Full Code of yogsec/API-Pentesting-Tools for AI

Repository: yogsec/API-Pentesting-Tools
Branch: main
Commit: d648ee784ed7
Files: 3
Total size: 22.4 KB

Directory structure:
gitextract_jwsxre7f/

├── .github/
│   └── FUNDING.yml
├── LICENSE
└── README.md

================================================
FILE CONTENTS
================================================

================================================
FILE: .github/FUNDING.yml
================================================
# These are supported funding model platforms

github: #[yogsec]
patreon: # Replace with a single Patreon username
open_collective: # Replace with a single Open Collective username
ko_fi: yogsec
tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
liberapay: # Replace with a single Liberapay username
issuehunt: # Replace with a single IssueHunt username
lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
polar: # Replace with a single Polar username
buy_me_a_coffee: # Replace with a single Buy Me a Coffee username
thanks_dev: # Replace with a single thanks.dev username
custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']


================================================
FILE: LICENSE
================================================
MIT License

Copyright (c) 2025 YogSec

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


================================================
FILE: README.md
================================================
# API Pentesting Tools

![API Pentesting Tools](https://media2.giphy.com/media/v1.Y2lkPTc5MGI3NjExeHhzM3plejZjYmdxeXk5bmx1ZDY0aGM3dnUwMTBkNzA1dXd5cmM1MyZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/137EaR4vAOCn1S/giphy.gif)

API Pentesting Tools is an open-source list designed to automate and streamline the process of penetration testing APIs. It helps security researchers and bug bounty hunters identify common vulnerabilities in RESTful and GraphQL APIs.

<div align="center">
      <a href="https://www.whatsapp.com/channel/0029Vb68FeRFnSzGNOZC3h3x"><img src="https://img.shields.io/static/v1?style=for-the-badge&amp;message=WhatsApp+Channel&amp;color=25D366&amp;logo=&amp;logoColor=FFFFFF&amp;label=" alt="WhatsApp Channel"></a>
  <a href="https://t.me/HackerSecure"><img src="https://img.shields.io/static/v1?style=for-the-badge&amp;message=Telegram+Channel&amp;color=24A1DE&amp;logo=&amp;logoColor=FFFFFF&amp;label=" alt="Telegram Channel"></a>
  <a href="https://www.linkedin.com/in/cybersecurity-pentester/"><img src="https://img.shields.io/static/v1?style=for-the-badge&amp;message=LinkedIn&amp;color=0A66C2&amp;logo=LinkedIn&amp;logoColor=FFFFFF&amp;label=" alt="LinkedIn"></a>
  <a href="https://linktr.ee/yogsec"><img src="https://img.shields.io/static/v1?style=for-the-badge&amp;message=LinkTree&amp;color=25D366&amp;logo=&amp;logoColor=FFFFFF&amp;label=" alt="WhatsApp Channel"></a>
  <a href="https://x.com/home"><img src="https://img.shields.io/static/v1?style=for-the-badge&amp;message=X&amp;color=000000&amp;logo=&amp;logoColor=FFFFFF&amp;label=" alt="Lichess"></a>
  <a href="mailto:abhinavsingwal@gmail.com?subject=Hi%20YogSec%20,%20nice%20to%20meet%20you!"><img alt="Email" src="https://img.shields.io/static/v1?style=for-the-badge&amp;message=Gmail&amp;color=EA4335&amp;logo=Gmail&amp;logoColor=FFFFFF&amp;label="></a>
  <a href="https://yogsec.github.io/yogsec/"><img src="https://img.shields.io/static/v1?style=for-the-badge&amp;message=Website&amp;color=FFFFC5&amp;logo=&amp;logoColor=FFFFFF&amp;label=" alt="Telegram Channel"></a>  
  
</div>

---
## Methods of API Pentesting
API penetration testing involves several methodologies to assess security weaknesses:

