Tools and resources for pentesting against API endpoints
- API Security Checklist - Checklist of the most important security countermeasures when designing, testing, and releasing your API.
- GraphQL OWASP - OWASP GraphQL cheat sheet.
- Microservices OWASP - OWASP Microservices Security.
- OWASP API Top 10 - OWASP API security Top 10.
- REST Security OWASP - OWASP REST security cheat sheet.
- REST Assessment OWASP - OWASP REST assessment cheat sheet.
- Web API Pentesting - Web API pentesting GitBook.
- MindAPI - Organize your API security assessment by using MindAPI.
Manipulation & Testing
- Arjun - HTTP parameter discovery suite.
- Astra - Automated security testing for REST APIs.
- Apache JMeter - Java application designed to load test functional behavior and measure performance.
- Automatic API Attack Tool - Imperva's API attack tool takes an API specification as input and generates and runs attacks based on it.
- Burp Suite - Arm yourself with the leading toolkit for web security testing. Test, find, and exploit vulnerabilities.
- Fiddler Everywhere - A web debugging proxy for macOS, Windows, and Linux. Capture, inspect, and monitor all HTTP(S) traffic between your computer and the Internet, mock requests, and diagnose network issues.
- Hoppscotch - Open source tool that covers the entire testing spectrum (functional, security, load, mocking).
- HttpMaster - Master HTTP testing & debugging.
- Insomnia - Quickly and easily send REST, SOAP, GraphQL, and gRPC requests directly within Insomnia.
- Karate - Test automation made simple.
- Kiterunner - Contextual Content Discovery Tool.
- Postman - A collaboration platform for API development. Postman's features simplify each step of building an API and streamline collaboration so you can create better APIs—faster.
- SoapUI - Open source tool that covers the entire testing spectrum (functional, security, load, mocking).
- Taurus - Taurus improves the experience of JMeter, Selenium and others.
- Test Mace - A modern, powerful cross-platform tool for working with an API and creating automated API tests.
- vRESTng - Automate API requests as runnable test cases just by providing request details, and validate API responses using test case assertions.
- crAPI - Completely ridiculous API (crAPI).
- Damn Vulnerable GraphQL App - An intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.
- DVMS - A vulnerable microservice written in many languages to demonstrate the OWASP API Top 10 security risks.
- dvws-node - Damn Vulnerable Web Service is a vulnerable web service/API/application that can be used to learn web service/API vulnerabilities.
- Kontra - A series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints.
- VAmPI - Vulnerable REST API with OWASP top 10 vulnerabilities for APIs.
- vAPI - Vulnerable Adversely Programmed Interface, a self-hostable PHP interface that mimics OWASP API Top 10 scenarios as exercises.