# awesome-apisec
A collection of awesome API Security tools and resources.
- About
- API Keys: Find and validate
- Books
- Cheatsheets
- Checklist
- Conferences
- Deliberately vulnerable APIs
- Design, Architecture, Development
- Encyclopedias, Projects, Wikis and GitBooks
- Enumeration, Scanning and exploration steps
- Firewalls
- Fuzzing, SecLists, Wordlists
- HTTP 101
- Mind maps
- Newsletters
- Other resources
- Playlists
- Podcasts
- Presentations, Videos
- Projects
- Security APIs
- Specifications
- Tools
- Training, Workshops, Labs
- Twitter
- Contributions
## About
The awesome-api-security (aka awesome-apisec) repository is a collection of awesome API Security tools and resources.
The focus is on open-source tools and resources that benefit the whole community.
Please read the contributions section before opening a pull request.
## API Keys: Find and validate
Name | Description |
---|---|
API Guesser | Simple website to guess API Key / OAuth Token by Muhammad Daffa |
API Key Leaks: Tools and exploits | An API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave it on public shares. |
Key-Checker | Go scripts for checking API key / access token validity. |
Keyhacks | Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. |
Private key usage verification | Driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user. |
Mantra | A tool used to hunt down API key leaks in JS files and pages |
## Books
Author | Publisher | Name | Description |
---|---|---|---|
Colin Domoney | Packt Publishing | Defending APIs | Focused on helping developers produce secure APIs |
Confidence Staveley | Packt Publishing | API Security for White Hat Hackers | Uncover offensive defense strategies and get up to speed with secure API implementation |
Corey Ball | No Starch Press | Hacking APIs | Breaking Web Application Programming Interfaces. |
Dolev Farhi and Nick Aleks | No Starch Press | Black Hat GraphQL | Black Hat GraphQL. |
Emily Freeman | Data Theorem Special Edition | API Security for dummies | This book is a high-level introduction to the key concepts of API security and DevSecOps. |
Justin Richer and Antonio Sanso | Manning | Understanding API Security | Several chapters from several Manning books that give you some context for how API security works in the real world. |
Neil Madden | Manning | API Security in Action | API Security in Action teaches you how to create secure APIs for any situation. |
## Cheatsheets
Name | Description |
---|---|
GraphQL Cheat Sheet | GraphQL - OWASP Cheat Sheet Series |
JSON Web Token Security Cheat Sheet | PentesterLab - JSON Web Token Security Cheat Sheet |
Injection Prevention Cheat Sheet | Injection - OWASP Cheat Sheet Series |
Microservices Security Cheat Sheet | Microservices - OWASP Security Cheat Sheet |
OWASP API Security Top 10 | 42Crunch - OWASP API Security Top 10 |
REST Assessment Cheat Sheet | REST Assessment - OWASP Cheat Sheet Series |
REST Security Cheat Sheet | REST Security - OWASP Cheat Sheet Series |
## Checklist
Author | Name | Description |
---|---|---|
HolyBugx | another API Security checklist | HolyTips: API security checklist |
APIOps Cycles | API audit checklist | API Audit checklist. |
Shieldfy | API-Security-Checklist | Checklist of the most important security countermeasures when designing, testing, and releasing your API. |
API Mike, @api_sec | API penetration testing checklist | Common steps to include in any API penetration testing process. |
Latish Danawale | API Testing Checklist | API Testing Checklist. |
Inon Shkedy | 31 days of API Security Tips | This challenge is Inon Shkedy's 31 days API Security Tips. |
Binary Brotherhood | OAuth2: Security checklist | OAuth 2.0 Threat Model Pentesting Checklist |
Apollo | GraphQL API — GraphQL Security Checklist | 9 Ways To Secure your GraphQL API — GraphQL Security Checklist |
LeapGraph | GraphQL API - The Complete Vulnerability Checklist | How to Secure a GraphQL API - The Complete Vulnerability Checklist |
Lokesh Gupta | REST API Security Essentials | REST API Tutorial blog entry. |
## Conferences
Name | Description |
---|---|
APIsecure | The world's first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security. |
