API Security Tools

Author: Matt Tesauro
Contributor(s): kingthorin

APIs are becoming an increasingly large portion of the software that powers the Internet including mobile applications, single-page applications (SPAs) and cloud infrastructure. While APIs share much of the same security controls and software security issues with traditional web applications, they are different enough to make a distinction between ‘normal’ AppSec tools and ones that were built with APIs in mind. This page was created to list tools known to support APIs natively and by design.

Types of API Tools

Tools for API Security can be broken down into 3 broad categories.

  • API Security Posture: Creates an inventory of APIs, the methods exposed and classifies the data used by each method.
    • Goal: Provide visibility into the security state of a collection of APIs.
  • API Runtime Security: provides protection to APIs during their normal running and handling of API requests.
    • Goal: Detect and prevent malicious requests to an API.
  • API Security Testing: Dynamic assessment of an API’s security state.
    • Goal: Evaluate the security of a running API by interacting with the API dynamically (DAST-like behavior)

For more detailed information on the 3 categories, see slides 14 to 17 of this presentation.

The goal is to provide as comprehensive a list of API tools as possible using the input of the diverse perspectives of the OWASP community.

API Tools List

Levo.ai from LEVO.AI

License | Platform | API Posture | API Runtime | API Testing

42Crunch from 42Crunch

License | Platform | API Posture | API Runtime | API Testing

APIClarity from APIClarity

License | Platform | API Posture | API Runtime | API Testing

APIsec from APIsec

License | Platform | API Posture | API Runtime | API Testing

API Security from Imperva

License | Platform | API Posture | API Runtime | API Testing

Astra from flipkart-incubator

License | Platform | API Posture | API Runtime | API Testing
License | Platform | API Posture | API Runtime | API Testing

Beagle Security from Beagle Cyber Innovations

License | Platform | API Posture | API Runtime | API Testing
Note: Imports Postman and OpenAPI Collections, quick configuration, supports GraphQL.

Bright from Bright Security

License | Platform | API Posture | API Runtime | API Testing

BurpSuite Professional from PortSwigger

License | Platform | API Posture | API Runtime | API Testing
Note: See PortSwigger docs for testing APIs

Cherrybomb from BLST Security

License | Platform | API Posture | API Runtime | API Testing

curl from curl

License | Platform | API Posture | API Runtime | API Testing
Note: Low level tool

ffuf from ffuf

License | Platform | API Posture | API Runtime | API Testing
Note: General http/web fuzzer which can also fuzz http-based APIs

graphql-cop from dolevf

License | Platform | API Posture | API Runtime | API Testing
Note: Only for testing GraphQL APIs

Hoppscotch from Hoppscotch

License | Platform | API Posture | API Runtime | API Testing
Note: Developer-centric tool

httpie from httpie

License | Platform | API Posture | API Runtime | API Testing
Note: HTTP client designed to be a user-friendly terminal app

http-tanker from PierreKieffer

License | Platform | API Posture | API Runtime | API Testing
Note: Very manual terminal program e.g. Postman in your terminal

Insomnia from Kong

License | Platform | API Posture | API Runtime | API Testing
Note: Developer-centric tool

jerry-curl from mtesauro

License | Platform | API Posture | API Runtime | API Testing
Note: Low level curl automation

Noname API Security Platform from Noname Security

License | Platform | API Posture | API Runtime | API Testing
Note: Flexible deployment options (SaaS, hybrid, on-prem), multi-engine support, options for agentless and out-of-band or inline

Nuclei from ProjectDiscovery

License | Platform | API Posture | API Runtime | API Testing
Note: General scanning of TCP, DNS, HTTP, etc so can be used to test APIs

openapi3-fuzzer from VolkerWessels Telecom

License | Platform | API Posture | API Runtime | API Testing
Note: Low-level fuzzing tool

Postman from Postman

License | Platform | API Posture | API Runtime | API Testing
Note: Developer-centric tool

Probely from Probely

License | Platform | API Posture | API Runtime | API Testing
Note: imports Postman Collections and OpenAPI schemas. Full-featured API for integrations with CI/CD

Purpleteam from Purpleteam

License | Platform | API Posture | API Runtime | API Testing
Note: Dual licensed under non-OSI approved licenses details here

rest-assured from rest-assured

License | Platform | API Posture | API Runtime | API Testing
Note: For the Java programming language

Resurface from Resurface

License | Platform | API Posture | API Runtime | API Testing
License | Platform | API Posture | API Runtime | API Testing automated discovery, runtime protection, remediation insights in pre-prod and from runtime learnings

SoapUI from SMARTBEAR

License | Platform | API Posture | API Runtime | API Testing

StackHawk from StackHawk

License | Platform | API Posture | API Runtime | API Testing

Traceable AI from Traceable AI

License | Platform | API Posture | API Runtime | API Testing

Wallarm from Wallarm

License | Platform | API Posture | API Runtime | API Testing

WebInspect from Fortify

License | Platform | API Posture | API Runtime | API Testing
Note: Supports SOAP, REST, Swagger/OpenAPI and Postman

Wfuzz from xmendez

License | Platform | API Posture | API Runtime | API Testing
Note: General http/web fuzzer which can also fuzz http-based APIs
License | Platform | API Posture | API Runtime | API Testing
Note: See Zap FAQ for testing APIs


Adding Tools

To add items, please add a stanza to the yaml file here or email me at matt.tesauro AT owasp.org