OWASP API Security Testing Framework

OWASP API Security Testing Framework

Description

The OWASP API Security Testing Framework (ASTF) is a specialized security testing tool designed to identify vulnerabilities in APIs based on the OWASP API Security Top 10. In an era where APIs form the backbone of modern applications, this framework enables automated security validation, making it easier to integrate security testing into development pipelines.

Project Purpose

Modern applications rely heavily on APIs, but specialized tools for testing API security are lacking. The ASTF fills this gap by providing:

  1. Automated detection of API-specific vulnerabilities
  2. Integration capabilities with CI/CD pipelines
  3. Comprehensive security reporting
  4. Support for multiple API architectures (REST, GraphQL, gRPC)

Key Features

  • Comprehensive Test Suite: Pre-built test cases covering all OWASP API Security Top 10 vulnerabilities
  • Flexible Architecture: Support for different API types and authentication mechanisms
  • CI/CD Integration: Native integrations with popular CI/CD platforms
  • Customizable Rules: Ability to create custom test cases beyond the default set
  • Detailed Reporting: Comprehensive vulnerability reports with remediation guidance
  • Real-world Attack Patterns: Incorporates patterns observed in actual API breaches

Getting Involved

The API Security Testing Framework welcomes contributions from the community. Here’s how you can get involved:

  • Code Contributions: Help develop new test cases or improve existing ones
  • Documentation: Assist with improving guides and examples
  • Testing: Try the framework on your APIs and provide feedback
  • Use Cases: Share your API security testing scenarios

Join us on GitHub to contribute.

Roadmap

Phase 1 (Q2 2025)

  • Core framework development
  • Basic test cases for top 5 API vulnerabilities
  • Initial documentation
  • Proof of concept demonstrations

Phase 2 (Q3-Q4 2025)

  • Expanded test case coverage
  • CI/CD integration modules
  • API attack pattern database
  • Community contribution guidelines

Phase 3 (Q1-Q2 2026)

  • Advanced detection capabilities
  • Custom rule engine
  • Enterprise integration features
  • Comprehensive documentation

Licensing

This project is licensed under the Apache 2.0 License.

Project Leaders

  • [Govindarajan Lakshmikanthan] - Project Leader
    • GitHub: @GovindarajanL
    • Email: govindarajan.lakshmikanthan@owasp.com/govind.lkanthan@gmail.com

Getting Started

# Clone the repository
git clone https://github.com/OWASP/api-security-testing-framework.git

# Build the project
mvn clean install

# Run a basic scan
java -jar astf.jar --target http://example-api.com --auth-token TOKEN

For more detailed instructions, please refer to our GitHub repository.

Example

Put whatever you like here: news, screenshots, features, supporters, or remove this file and don’t use tabs at all.

Edit on GitHub
Watch Star