1. **Reconnaissance** - Gathering information about the API endpoints, technologies, and authentication mechanisms.
2. **Authentication Testing** - Checking for weak or broken authentication mechanisms, including token mismanagement.
3. **Authorization Testing** - Verifying access controls to prevent privilege escalation and unauthorized access.
4. **Input Validation Testing** - Identifying injection vulnerabilities like SQL, NoSQL, and command injection.
5. **Rate Limiting & DoS Testing** - Evaluating API rate limits and potential Denial-of-Service (DoS) risks.
6. **Security Headers & CORS Testing** - Checking HTTP security headers and CORS configurations for misconfigurations.
7. **Session Management Testing** - Analyzing session tokens and cookies for hijacking vulnerabilities.
8. **Business Logic Testing** - Testing API workflows for logic flaws that could be abused.
9. **Fuzzing** - Sending unexpected inputs to uncover potential flaws in API handling.
10. **Logging & Monitoring Testing** - Ensuring security events are properly logged and monitored.

---

## Reconnaissance Tools for API Testing

Reconnaissance is the first phase of API penetration testing, where testers gather information about the target API to identify potential attack surfaces.

1. **[Nmap](https://nmap.org/)** – Scans for open ports, services, and API endpoints.
2. **[Amass](https://github.com/OWASP/Amass)** – Performs subdomain enumeration to discover API hosts.
3. **[Subfinder](https://github.com/projectdiscovery/subfinder)** – Finds subdomains that might host APIs.
4. **[crt.sh](https://crt.sh/)** – Searches for API subdomains in SSL certificates.
5. **[MassDNS](https://github.com/blechschmidt/massdns)** – Resolves and finds hidden API domains.
6. **[Aquatone](https://github.com/michenriksen/aquatone)** – Visual reconnaissance of API endpoints.
7. **[httprobe](https://github.com/tomnomnom/httprobe)** – Checks which API endpoints are live.
8. **[Waybackurls](https://github.com/tomnomnom/waybackurls)** / **[Gau](https://github.com/lc/gau)** – Finds archived API endpoints.
9. **[ffuf](https://github.com/ffuf/ffuf)** – Fuzzes for hidden API paths.
10. **[Kiterunner](https://github.com/assetnote/kiterunner)** – Discovers undocumented API endpoints.
11. **[Swagger Editor](https://editor.swagger.io/)** – Parses API documentation for potential endpoints.
12. **[GraphQL Voyager](https://github.com/APIs-guru/graphql-voyager)** – Analyzes GraphQL API schemas.
13. **[Burp Suite](https://portswigger.net/burp)** – Passive API endpoint discovery through traffic analysis.
14. **[Google Dorking](https://www.exploit-db.com/google-hacking-database)** – Finds exposed API endpoints via search engines.
15. **[Shodan](https://www.shodan.io/)** – Searches for exposed APIs running on specific technologies.

---

## Authentication Testing Tools for API Testing

Authentication testing focuses on verifying the security of API authentication mechanisms, such as API keys, JWTs, OAuth, and session tokens.

1. **[Burp Suite](https://portswigger.net/burp)** – Intercepts and manipulates authentication requests.
2. **[Postman](https://www.postman.com/)** – Manually tests API authentication flows.
3. **[JWT_TOOL](https://github.com/ticarpi/jwt_tool)** – Tests vulnerabilities in JWT authentication.
4. **[AuthAnalyzer (Burp Extension)](https://github.com/s0md3v/AuthAnalyzer)** – Analyzes authentication mechanisms.
5. **[OWASP ZAP](https://www.zaproxy.org/)** – Identifies authentication-related vulnerabilities.
6. **[SAML Raider](https://github.com/SAMLRaider/SAMLRaider)** – Tests SAML authentication security.
7. **[OAuth2 Proxy](https://github.com/oauth2-proxy/oauth2-proxy)** – Analyzes OAuth2 authentication flows.
8. **[Kerbrute](https://github.com/ropnop/kerbrute)** – Brute-forces Kerberos authentication.
9. **[TokenSpray](https://github.com/0xZDH/TokenSpray)** – Tests API token authentication by spraying leaked tokens.
10. **[CyberChef](https://gchq.github.io/CyberChef/)** – Decodes and analyzes authentication tokens.
11. **[HackBrowserData](https://github.com/moonD4rk/HackBrowserData)** – Extracts stored API credentials from browsers.
12. **[mitmproxy](https://mitmproxy.org/)** – Intercepts and modifies API authentication requests.
13. **[GraphQL Raider](https://github.com/doyensec/GraphQL-raider)** – Tests authentication in GraphQL APIs.
14. **[AQUATONE](https://github.com/michenriksen/aquatone)** – Discovers authentication endpoints in APIs.
15. **[ffuf](https://github.com/ffuf/ffuf)** – Brute-forces authentication tokens and session IDs.

