awesome-apisec

<h4 align="center">A collection of awesome API Security tools and resources.</h4> <p align="center"> <a href="#about">About</a> • <a href="#api-keys-find-and-validate">API Keys: Find and validate</a> • <a href="#books">Books</a> • <a href="#cheatsheets">Cheatsheets</a> • <a href="#checklist">Checklist</a> • <a href="#conferences">Conferences</a> • </br> <a href="#deliberately-vulnerable-apis">Deliberately vulnerable APIs</a> • <a href="#design-architecture-development">Design, Architecture, Development</a> • <a href="#encyclopedias-projects-wikis-and-gitbooks">Encyclopedias, Projects, Wikis and GitBooks</a> • </br> <a href="#enumeration-scanning-and-exploration-steps">Enumeration, Scanning and exploration steps</a> • <a href="#firewalls">Firewalls</a> • <a href="#fuzzing-seclists-wordlists">Fuzzing, SecLists, Wordlists</a> • <a href="#http-101">HTTP 101</a> • <a href="#mind-maps">Mind maps</a> • </br> <a href="#newsletters">Newsletters</a> • <a href="#other-resources">Other resources</a> • <a href="#playlists">Playlists</a> • <a href="#podcasts">Podcasts</a> • <a href="#presentations-videos">Presentations, Videos</a> • <a href="#projects">Projects</a> • </br> <a href="#security-apis">Security APIs</a> • <a href="#specifications">Specifications</a> • <a href="#tools">Tools</a> • <a href="#training-workshops-labs">Training, Workshops, Labs</a> • <a href="#twitter">Twitter</a> • </br> • <a href="#contributions">Contributions</a> • </p>

---

About

The awesome-api-security (aka awesome-apisec) repository is collection of awesome API Security tools and resources.
The focus goes to open-source tools and resources that benefit all the community.

Please read the <a href="#contributions">contributions</a> section before opening a pull request.

API Keys: Find and validate

Name	Description
API Guesser	Simple website to guess API Key / OAuth Token by Muhammad Daffa
API Key Leaks: Tools and exploits	An API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave it on public shares.
Key-Checker	Go scripts for checking API key / access token validity.
Keyhacks	Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.
Private key usage verification	Driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.
Mantra	A tool used to hunt down API key leaks in JS files and pages

Books

Author	Publisher	Name	Description
Colin Domoney	Packt Publishing	Defending APIs	Focused on helping developers produce secure APIs
Confidence Staveley	Packt Publishing	API Security for White Hat Hackers	Uncover offensive defense strategies and get up to speed with secure API implementation
Corey Ball	No Starch Press	Hacking APIs	Breaking Web Application Programming Interfaces.
Dolev Farhi and Nick Aleks	No Starch Press	Black Hat GraphQL	Black Hat GraphQL.
Emily Freeman	Data Theorem Special Edition	API Security for dummies	This book is a high-level introduction to the key concepts of API security and DevSecOps.
Justing Richer and Antonio Sanso	Manning	Understanding API Security	Several chapters from several Manning books that give you some context for how API security works in the real world.
Neil Madden	Manning	API Security in Action	API Security in Action teaches you how to create secure APIs for any situation.

Cheatsheets

Name	Description
GraphQL Cheat Sheet	GraphQL - OWASP Cheat Sheet Series
JSON Web Token Security Cheat Sheet	PentesterLab - JSON Web Token Security Cheat Sheet
Injection Prevention Cheat Sheet	Injection - OWASP Cheat Sheet Series
Microservices Security Cheat Sheet	Microservices - OWASP Security Cheat Sheet
OWASP API Security Top 10	42Crunch - OWASP API Security Top 10
REST Assessment Cheat Sheet	REST Assessment - OWASP Cheat Sheet Series
REST Security Cheat Sheet	REST Security - OWASP Cheat Sheet Series

Checklist

Author	Name	Description
HolyBugx	another API Security checklist	HolyTips: API security checklist
APIOps Cycles	API audit checklist	API Audit checklist.
Shieldfy	API-Security-Checklist	Checklist of the most important security countermeasures when designing, testing, and releasing your API.
API Mike, @api_sec	API penetration testing checklist	Common steps to include in any API penetration testing process.
Latish Danawale	API Testing Checklist	API Testing Checklist.
Inon Shkedy	31 days of API Security Tips	This challenge is Inon Shkedy's 31 days API Security Tips.
Binary Brotherhood	OAuth2: Security checklist	OAuth 2.0 Threat Model Pentesting Checklist
Apollo	GraphQL API — GraphQL Security Checklist	9 Ways To Secure your GraphQL API — GraphQL Security Checklist
LeapGraph	GraphQL API - The Complete Vulnerability Checklist	How to Secure a GraphQL API - The Complete Vulnerability Checklist
Lokesh Gupta	REST API Security Essentials	REST API Tutorial blog entry.

