‎ PICheck - The DevSecOps toolset for REST

A
‎APIs.


‎ PIClarity - Reconstruct Open API

A
‎Specifications from real-time workload 
‎traffic seamlessly.

‎ PIFuzzer - Fuzz test your application using

A
‎your OpenAPI or Swagger API definition 
‎without coding

‎ PIKit - Discovery, Scan and Audit APIs

A
‎Toolkit All In One.


‎Arjun - HTTP parameter discovery suite. 

‎ stra - Automated Security Testing For REST

A
‎API's
 ‎ y:Mahmoud ibrahim
B
‎
‎ utomatic API Attack Tool - Imperva's
A ‎follow me :
‎customizable API attack tool takes an API ‎
 ‎Linkedin :link: https://www.linkedin.com/in/

‎specification as an input, and generates and
‎runs attacks that are based on it as an output. ‎mahmoud-ibrahim-9b5364244
‎ asics of HTTP - Mozilla’s in-depth guide
B
‎ 
‎to everything about HTTP
‎ atchQL - GraphQL security auditing script
B ‎github:https://github.com/Az0x7
‎with a focus on performing batch GraphQL  ‎ TTP Status Codes - Mozilla’s in-depth guide
H
‎queries and mutations. ‎to HTTP response codes


‎ urp Suite - Robust app security testing tool

B ‎ now your HTTP Well - HTTP encodings,
K
‎capable of attacking APIs ‎headers, media types, methods, relations,
‎and status codes, all summarized and linked

‎ ATS - A REST API Fuzzer and negative
C ‎to their specification.
‎testing tool for OpenAPI endpoints

‎HTTP Fundamentals ‎ now your HTTP Headers - A simplified and
K
‎ herrybomb - A CLI tool that helps you avoid
C ‎comprehensive table of HTTP headers
‎undefined user behaviour by validating your  ‎important for API security, stored in a single

‎API specifications. ‎PDF.

‎ lairvoyance - Obtain GraphQL API schema

c ‎ now your HTTP Status Codes - A simplified
K
‎despite disabled introspection!.
 ‎API Hacking Tools
‎and comprehensive table of HTTP status 
‎codes used in API calls, stored in a single PDF.
‎ffuf - Fast web fuzzer written in Go 
‎ now your HTTP Methods - A simplified and
K
f‎ uzzapi - A tool used for REST API pentesting ‎comprehensive table of HTTP methods used 
‎and uses API_Fuzzer gem.

‎in API requests, stored in a single PDF

‎ raphQLmap - GraphQLmap is a scripting

G
‎engine to interact with a graphql endpoint for 
‎pentesting purposes. ‎ syncAPI - The AsyncAPI Specification is a
A
‎project used to describe and document
‎ raphql-playground - GraphQL IDE for better
g ‎message-driven
‎development workflows
 ‎APIs in a machine-readable format. It’s
‎protocol-agnostic, so you can use it for APIs 
‎ otestwaf - An open-source project to test
g ‎that work over
‎different web application firewalls (WAF) for  ‎any protocol (e.g., AMQP, MQTT,
‎detection logic and bypasses ‎WebSockets, Kafka, STOMP, HTTP, Mercure,
‎etc).
I‎nQL - A Burp Extension for GraphQL
‎Security Testing.
 ‎ raphQL - GraphQL is a query language
G
‎designed to build client applications by
‎ iterunner - Contextual Content Discovery
k ‎providing an
 ‎intuitive and flexible syntax and system for

‎Tool great for finding API endpoints
‎describing their data requirements and
‎ itmproxy2swagger - Automagically
m ‎interactions.
‎reverse-engineer REST APIs via capturing 
‎traffic J‎ SON API - JSON:API is a specification for
‎how a client should request that resources be
‎ ostMan - API platform for developers to
P ‎fetched or 
‎design, build, test and iterate their APIs
 ‎modified, and how a server should respond
‎to those requests.
‎ ESTler - RESTler is the first stateful REST
R
‎API fuzzing tool for automatically testing  J‎ SON-RPC - JSON-RPC is a stateless, light-
‎weight remote procedure call (RPC) protocol.

‎cloud services

t‎ hrough their REST APIs and finding security ‎ penAPI - The OpenAPI Specification (OAS)
O
‎and reliability bugs in these services.
 ‎defines a standard, language-agnostic
‎interface to
‎RESTful APIs which allows both humans and
‎computers to discover and understand the 
‎ PI Security Testing for Hackers from
A ‎capabilities
‎BugCrowd’s LevelUp

‎API Protocols and Specifications ‎of the service without access to source code,
‎documentation, or through network traffic
‎ ad API, hAPI Hackers! from BugCrowd’s
B ‎inspection.
‎LevelUp

‎ AML - RAML is a language for the definition
R
‎ idden in Plain Site: Disclosing Information
H ‎of HTTP-based APIs that embody most or all
 ‎Webinars
‎via Your APIs from BugCrowd’s LevelUp ‎of the 
‎principles of Representational State Transfer (
‎ EST in Peace: Abusing GraphQL to Attack
R ‎REST).
‎Underlying Infrastructure from BugCrowd’s 
‎LevelUp ‎ OAP - SOAP is a lightweight protocol
S
‎intended for exchanging structured
‎ Hacker’s View of APIs: Vulnerabilities,
A ‎information in a
‎Exploits and Defense Options from Ping  ‎decentralized, distributed environment. It
‎Identity TV ‎uses XML to define an extensible messaging 
‎framework
‎API Hacking by Hack the Planet  ‎API Hacking Videos and Podcasts ‎providing a message construct that can be
‎exchanged over a variety of underlying
‎API hacking with Postman by The XSS rat  ‎YouTube Playlists ‎protocols.

