API Security Tools
Author: Matt Tesauro
Contributor(s): kingthorin
Contributor(s): kingthorin
APIs are becoming an increasingly large portion of the software that powers the Internet including mobile applications, single-page applications (SPAs) and cloud infrastructure. While APIs share much of the same security controls and software security issues with traditional web applications, they are different enough to make a distinction between ‘normal’ AppSec tools and ones that were built with APIs in mind. This page was created to list tools known to support APIs natively and by design.
Types of API Tools
Tools for API Security can be broken down into 3 broad categories.
- API Security Posture: Creates an inventory of APIs, the methods exposed and classifies the data used by each method.
- Goal: Provide visibility into the security state of a collection of APIs.
- API Runtime Security: provides protection to APIs during their normal running and handling of API requests.
- Goal: Detect and prevent malicious requests to an API.
- API Security Testing: Dynamic assessment of an API’s security state.
- Goal: Evaluate the security of a running API by interacting with the API dynamically (DAST-like behavior)
For more detailed information on the 3 categories, see slides 14 to 17 of this presentation.
The goal is to provide as comprehensive a list of API tools as possible using the input of the diverse perspectives of the OWASP community.
API Tools List
42Crunch from 42Crunch
|
|
|
|
Akto from Akto
APIClarity from APIClarity
|
|
|
|
APIsec from APIsec
|
|
|
|
API Secure from Data Theorem
|
|
|
|
Note: See Data Theorem API Secure Data Sheet for a complete overview of product capabilities
API Security from Imperva
|
|
|
|
AppSentinels Full LifeCycle API Security Platform from AppSentinels
|
|
|
|
AppSentinels platform helps developers build secure API's as well as helps security teams in protecting their Applications from OWASP and OWASP API attacks. Delivered from cloud as well as on-prem. Highly scalable architecture . Contact at [email protected]
Aptori from Aptori
|
|
|
|
Astra from flipkart-incubator
|
|
|
|
Automatic API Attack Tool from Imperva
|
|
|
|
Beagle Security from Beagle Cyber Innovations
|
|
|
|
Note: Imports Postman and OpenAPI Collections, quick configuration, supports GraphQL.
Bright from Bright Security
|
|
|
|
BurpSuite Professional from PortSwigger
Cequence Security - UAP from Cequence Security
|
|
|
|
Free Tool for finding APIs: https://apispyder.cequence.ai/
Cherrybomb from BLST Security
|
|
|
|
Contrast Security from Contrast Security
|
|
|
|
Note: Contrast performs vulnerability detection and runtime protection of APIs using an instrumentation-based approach
curl from curl
|
|
|
|
Note: Low level tool
Escape from Escape
ffuf from ffuf
|
|
|
|
Note: General http/web fuzzer which can also fuzz http-based APIs
FireTail from FireTail
|
|
|
|
graphql-cop from dolevf
|
|
|
|
Note: Only for testing GraphQL APIs
Hoppscotch from Hoppscotch
|
|
|
|
Note: Developer-centric tool
httpie from httpie
|
|
|
|
Note: HTTP client designed to be a user-friendly terminal app
http-tanker from PierreKieffer
|
|
|
|
Note: Very manual terminal program e.g. Postman in your terminal
Hurl from Orange-OpenSource
|
|
|
|
Note: Command line tool that runs HTTP requests defined in a simple plain text format. It can chain requests, capture values and evaluate queries on headers and body response.
ImmuniWeb Neuron from ImmuniWeb
|
|
|
|
Insomnia from Kong
|
|
|
|
Note: Developer-centric tool
jerry-curl from mtesauro
|
|
|
|
Note: Low level curl automation
Levo.ai from LEVO.AI
|
|
|
|
Noname API Security Platform from Noname Security
|
|
|
|
Note: Flexible deployment options (SaaS, hybrid, on-prem), multi-engine support, options for agentless and out-of-band or inline
Nuclei from ProjectDiscovery
|
|
|
|
Note: General scanning of TCP, DNS, HTTP, etc so can be used to test APIs
openapi3-fuzzer from VolkerWessels Telecom
|
|
|
|
Note: Low-level fuzzing tool
Pentest-Tools.com API Scanner from Pentest-Tools.com
|
|
|
|
Note: Discover SQLi, SSRF, and Code Injections using both Postman Collections and OpenAPI schemas.
Postman from Postman
|
|
|
|
Note: Developer-centric tool
Probely from Probely
|
|
|
|
Note: imports Postman Collections and OpenAPI schemas. Full-featured API for integrations with CI/CD
Purpleteam from Purpleteam
Pynt from Pynt
|
|
|
|
Note: Automated API security testing and discovery
Rapid7 InsightAppSec from Rapid7 InsightAppSec
|
|
|
|
rest-assured from rest-assured
|
|
|
|
Note: For the Java programming language
Resurface from Resurface
|
|
|
|
Salt Security API Protection Platform from Salt Security
|
|
|
|
automated discovery, runtime protection, remediation insights in pre-prod and from runtime learnings
SoapUI from SMARTBEAR
|
|
|
|
StackHawk from StackHawk
|
|
|
|
Threatspy from Secure Blink
|
|
|
|
Traceable AI from Traceable AI
|
|
|
|
Discovery, posture management, testing, protection, threat and incident analysis, fraud prevention.
Deploy out-of-band mirroring, ebpf, edge, or in-app
Wallarm from Wallarm
|
|
|
|
WebInspect from Fortify
|
|
|
|
Note: Supports SOAP, REST, Swagger/OpenAPI and Postman
Wfuzz from xmendez
|
|
|
|
Note: General http/web fuzzer which can also fuzz http-based APIs
Zed Attack Proxy (ZAP) from OWASP
SecOps Solution from SecOps Solution
|
|
|
|
Equixly from Equixly
|
|
|
|
Note: AI-powered API Security Testing
Intruder from Intruder
|
|
|
|
Note: Upload your OpenAPI/Swagger API schema to get complete coverage of your API endpoints
VulnAPI from CerberAuth
|
|
|
|
Note: Use Curl-like command or OpenAPI contract to perform API scan. An existing Github Action can perform a scan automatically before deployment.
Adding Tools
To add items, please add a stanza to the yaml file here or email me at matt.tesauro AT owasp.org