API Security Tools

Author: Matt Tesauro
Contributor(s): kingthorin

APIs are becoming an increasingly large portion of the software that powers the Internet including mobile applications, single-page applications (SPAs) and cloud infrastructure. While APIs share much of the same security controls and software security issues with traditional web applications, they are different enough to make a distinction between ‘normal’ AppSec tools and ones that were built with APIs in mind. This page was created to list tools known to support APIs natively and by design.

Types of API Tools

Tools for API Security can be broken down into 3 broad categories.

API Security Posture: Creates an inventory of APIs, the methods exposed and classifies the data used by each method.
- Goal: Provide visibility into the security state of a collection of APIs.
API Runtime Security: provides protection to APIs during their normal running and handling of API requests.
- Goal: Detect and prevent malicious requests to an API.
API Security Testing: Dynamic assessment of an API’s security state.
- Goal: Evaluate the security of a running API by interacting with the API dynamically (DAST-like behavior)

For more detailed information on the 3 categories, see slides 14 to 17 of this presentation.

The goal is to provide as comprehensive a list of API tools as possible using the input of the diverse perspectives of the OWASP community.

API Tools List

42Crunch from 42Crunch

|

|

|

|

Akto from Akto

|

|

|

|

Both agentless and agent options available with 20+ traffic connectors

APIClarity from APIClarity

|

|

|

|

APIsec from APIsec

|

|

|

|

API Secure from Data Theorem

|

|

|

|

Note: See Data Theorem API Secure Data Sheet for a complete overview of product capabilities

API Security from Imperva

|

|

|

|

Astra from flipkart-incubator

|

|

|

|

Automatic API Attack Tool from Imperva

|

|

|

|

Beagle Security from Beagle Cyber Innovations

|

|

|

|

Note: Imports Postman and OpenAPI Collections, quick configuration, supports GraphQL.

Bright from Bright Security

|

|

|

|

BurpSuite Professional from PortSwigger

|

|

|

|

Note: See PortSwigger docs for testing APIs

Cequence Security - UAP from Cequence Security

|

|

|

|

Free Tool for finding APIs: https://apispyder.cequence.ai/

Cherrybomb from BLST Security

|

|

|

|

Contrast Security from Contrast Security

|

|

|

|

Note: Contrast performs vulnerability detection and runtime protection of APIs using an instrumentation-based approach

curl from curl

|

|

|

|

Note: Low level tool

Escape from Escape

|

|

|

|

Freemium, online versions of the tool are also available:

ffuf from ffuf

|

|

|

|

Note: General http/web fuzzer which can also fuzz http-based APIs

graphql-cop from dolevf

|

|

|

|

Note: Only for testing GraphQL APIs

Hoppscotch from Hoppscotch

|

|

|

|

Note: Developer-centric tool

httpie from httpie

|

|

|

|

Note: HTTP client designed to be a user-friendly terminal app

http-tanker from PierreKieffer

|

|

|

|

Note: Very manual terminal program e.g. Postman in your terminal

ImmuniWeb Neuron from ImmuniWeb

|

|

|

|

Insomnia from Kong

|

|

|

|

Note: Developer-centric tool

jerry-curl from mtesauro

|

|

|

|

Note: Low level curl automation

Jit from Jit

|

|

|

|

Note: Utilises (and supports) OWASP ZAP

Levo.ai from LEVO.AI

|

|

|

|

Noname API Security Platform from Noname Security

|

|

|

|

Note: Flexible deployment options (SaaS, hybrid, on-prem), multi-engine support, options for agentless and out-of-band or inline

Nuclei from ProjectDiscovery

|

|

|

|

Note: General scanning of TCP, DNS, HTTP, etc so can be used to test APIs

openapi3-fuzzer from VolkerWessels Telecom

|

|

|

|

Note: Low-level fuzzing tool

Postman from Postman

|

|

|

|

Note: Developer-centric tool

Probely from Probely

|

|

|

|

Note: imports Postman Collections and OpenAPI schemas. Full-featured API for integrations with CI/CD

Purpleteam from Purpleteam

|

|

|

|

Note: Dual licensed under non-OSI approved licenses details here

Pynt from Pynt

|

|

|

|

Note: Automated API security testing and discovery

rest-assured from rest-assured

|

|

|

|

Note: For the Java programming language

Resurface from Resurface

|

|

|

|

Salt Security API Protection Platform from Salt Security

|

|

|

|

automated discovery, runtime protection, remediation insights in pre-prod and from runtime learnings

SoapUI from SMARTBEAR

|

|

|

|

StackHawk from StackHawk

|

|

|

|

Threatspy from Secure Blink

|

|

|

|

Traceable AI from Traceable AI

|

|

|

|

Wallarm from Wallarm

|

|

|

|

WebInspect from Fortify

|

|

|

|

Note: Supports SOAP, REST, Swagger/OpenAPI and Postman

Wfuzz from xmendez

|

|

|

|

Note: General http/web fuzzer which can also fuzz http-based APIs

Zed Attack Proxy (ZAP) from OWASP

|

|

|

|

Note: See Zap FAQ for testing APIs

Adding Tools

To add items, please add a stanza to the yaml file here or email me at matt.tesauro AT owasp.org

Watch Star