API Security Tools

Author: Matt Tesauro
Contributor(s): kingthorin

APIs are becoming an increasingly large portion of the software that powers the Internet including mobile applications, single-page applications (SPAs) and cloud infrastructure. While APIs share much of the same security controls and software security issues with traditional web applications, they are different enough to make a distinction between ‘normal’ AppSec tools and ones that were built with APIs in mind. This page was created to list tools known to support APIs natively and by design.

Types of API Tools

Tools for API Security can be broken down into 3 broad categories.

  • API Security Posture: Creates an inventory of APIs, the methods exposed and classifies the data used by each method.
    • Goal: Provide visibility into the security state of a collection of APIs.
  • API Runtime Security: provides protection to APIs during their normal running and handling of API requests.
    • Goal: Detect and prevent malicious requests to an API.
  • API Security Testing: Dynamic assessment of an API’s security state.
    • Goal: Evaluate the security of a running API by interacting with the API dynamically (DAST-like behavior)

For more detailed information on the 3 categories, see slides 14 to 17 of this presentation.

The goal is to provide as comprehensive a list of API tools as possible using the input of the diverse perspectives of the OWASP community.

API Tools List

42Crunch from 42Crunch

License | Platform | API Posture | API Runtime | API Testing

Acunetix from Invicti Security

License | Platform | API Posture | API Runtime | API Testing

Akto from Akto

License | Platform | API Posture | API Runtime | API Testing Both agentless and agent options available with 50+ traffic connectors

APIClarity from APIClarity

License | Platform | API Posture | API Runtime | API Testing

APIsec from APIsec

License | Platform | API Posture | API Runtime | API Testing
License | Platform | API Posture | API Runtime | API Testing
AI-powered, fully managed API protection against OWASP API Top 10 threats, DDoS and bot attacks. Unified platform for API discovery, vulnerability scanning and protection

API Scanning from Indusface

License | Platform | API Posture | API Runtime | API Testing
A complete vulnerability analysis and penetration testing platform for APIs

API Secure from Data Theorem

License | Platform | API Posture | API Runtime | API Testing
Note: See Data Theorem API Secure Data Sheet for a complete overview of product capabilities

API Security from Imperva

License | Platform | API Posture | API Runtime | API Testing
License | Platform | API Posture | API Runtime | API Testing AppSentinels platform helps developers build secure API's as well as helps security teams in protecting their Applications from OWASP and OWASP API attacks. Delivered from cloud as well as on-prem. Highly scalable architecture . Contact at [email protected]

Aptori from Aptori

License | Platform | API Posture | API Runtime | API Testing

Astra from flipkart-incubator

License | Platform | API Posture | API Runtime | API Testing
License | Platform | API Posture | API Runtime | API Testing

Beagle Security from Beagle Cyber Innovations

License | Platform | API Posture | API Runtime | API Testing
Note: Imports Postman and OpenAPI Collections, quick configuration, supports GraphQL.

Bright from Bright Security

License | Platform | API Posture | API Runtime | API Testing

BurpSuite Professional from PortSwigger

License | Platform | API Posture | API Runtime | API Testing
Note: See PortSwigger docs for testing APIs

Cequence Security - UAP from Cequence Security

License | Platform | API Posture | API Runtime | API Testing Free Tool for finding APIs: https://apispyder.cequence.ai/

Cherrybomb from BLST Security

License | Platform | API Posture | API Runtime | API Testing

Contrast Security from Contrast Security

License | Platform | API Posture | API Runtime | API Testing
Note: Contrast performs vulnerability detection and runtime protection of APIs using an instrumentation-based approach

curl from curl

License | Platform | API Posture | API Runtime | API Testing
Note: Low level tool

Escape from Escape

License | Platform | API Posture | API Runtime | API Testing Freemium, online versions of the tool are also available:

ffuf from ffuf

License | Platform | API Posture | API Runtime | API Testing
Note: General http/web fuzzer which can also fuzz http-based APIs

FireTail from FireTail

License | Platform | API Posture | API Runtime | API Testing

graphql-cop from dolevf

License | Platform | API Posture | API Runtime | API Testing
Note: Only for testing GraphQL APIs

Hoppscotch from Hoppscotch

License | Platform | API Posture | API Runtime | API Testing
Note: Developer-centric tool

httpie from httpie

License | Platform | API Posture | API Runtime | API Testing
Note: HTTP client designed to be a user-friendly terminal app

http-tanker from PierreKieffer

License | Platform | API Posture | API Runtime | API Testing
Note: Very manual terminal program e.g. Postman in your terminal

Hurl from Orange-OpenSource

License | Platform | API Posture | API Runtime | API Testing
Note: Command line tool that runs HTTP requests defined in a simple plain text format. It can chain requests, capture values and evaluate queries on headers and body response.