---

## Authorization Testing Tools for API Testing

Authorization testing ensures that users and API clients can only access resources they are permitted to. It helps identify vulnerabilities like IDOR, privilege escalation, and role-based access control (RBAC) flaws.

1. **[Burp Suite](https://portswigger.net/burp)** – Manipulates API requests to test authorization flaws.
2. **[Postman](https://www.postman.com/)** – Manually modifies headers, tokens, and roles for access control testing.
3. **[Autorize (Burp Extension)](https://github.com/Quitten/Autorize)** – Automatically checks authorization vulnerabilities.
4. **[JWT_TOOL](https://github.com/ticarpi/jwt_tool)** – Analyzes and manipulates JWT tokens to test privilege escalation.
5. **[OWASP ZAP](https://www.zaproxy.org/)** – Identifies API authorization weaknesses.
6. **[GraphQL Raider](https://github.com/doyensec/GraphQL-raider)** – Explores GraphQL authorization issues.
7. **[Arjun](https://github.com/s0md3v/Arjun)** – Detects hidden parameters that might bypass authorization.
8. **[AuthMatrix (Burp Extension)](https://github.com/SecurityInnovation/AuthMatrix)** – Tests role-based access control (RBAC) vulnerabilities.
9. **[ffuf](https://github.com/ffuf/ffuf)** – Fuzzes API endpoints for unauthorized access.
10. **[Hoppscotch](https://hoppscotch.io/)** – Tests API authorization with different user roles.
11. **[mitmproxy](https://mitmproxy.org/)** – Intercepts and modifies API requests to test access control.
12. **[Google Dorking](https://www.exploit-db.com/google-hacking-database)** – Finds exposed endpoints with weak authorization.
13. **[IAM Vulnerability Scanner](https://github.com/nccgroup/iam-vulnerability-scanner)** – Identifies IAM misconfigurations in APIs.
14. **[GraphQL Voyager](https://github.com/APIs-guru/graphql-voyager)** – Visualizes GraphQL permissions to detect flaws.
15. **[CyberChef](https://gchq.github.io/CyberChef/)** – Decodes and analyzes authorization tokens.

---

## Input Validation Testing Tools for API Testing

Input validation testing ensures that APIs properly sanitize and handle user inputs to prevent attacks like SQL injection, command injection, and XSS.

1. **[Burp Suite](https://portswigger.net/burp)** – Fuzzes and manipulates API parameters for injection attacks.
2. **[Postman](https://www.postman.com/)** – Sends crafted inputs to test validation mechanisms.
3. **[OWASP ZAP](https://www.zaproxy.org/)** – Identifies input validation flaws in API endpoints.
4. **[SQLmap](https://sqlmap.org/)** – Detects and exploits SQL injection vulnerabilities.
5. **[Commix](https://github.com/commixproject/commix)** – Tests for command injection vulnerabilities.
6. **[XSStrike](https://github.com/s0md3v/XSStrike)** – Detects and exploits XSS vulnerabilities in API responses.
7. **[ffuf](https://github.com/ffuf/ffuf)** – Fuzzes API endpoints for input-based vulnerabilities.
8. **[Arjun](https://github.com/s0md3v/Arjun)** – Finds hidden API parameters that may lack validation.
9. **[WFuzz](https://github.com/xmendez/wfuzz)** – Automates fuzzing attacks against API input fields.
10. **[Nikto](https://cirt.net/Nikto2)** – Scans APIs for common misconfigurations and vulnerabilities.
11. **[NoSQLMap](https://github.com/codingo/NoSQLMap)** – Detects NoSQL injection vulnerabilities.
12. **[GraphQL Raider](https://github.com/doyensec/GraphQL-raider)** – Finds input validation flaws in GraphQL APIs.
13. **[CyberChef](https://gchq.github.io/CyberChef/)** – Encodes and decodes inputs to bypass filters.
14. **[mitmproxy](https://mitmproxy.org/)** – Intercepts and modifies API requests to test input validation.
15. **[KNOXSS](https://knoxss.me/)** – Automated XSS scanner for API responses.

