APIs
APIs are essential nowadays, make them secure
About
A foundational element of innovation in today's app-driven world is the API. From banks, retail and transportation to IoT, autonomous vehicles and smart cities, APIs are a critical part of modern mobile, SaaS and web applications and can be found in customer-facing, partner-facing and internal applications. By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible. [1]
Best practices
Extracted from [2], [3] and [4].
Authentication
JWT (JSON Web Tokens)
Access
OAuth
Input
Processing
Output
CI/CD
Monitoring
More!
Take a look at these cheatsheets:
Resources
Find other resources for API security here.
Tools
Generic
API Development tools: A collection of useful resources for building RESTful HTTP+JSON APIs.
API Guesser: Simple website to guess API Key / OAuth Token by Muhammad Daffa.
API Key Leaks: Tools and exploits: An API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave them on public shares.
Key-Checker (⚠️): Go scripts for checking API key / access token validity.
Keyhacks: Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.
Private key usage verification: Driftwood is a tool that can enable you to look up whether a private key is used for things like TLS or as a GitHub SSH key for a user.
Burp API enumeration: Using Burp to Enumerate a REST API.
ZAP scanning: Scanning APIs with ZAP.
ZAP exploring: Exploring APIs with ZAP.
ZAP API Scan: A ZAP add-on that automates API security scanning.
w3af scanning: Scan REST APIs with w3af.
Wallarm Free API Firewall: Fast and light-weight API proxy firewall for request and response validation by OpenAPI specs.
dredd: Language-agnostic HTTP API Testing Tool.
getallurls (gau): Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
SoapUI: SoapUI is a free and open-source cross-platform functional testing solution for APIs and web services.
Step CI: Open-source framework for API Quality Assurance, which tests REST, GraphQL and gRPC automated and from Open API spec.
unfurl: Pull out bits of URLs provided on stdin.
ModSecurity: An open-source web application firewall (WAF) that can help protect APIs.
GraphQL
BatchQL (⚠️): GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations.
clairvoyance: Obtain GraphQL API schema despite disabled introspection!
GraphQLmap: GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.
graphql-path-enum: Tool that lists the different ways of reaching a given type in a GraphQL schema.
graphql-playground: GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration).
graphql-threat-matrix: GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations.
graphw00f: graphw00f is a GraphQL Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.
graphql-shield: A library for securing GraphQL APIs with fine-grained access control.
SOAP
Wsdler (⚠️): WSDL Parser extension for Burp.
wsdl-wizard (⚠️): WSDL Wizard is a Burp Suite plugin written in Python to detect current and discover new WSDL (Web Service Definition Language) files.
REST APIs
Akto: API discovery, automated business logic testing and runtime detection.
APICheck: The DevSecOps toolset for REST APIs.
APIClarity: Reconstruct Open API Specifications from real-time workload traffic seamlessly.
APIFuzzer: Fuzz test your application using your OpenAPI or Swagger API definition without coding.
APIKit: Discovery, Scan and Audit APIs Toolkit All In One.
Arjun: HTTP parameter discovery suite.
Astra: Automated Security Testing For REST API's.
Automatic API Attack Tool (⚠️): Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.
CATS: CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints.
Cherrybomb: Stop half-done API specifications with a CLI tool that helps you avoid undefined user behaviour by validating your API specifications.
ffuf: Fast web fuzzer written in Go.
fuzzapi (⚠️): Fuzzapi is a tool used for REST API pentesting and uses the API_Fuzzer gem.
gotestwaf: An open-source project in Golang to test different web application firewalls (WAF) for detection logic and bypasses.
kiterunner (⚠️): Contextual Content Discovery Tool.
Metlo | Open-source API security tool: to discover, inventory, test, and protect your APIs.
mitmproxy2swagger: Automagically reverse-engineer REST APIs via capturing traffic.
Optic: Verify the accuracy of your OpenAPI 3.x spec using real traffic and automatically apply patches that keep it up-to-date.
RESTler: RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
Swagger-EZ: A tool geared towards pentesting APIs using OpenAPI definitions.
TnT-Fuzzer (⚠️): OpenAPI 2.0 (Swagger) fuzzer written in Python. Basically TnT for your API.
wadl-dumper: Dump all available paths and/or endpoints on WADL file.
fuzz-lightyear (⚠️): A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing.
Books
API Security for dummies: This book is a high-level introduction to the key concepts of API security and DevSecOps.
API Security in Action: API Security in Action teaches you how to create secure APIs for any situation.
