A curated collection of 60+ open-source tools for API security testing, penetration testing, and vulnerability research. Organized by API type and functionality.
| Tool | Description | GitHub |
|---|---|---|
| Akto | API discovery & business logic testing | akto-api-security/akto |
| APIClarity | OpenAPI spec reconstruction | openclarity/apiclarity |
| APICheck | DevSecOps toolset for REST APIs | BBVA/apicheck |
| Astra | Automated REST API security testing | flipkart-incubator/astra |
| CATS | REST API fuzzer for OpenAPI | Endava/cats |
| Cherrybomb | API spec validator | blst-security/cherrybomb |
| ffuf | Fast web fuzzer (Go) | ffuf/ffuf |
| kiterunner | Contextual content discovery | assetnote/kiterunner |
| RESTler | Stateful REST API fuzzer | microsoft/restler-fuzzer |
| mitmproxy2swagger | API reverse-engineering | alufers/mitmproxy2swagger |
| Tool | Description | GitHub |
|---|---|---|
| InQL | Burp Suite GraphQL extension | doyensec/inql |
| GraphQLmap | GraphQL pentesting engine | swisskyrepo/GraphQLmap |
| graphql-cop | GraphQL security auditor | dolevf/graphql-cop |
| clairvoyance | Schema extraction tool | nikitastupin/clairvoyance |
| graphw00f | GraphQL fingerprinting | dolevf/graphw00f |
| Tool | Description | GitHub |
|---|---|---|
| Wsdler | WSDL parser for Burp | portswigger/wsdler |
| SoapUI | API functional testing | SmartBear/soapui |
| Tool | Description | GitHub |
|---|---|---|
| ZAP | OWASP API scanner | zaproxy/zaproxy |
| Metlo | API security platform | metlo-labs/metlo |
| apisec | Multi-API security scanner | vkvbit/apisec |
| Step CI | API QA framework | stepci/stepci |
| Tool | Description | GitHub |
|---|---|---|
| gau | URL discovery tool | lc/gau |
| gitGraber | GitHub secrets monitor | hisxo/gitGraber |
| Shhgit | Sensitive file finder | eth0izzle/shhgit |
| Masscan | High-speed port scanner | robertdavidgraham/masscan |
| Tool | Description | GitHub |
|---|---|---|
| reNgine | Automated recon framework | yogeshojha/rengine |
| HackerOne Tools | HackerOne API utilities | Hacker0x01/hackerone-tools |
| Tool | Description | GitHub |
|---|---|---|
| APIFuzzer | OpenAPI/Swagger fuzzer | localstack/apifuzzer |
| fuzz-lightyear | Stateful Swagger fuzzer | Yelp/fuzz-lightyear |
| fuzzapi | REST API fuzzing engine | fuzzapi/fuzzapi |
| TnT-Fuzzer | Swagger schema fuzzer | Teebytes/TnT-Fuzzer |
| WuppieFuzz | Coverage-guided API fuzzer | PortSwigger/wuppiefuzz |
| Tool | Description | GitHub |
|---|---|---|
| wadl-dumper | WADL endpoint extractor | pentestmonkey/wadl-dumper |
| noir | Attack surface detector | noir-crs/noir |
| Commit-stream | GitHub commit analyzer | commit-stream/commit-stream |
| unfurl | URL component analyzer | tomnomnom/unfurl |
| Tool | Description | GitHub |
|---|---|---|
| graphql-armor | GraphQL security layer | escape-technologies/graphql-armor |
| Gosec | Go code security scanner | securego/gosec |
| dredd | API contract testing | apiaryio/dredd |
| Tool | Description | GitHub |
|---|---|---|
| BatchQL | GraphQL batch attack tool | assetnote/batchql |
| graphql-path-enum | Schema path analyzer | dolevf/graphql-path-enum |
| graphql-threat-matrix | Attack framework | nettitude/graphql-threat-matrix |
| goctopus | GraphQL discovery toolkit | bregydoc/goctopus |
| Tool | Description | GitHub |
|---|---|---|
| Swagger-EZ | OpenAPI pentesting suite | swagger-ez/swagger-ez |
| OFFAT | OWASP API assessment tool | offat/offat |
| REST-Attacker | REST security framework | saschahlusiak/REST-Attacker |
| Tool | Description | GitHub |
|---|---|---|
| Optic | OpenAPI spec maintainer | opticdev/optic |
| graphql-playground | GraphQL IDE | graphql/graphql-playground |
#Disclaimer Legal Notice: These tools are for authorized security testing only. Always obtain proper permissions before testing any system.
Author: OMIXEC