---

## Rate Limiting & DoS Testing Tools for API Testing

Rate limiting and Denial-of-Service (DoS) testing helps identify vulnerabilities that could allow attackers to overload an API with excessive requests.

1. **[Burp Suite](https://portswigger.net/burp)** – Tests API rate limits by automating rapid requests.
2. **[Postman](https://www.postman.com/)** – Manually sends repeated requests to observe rate-limiting behavior.
3. **[OWASP ZAP](https://www.zaproxy.org/)** – Automates request bursts to test API rate limitations.
4. **[Slowloris](https://github.com/gkbrk/slowloris)** – Simulates low-bandwidth DoS attacks against APIs.
5. **[hping3](https://github.com/antirez/hping)** – Generates high-traffic API requests for stress testing.
6. **[Taurus](https://gettaurus.org/)** – Load tests APIs to measure their rate-limiting responses.
7. **[Gatling](https://gatling.io/)** – Simulates API load testing to identify performance bottlenecks.
8. **[Apache JMeter](https://jmeter.apache.org/)** – Performs high-load API testing to detect rate-limiting issues.
9. **[ffuf](https://github.com/ffuf/ffuf)** – Sends high-frequency requests to test rate limits.
10. **[K6](https://k6.io/)** – Load testing tool for evaluating API performance under heavy requests.
11. **[Locust](https://locust.io/)** – Distributed load testing tool for stress testing APIs.
12. **[Artillery](https://www.artillery.io/)** – Scalable load testing tool for DoS and rate-limiting validation.
13. **[Tsunami Security Scanner](https://github.com/google/tsunami-security-scanner)** – Identifies API rate-limiting weaknesses.
14. **[Metasploit (auxiliary modules)](https://www.metasploit.com/)** – Simulates DoS attacks on API endpoints.
15. **[Boofuzz](https://github.com/jtpereyda/boofuzz)** – Fuzzes API endpoints to detect rate-limiting bypass vulnerabilities.

---

## Security Headers & CORS Testing Tools for API Testing

Security headers and CORS (Cross-Origin Resource Sharing) testing helps identify misconfigurations that can lead to data exposure, unauthorized access, or security bypasses.

1. **[Burp Suite](https://portswigger.net/burp)** – Tests and manipulates security headers and CORS policies.
2. **[OWASP ZAP](https://www.zaproxy.org/)** – Identifies insecure CORS configurations and missing security headers.
3. **[Postman](https://www.postman.com/)** – Manually inspects API responses for CORS-related issues.
4. **[Curl](https://curl.se/)** – Fetches API responses to analyze CORS headers.
5. **[Nikto](https://cirt.net/Nikto2)** – Scans for missing security headers in API responses.
6. **[HTTP Toolkit](https://httptoolkit.tech/)** – Captures and inspects API traffic for CORS vulnerabilities.
7. **[CORS Scanner (OWASP)](https://github.com/awslabs/cors-scanner)** – Identifies CORS misconfigurations in APIs.
8. **[Mitmproxy](https://mitmproxy.org/)** – Intercepts API requests to analyze security headers and CORS policies.
9. **[SecurityHeaders.com](https://securityheaders.com/)** – Online tool for evaluating API security headers.
10. **[CSRF Tester](https://github.com/cure53/CSRF-Tester)** – Checks for CSRF vulnerabilities in APIs relying on security headers.
11. **[Header Security Tool (Mozilla Observatory)](https://observatory.mozilla.org/)** – Tests APIs for missing security headers.
12. **[Retire.js](https://github.com/RetireJS/retire.js)** – Detects outdated JavaScript libraries that could impact CORS security.
13. **[CSP Evaluator (Google)](https://csp-evaluator.withgoogle.com/)** – Tests Content Security Policy (CSP) configurations.
14. **[Nmap (http-headers script)](https://nmap.org/nsedoc/scripts/http-headers.html)** – Extracts and evaluates security headers from APIs.
15. **[TestCORS.com](https://testcors.com/)** – Online tool for checking CORS policy configurations.

