# API

# Cheetsheets/Checklists

• API Security Checklist - Checklist of the most important security countermeasures when designing, testing, and releasing your API.
• GraphQL OWASP - OWASP GraphQL cheat sheet.
• Microservices OWASP - Microservices Security
• OWASP API Top 10 - OWASP API security Top 10.
• REST Security OWASP - OWASP REST security cheat sheet.
• REST Assessment OWASP - OWASP REST assessment cheat sheet.
• Web API Pentesting - Web API pentesting GitBook.

# Documentation

• MindAPI - Organize your API security assessment by using MindAPI.

# Manipulation & Testing

• Arjun - HTTP parameter discovery suite.
• Astra - Automated Security Testing For REST API's.
• Apache JMeter - Java application designed to load test functional behavior and measure performance.
• Automatic API Attack Tool - Imperva's API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.
• Burp Suite - Arm yourself with the leading toolkit for web security testing. Test, find, and exploit vulnerabilities.
• Fiddler Everwhere - A web debugging proxy for macOS, Windows, and Linux. Capture, inspect, monitor all HTTP(S) traffic between your computer and the Internet, mock requests, and diagnose network issue.
• Hoppscotch - Open source tool that covers the entire testing spectrum (functional, security, load, mocking).
• HttpMaster - Master HTTP testing & debugging.
• Insomnia - Quickly and easily send REST, SOAP, GraphQL, and GRPC requests directly within Insomnia.
• Karate - Test automation made simple.
• Kiterunner - Contextual Content Discovery Tool.
• Postman - A collaboration platform for API development. Postman's features simplify each step of building an API and streamline collaboration so you can create better APIs—faster.
• SoapUI - Open source tool that covers the entire testing spectrum (functional, security, load, mocking).
• Taurus - Taurus improves experience of JMeter, Selenium and others.
• Test Mace - A modern powerful crossplatform tool for working with an API and creating automated API tests.
• vRESTng - Automate API Requests as Runnable Test Cases, just by providing Request Details. Also, Validate API Responses using Test Case Assertions.

# Training

• crAPI - Completely ridiculous API (crAPI).
• Damn Vulnerable GraphQL App - An intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.
• DVMS - This is vulnerable microservice written in many language to demonstrating OWASP API Top Security Risk.
• dvws-node - Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn webservices/API vulnerabilities.
• Kontra - A series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints.
• VAmPI - Vulnerable REST API with OWASP top 10 vulnerabilities for APIs.
• vAPI - Vulnerable Adversely Programmed Interface which is Self-Hostable PHP Interface that mimics OWASP API Top 10 scenarios in the means of Exercises.