OWASP APICheck
APICheck - The DevSecOps toolset for HTTP APIs
APICheck is an environment for integrating existing HTTP API tools and creating execution chains easily. It is designed with the integration of third-party tools in mind.
APICheck is comprised of a set of tools that can be connected to each other to achieve different functionalities, depending on how they are connected. It allows you to create execution chains
Why another REST APIs tool?
APICheck aims to be a universal toolset for testing REST APIs, allowing you to mix and match the tools it provides, while enabling interoperability with third party tools. This way we hope that it will be useful to a wide spectrum of users that need to deal with REST APIs.
Who is APICheck for?
APICheck does not focus only on security testing and hacking use cases; the goal of the project is to become a complete toolset for DevSecOps cycles. The tools are aimed at different user profiles:
- Developers
- System Administrators
- Security Engineers & Penetration Testers
Pipelines & data flow
In *NIX, you can chain multiple commands together in a pipeline. Consider this one:
In a similar way, you can build APICheck pipelines by chaining the different tools together.
To allow interoperability among commands and tools, all of them share a common JSON data format. In other words, APICheck commands output JSON documents, and accept them as input, too. This allows you to build pipelines (as we showed in the previous section).

Contribution
If you are a tool developer, you can integrate with APICheck tools in no more than 10 minutes. Please check the Integrating new tools guide.
Licensing
This project is distributed under Apache 2 license.
Requirements
APICheck relies heavily on Docker, so you must have the Docker daemon installed in order to use it.
Although you can run APICheck tools by directly pulling and running each Docker image, we recommend that you use the APICheck Package Manager. This document explains how to use it to run APICheck.
Installation
Package Manager needs Python >= 3.5 installed. To install it just type in your console:
pip install apicheck-package-manager
Add APICheck config to PATH
You need to include the APICheck binary path in your global $PATH variable. To do so, add this line to your shell profile:
export PATH="$HOME/.apicheck_manager/bin:$PATH"
The First Run
Once installed, you can run the Package Manager by using the command acp.
$ acp
[!] Invalid action name
usage: acp [-h] [-w] {list,info,install,version} ...
APICheck Manager
positional arguments:
{list,info,install,version}
available actions
list search in A
info show expanded tool info
install install an APICheck tool
version displays version
optional arguments:
-h, --help show this help message and exit
-w, --disable-warning
disable check of RC Shell File
Package Manager allows you to list the available tools, install them and so on.
Listing available tools
The list command shows what are the available tools in the APICheck repository:
$ acp list
+--------------------------------------------------+
| Name | Version |
+--------------------------------------------------+
| apicheck-proxy | 1.0.2 |
+--------------------------------------------------+
| jwt-checker | 1.0.0 |
+--------------------------------------------------+
| send-to-proxy | 1.0.2 |
+--------------------------------------------------+
| acurl | 1.0.0 |
+--------------------------------------------------+
| replay | 1.0.0 |
+--------------------------------------------------+
| sensitive-data | 1.0.1 |
+--------------------------------------------------+
| openapiv2-lint | 1.0.0 |
+--------------------------------------------------+
| openapiv3-lint | 1.0.0 |
+--------------------------------------------------+
To get more info about any tool, use the info command:
$ acp info sensitive-data
+---------------------------------------------------------------------------+
| Tool name 'sensitive-data' |
+---------------------------------------------------------------------------+
| name | sensitive-data |
+---------------------------------------------------------------------------+
| display-name | Sensitive data detector |
+---------------------------------------------------------------------------+
| version | 1.0.1 |
+---------------------------------------------------------------------------+
| description | Find sensitive data in HTTP Request / |
| | / Headers |
+---------------------------------------------------------------------------+
| home | https://github.com/BBVA/apicheck |
+---------------------------------------------------------------------------+
| author | BBVA Labs Security |
+---------------------------------------------------------------------------+
| type | apicheck |
+---------------------------------------------------------------------------+
Installing a new tool
APICheck uses Docker under the hood, so when you install a new tool you will see the Docker image being fetched:
$ acp install sensitive-data
[*] Creating path for storing apicheck tools at : /Users/Dani/.apicheck_manager/bin
[*] Fetching Docker image for tool 'sensitive-data'
1.0.1: Pulling from bbvalabs/sensitive-data
Digest: sha256:be66ed12618ce5786e7a8d234ddbf0116e466180e02ef5dd75b09c830b6687dc
Status: Downloaded newer image for bbvalabs/sensitive-data:1.0.1
docker.io/bbvalabs/sensitive-data:1.0.1
[*] Making launch scripts
[*] Updating configuration file
Running tools
Once you have installed a tool and added the APICheck binary path to your $PATH, a command with the name of the tool becomes available:
$ sensitive-data -h
usage: sensitive-data [-h] [-q] [-F IGNORE_FILE] [-i IGNORE_RULE]
[-r RULES_FILE] [--server SERVER] [-C] [-D]
Analyze a HTTP Request / Response searching for sensitive data
optional arguments:
-h, --help show this help message and exit
-q, --quiet quiet mode
-F IGNORE_FILE, --ignore-file IGNORE_FILE
file with ignores rules
-i IGNORE_RULE, --ignore-rule IGNORE_RULE
rule to ignore
-r RULES_FILE, --rules-file RULES_FILE
rules file. One rule ID per line
--server SERVER launch in server mode listening at localhost:8000
Server mode options:
-C, --show-in-console
show results in console
-D, --dont-check always returns OK although a rule matches
Some tools also have an alias (a short command, shown by the acp info command), so you can run the tool by its alias as well.
APICheck keeps a repository of tools from which you can download them and access their documentation for usage information: see the APICheck documentation.
Tools & Pipelines
The power of APICheck resides in its capability of chaining tools by using *NIX-like pipelines.
In this example we'll use a .json file that contains a message (in APICheck format) and search for sensitive data within the body of the request (you can find this file at demo .json file):
$ cat demo-request.json | sensitive-data
http://my-company.com
---------------------
> rule -> core-001
> where -> request
> url -> http://my-company.com/api/entry-point
> description -> Find 'password' keyword in flow data
> sensitiveData -> password
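To make the common JSON data format from the Pipelines section and the chaining shown here concrete, the following is an added illustration, not APICheck's own code: a minimal sensitive-data style filter that reads one message from stdin, reports findings using the same fields as the output above, and re-emits JSON so that another tool can follow it in the pipe. The message layout, the rule ids and the patterns are assumptions constructed for this example.

```python
import json
import re
import sys

# Constructed sample message for this example; the key layout is an assumption,
# not the real APICheck JSON schema.
SAMPLE_MESSAGE = {
    "request": {
        "url": "http://my-company.com/api/entry-point",
        "headers": {"Content-Type": "application/json"},
        "body": '{"user": "dani", "password": "hunter2"}',
    },
    "response": {
        "headers": {"Set-Cookie": "session=abc"},
        "body": '{"ok": true}',
    },
}

# Rules mirror the page's finding shape (id, description, keyword); ids and patterns are constructed.
RULES = [
    ("core-001", "Find 'password' keyword in flow data", re.compile(r"password", re.I)),
    ("core-002", "Find 'secret' keyword in flow data", re.compile(r"secret", re.I)),
]

def find_sensitive_data(message):
    """Scan request and response headers and body; one finding per rule hit."""
    findings = []
    url = message.get("request", {}).get("url", "")
    for where in ("request", "response"):
        part = message.get(where, {})
        # Flatten body and headers into searchable strings.
        blobs = [part.get("body", "")] + [f"{k}: {v}" for k, v in part.get("headers", {}).items()]
        for rule_id, description, pattern in RULES:
            hit = next((m for m in map(pattern.search, blobs) if m), None)
            if hit:
                findings.append({"rule": rule_id, "where": where, "url": url,
                                 "description": description, "sensitiveData": hit.group(0)})
    return findings

def process(message):
    """Pipeline stage: return the message with findings attached, so the next
    tool in the chain still receives valid JSON on stdin."""
    return {**message, "sensitive_data_findings": find_sensitive_data(message)}

if __name__ == "__main__":
    # With piped input act as a filter; otherwise demo on the embedded sample.
    msg = SAMPLE_MESSAGE if sys.stdin.isatty() else json.load(sys.stdin)
    json.dump(process(msg), sys.stdout, indent=2)
    print()
```

Run it as `cat demo-request.json | python3 filter.py` to see the filter behaviour, or without piped input to see the embedded sample scanned.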
APICheck tools
This page contains a list of the currently available tools.
APICheck tools
Replay HTTP Requests
Replays an HTTP conversation, capturing the new responses obtained
Send data to a proxy server
Read a request from stdin and send it to a proxy
APICheck proxy
Launch a local proxy, intercept requests / responses and perform some actions on them
acurl
curl with reqres output
Sensitive data detector
Find sensitive data in HTTP Request / Response / Headers
JWT token validator
Validates issued JWT tokens to check for common pitfalls
Edge tools
OpenAPI v2 Linter
Lint the endpoint specification provided using OpenAPI v2 spec
OpenAPI v3 checker
Check the endpoint specification provided using OpenAPI v3 spec
OpenAPI v3 Linter
Lint the endpoint specification provided using OpenAPI v3 spec