
The Ultimate Guide of Api Hacking Resources

The document lists several tools for testing APIs and REST services including APICheck, APIClarity, APIFuzzer, APIKit, Arjun, Imperva's automatic API attack tool, BatchQL, Burp Suite, CATS, Cherrybomb, Clairvoyance, ffuf, and fuzzapi.
By: Mahmoud ibrahim

Follow me:

LinkedIn: https://www.linkedin.com/in/mahmoud-ibrahim-9b5364244

GitHub: https://github.com/Az0x7

API Hacking Tools

APICheck - The DevSecOps toolset for REST APIs.

APIClarity - Reconstruct Open API Specifications from real-time workload traffic seamlessly.

APIFuzzer - Fuzz test your application using your OpenAPI or Swagger API definition without coding

APIKit - Discovery, Scan and Audit APIs Toolkit All In One.

Arjun - HTTP parameter discovery suite.

Astra - Automated Security Testing For REST API's

Automatic API Attack Tool - Imperva's customizable API attack tool takes an API specification as an input, and generates and runs attacks that are based on it as an output.

BatchQL - GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations.

Burp Suite - Robust app security testing tool capable of attacking APIs

CATS - A REST API Fuzzer and negative testing tool for OpenAPI endpoints

Cherrybomb - A CLI tool that helps you avoid undefined user behaviour by validating your API specifications.

clairvoyance - Obtain GraphQL API schema despite disabled introspection!.

ffuf - Fast web fuzzer written in Go

fuzzapi - A tool used for REST API pentesting and uses API_Fuzzer gem.

GraphQLmap - GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.

graphql-playground - GraphQL IDE for better development workflows

gotestwaf - An open-source project to test different web application firewalls (WAF) for detection logic and bypasses

InQL - A Burp Extension for GraphQL Security Testing.

kiterunner - Contextual Content Discovery Tool great for finding API endpoints

mitmproxy2swagger - Automagically reverse-engineer REST APIs via capturing traffic

PostMan - API platform for developers to design, build, test and iterate their APIs

RESTler - RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.

HTTP Fundamentals

Basics of HTTP - Mozilla’s in-depth guide to everything about HTTP

HTTP Status Codes - Mozilla’s in-depth guide to HTTP response codes

Know your HTTP Well - HTTP encodings, headers, media types, methods, relations, and status codes, all summarized and linked to their specification.

Know your HTTP Headers - A simplified and comprehensive table of HTTP headers important for API security, stored in a single PDF.

Know your HTTP Status Codes - A simplified and comprehensive table of HTTP status codes used in API calls, stored in a single PDF.

Know your HTTP Methods - A simplified and comprehensive table of HTTP methods used in API requests, stored in a single PDF

API Protocols and Specifications

AsyncAPI - The AsyncAPI Specification is a project used to describe and document message-driven APIs in a machine-readable format. It’s protocol-agnostic, so you can use it for APIs that work over any protocol (e.g., AMQP, MQTT, WebSockets, Kafka, STOMP, HTTP, Mercure, etc).

GraphQL - GraphQL is a query language designed to build client applications by providing an intuitive and flexible syntax and system for describing their data requirements and interactions.

JSON API - JSON:API is a specification for how a client should request that resources be fetched or modified, and how a server should respond to those requests.

JSON-RPC - JSON-RPC is a stateless, light-weight remote procedure call (RPC) protocol.

OpenAPI - The OpenAPI Specification (OAS) defines a standard, language-agnostic interface to RESTful APIs which allows both humans and computers to discover and understand the capabilities of the service without access to source code, documentation, or through network traffic inspection.

RAML - RAML is a language for the definition of HTTP-based APIs that embody most or all of the principles of Representational State Transfer (REST).

SOAP - SOAP is a lightweight protocol intended for exchanging structured information in a decentralized, distributed environment. It uses XML to define an extensible messaging framework providing a message construct that can be exchanged over a variety of underlying protocols.

Standards.REST - A collection of standards and specifications, that help make fantastic HTTP/REST APIs

XML-RPC - XML-RPC is a set of implementations that allow software running on disparate operating systems, running in different environments to make procedure calls over the Internet. It's remote procedure calling using HTTP as the transport and XML as the encoding.