Black Hat GraphQL: Black Hat GraphQL book.
Hacking APIs: Breaking Web Application Programming Interfaces.
Understanding API Security: Several chapters from several Manning books that give you some context for how API security works in the real world.
RESTful API Design: Best Practices in API Design with REST: A book focusing on RESTful API design principles, including security considerations, by Matthias Biehl.
OAuth 2.0: Getting Started in API Security: A practical guide to OAuth 2.0 and API security by Matthias Biehl.
GraphQL in Action: A book covering GraphQL API design, development, and security best practices by Samer Buna.
Practical API Architecture and Development with Azure and AWS: A book on API architecture and development, including security considerations, for both Azure and AWS by Thurupathan Vijayakumar.
API Management: An Architect's Guide to Developing and Managing APIs for Your Organization: A book by Brajesh De that includes API security aspects and best practices.
Advanced API Security: OAuth 2.0 and Beyond: A book by Prabath Siriwardena that focuses on OAuth 2.0 and OpenID Connect protocols for API security.
Videos & presentations
YouTube Playlists
Other videos & presentations
pentesting-rest-apis: Pentesting Rest API's by Gaurang Bhatnagar.
Securing your APIs: "How Secure are you APIs?" - Securing your APIs: OWASP API Top 10 2019, Case Study and Demo.
api-security-testing-for-hackers: API Security Testing For Hackers.
bad-api-hapi-hackers: Bad API, hAPI Hackers!
disclosing-information-via-your-apis: Hidden in Plain Site: Disclosing Information via Your APIs.
rest-in-peace-abusing-graphql: REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure.
Everything API Hacking: A video collection from Katie Paxton-Fear, @InsiderPhD, and other people creating a playlist of API hacking knowledge!
API hacking: API hacking videos from @theXSSrat.
Specifications
API Blueprint: API Blueprint Specification.
AsyncAPI: AsyncAPI Specification.
OpenAPI: OpenAPI Specification.
JSON API: JSON API Specification.
GraphQL: GraphQL Specification.
RAML: RAML Specification.
JSON Web Tokens (JWT): A compact, URL-safe means of representing claims to be transferred between parties.
OAuth 2.0: A widely-adopted authorization framework for securing API access.
OpenID Connect: An identity layer built on top of OAuth 2.0 for authentication and single sign-on.
HAL (Hypertext Application Language): A standard for describing RESTful APIs using hypermedia.
WS-Security: A set of specifications for securing SOAP-based web services.
Learning
Know your HTTP Headers!: HTTP Headers: a simplified and comprehensive table.
Know your HTTP Status codes!: HTTP Status codes: a simplified and comprehensive table.
HTTP Status Codes: An easy-to-reference database of HTTP Status Codes with their definitions and helpful code references all in one place.
Know your HTTP * Well: HTTP headers, media-types, methods, relations and status codes, all summarized and linking to their specification.
Learning Path
Topic | Resources |
Understanding APIs and their importance | |
API Security Basics | |
Authentication and Authorization | |
API Security Best Practices | |
Rate Limiting and Throttling | |
Input Validation and Sanitization | |
Transport Security | |
API Security Testing | |
Project 1 - Building a Secure RESTful API | |
Project 2 - Implementing OAuth 2.0 and JWT | |
Project 3 - API Security Audit |
Workshops & labs
API security, REST Labs: Pentester Academy - attack & defense.
API Security University: APIsec University provides training courses for application security professionals.
BankGround API: Banking-like REST and GraphQL API for training/learning purposes.
GraphQL challenges: GraphQL Week on The Hacker101 Capture the Flag Challenges.
GraphQL Labs: GraphQL Labs on the OWASP Security Knowledge Framework.
Hacking APIs: Hacking APIs: workshop.
OWASP Top 10 for API: A series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints.
Practical API Security Walkthrough: Learn practical Mobile and API security techniques: API Key, Static and Dynamic HMAC, Dynamic Certificate Pinning, and Mobile App Attestation.
Fuzzing and others
API names wordlist: A wordlist of API names for web application assessments.
API HTTP requests methods: HTTP requests methods wordlist by @danielmiessler.
API Routes Wordlists: API Routes - Automated Wordlists provided by Assetnote.
Common API endpoints (⚠️): Wordlist for common API endpoints.
Filenames by fuzz.txt: Potentially dangerous files.
Fuzzing APIs: Fuzzing APIs chapter from "The Fuzzing Book".
GraphQL SecList (⚠️): It's a GraphQL list used during security assessments, collected in one place.
