API Tools & Resources
This page contains various tools and resources to help you analyze APIs, find vulnerabilities, and keep your APIs secure.
Vulnerable APIs
Completely Ridiculous API (crAPI) will help you understand the ten most critical API security risks. crAPI is vulnerable by design, but each of the vulnerabilities can still be found in the wild. It’s a good target while learning.
vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios through exercises.
VAmPI is a vulnerable API made with Flask that includes vulnerabilities from the OWASP Top 10 for APIs.
Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications.
Pixi is a MongoDB, Express.js, Angular, Node (MEAN) stack web application that was designed with deliberately vulnerable APIs.
This is a "Goat" project so you can get familiar with REST API testing. There is an included Postman project so you can see how everything is meant to be called.
Damn Vulnerable Web Services is a vulnerable application with a web service and an API that can be used to learn about web service and API-related vulnerabilities.
Websheep is an app based on willingly vulnerable ReSTful APIs.
Hacking Tools
OWASP ZAP is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers.
Burp Suite is an integrated platform/graphical tool for performing security testing of web applications. Its tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface, to finding and exploiting security vulnerabilities.
Postman is an API platform for developers to design, build, test and iterate their APIs.
EthicalCheck performs automated, instantaneous API security scans covering the OWASP API Top 10.
FoxyProxy is an advanced proxy management tool that completely replaces Firefox's limited proxying capabilities.
mitmproxy is a free and open source interactive HTTPS proxy.
Converts mitmproxy captures to OpenAPI 3.0 specifications. Automatically reverse-engineer REST APIs by just running the apps and capturing the traffic.
Kiterunner is a tool that performs traditional content discovery, and also bruteforces routes/endpoints in modern applications.
Arjun helps find query parameters for URL endpoints.
TruffleHog helps discover exposed secrets.
Nikto is an open source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, and checks for outdated versions.
Nmap is a powerful tool for scanning ports, searching for vulnerabilities, enumerating services, and discovering live hosts. For API discovery, you should run two Nmap scans in particular: a general detection scan and an all-port scan.
The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
DNSdumpster is a free domain research tool that can discover hosts related to a domain. Finding visible hosts from the attacker's perspective is an important part of the security assessment process.
The Google Hacking Database (GHDB) is a compiled list of common mistakes web/server admins make, which can be easily searched by using Google.
Gobuster is a tool used to brute-force URIs (directories and files) in web sites, DNS subdomains, virtual host names on target web servers, and open Amazon S3 buckets.
Burp Intruder is a tool for automating customized attacks against web applications. It can be used to perform a huge range of tasks, from simple brute-force guessing of web directories through to active exploitation of complex blind SQL injection vulnerabilities.
Wfuzz is a tool designed for brute-forcing web applications. It can be used to find resources that are not linked (directories, servlets, scripts, etc.), brute-force GET and POST parameters to check for different kinds of injections (SQL, XSS, LDAP, etc.), brute-force form parameters (user/password), fuzzing, etc.
JWT_Tool is a toolkit for testing, tweaking and cracking JSON Web Tokens.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
API Research Sites
Google: try advanced searches to discover API information, for example:
- inurl:"/wp-json/wp/v2/users" - Finds all publicly available WordPress API user directories.
- intitle:"index.of" intext:"api.txt" - Finds publicly available API key files.
- inurl:"/api/v1" intext:"index of /" - Finds potentially interesting API directories.
- ext:php inurl:"api.php?action=" - Finds all sites with a XenAPI SQL injection vulnerability.
- intitle:"index of" api_key OR "api key" OR apiKey -pool - This lists potentially exposed API keys.
Try using parameters such as:
- filename:swagger.json
- extension:.json
Shodan is a search engine that lets users search for various types of servers connected to the internet using a variety of filters. You can use Shodan to discover external-facing APIs and get information about your target’s open ports.
The Wayback Machine is a digital archive of the World Wide Web. This site allows you to check out historical changes to your target and potentially previously published APIs/endpoints.
Browse the largest network of APIs, workspaces, and collections by developers across the planet.
ProgrammableWeb is the go-to source for API-related information. To learn about APIs, you can use its API University.
Our goal is to create a machine-readable Wikipedia for Web APIs in the OpenAPI Specification format.
A collective list of free APIs.
Browse the best premium and free APIs on the world's largest API Hub.
Password Lists
Mentalist is a graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper.
The aim of CUPP is to generate common passwords based on the input that you give for your target.
Rockyou.txt
Rockyou.txt is a common password list that is included in Kali Linux. This file is located here: /usr/share/wordlists/rockyou.txt.gz
Training Labs
TryHackMe
- Bookstore: https://tryhackme.com/room/bookstoreoc
- IDOR: https://tryhackme.com/why-subscribe
- GraphQL: https://tryhackme.com/room/carpediem1
- Craft
- Postman
- JSON
- Node
- Help