Tools and resources for pentesting against API endpoints



| Tool | Description | Directory |
|---|---|---|
| API Security Checklist | Checklist of the most important security countermeasures when designing, testing, and releasing your API. | opensource |
| GraphQL OWASP | OWASP GraphQL cheat sheet. | opensource |
| Microservices OWASP | OWASP Microservices Security. | opensource |
| OWASP API Top 10 | OWASP API Security Top 10. | opensource |
| REST Security OWASP | OWASP REST security cheat sheet. | opensource |
| REST Assessment OWASP | OWASP REST assessment cheat sheet. | opensource |
| Web API Pentesting | Web API pentesting GitBook. | opensource |


| Tool | Description | Directory |
|---|---|---|
| MindAPI | Organize your API security assessment by using MindAPI. | opensource |

Manipulation & Testing

| Tool | Description | Directory |
|---|---|---|
| Arjun | HTTP parameter discovery suite. | opensource |
| Astra | Automated security testing for REST APIs. | opensource |
| Apache JMeter | Java application designed to load-test functional behavior and measure performance. | opensource |
| Automatic API Attack Tool | Imperva's API attack tool takes an API specification as input, generates attacks based on it, and runs them. | no-recent-update, opensource |
| Burp Suite | Arm yourself with the leading toolkit for web security testing. Test, find, and exploit vulnerabilities. | freemium-service |
| Fiddler Everywhere | A web debugging proxy for macOS, Windows, and Linux. Capture, inspect, and monitor all HTTP(S) traffic between your computer and the Internet, mock requests, and diagnose network issues. | freemium-service |
| Hoppscotch | Open source tool that covers the entire testing spectrum (functional, security, load, mocking). | opensource |
| HttpMaster | Master HTTP testing and debugging. | freemium-service |
| Insomnia | Quickly and easily send REST, SOAP, GraphQL, and gRPC requests directly within Insomnia. | freemium-service, opensource |
| Karate | Test automation made simple. | opensource |
| Kiterunner | Contextual content discovery tool. | opensource |
| Postman | A collaboration platform for API development. Postman's features simplify each step of building an API and streamline collaboration so you can create better APIs, faster. | freemium-service |
| SoapUI | Open source tool that covers the entire testing spectrum (functional, security, load, mocking). | opensource |
| Taurus | Taurus improves the experience of using JMeter, Selenium, and others. | opensource |
| Test Mace | A modern, powerful cross-platform tool for working with an API and creating automated API tests. | freemium-service, opensource |
| vRESTng | Automate API requests as runnable test cases just by providing request details, and validate API responses using test case assertions. | freemium-service |


| Tool | Description | Directory |
|---|---|---|
| crAPI | Completely ridiculous API (crAPI). | opensource |
| Damn Vulnerable GraphQL App | An intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL security. | opensource |
| DVMS | A vulnerable microservice written in many languages to demonstrate the OWASP API Top 10 security risks. | opensource |
| dvws-node | Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn web service and API vulnerabilities. | opensource |
| Kontra | A series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints. | N/A |
| VAmPI | Vulnerable REST API with OWASP Top 10 vulnerabilities for APIs. | opensource |
| vAPI | Vulnerable Adversely Programmed Interface: a self-hostable PHP interface that mimics OWASP API Top 10 scenarios through exercises. | opensource |