintended Functionality in Main Web App APIs
SmartBear
How to Hack an API and Get Away with It (Part 1 of 3).
Wallarm
How to Hack API in 60 minutes with Open Source Tools
YesWeHAck
How to exploit GraphQL endpoint: introspection, query, mutations & tools.
WunderGraph
GraphQL Security Guide, Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready.
Aakash Choudhary
My Notes on Hacking APIs from Bug Bounty Bootcamp.
NeuraLegion
SOAP Security, Top Vulnerabilities and How to Prevent Them.
42Crunch
Strengthening Your API Security Posture – Ford Motor Company.
Tenchi Security
Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion.
Playlists
A video collection from Katie Paxton-Fear, @InsiderPhD, and other people creating a playlist of API hacking knowledge!
API hacking videos from @theXSSrat
Podcasts
The Hacker Mind Podcast: Hacking APIs
21: Troy Hunt: Hack Your API-Security Testing.
Erez Yalon — The OWASP API Security Project
We Hack Purple Podcast Episode 38 API Security Best Practices.
Presentations, Videos
Pentesting Rest API's by Gaurang Bhatnagar
"How Secure are you APIs?" - Securing your APIs: OWASP API Top 10 2019, Case Study and Demo.
API Security Testing For Hackers
Bad API, hAPI Hackers!
Hidden in Plain Site: Disclosing Information via Your APIs.
REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure.
Projects
OWASP API Security Project - API Security Top 10
Security APIs
A collective list of public JSON APIs for use in security.
Specifications
Tools
GraphQL
GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations.
Obtain GraphQL API schema despite disabled introspection!
InQL - A Burp Extension for GraphQL Security Testing.
Blazing fast GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce.
Security Auditor Utility for GraphQL APIs.
GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.
Tool that lists the different ways of reaching a given type in a GraphQL schema.
GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration)
GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations.
graphw00f is GraphQL Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.
Blazing fast GraphQL discovery & fingerprinting toolbox.
The missing GraphQL security security layer for Apollo GraphQL and Yoga / Envelop servers
REST APIs
API discovery, automated business logic testing and runtime detection
The DevSecOps toolset for REST APIs.
Reconstruct Open API Specifications from real-time workload traffic seamlessly.
Fuzz test your application using your OpenAPI or Swagger API definition without coding.
APIKit:Discovery, Scan and Audit APIs Toolkit All In One.
HTTP parameter discovery suite.
Automated Security Testing For REST API's.
Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.
CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints.
Stop half-done API specifications with a CLI tool that helps you avoid undefined user behaviour by validating your API specifications.
Fast web fuzzer written in Go.
Fuzzapi is a tool used for REST API pentesting anTnT-Fuzzerd uses API_Fuzzer gem.
An open-source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses
Contextual Content Discovery Tool.
Open-source API security tool to discover, inventory, test, and protect your APIs.
Automagically reverse-engineer REST APIs via capturing traffic
Verify the accuracy of your OpenAPI 3.x spec using real traffic and automatically apply patches that keep it up-to-date
The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.
Designed as a proof-of-concept for the feasibility of testing generic real-world REST implementations. Its goal is to provide a framework for REST security research.
RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
A tool geared towards pentesting APIs using OpenAPI definitions.
OpenAPI 2.0 (Swagger) fuzzer written in python. Basically TnT for your API.
Dump all available paths and/or endpoints on WADL file.
A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing.
SOAP
WSDL Parser extension for Burp.
WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files.
Others
Language-agnostic HTTP API Testing Tool
Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
SoapUI is a free and open-source cross-platform functional testing solution for APIs and web services.
Open-source framework for API Quality Assurance, which tests REST, GraphQL and gRPC automated and from Open API spec.
Pull out bits of URLs provided on stdin
Noir is an attack surface detector form source code.
Training, Workshops, Labs
APIsec
APIsec University provides training courses for application security professionals
Kontra
Is a series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints.
Semgrep Academy
Learn the basics of API security in this short and fun mini course!
ShipFast
Learn practical Mobile and API security techniques: API Key, Static and Dynamic HMAC, Dynamic Certificate Pinning, and Mobile App Attestation.
Twitter
Last updated
Was this helpful?