Conferences

Name	Description
APIsecure	The world's first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security.

Deliberately vulnerable APIs

Name	Author	Description
APISandbox	APISecurity Community	Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose.
Bookstore	sidchn	TryHackMe room - A Beginner level box with basic web enumeration and REST API Fuzzing.
crAPI	OWASP	completely ridiculous API (crAPI)
Damn Vulnerable GraphQL Application	dolevf	Damn Vulnerable GraphQL Application is intentionally vulnerable implementation of Facebook's GraphQL technology to learn and practice GraphQL Security.
Damn Vulnerable Micro Services	ne0z	This is a vulnerable microservice written in many languages to demonstrating OWASP API Top Security Risk (under development).
Damn Vulnerable RESTaurant API Game	theowni	Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.
Damn Vulnerable Web Services	snoopysecurity	Damn Vulnerable Web Services is a vulnerable web service/API/application that we can use to learn webservices/API vulnerabilities.
Generic-University	InsiderPhD	Vulnerable API with Laravel App
node-api-goat	layro01	A simple Express.JS REST API application that exposes endpoints with code that contains vulnerabilities.
Pixi	DevSlop	The Pixi module is a MEAN Stack web app with wildly insecure APIs!
poc-graphql	righettod	Research on GraphQL from an AppSec point of view.
REST API Goat	optiv	This is a "Goat" project so you can get familiar with REST API testing.
VAmPI	erev0s	Vulnerable REST API with OWASP top 10 vulnerabilities for APIs
vAPI	roottusk	vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.
vulnapi	tkisason	Intentionaly very vulnerable API with bonus bad coding practices.
vulnerable-graphql-api	CarveSystems	A very vulnerable implementation of a GraphQL API.
Websheep	marmicode	Websheep is an app based on a willingly vulnerable ReSTful APIs.
VulnerableApp4APISecurity	Erdemstar	This repository was developed using .NET 7.0 API technology based on findings listed in the OWASP 2019 API Security Top 10.

Design, Architecture, Development

Name	Description
The API Specification Toolbox	This Toolbox goal is to try and map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements.
Understanding gRPC, OpenAPI and REST	gRPC vs REST: Understanding gRPC, OpenAPI and REST and when to use them in API design
API security design best practices	API security design best practices for enterprise and public cloud.
REST API Design Guide	This design guide or style guide contains best practices suitable for most REST APIs.
How to design a REST API	How to design a REST API? - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc.
Awesome REST	A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list.
Collect API Requirements	Collecting Requirements for your API with APIOps Cycles.
API Audit	API Audit is a method to ensure APIs are matching the API Design guidelines. It also helps check for usability, security and API management platform compatibility.

Encyclopedias, Projects, Wikis and GitBooks

Author	Name	Description
@six2dez	APIs Pentest Book	APIs Pentest Book
@csbygb	API Pentest tips	CSbyGB's Pentips
cyprosecurity	API Security Empire	The API Security Empire Project aims to present unique attack & defense methods in the API Security field
@APIsecurity.io	API Security Encyclopedia	API Security Encyclopedia
@carlospolop	Web API Pentesting	HackTricks - Web API Pentesting
@carlospolop	GraphQL	HackTricks - GraphQL

Enumeration, Scanning and exploration steps

Name	Description
Burp API enumeration	Using Burp to Enumerate a REST API
ZAP scanning	Scanning APIs with ZAP
ZAP exploring	Exploring APIs with ZAP
w3af scanning	Scan REST APIs with w3af

Firewalls

Name	Description
Wallarm Free API Firewall	Fast and light-weight API proxy firewall for request and response validation by OpenAPI specs.

Fuzzing, SecLists, Wordlists

Name	Description
API names wordlist	A wordlist of API names for web application assessments
API HTTP requests methods	HTTP requests methods wordlist by @danielmiessler
[API Routes