---

## Session Management Testing Tools for API Testing

Session management testing ensures that APIs handle user sessions securely, preventing session hijacking, fixation, or improper session termination.

1. **[Burp Suite](https://portswigger.net/burp)** – Tests session token generation, management, and expiration.
2. **[OWASP ZAP](https://www.zaproxy.org/)** – Identifies session management flaws in API responses.
3. **[Postman](https://www.postman.com/)** – Manages and inspects session tokens in API requests.
4. **[mitmproxy](https://mitmproxy.org/)** – Intercepts and modifies session tokens for vulnerability analysis.
5. **[JWT.io](https://jwt.io/)** – Decodes and analyzes JWT tokens for security flaws.
6. **[AuthAnalyzer (Burp Extension)](https://github.com/qllone/AuthAnalyzer)** – Identifies authentication and session management issues.
7. **[Session Hijacking Toolkit](https://github.com/antichown/SessionHijackingToolkit)** – Tests API session management weaknesses.
8. **[CSRF Tester](https://owasp.org/www-project-csrfguard/)** – Assesses API session security against CSRF attacks.
9. **[Nmap (http-sessions script)](https://nmap.org/nsedoc/scripts/http-sessions.html)** – Extracts and evaluates session cookies.
10. **[Ettercap](https://www.ettercap-project.org/)** – Tests API session security in network environments.
11. **[Wireshark](https://www.wireshark.org/)** – Captures and analyzes API session tokens in network traffic.
12. **[Cookie Cadger](http://www.cookiecadger.com/)** – Detects insecure API session cookies in transit.
13. **[ModHeader (Browser Extension)](https://modheader.com/)** – Modifies session tokens for API security testing.
14. **[Session Fixation Tester](https://github.com/codingo/SessionFixationTester)** – Tests APIs for session fixation vulnerabilities.
15. **[JWT Cracker](https://github.com/brendan-rius/c-jwt-cracker)** – Attempts brute-force attacks on JWT session tokens.

---

## Business Logic Testing Tools for API Testing

Business logic testing focuses on identifying security flaws in an API’s core functionalities, ensuring that workflows, access controls, and user interactions are not exploitable.