API Hacking Videos and Podcasts: Webinars

API Security Testing for Hackers from BugCrowd’s LevelUp

Bad API, hAPI Hackers! from BugCrowd’s LevelUp

Hidden in Plain Site: Disclosing Information via Your APIs from BugCrowd’s LevelUp

REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure from BugCrowd’s LevelUp

A Hacker’s View of APIs: Vulnerabilities, Exploits and Defense Options from Ping Identity TV

API Hacking Videos and Podcasts: YouTube Playlists

API Hacking by Hack the Planet

API hacking with Postman by The XSS rat

Everything API Hacking by InsiderPhd

API Hacking Videos and Podcasts: Podcasts

Erez Yalon -- The OWASP API Security Project

The Hacker Mind Podcast: Hacking APIs

Troy Hunt: Hack Your API-Security Testing

We Hack Purple - API Security Best Practices

API Fuzzing: Fuzzing

Fuzzing APIs - Fuzzing APIs chapter from "The Fuzzing Book"

Fuzz Vectors - OWASP’s guidance on fuzzing in their Web Security Testing Guide (WSTG)

RESTler: Stateful REST API Fuzzing - Microsoft’s research on REST API fuzzing

API Fuzzing: Wordlists

API endpoints & objects - 3203 common API endpoints and objects designed for fuzzing.

API HTTP Request Methods - HTTP requests methods wordlist from SecLists

API Routes wordlist - Assetnote’s collection of API routes

api_wordlist - SecLists’ collection of API names used for fuzzing web application APIs.

Common API endpoints - SecLists’ collection of API endpoints

GraphQL wordlist - SecLists’ collection of GraphQL endpoints

Hacking-API wordlists - hAPI Hacker’s collection of API paths and wordlists

Kiterunner wordlist - Assetnote’s collection of API wordlists for Kiterunner

Swagger / OpenAPI wordlist - SecLists’ collection of wordlists for finding API docs

Books

Hacking APIs: Breaking Web Application Programming Interfaces

The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws

Web Application Security: Exploitation and Countermeasures for Modern Web Applications

If you need any book, send me

Online articles

https://pentestbook.six2dez.com/enumeration/webservices/apis

https://github.com/cyprosecurity/API-SecurityEmpire

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/web-api-pentesting

Cheatsheets & Checklists: Cheatsheets

API Security Top 10

GraphQL

Injection Prevention

JSON Web Token (JWT) Security

Microservices Security

REST Assessment

REST Security

Cheatsheets & Checklists: Checklists

API Penetration Testing

API Testing

API Security Testing

API Hacking Articles

The Beginner's Guide to API Hacking

API and microservice security

Finding and Exploiting Unintended Functionality in Main Web App APIs

How To Hack API In 60 Minutes With Open Source Tools

How to Hack APIs in 2021

How to Hack an API and Get Away with It

How to exploit GraphQL endpoint: introspection, query, mutations & tools

Notes from Hacking APIs from Bug Bounty Bootcamp

Sample API Penetration Testing Report

Scanning APIs with Burp Scanner

Simplifying API Pentesting With Swagger Files

SOAP Security: Top Vulnerabilities and How to Prevent Them

Using Burp to Enumerate a REST API

Deliberately Vulnerable APIs

APISandbox - Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose

crAPI - Completely ridiculous API (crAPI) will help you to understand the ten most critical API security risks.

Damn Vulnerable GraphQL App - An intentionally vulnerable implementation of Facebook's GraphQL technology,

DVMS - The Damn Vulnerable Microservice is written in many languages to demonstrate OWASP API Top Security Risks

DVWS-Node - Damn Vulnerable Web Services is a vulnerable application with a web service and an API that can be used to learn about web services/API-related vulnerabilities.

Generic University - InsiderPhD’s Laravel demo app that is purposely vulnerable to a number of vulnerabilities on the OWASP API Top 10.

VAmPI - VAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs.

vAPI - vAPI is a Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.

vulnerable-graphql-api - A very vulnerable implementation of a GraphQL API.

WebSheep - 🐑 WebSheep is an app based on willingly vulnerable ReSTful APIs.