## Deliberately vulnerable APIs
Name | Author | Description |
---|---|---|
APISandbox | APISecurity Community | Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose. |
Bookstore | sidchn | TryHackMe room - A Beginner level box with basic web enumeration and REST API Fuzzing. |
crAPI | OWASP | completely ridiculous API (crAPI) |
Damn Vulnerable GraphQL Application | dolevf | Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology to learn and practice GraphQL security. |
Damn Vulnerable Micro Services | ne0z | This is a vulnerable microservice written in many languages to demonstrate the OWASP API Top Security Risks (under development). |
Damn Vulnerable RESTaurant API Game | theowni | Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers. |
Damn Vulnerable Web Services | snoopysecurity | Damn Vulnerable Web Services is a vulnerable web service/API/application that we can use to learn webservices/API vulnerabilities. |
Generic-University | InsiderPhD | Vulnerable API with Laravel App |
node-api-goat | layro01 | A simple Express.JS REST API application that exposes endpoints with code that contains vulnerabilities. |
Pixi | DevSlop | The Pixi module is a MEAN Stack web app with wildly insecure APIs! |
poc-graphql | righettod | Research on GraphQL from an AppSec point of view. |
REST API Goat | optiv | This is a "Goat" project so you can get familiar with REST API testing. |
VAmPI | erev0s | Vulnerable REST API with OWASP top 10 vulnerabilities for APIs |
vAPI | roottusk | vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios through exercises. |
vulnapi | tkisason | Intentionally very vulnerable API with bonus bad coding practices. |
vulnerable-graphql-api | CarveSystems | A very vulnerable implementation of a GraphQL API. |
Websheep | marmicode | Websheep is an app based on willingly vulnerable RESTful APIs. |
VulnerableApp4APISecurity | Erdemstar | This repository was developed using .NET 7.0 API technology based on findings listed in the OWASP 2019 API Security Top 10. |
## Design, Architecture, Development
Name | Description |
---|---|
The API Specification Toolbox | The goal of this toolbox is to map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements. |
Understanding gRPC, OpenAPI and REST | gRPC vs REST: Understanding gRPC, OpenAPI and REST and when to use them in API design |
API security design best practices | API security design best practices for enterprise and public cloud. |
REST API Design Guide | This design guide or style guide contains best practices suitable for most REST APIs. |
How to design a REST API | How to design a REST API? - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc. |
Awesome REST | A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list. |
Collect API Requirements | Collecting Requirements for your API with APIOps Cycles. |
API Audit | API Audit is a method to ensure APIs are matching the API Design guidelines. It also helps check for usability, security and API management platform compatibility. |
## Encyclopedias, Projects, Wikis and GitBooks
Author | Name | Description |
---|---|---|
@six2dez | APIs Pentest Book | APIs Pentest Book |
@csbygb | API Pentest tips | CSbyGB's Pentips |
cyprosecurity | API Security Empire | The API Security Empire Project aims to present unique attack & defense methods in the API Security field |
@APIsecurity.io | API Security Encyclopedia | API Security Encyclopedia |
@carlospolop | Web API Pentesting | HackTricks - Web API Pentesting |
@carlospolop | GraphQL | HackTricks - GraphQL |
## Enumeration, Scanning and exploration steps
Name | Description |
---|---|
Burp API enumeration | Using Burp to Enumerate a REST API |
ZAP scanning | Scanning APIs with ZAP |
ZAP exploring | Exploring APIs with ZAP |
w3af scanning | Scan REST APIs with w3af |
## Firewalls
Name | Description |
---|---|
Wallarm Free API Firewall | Fast and light-weight API proxy firewall for request and response validation by OpenAPI specs. |
## Fuzzing, SecLists, Wordlists
Name | Description |
---|---|
API names wordlist | A wordlist of API names for web application assessments |
API HTTP requests methods | HTTP requests methods wordlist by @danielmiessler |
[API Routes |