---
title: API
description: Tools and resources for pentesting against API endpoints.
---

## Cheatsheets/Checklists

## Documentation

- MindAPI - Organize your API security assessment by using MindAPI.

## Manipulation & Testing

- Arjun - HTTP parameter discovery suite.
- Astra - Automated security testing for REST APIs.
- Apache JMeter - Java application designed to load test functional behavior and measure performance.
- Automatic API Attack Tool - Imperva's API attack tool takes an API specification as input and generates and runs attacks based on it.
- Burp Suite - Arm yourself with the leading toolkit for web security testing. Test, find, and exploit vulnerabilities.
- Fiddler Everywhere - A web debugging proxy for macOS, Windows, and Linux. Capture, inspect, and monitor all HTTP(S) traffic between your computer and the Internet, mock requests, and diagnose network issues.
- Hoppscotch - Open source tool that covers the entire testing spectrum (functional, security, load, mocking).
- HttpMaster - Master HTTP testing & debugging.
- Insomnia - Quickly and easily send REST, SOAP, GraphQL, and gRPC requests directly within Insomnia.
- Karate - Test automation made simple.
- Kiterunner - Contextual content discovery tool.
- Postman - A collaboration platform for API development. Postman's features simplify each step of building an API and streamline collaboration so you can create better APIs, faster.
- SoapUI - Open source tool that covers the entire testing spectrum (functional, security, load, mocking).
- Taurus - Taurus improves the experience of working with JMeter, Selenium, and others.
- Test Mace - A modern, powerful cross-platform tool for working with an API and creating automated API tests.
- vRESTng - Automate API requests as runnable test cases, just by providing request details. Also validate API responses using test case assertions.

## Training

- crAPI - Completely Ridiculous API (crAPI).
- Damn Vulnerable GraphQL App - An intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL security.
- DVMS - A vulnerable microservice written in many languages to demonstrate the OWASP API Security Top 10 risks.
- dvws-node - Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn web service/API vulnerabilities.
- Kontra - A series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints.
- VAmPI - Vulnerable REST API with the OWASP Top 10 vulnerabilities for APIs.
- vAPI - Vulnerable Adversely Programmed Interface, a self-hostable PHP interface that mimics OWASP API Top 10 scenarios in the form of exercises.