A collection of awesome API Security tools and resources.
Awesome Repositories
Tools
GraphQL

| Name | Description |
| --- | --- |
| BatchQL | GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations. |
| clairvoyance | Obtain GraphQL API schema despite disabled introspection! |
| InQL | A Burp Extension for GraphQL Security Testing. |
| GraphQLmap | A scripting engine to interact with a GraphQL endpoint for pentesting purposes. |
| graphql-path-enum | Tool that lists the different ways of reaching a given type in a GraphQL schema. |
| graphql-playground | GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration). |

REST APIs

| Name | Description |
| --- | --- |
| APICheck | The DevSecOps toolset for REST APIs. |
| APIClarity | Reconstruct OpenAPI specifications from real-time workload traffic seamlessly. |
| APIFuzzer | Fuzz test your application using your OpenAPI or Swagger API definition without coding. |
| APIKit | Discovery, scan and audit APIs toolkit, all in one. |
| Arjun | HTTP parameter discovery suite. |
| Astra | Automated security testing for REST APIs. |
| Automatic API Attack Tool | Imperva’s customizable API attack tool takes an API specification as input and generates and runs attacks based on it. |
| Firecracker | Firecracker from BLST Security is an intelligent attacker that simulates business flows in your API. |
| ffuf | Fast web fuzzer written in Go. |
| fuzzapi | Fuzzapi is a tool used for REST API pentesting and uses the API_Fuzzer gem. |
| gotestwaf | An open-source project in Go to test different web application firewalls (WAF) for detection logic and bypasses. |
| kiterunner | Contextual content discovery tool. |
| RESTler | RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. |
| Swagger-EZ | A tool geared towards pentesting APIs using OpenAPI definitions. |
| TnT-Fuzzer | OpenAPI 2.0 (Swagger) fuzzer written in Python. Basically TnT for your API. |
| wadl-dumper | Dump all available paths and/or endpoints from a WADL file. |
| fuzz-lightyear | A pytest-inspired DAST framework, capable of identifying vulnerabilities in a distributed, microservice ecosystem through chaos engineering testing and stateful Swagger fuzzing. |

SOAP

| Name | Description |
| --- | --- |
| Wsdler | WSDL parser extension for Burp. |
| wsdl-wizard | WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files. |

Others

| Name | Description |
| --- | --- |
| SoapUI | SoapUI is a free and open-source cross-platform functional testing solution for APIs and web services. |
Mind maps
Checklist
Cheatsheets
Wikis, Encyclopedias, GitBooks
Books
| Author | Name | Description |
| --- | --- | --- |
| Neil Madden | API Security in Action | API Security in Action teaches you how to create secure APIs for any situation. |
| Corey Ball | Hacking APIs | Breaking Web Application Programming Interfaces. |
Training, Walkthrough, Labs
| Name | Description |
| --- | --- |
| Kontra – OWASP Top 10 for API | A series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints. |
| Pentesting Lab: vAPI | vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable PHP interface that mimics OWASP API Top 10 scenarios by means of exercises. |
| ShipFast – Practical API Security Walkthrough | Learn practical mobile and API security techniques: API Key, Static and Dynamic HMAC, Dynamic Certificate Pinning, and Mobile App Attestation. |
| Hacker101 CTFs – GraphQL challenges | GraphQL Week on the Hacker101 Capture the Flag challenges. |
Enumeration, Scanning
Fuzzing, SecLists
API Keys: Find and validate
| Name | Description |
| --- | --- |
| Key-Checker | Go scripts for checking API key / access token validity. |
| Keyhacks | Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they’re valid. |
| API Key Leaks: Tools and exploits | An API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave them on public shares. |
| Private key usage verification | Driftwood is a tool that enables you to look up whether a private key is used for things like TLS or as a GitHub SSH key for a user. |
Firewalls
| Name | Description |
| --- | --- |
| Wallarm Free API Firewall | Fast and light-weight API proxy firewall for request and response validation by OpenAPI specs. |
Deliberately vulnerable APIs
| Name | Description |
| --- | --- |
| APISandbox | Pre-built vulnerable multiple-API scenario environments based on Docker Compose. |
| crAPI | completely ridiculous API (crAPI). |
| Damn-Vulnerable-GraphQL-Application | Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook’s GraphQL technology to learn and practice GraphQL security. |
| DamnVulnerableMicroServices | A vulnerable microservice written in many languages to demonstrate the OWASP API Top 10 security risks (under development). |
| dvws-node | Damn Vulnerable Web Service is a vulnerable web service/API/application that we can use to learn web service/API vulnerabilities. |
| Generic-University | Vulnerable API with Laravel app. |
| VAmPI | Vulnerable REST API with OWASP Top 10 vulnerabilities for APIs. |
| Websheep | Websheep is an app based on a willingly vulnerable RESTful API. |
Presentations, Videos
Playlists
| Name | Description |
| --- | --- |
| Everything API Hacking | A video collection from Katie Paxton-Fear, @InsiderPhD, and other people, creating a playlist of API hacking knowledge! |
Podcasts
Projects
Newsletters
| Author | Name | Description |
| --- | --- | --- |
| 42Crunch | api security articles | API Security Articles – The Latest API Security News, Vulnerabilities & Best Practices. |
Twitter
| Author | Name | Description |
| --- | --- | --- |
| 42Crunch | @apisecurityio | API security news, standards, vulnerabilities, tools. |
HTTP 101
Design, Architecture, Development
| Name | Description |
| --- | --- |
| The API Specification Toolbox | The goal of this toolbox is to map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements. |
| Understanding gRPC, OpenAPI and REST | gRPC vs REST: understanding gRPC, OpenAPI and REST and when to use them in API design. |
| API security design best practices | API security design best practices for enterprise and public cloud. |
| REST API Design Guide | This design guide or style guide contains best practices suitable for most REST APIs. |
| How to design a REST API | How to design a REST API? – Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc. |
| Awesome REST | A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list. |
| Collect API Requirements | Collecting requirements for your API with APIOps Cycles. |
| API Audit | API Audit is a method to ensure APIs match the API design guidelines. It also helps check for usability, security and API management platform compatibility. |
Specifications
Other useful resources
Article source: https://reconshell.com/api-security/