Hacking-APIs: Wordlists and API paths by @hapi_hacker.
Kiterunner Wordlists (⚠️): Kiterunner Wordlists provided by Assetnote.
List of API endpoints & objects: A list of common API endpoints and objects designed for fuzzing.
List of Swagger endpoints: Swagger endpoints.
SecLists for API's web-content discovery: It is a collection of web content discovery lists for APIs used during security assessments.
Vulnerable APIs to learn
APISandbox: Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose.
Bookstore: TryHackMe room - A Beginner level box with basic web enumeration and REST API Fuzzing.
crAPI: completely ridiculous API (crAPI)
Damn-Vulnerable-GraphQL-Application: Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology to learn and practice GraphQL Security.
Damn Vulnerable Micro Services (⚠️): This is a vulnerable microservice written in many languages to demonstrate OWASP API Top Security Risk (under development).
Damn Vulnerable Web Services: Damn Vulnerable Web Services is a vulnerable web service/API/application that we can use to learn webservices/API vulnerabilities.
Generic-University: Vulnerable API with Laravel App.
node-api-goat: A simple Express.JS REST API application that exposes endpoints with code that contains vulnerabilities.
Pixi (⚠️): The Pixi module is a MEAN Stack web app with wildly insecure APIs!
REST API Goat (⚠️): This is a "Goat" project so you can get familiar with REST API testing.
VAmPI: Vulnerable REST API with OWASP top 10 vulnerabilities for APIs.
vAPI: vAPI is Vulnerable Adversely Programmed Interface, a self-hostable API that mimics OWASP API Top 10 scenarios through exercises.
vulnapi: Intentionally very vulnerable API with bonus bad coding practices.
vulnerable-graphql-api (⚠️): A very vulnerable implementation of a GraphQL API.
Websheep: Websheep is an app based on willingly vulnerable ReSTful APIs.
DVNA (⚠️): Damn Vulnerable Node.js Application with insecure APIs.
WebGoat: A deliberately insecure web app for security training.
Juice Shop: A modern, intentionally insecure web application.
Gruyere: A web application with security holes used for training.
Railsgoat: A vulnerable Ruby on Rails application for learning security.
Mutillidae: A deliberately vulnerable set of PHP scripts.
NodeGoat: A Node.js/Express app with security vulnerabilities.
Hackazon (⚠️): A modern, vulnerable e-commerce web app.
GoatDroid (⚠️): A vulnerable Android app with insecure APIs.
AltoroJ: A vulnerable Java web app for learning application security.
Hackademic (⚠️): A vulnerable web app to learn and practice web application security.
Others
The API Specification Toolbox: The goal of this toolbox is to map out all of the different API specifications in use, as well as the services, tooling, extensions, and other supporting elements.
Understanding gRPC, OpenAPI and REST: gRPC vs REST: Understanding gRPC, OpenAPI and REST and when to use them in API design.
API security design best practices: API security design best practices for enterprise and public cloud.
REST API Design Guide: This design guide or style guide contains best practices suitable for most REST APIs.
How to design a REST API: How to design a REST API? - Full guide tackling security, pagination, filtering, versioning, partial answers, CORS, etc.
Awesome REST: A collaborative list of great resources about RESTful API architecture, development, test, and performance. Feel free to contribute to this ongoing list.
Collect API Requirements: Collecting Requirements for your API with APIOps Cycles.
API Audit: API Audit is a method to ensure APIs match the API Design guidelines. It also helps check for usability, security and API management platform compatibility.
Podcasts
The Secure Developer: A podcast that discusses security best practices for developers, including API security topics.
Application Security Weekly: A weekly podcast covering application security news, including API security updates.
The New Stack Podcast: A podcast that covers various technology topics, occasionally featuring API security discussions.
The CyberWire Daily Podcast: A daily cybersecurity news podcast that occasionally discusses API security.
Security Now: A weekly podcast discussing a wide range of security topics, including API security.
Darknet Diaries: A podcast that tells true stories from the dark side of the internet, occasionally featuring episodes about API security incidents.
Risky Business: A podcast that covers information security news and events, sometimes discussing API security.
Smashing Security: A cybersecurity podcast that occasionally discusses API security topics.
The Privacy, Security, & OSINT Show: A podcast focusing on privacy, security, and open-source intelligence topics, occasionally featuring API security discussions.
Hacking APIs: The Hacker Mind Podcast: Hacking APIs.
Hack Your API-Security Testing: 21: Troy Hunt: Hack Your API-Security Testing.