ImmuniWeb Neuron from ImmuniWeb

License | Platform | API Posture | API Runtime | API Testing

Insomnia from Kong

License | Platform | API Posture | API Runtime | API Testing
Note: Developer-centric tool

Invicti Enterprise from Invicti Security

License | Platform | API Posture | API Runtime | API Testing

jerry-curl from mtesauro

License | Platform | API Posture | API Runtime | API Testing
Note: Low level curl automation

Jit from Jit

License | Platform | API Posture | API Runtime | API Testing
Note: Utilizes ZAP

Levo.ai from LEVO.AI

License | Platform | API Posture | API Runtime | API Testing

Noname API Security Platform from Noname Security

License | Platform | API Posture | API Runtime | API Testing
Note: Flexible deployment options (SaaS, hybrid, on-prem), multi-engine support, options for agentless and out-of-band or inline

Nuclei from ProjectDiscovery

License | Platform | API Posture | API Runtime | API Testing
Note: General scanning of TCP, DNS, HTTP, etc so can be used to test APIs

openapi3-fuzzer from VolkerWessels Telecom

License | Platform | API Posture | API Runtime | API Testing
Note: Low-level fuzzing tool

Pentest-Tools.com API Scanner from Pentest-Tools.com

License | Platform | API Posture | API Runtime | API Testing
Note: Discover SQLi, SSRF, and Code Injections using both Postman Collections and OpenAPI schemas.

Postman from Postman

License | Platform | API Posture | API Runtime | API Testing
Note: Developer-centric tool

Probely from Probely

License | Platform | API Posture | API Runtime | API Testing
Note: imports Postman Collections and OpenAPI schemas. Full-featured API for integrations with CI/CD

Purpleteam from Purpleteam

License | Platform | API Posture | API Runtime | API Testing
Note: Dual licensed under non-OSI approved licenses details here

Pynt from Pynt

License | Platform | API Posture | API Runtime | API Testing
Note: Automated API security testing and discovery

Rapid7 InsightAppSec from Rapid7 InsightAppSec

License | Platform | API Posture | API Runtime | API Testing

rest-assured from rest-assured

License | Platform | API Posture | API Runtime | API Testing
Note: For the Java programming language

Resurface from Resurface

License | Platform | API Posture | API Runtime | API Testing
License | Platform | API Posture | API Runtime | API Testing automated discovery, runtime protection, remediation insights in pre-prod and from runtime learnings

SoapUI from SMARTBEAR

License | Platform | API Posture | API Runtime | API Testing

StackHawk from StackHawk

License | Platform | API Posture | API Runtime | API Testing

Threatspy from Secure Blink

License | Platform | API Posture | API Runtime | API Testing

Traceable AI from Traceable AI

License | Platform | API Posture | API Runtime | API Testing
Discovery, posture management, testing, protection, threat and incident analysis, fraud prevention.
Deploy out-of-band mirroring, ebpf, edge, or in-app

Wallarm from Wallarm

License | Platform | API Posture | API Runtime | API Testing

WebInspect from Fortify

License | Platform | API Posture | API Runtime | API Testing
Note: Supports SOAP, REST, Swagger/OpenAPI and Postman

Wfuzz from xmendez

License | Platform | API Posture | API Runtime | API Testing
Note: General http/web fuzzer which can also fuzz http-based APIs

Zed Attack Proxy (ZAP) from Open Source supported by Checkmarx

License | Platform | API Posture | API Runtime | API Testing
Note: See ZAP FAQ for testing APIs

SecOps Solution from SecOps Solution

License | Platform | API Posture | API Runtime | API Testing

Equixly from Equixly

License | Platform | API Posture | API Runtime | API Testing
Note: AI-powered API Security Testing

Intruder from Intruder

License | Platform | API Posture | API Runtime | API Testing
Note: Upload your OpenAPI/Swagger API schema to get complete coverage of your API endpoints

VulnAPI from CerberAuth

License | Platform | API Posture | API Runtime | API Testing
Note: Use Curl-like command or OpenAPI contract to perform API scan. An existing Github Action can perform a scan automatically before deployment.

ZeroThreat from ZeroThreat

License | Platform | API Posture | API Runtime | API Testing


Adding Tools

To add items, please add a stanza to the yaml file here or email me at matt.tesauro AT owasp.org