‎ tandards.REST - A collection of standards

S
‎Everything API Hacking by InsiderPhd 
‎and specifications, that help make fantastic
‎HTTP/REST

‎ rez Yalon -- The OWASP API Security
E
‎Project
 ‎THE ULTIMATE ‎APIs

‎The Hacker Mind Podcast: Hacking APIs 

‎Floating Topic ‎GUIDE OF ‎ ML-RPC - XML-RPC is a set of
X
‎Podcasts ‎implementations that allow software running

‎Troy Hunt: Hack Your API-Security Testing  ‎API HACKING ‎on disparate
‎operating systems, running in different

‎We Hack Purple - API Security Best Practices  ‎RESOURCES ‎environments to make procedure calls over
‎the Internet. It's
‎remote procedure calling using HTTP as the
‎transport and XML as the encoding.
‎ uzzing APIs - Fuzzing APIs chapter from "
F
‎The Fuzzing Book"

‎ acking APIs: Breaking Web Application
H
‎ uzz Vectors - OWASP’s guidance on
F ‎Programming Interfaces
‎fuzzing in their Web Security Testing Guide (  ‎Fuzzing
‎WSTG) ‎ he Web Application Hacker's Handbook:
T
‎BOOKS ‎Finding and Exploiting Security Flaws ‎if you need any book send me
‎ ESTler: Stateful REST API Fuzzing -
R
‎Microsoft’s research on REST API fuzzing

‎ eb Application Security: Exploitation and
W
‎Countermeasures for Modern Web
‎ PI endpoints & objects - 3203 common API
A ‎Applications
‎endpoints and objects designed for fuzzing.


‎ PI HTTP Request Methods - HTTP requests

A ‎API Fuzzing
 ‎ ttps://pentestbook.six2dez.com/
h
‎methods wordlist from SecLists 
‎enumeration/webservices/apis

‎ PI Routes wordlist - AssesNote’s collection

A
 ‎ ttps://github.com/cyprosecurity/API-
h
‎of API routes
‎SecurityEmpire


‎ pi_wordlist - SecList’s collection of API

a
‎online article
 ‎ ttps://book.hacktricks.xyz/network-
h
‎names used for fuzzing web application APIs. ‎services-pentesting/pentesting-web/graphql


‎ ommon API endpoints - SecList’s collection

C ‎ ttps://book.hacktricks.xyz/network-
h
 ‎Wordlists
‎of API endpoints ‎services-pentesting/pentesting-web/web- 
‎api-pentesting
‎ raphQL wordlist - SecList’s collection of
G
‎GraphQL endpoints


‎API Security Top 10 

‎ acking-API wordlists - hAPI Hacker’s
H
‎collection of API paths and wordlists

‎GraphQL 
‎ iterunner wordlist - AssestNote’s collection
K
‎of API wordlists for Kiterunner
 ‎Injection Prevention 

‎ wagger / OpenAPI wordlist - SecList’s

S ‎Cheatsheets ‎JSON Web Token (JWT) Security 
‎collection of wordlists for finding API docs

‎Microservices Security 

‎REST Assessment 
‎ PISandbox - Pre-Built Vulnerable Multiple
A ‎Cheatsheets & Checklists
‎API Scenarios Environments Based on  ‎REST Securit 
‎Docker-Compose
‎API Penetration Testing 
‎ rAPI - Completely ridiculous API (crAPI) will
c
‎help you to understand the ten most critical 
‎Checklists ‎API Testing 
‎API security risks.

‎ amn Vulnerable GraphQL App - An

D ‎API Security Testing 
‎intentionally vulnerable implementation of 
‎Facebook's GraphQL technology,
‎The Beginner's Guide to API Hacking 
‎ VMS - The Damn Vulnerable Microservice is
D
‎written in many languages to demonstrate  ‎API and microservice security 
‎OWASP API Top Security Risks
‎ inding and Exploiting Unintended
F
‎ VWS-Node - Damn Vulnerable Web
D ‎Functionality in Main Web App APIs

‎Services is a vulnerable application with a
‎web service and an API that can be used to  ‎ ow To Hack API In 60 Minutes With Open
H
‎learn about web services/API-related ‎Source Tools

‎vulnerabilities. ‎Deliberately Vulnerable APIs
‎How to Hack APIs in 2021 
‎ eneric University - InsiderPhD’s Laravel
G
‎demo app that is purposely vulnerable to a ‎How to Hack an API and Get Away with It 
‎number of vulnerabilities on the OWASP API

‎Top 10. ‎ ow to exploit GraphQL endpoint:
H
‎API Hacking Articles ‎introspection, query, mutations & tools

‎ AmPI - VAmPI is a vulnerable API made
V
‎with Flask and it includes vulnerabilities from  ‎ otes from Hacking APIs from Bug Bounty
N
‎the OWASP top 10 vulnerabilities for APIs. ‎Bootcamp


‎ API - vAPI is a Vulnerable Adversely

v ‎Sample API Penetration Testing Report 
‎Programmed Interface which is Self-Hostable
‎API that mimics OWASP API Top 10 scenarios

‎Scanning APIs with Burp Scanner 
‎through Exercises.
‎Simplifying API Pentesting With Swagger Files 
‎ ulnerable-graphql-api - A very vulnerable
v
‎implementation of a GraphQL API.

‎ OAP Security: Top Vulnerabilities and How
S

‎ ebSheep -
W 🐑 WebSheep is an app based

‎to Prevent Them

‎on willingly vulnerable ReSTful APIs. ‎Using Burp to Enumerate a REST API 