Episode 38 API Security Best Practices: We Hack Purple Podcast Episode 38 API Security Best Practices.
Wikis & Collections
OWASP API Security Project: An OWASP project that provides resources and guidelines on API security.
API Security Encyclopedia: A comprehensive encyclopedia of API security terms and concepts.
API Security on Infosec: A collection of API security articles and resources by Infosec Institute.
API Security on DZone: A collection of API security articles, tutorials, and news on DZone.
API Security on Medium: A collection of API security articles and stories on Medium, contributed by various authors.
API Security on Hacker Noon: A collection of API security articles on Hacker Noon, contributed by various authors.
API Security on Dev.to: A collection of API security articles, tutorials, and discussions on Dev.to.
Mind maps:
API Pentesting - ATTACK: Mind map: API Pentesting - ATTACK.
API Pentesting - Recon: Mind map: API Pentesting - Recon.
GraphQL Attacking: Mind map: GraphQL Attacking.
IDOR Techniques: Mind map: IDOR Techniques.
MindAPI: Organize your API security assessment by using MindAPI.
XML attacks: Mind map: XML attacks.
REST API defenses: Mind map: REST API defenses.
REST API Security Mind Map: A mind map that covers key security aspects of RESTful APIs.
OAuth 2.0 Mind Map: A visual representation of OAuth 2.0 concepts and components, which are crucial for API security.
API Security Testing Mind Map: A mind map that provides an overview of API security testing concepts and techniques.
API Management Mind Map: A mind map covering various aspects of API management, including security considerations.
Web Services Security Mind Map: A mind map that delves into security aspects of web services, including APIs.
Books, collections:
APIs Pentest Book: APIs Pentest Book.
API Pentest tips: CSbyGB's Pentips.
API Security Empire: The API Security Empire Project aims to present unique attack & defense methods in the API Security field.
API Security Encyclopedia: API Security Encyclopedia.
Web API Pentesting: HackTricks - Web API Pentesting.
GraphQL: HackTricks - GraphQL.
Newsletters
The Hacker News: A blog and newsletter that covers various API topics, including security.
API Evangelist: A blog and newsletter by Kin Lane that covers various API topics, including security.
The New Stack: A platform for news and analysis on various technology topics, including API security. Subscribe to their newsletter for regular updates.
Secjuice: A cybersecurity publication with a dedicated section for API security articles. Subscribe to their newsletter for updates.
Security Weekly: A cybersecurity podcast network and newsletter that occasionally covers API security topics.
StatusCode Weekly: A weekly newsletter that covers web operations and occasionally includes API security articles.
api security articles: API Security Articles - The Latest API Security News, Vulnerabilities & Best Practices.
Conferences
APIsecure: The world's first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security.
Others
awesome-security-apis: A collective list of public JSON APIs for use in security.
API Hacking Articles: API Hacking Fundamentals, Tools, Techniques, Fails and Mindset articles.
API Security: The Complete Guide: API Security, The Complete Guide.
API Penetration Testing: API Penetration Testing with OWASP 2017 Test Cases.
API Penetration Testing Report: Anonymised API Penetration Testing Report - vendor sample template.
API Pentesting with Swagger Files: Simplifying API Pentesting With Swagger Files.
API security path resources: Resources to help out in the API security path; diverse content from talks/webinars/videos, must read, writeups, bola/idors, oauth, jwt, rate limit, ssrf and practice entries.
API Security Testing: Principles of API Security Testing and how to perform a Security Test on an API.
Finding and Exploiting Web App APIs: Finding and Exploiting Unintended Functionality in Main Web App APIs.
How to Hack an API and Get Away with It: How to Hack an API and Get Away with It (Part 1 of 3).
How to Hack APIs in 2021: How to Hack APIs in 2021.
How to Hack API in 60 minutes with Open Source Tools: How to Hack API in 60 minutes with Open Source Tools.
GraphQL penetration testing: How to exploit GraphQL endpoint: introspection, query, mutations & tools.
Fixing the 13 most common GraphQL Vulnerabilities: GraphQL Security Guide, Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready.
Hacking APIs - Notes from Bug Bounty Bootcamp: My Notes on Hacking APIs from Bug Bounty Bootcamp.
SOAP Security Vulnerabilities and Prevention: SOAP Security, Top Vulnerabilities and How to Prevent Them.
API and microservice security: What are API and microservice security?
Strengthening Your API Security Posture: Strengthening Your API Security Posture - Ford Motor Company.
Sources