1. **[Burp Suite (Manual Testing & Extensions)](https://portswigger.net/burp)** – Identifies logic flaws by modifying API requests.
2. **[OWASP ZAP](https://www.zaproxy.org/)** – Tests API workflows by intercepting and modifying requests.
3. **[Postman](https://www.postman.com/)** – Manually manipulates API calls to check for unexpected behavior.
4. **[Mitmproxy](https://mitmproxy.org/)** – Intercepts and modifies API traffic to analyze logic vulnerabilities.
5. **[GraphQL Voyager](https://github.com/APIs-guru/graphql-voyager)** – Analyzes GraphQL schema for logical security flaws.
6. **[Kiterunner](https://github.com/assetnote/kiterunner)** – Fuzzes API endpoints to uncover hidden logic vulnerabilities.
7. **[Fuzzapi](https://github.com/Fuzzapi)** – Automates API fuzzing to detect unusual business logic flaws.
8. **[Restler Fuzzer](https://github.com/microsoft/restler-fuzzer)** – Detects logic flaws in REST API sequences and workflows.
9. **[GraphQL Raider (Burp Extension)](https://github.com/doyensec/GraphQL-raider)** – Finds logical vulnerabilities in GraphQL APIs.
10. **[AuthMatrix (Burp Extension)](https://portswigger.net/bappstore/745fb476395d4973b7ac09b1df5c8dc8)** – Tests privilege escalation and business logic flaws.
11. **[SecApps Logic Analyzer](https://secapps.com/)** – Examines API responses for logical inconsistencies.
12. **[API Hammer](https://github.com/Azure/api-hammer)** – Simulates different API request scenarios to test workflow security.
13. **[BOLA Detector](https://github.com/BOLA-Detector)** – Identifies Broken Object Level Authorization (BOLA) issues.
14. **[GadgetProbe](https://github.com/BishopFox/GadgetProbe)** – Tests serialization vulnerabilities affecting API logic.
15. **Custom Python Scripts** – Tailor-made automation for detecting API logic flaws.
---

## Fuzzing Tools for API Testing

Fuzzing in API testing helps identify security vulnerabilities by sending malformed, unexpected, or random data to API endpoints to observe how they respond.

1. **[Burp Suite Intruder](https://portswigger.net/burp/documentation/desktop/tools/intruder)** – Automates API fuzzing with customizable payloads.
2. **[ffuf](https://github.com/ffuf/ffuf)** – Fast web fuzzer used for API endpoint discovery and fuzzing.
3. **[wfuzz](https://github.com/xmendez/wfuzz)** – CLI-based fuzzer for testing API parameters and endpoints.
4. **[Kiterunner](https://github.com/assetnote/kiterunner)** – API-specific fuzzer that brute forces undocumented endpoints.
5. **[Restler Fuzzer](https://github.com/microsoft/restler-fuzzer)** – Microsoft’s API fuzzing tool for REST APIs.
6. **[Fuzzapi](https://github.com/laluka/fuzzapi)** – Fuzzing framework for testing API security vulnerabilities.
7. **[Gfuzz](https://github.com/google/gfuzz)** – Lightweight API fuzzer for detecting input validation flaws.
8. **[Radamsa](https://gitlab.com/akihe/radamsa)** – Generates test cases by mutating API requests.
9. **[JBroFuzz](https://www.owasp.org/index.php/OWASP_JBroFuzz)** – OWASP’s fuzzing tool for testing API stability and security.
10. **[Corpus-based Fuzzing (e.g., AFL, LibFuzzer)](https://llvm.org/docs/LibFuzzer.html)** – Custom fuzzing for API responses.

---

## Logging & Monitoring Testing Tools for API Testing

Logging and monitoring are crucial for detecting security threats, ensuring compliance, and maintaining API security. These tools help analyze logs, detect anomalies, and monitor API activity.


1. **[Graylog](https://www.graylog.org/)** – Centralized log management and analysis tool for API security monitoring.
2. **[Splunk](https://www.splunk.com/)** – Provides real-time security analytics and API activity monitoring.
3. **[ELK Stack (Elasticsearch, Logstash, Kibana)](https://www.elastic.co/what-is/elk-stack)** – Open-source log analysis and monitoring platform.
4. **[OpenTelemetry](https://opentelemetry.io/)** – API observability and tracing tool for monitoring API requests.
5. **[Prometheus](https://prometheus.io/)** – Monitors API performance and detects unusual activity.
6. **[Grafana](https://grafana.com/)** – Visualizes API logs and monitoring data for security insights.
7. **[Sumo Logic](https://www.sumologic.com/)** – Cloud-based log management tool for API security analysis.
8. **[Datadog](https://www.datadoghq.com/)** – Monitors API traffic, logs, and security events.
9. **[Wazuh](https://wazuh.com/)** – Open-source security monitoring and log analysis tool.
10. **[New Relic](https://newrelic.com/)** – Tracks API performance and detects security anomalies.