API and WS Hacking
Last updated
MindAPI: Bringing order to API hacking chaos!
CookieMindMap: Fuzz cookies and proceed!
A collection of awesome API Security tools and resources.
Name | Description |
---|---|
Simple website to guess API Key / OAuth Token by Muhammad Daffa | |
An API key is a unique identifier used to authenticate requests associated with your project. Some developers hardcode keys in source or leave them on public shares, which is why leaked keys are worth hunting for. | |
Go scripts for checking API key / access token validity. | |
Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. | |
Driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user. | |
A tool used to hunt down API key leaks in JS files and pages |
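The key-hunting tools above work by matching known credential formats and high-entropy string literals in JavaScript bundles. The following is an added example (not code from any of the listed tools or this page) that does the same two things over a constructed sample bundle: it matches the documented shapes of AWS, GitHub, Google, Slack and Stripe keys, then falls back to a Shannon-entropy check on any string assigned to a secret-looking variable name. All keys in the sample are fabricated placeholders, and `find_secrets` and `VERIFY_HINTS` are names chosen here, not part of any tool's interface.

```python
"""Spot leaked API keys in JavaScript the way a key-hunting tool does:
format-based patterns first, entropy-based detection as a fallback."""
import math
import re
from collections import Counter

# Public, documented credential shapes (prefix + fixed-length body).
PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])"),
    "github_token": re.compile(r"(?<![A-Za-z0-9_])gh[pousr]_[A-Za-z0-9]{36}(?![A-Za-z0-9])"),
    "google_api_key": re.compile(r"(?<![A-Za-z0-9_\-])AIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])"),
    "slack_token": re.compile(r"(?<![A-Za-z0-9])xox[baprs]-[0-9A-Za-z\-]{10,}(?![0-9A-Za-z\-])"),
    "stripe_secret_key": re.compile(r"(?<![A-Za-z0-9_])sk_(?:live|test)_[0-9A-Za-z]{24,}(?![0-9A-Za-z])"),
}

# Fallback: a string literal of 16+ chars assigned to a secret-looking name.
GENERIC = re.compile(
    r"""\b\w*(?:api[_-]?key|key|secret|token|password)\w*\s*[:=]\s*["']([^"'\n]{16,})["']""",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.5  # bits per character; hex/base64 secrets sit well above this

# How a tester confirms a hit is live (keyhacks-style manual checks).
VERIFY_HINTS = {
    "aws_access_key_id": "aws sts get-caller-identity (with the matching secret key)",
    "github_token": "curl -H 'Authorization: token <TOKEN>' https://api.github.com/user",
    "slack_token": "curl -d token=<TOKEN> https://slack.com/api/auth.test",
}

# Constructed sample bundle; every value below is a fake example key.
SAMPLE_JS = """\
// constructed sample bundle: every value here is a fake example key
const config = {
  apiKey: "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q",
  region: "us-east-1",
};
const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
const ghToken = "ghp_1234567890abcdefghijklmnopqrstuvwxyz";
const analyticsId = "UA-000000-1";                        // an identifier, not a secret
const sessionSecret = "c8f1b2a9e4d7f0c3b6a5d2e1f8c7b4a9";   // unknown format, high entropy
const password = "changeme-changeme";                      // secret-looking name, low entropy
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Redact a credential for reporting: keep only the first and last 4 chars."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def find_secrets(text: str) -> list[dict]:
    """Return one record per suspected credential, ordered by line number."""
    hits = []

    def add(kind, value, start):
        hits.append({
            "kind": kind,
            "line": text.count("\n", 0, start) + 1,
            "value": value,
            "masked": mask(value),
            "verify": VERIFY_HINTS.get(kind, "no known offline check"),
        })

    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            add(kind, m.group(0), m.start())
    for m in GENERIC.finditer(text):
        value = m.group(1)
        already = any(h["value"] in value for h in hits)
        if not already and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            add("high_entropy_secret", value, m.start(1))
    return sorted(hits, key=lambda h: h["line"])


if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_JS):
        print(f"line {hit['line']:>2}  {hit['kind']:<20} {hit['masked']:<16} verify: {hit['verify']}")
```

The entropy threshold is what keeps `password = "changeme-changeme"` out of the results while the 32-character hex `sessionSecret` is reported; tune it per code base, and always confirm a hit against the provider before reporting it as a live credential.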
Author | Publisher | Name | Description |
---|---|---|---|
Colin Domoney | Packt Publishing | Focused on helping developers produce secure APIs | |
Confidence Staveley | Packt Publishing | Uncover offensive defense strategies and get up to speed with secure API implementation | |
Corey Ball | No Starch Press | Breaking Web Application Programming Interfaces. | |
Dolev Farhi and Nick Aleks | No Starch Press | Black Hat GraphQL. | |
Emily Freeman | Data Theorem Special Edition | This book is a high-level introduction to the key concepts of API security and DevSecOps. | |
Justin Richer and Antonio Sanso | Manning | Several chapters from several Manning books that give you some context for how API security works in the real world. | |
Neil Madden | Manning | API Security in Action teaches you how to create secure APIs for any situation. |
Name | Description |
---|---|
GraphQL - OWASP Cheat Sheet Series | |
PentesterLab - JSON Web Token Security Cheat Sheet | |
Injection - OWASP Cheat Sheet Series | |
Microservices - OWASP Security Cheat Sheet | |
42Crunch - OWASP API Security Top 10 | |
REST Assessment - OWASP Cheat Sheet Series | |
REST Security - OWASP Cheat Sheet Series |
Author | Name | Description |
---|---|---|
HolyBugx | HolyTips: API security checklist | |
APIOps Cycles | API Audit checklist. | |
Shieldfy | Checklist of the most important security countermeasures when designing, testing, and releasing your API. | |
API Mike, @api_sec | Common steps to include in any API penetration testing process. | |
Latish Danawale | API Testing Checklist. | |
Inon Shkedy | Inon Shkedy's 31 Days of API Security Tips challenge. | |
Binary Brotherhood | OAuth 2.0 Threat Model Pentesting Checklist | |
Apollo | 9 Ways To Secure your GraphQL API — GraphQL Security Checklist | |
LeapGraph | How to Secure a GraphQL API - The Complete Vulnerability Checklist | |
Lokesh Gupta | REST API Tutorial blog entry. |
Name | Description |
---|---|
The world's first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security. |
Name | Author | Description |
---|---|---|
Pre-built vulnerable environments covering multiple API scenarios, based on Docker Compose. | ||
TryHackMe room - A Beginner level box with basic web enumeration and REST API Fuzzing. | ||
completely ridiculous API (crAPI) | ||
Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology for learning and practicing GraphQL security. | ||
A vulnerable microservice written in several languages to demonstrate the OWASP API Security Top 10 risks (under development). | ||
Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers. | ||
Damn Vulnerable Web Services is a vulnerable web service/API/application that we can use to learn webservices/API vulnerabilities. | ||
Vulnerable API with Laravel App | ||
A simple Express.JS REST API application that exposes endpoints with code that contains vulnerabilities. | ||
The Pixi module is a MEAN Stack web app with wildly insecure APIs! | ||
Research on GraphQL from an AppSec point of view. | ||
This is a "Goat" project so you can get familiar with REST API testing. | ||
Vulnerable REST API with OWASP top 10 vulnerabilities for APIs | ||
vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios through exercises. | ||
Intentionally very vulnerable API with bonus bad coding practices. | ||
A very vulnerable implementation of a GraphQL API. | ||
Websheep is an app built on deliberately vulnerable RESTful APIs. | ||
This repository was developed using .NET 7.0 API technology based on findings listed in the OWASP 2019 API Security Top 10. |
Name | Description |
---|---|
This Toolbox's goal is to map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements. | |
gRPC vs REST: Understanding gRPC, OpenAPI and REST and when to use them in API design | |
API security design best practices for enterprise and public cloud. | |
This design guide or style guide contains best practices suitable for most REST APIs. | |
How to design a REST API? - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc. | |
A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list. | |
Collecting Requirements for your API with APIOps Cycles. | |
API Audit is a method to ensure APIs are matching the API Design guidelines. It also helps check for usability, security and API management platform compatibility. |
Author | Name | Description |
---|---|---|
@six2dez | APIs Pentest Book | |
@csbygb | CSbyGB's Pentips | |
cyprosecurity | The API Security Empire Project aims to present unique attack & defense methods in the API Security field | |
@APIsecurity.io | API Security Encyclopedia | |
@carlospolop | HackTricks - Web API Pentesting | |
@carlospolop | HackTricks - GraphQL |
Name | Description |
---|---|
Using Burp to Enumerate a REST API | |
Scanning APIs with ZAP | |
Exploring APIs with ZAP | |
Scan REST APIs with w3af |
Name | Description |
---|---|
Fast and light-weight API proxy firewall for request and response validation by OpenAPI specs. |
Name | Description |
---|---|
A wordlist of API names for web application assessments | |
HTTP requests methods wordlist by @danielmiessler | |
API Routes - Automated Wordlists provided by Assetnote | |
Wordlist for common API endpoints. | |
Potentially dangerous files | |
Fuzzing APIs chapter from "The Fuzzing Book". | |
It's a GraphQL list used during security assessments, collected in one place. | |
Wordlists and API paths by @hapi_hacker | |
Kiterunner Wordlists provided by Assetnote | |
A list of 3203 common API endpoints and objects designed for fuzzing. | |
Swagger endpoints | |
It is a collection of web content discovery lists for APIs used during security assessments. | |
The only GraphQL wordlist you'll ever need. Operations, field names, type names... Collected on more than 60k distinct GraphQL schemas. |
Name | Description |
---|---|
HTTP Headers: a simplified and comprehensive table. | |
HTTP Methods: a simplified and comprehensive table. | |
HTTP Status codes: a simplified and comprehensive table. | |
httpstatuses.com is an easy to reference database of HTTP Status Codes with their definitions and helpful code references all in one place. | |
HTTP headers, media-types, methods, relations and status codes, all summarized and linking to their specification. |
Author | Name | Description |
---|---|---|
Mind map: REST API defenses | ||
Mind map: API Pentesting - ATTACK | ||
Mind map: API Pentesting - Recon | ||
Mind map: GraphQL Attacking | ||
Organize your API security assessment by using MindAPI | ||
Mind map: XML attacks | ||
Mind map: GraphQL Security Testing | ||
Mind map: OWASP API Top 10 | ||
Mind map: IDOR Techniques |
Author | Name | Description |
---|---|---|
42Crunch | API Security Articles - The Latest API Security News, Vulnerabilities & Best Practices. | |
Dana Epp | API Hacker’s Inner Circle Newsletter. |
Name | Author | Description |
---|---|---|
Dana Epp | API Hacking Fundamentals, Tools, Techniques, Fails and Mindset articles. | |
Expedited Security | API Security Best Practices MegaGuide | |
Bright Security | API Security, The Complete Guide | |
SecureLayer7 | API Penetration Testing with OWASP 2017 Test Cases. | |
UnderDefense | Anonymised API Penetration Testing Report - vendor sample template | |
RhinoSecurityLabs | Simplifying API Pentesting With Swagger Files. | |
MindAPI | Resources to help out on the API security path; diverse content from talks/webinars/videos, must-reads, writeups, BOLA/IDOR, OAuth, JWT, rate limiting, SSRF and practice entries. | |
Spherical Defence | Principles of API Security Testing and how to perform a Security Test on an API. | |
Bend Theory | Finding and Exploiting Unintended Functionality in Main Web App APIs | |
SmartBear | How to Hack an API and Get Away with It (Part 1 of 3). | |
Detectify | How to Hack APIs in 2021 | |
Wallarm | How to Hack API in 60 minutes with Open Source Tools | |
YesWeHack | How to exploit a GraphQL endpoint: introspection, queries, mutations & tools. | |
WunderGraph | GraphQL Security Guide, Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready. | |
Aakash Choudhary | My Notes on Hacking APIs from Bug Bounty Bootcamp. | |
NeuraLegion | SOAP Security, Top Vulnerabilities and How to Prevent Them. | |
PortSwigger | What are API and microservice security? | |
42Crunch | Strengthening Your API Security Posture – Ford Motor Company. | |
Tenchi Security | Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion. |
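The GraphQL exploitation article above covers mutations; one technique that falls out of it is alias batching, where many calls of the same mutation are packed into a single operation so that a per-request rate limit on, say, `login` never fires. The following is an added example (not code from the article or from this page) showing both sides: an attacker-side builder that emits a batched brute-force mutation, and the server-side check a GraphQL security middleware applies to reject it, based on counting top-level selections and array-batched operations. The `login` mutation, its `token` field and the limits (5 aliases, 1 operation per request) are assumptions chosen for the example.

```python
"""Alias batching in GraphQL: the attacker's request builder beside the
server-side check that rejects it."""
import json
import re


def build_alias_batch(field: str, arg_sets: list[dict], selection: str = "token") -> str:
    """Pack N calls of one field into a single operation using aliases q0..qN-1.
    One HTTP request then carries N attempts, which defeats limiters that count
    requests rather than resolver invocations."""
    parts = []
    for i, args in enumerate(arg_sets):
        arg_str = ", ".join(f"{k}: {json.dumps(v)}" for k, v in args.items())
        parts.append(f"q{i}: {field}({arg_str}) {{ {selection} }}")
    return "mutation {\n  " + "\n  ".join(parts) + "\n}"


def depth1_text(query: str) -> str:
    """Keep only the characters at selection depth 1 of a GraphQL document:
    inside the outermost braces, outside nested selection sets and outside
    argument lists. String literals are blanked first so braces inside them
    cannot confuse the depth counter."""
    query = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)
    out, depth, paren = [], 0, 0
    for ch in query:
        if ch == "{":
            depth += 1
            out.append(" ")
        elif ch == "}":
            depth -= 1
            out.append(" ")
        elif depth == 1:
            if ch == "(":
                paren += 1
            elif ch == ")":
                paren -= 1
            elif paren == 0:
                out.append(ch)
    return "".join(out)


def top_level_selections(query: str) -> list[str]:
    """Field names selected at the top level, with aliases resolved
    ('q0: login' counts as one 'login') and directives ignored."""
    text = re.sub(r"@\w+", " ", depth1_text(query))
    return [field or bare for _, field, bare in re.findall(r"(\w+)\s*:\s*(\w+)|(\w+)", text)]


def check_request(body: str, max_aliases: int = 5, max_batch: int = 1) -> tuple[bool, str]:
    """Gate a raw JSON request body the way a GraphQL security layer would:
    reject array batching beyond max_batch operations and alias batching
    beyond max_aliases top-level selections in any one operation."""
    payload = json.loads(body)
    ops = payload if isinstance(payload, list) else [payload]
    if len(ops) > max_batch:
        return False, f"array batching: {len(ops)} operations exceeds limit of {max_batch}"
    for op in ops:
        n = len(top_level_selections(op.get("query", "")))
        if n > max_aliases:
            return False, f"alias batching: {n} top-level selections exceeds limit of {max_aliases}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed password list for the demo; 50 guesses in one request.
    guesses = [f"hunter{i}" for i in range(50)]
    attack = build_alias_batch("login", [{"user": "alice", "password": p} for p in guesses])
    print(attack.splitlines()[1], "...")
    print(check_request(json.dumps({"query": attack})))
    print(check_request(json.dumps({"query": "query { me { id } posts(first: 10) { id } }"})))
```

Counting selections after resolving aliases is what matters: a limiter that only counts HTTP requests, or only checks for array batching, still lets the 50-guess mutation through as a single request.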
Name | Description |
---|---|
A video collection from Katie Paxton-Fear, @InsiderPhD, and other people creating a playlist of API hacking knowledge! | |
API hacking videos from @theXSSrat |
Name | Description |
---|---|
The Hacker Mind Podcast: Hacking APIs | |
21: Troy Hunt: Hack Your API-Security Testing. | |
Erez Yalon — The OWASP API Security Project | |
We Hack Purple Podcast Episode 38 API Security Best Practices. |
Name | Description |
---|---|
Pentesting Rest API's by Gaurang Bhatnagar | |
"How Secure are your APIs?" - Securing your APIs: OWASP API Top 10 2019, Case Study and Demo. | |
API Security Testing For Hackers | |
Bad API, hAPI Hackers! | |
Hidden in Plain Site: Disclosing Information via Your APIs. | |
REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure. |
Name | Description |
---|---|
OWASP API Security Project - API Security Top 10 |
Name | Description |
---|---|
A collective list of public JSON APIs for use in security. |
Name | Description |
---|---|
API Blueprint Specification | |
AsyncAPI Specification | |
OpenAPI Specification | |
JSON API Specification | |
GraphQL Specification | |
RAML Specification |
Name | Description |
---|---|
GraphQL | |
GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations. | |
Obtain GraphQL API schema despite disabled introspection! | |
InQL - A Burp Extension for GraphQL Security Testing. | |
Blazing fast GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce. | |
Security Auditor Utility for GraphQL APIs. | |
GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. | |
Tool that lists the different ways of reaching a given type in a GraphQL schema. | |
GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration) | |
GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations. | |
graphw00f is GraphQL Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint. | |
Blazing fast GraphQL discovery & fingerprinting toolbox. | |
The missing GraphQL security layer for Apollo GraphQL and Yoga / Envelop servers | |
REST APIs | |
API discovery, automated business logic testing and runtime detection | |
The DevSecOps toolset for REST APIs. | |
Reconstruct Open API Specifications from real-time workload traffic seamlessly. | |
Fuzz test your application using your OpenAPI or Swagger API definition without coding. | |
APIKit:Discovery, Scan and Audit APIs Toolkit All In One. | |
HTTP parameter discovery suite. | |
Automated Security Testing For REST API's. | |
Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output. | |
CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. | |
Stop half-done API specifications with a CLI tool that helps you avoid undefined user behaviour by validating your API specifications. | |
Fast web fuzzer written in Go. | |
Fuzzapi is a tool used for REST API pentesting and uses the API_Fuzzer gem. | |
An open-source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses | |
Contextual Content Discovery Tool. | |
Open-source API security tool to discover, inventory, test, and protect your APIs. | |
Automagically reverse-engineer REST APIs via capturing traffic | |
Verify the accuracy of your OpenAPI 3.x spec using real traffic and automatically apply patches that keep it up-to-date | |
OWASP OFFAT autonomously assesses your API for prevalent vulnerabilities; full OpenAPI 3 support is still pending and the project is a work in progress. | |
Designed as a proof-of-concept for the feasibility of testing generic real-world REST implementations. Its goal is to provide a framework for REST security research. | |
RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. | |
A tool geared towards pentesting APIs using OpenAPI definitions. | |
OpenAPI 2.0 (Swagger) fuzzer written in python. Basically TnT for your API. | |
Dump all available paths and/or endpoints on WADL file. | |
A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing. | |
SOAP | |
WSDL Parser extension for Burp. | |
WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files. | |
Others | |
Language-agnostic HTTP API Testing Tool | |
Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl. | |
SoapUI is a free and open-source cross-platform functional testing solution for APIs and web services. | |
Open-source framework for API Quality Assurance, which tests REST, GraphQL and gRPC automated and from Open API spec. | |
Pull out bits of URLs provided on stdin | |
Noir is an attack surface detector that works from source code. |
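Several of the REST tools above (the OpenAPI/Swagger fuzzers and the OpenAPI-driven pentest tooling) and the "Simplifying API Pentesting With Swagger Files" article all start from the same step: reading the specification to decide what to attack first. The following is an added example, not code from any listed tool, that performs that triage over a constructed OpenAPI 3 document (a hypothetical service, not a real one): it enumerates every operation, lists the ones whose effective `security` requirement is empty, flags ID-shaped path and query parameters as BOLA/IDOR candidates, and derives a path wordlist for content discovery. The function names and the `ID_PARAM` heuristic are choices made here.

```python
"""Turn an OpenAPI 3 document into a pentest worklist: every operation, the
ones reachable without credentials, ID-shaped parameters to probe for
BOLA/IDOR, and a path wordlist for content discovery."""
import re

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Parameter names that usually carry an object identifier: id, uuid, user_id, userId, ...
ID_PARAM = re.compile(r"^(?:id|uuid)$|_(?:id|uuid)$|[a-z]Id$")

# Constructed sample spec for a hypothetical service. The global `security`
# block requires a bearer token; operations opt out with `security: []`.
SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.test/v1"}],
    "security": [{"bearerAuth": []}],
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/login": {"post": {"operationId": "login", "security": []}},
        "/health": {"get": {"operationId": "health", "security": []}},
        "/users/{userId}": {
            "parameters": [{"name": "userId", "in": "path", "required": True,
                            "schema": {"type": "integer"}}],
            "get": {"operationId": "getUser"},
            "delete": {"operationId": "deleteUser"},
        },
        "/users/{userId}/orders": {"get": {
            "operationId": "listOrders",
            "parameters": [
                {"name": "userId", "in": "path", "required": True, "schema": {"type": "integer"}},
                {"name": "status", "in": "query", "schema": {"type": "string"}},
            ],
        }},
        "/orders/{orderId}": {"get": {
            "operationId": "getOrder",
            "parameters": [{"name": "orderId", "in": "path", "required": True,
                            "schema": {"type": "string", "format": "uuid"}}],
        }},
        # Deliberate mistake in the sample: an admin write that opted out of auth.
        "/admin/export": {"post": {"operationId": "exportAll", "security": []}},
    },
}


def enumerate_operations(spec: dict) -> list[dict]:
    """One record per (method, path), merging path-level parameters into each
    operation and resolving the effective security requirement (an operation
    without its own `security` inherits the document-level one)."""
    ops = []
    global_security = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # 'parameters', 'summary', etc. are not operations
            ops.append({
                "method": method.upper(),
                "path": path,
                "operationId": op.get("operationId"),
                "parameters": shared + op.get("parameters", []),
                "security": op.get("security", global_security),
            })
    return ops


def unauthenticated(ops: list[dict]) -> list[tuple]:
    """Operations whose effective security requirement is empty or absent."""
    return [(o["method"], o["path"]) for o in ops if not o["security"]]


def unauthenticated_writes(ops: list[dict]) -> list[tuple]:
    """The highest-priority subset: state-changing operations with no auth."""
    return [(m, p) for m, p in unauthenticated(ops) if m in WRITE_METHODS]


def bola_candidates(ops: list[dict]) -> list[tuple]:
    """(method, path, parameter) triples where an object ID is client-supplied."""
    return [(o["method"], o["path"], p["name"]) for o in ops for p in o["parameters"]
            if p.get("in") in ("path", "query") and ID_PARAM.search(p["name"])]


def wordlist(ops: list[dict], placeholder: str = "1") -> list[str]:
    """Concrete paths (templated params replaced) plus bare path segments."""
    words = set()
    for o in ops:
        words.add(re.sub(r"\{[^}]+\}", placeholder, o["path"]))
        words.update(s for s in o["path"].strip("/").split("/") if not s.startswith("{"))
    return sorted(words)


def report(spec: dict) -> dict:
    ops = enumerate_operations(spec)
    return {"operations": len(ops), "unauthenticated": unauthenticated(ops),
            "unauthenticated_writes": unauthenticated_writes(ops),
            "bola_candidates": bola_candidates(ops), "wordlist": wordlist(ops)}


if __name__ == "__main__":
    for key, value in report(SPEC).items():
        print(f"{key}: {value}")
```

The `security` resolution is the part that is easy to get wrong by eye: an operation with no `security` key at all inherits the global requirement, while `security: []` explicitly removes it, so `POST /admin/export` surfaces as an unauthenticated write even though the document as a whole declares bearer auth.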
Author | Name | Description |
---|---|---|
APIsec | APIsec University provides training courses for application security professionals | |
Corey Ball | Hacking APIs: workshop | |
Escape | API Security Academy, by escape | |
Grant Ongers | OWASP API Top 10 CTF Walk-through. | |
Hacker101 | GraphQL Week on The Hacker101 Capture the Flag Challenges | |
Karel Husa | Banking-like REST and GraphQL API for training/learning purposes. | |
Kontra | A series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints. | |
OWASP-SKF | GraphQL Labs on the OWASP Security Knowledge Framework | |
Pentester Academy | Pentester Academy - attack & defense | |
Semgrep Academy | Learn the basics of API security in this short and fun mini course! | |
ShipFast | Learn practical Mobile and API security techniques: API Key, Static and Dynamic HMAC, Dynamic Certificate Pinning, and Mobile App Attestation. | |
Wesley Thijs | API Hacking Exercises by @TheXSSrat |
Author | Name | Description |
---|---|---|
42Crunch | API security news, standards, vulnerabilities, tools. | |
Corey J. Ball | Cybersecurity consulting manager | |
Dana Epp | Microsoft Security MVP | |
David Sopas | Security Researcher | |
Katie Paxton-Fear | Lecturer and hacker | |
Wesley Thijs | Ethical hacker |