Tools & Resources

API Pentesting Tools

A curated list of tools specifically designed for API reconnaissance, analysis, and exploitation.

Postman

Client / Testing
Docs

The most popular API client. Essential for manual testing, organizing collections, and automating requests.

Installation

bash 
brew install --cask postman

Burp Suite

Proxy / Scanner
Docs

The industry standard web proxy. Use it to intercept, modify, and scan API traffic.

Installation

bash 
# Download from website

Kiterunner

Reconnaissance
Docs

A high-performance API content discovery tool. Excellent for finding hidden endpoints.

Installation

bash 
brew install kiterunner

Arjun

Reconnaissance
Docs

HTTP parameter discovery suite. Finds hidden query parameters in API endpoints.

Installation

bash 
pip3 install arjun

ffuf

Fuzzing
Docs

Fast web fuzzer written in Go. Great for directory and endpoint discovery.

Installation

bash 
go install github.com/ffuf/ffuf@latest

jwt_tool

Authentication
Docs

A toolkit for testing, tweaking, and cracking JSON Web Tokens (JWTs).

Installation

bash 
git clone https://github.com/ticarpi/jwt_tool

SQLMap

Exploitation
Docs

Automatic SQL injection and database takeover tool. Works well on API endpoints.

Installation

bash 
brew install sqlmap

InQL

GraphQL
Docs

A Burp Suite extension for GraphQL security testing. Introspection, scanner, and more.

Installation

bash 
# Install via Burp BApp Store

grpcurl

gRPC
Docs

Like curl, but for gRPC. Interact with gRPC servers from the command line.

Installation

bash 
brew install grpcurl

Amass

Reconnaissance
Docs

In-depth attack surface mapping and asset discovery.

Installation

bash 
brew install amass

Related Topics

← Back to API Pentesting

Overview of API security testing

API Reconnaissance

Discovery techniques

GraphQL Testing

GraphQL-specific tools in action

Burp Suite Cheatsheet

Essential proxy tool