REST API

RESTful APIs are stateless, so when a consumer authenticates to these APIs, no session is created between the client and server. Instead, the API consumer must prove their identity within every request sent to the API provider’s web server.

Swagger UI

Escape - OpenAPI Security

Swagger Jacker

GitHub - BishopFox/sj: A tool for auditing endpoints defined in exposed (Swagger/OpenAPI) definition files.GitHub

CherryBomb

GitHub - blst-security/cherrybomb: Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.GitHub

cherrybomb --file swagger.json --profile passive

Astra

Automated Security Testing For REST API's

GitHub - flipkart-incubator/Astra: Automated Security Testing For REST API'sGitHub

Automatic API Attack Tool

GitHub - imperva/automatic-api-attack-tool: Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.GitHub

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Hacking APIs: Breaking Web Application Programming Interfaces A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
• Black Hat GraphQL: Attacking Next Generation APIs This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.