API Pentesting Tools
A curated list of tools specifically designed for API reconnaissance, analysis, and exploitation.
Postman (Client / Testing)
The most popular API client. Essential for manual testing, organizing collections, and automating requests.
Installation:
  brew install --cask postman

Burp Suite (Proxy / Scanner)
The industry standard web proxy. Use it to intercept, modify, and scan API traffic.
Installation:
  # Download from website

Kiterunner (Reconnaissance)
A high-performance API content discovery tool. Excellent for finding hidden endpoints.
Installation:
  brew install kiterunner

Arjun (Reconnaissance)
HTTP parameter discovery suite. Finds hidden query parameters in API endpoints.
Installation:
  pip3 install arjun

ffuf (Fuzzing)
Fast web fuzzer written in Go. Great for directory and endpoint discovery.
Installation:
  go install github.com/ffuf/ffuf@latest

jwt_tool (Authentication)
A toolkit for testing, tweaking, and cracking JSON Web Tokens (JWTs).
Installation:
  git clone https://github.com/ticarpi/jwt_tool

SQLMap (Exploitation)
Automatic SQL injection and database takeover tool. Works well on API endpoints.
Installation:
  brew install sqlmap

InQL (GraphQL)
A Burp Suite extension for GraphQL security testing. Introspection, scanner, and more.
Installation:
  # Install via Burp BApp Store

grpcurl (gRPC)
Like curl, but for gRPC. Interact with gRPC servers from the command line.
Installation:
  brew install grpcurl

Amass (Reconnaissance)
In-depth attack surface mapping and asset discovery.
Installation:
  brew install amass

Nuclei (Scanning)
Fast, template-based vulnerability scanner. Has hundreds of API-specific templates for common misconfigurations and CVEs.
Installation:
  go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

Caido (Proxy / Testing)
Modern web security proxy — a lightweight Burp Suite alternative with a clean UI, built-in replay, and HTTPQL query language.
Installation:
  # Download from caido.io

graphql-cop (GraphQL)
Security auditing tool for GraphQL. Checks introspection, batching, field suggestions, persisted queries, and DoS vectors.
Installation:
  pip3 install graphql-cop

mitmproxy (Proxy / Scripting)
Interactive TLS-capable intercepting proxy. Scriptable in Python. Excellent for automated API traffic manipulation and gRPC interception.
Installation:
  brew install mitmproxy

HTTPie (Client / Testing)
User-friendly HTTP client for the terminal. Great for quick manual API testing with readable output and session support.
Installation:
  brew install httpie

API Pentesting Quick Reference
Hackers Manifest - hackersmanifest.com
Reconnaissance
ffuf -u https://target.com/FUZZ -w api-endpoints.txt
kr scan https://target.com -w routes-large.kite
arjun -u https://target.com/api/users -m GET
curl -s https://target.com/swagger.json | jq .
JWT Attacks (jwt_tool)
python3 jwt_tool.py JWT -X a                 # none alg
python3 jwt_tool.py JWT -C -d rockyou        # brute
python3 jwt_tool.py JWT -X k -pk pub.pem     # confusion
hashcat -m 16500 jwt.txt rockyou.txt         # hashcat
BOLA / BFLA Testing
# Swap object IDs between two accounts
GET /api/users/VICTIM_ID          (with attacker token)
GET /api/admin/users              (non-admin token)
PUT /api/users/1 -d role=admin
DELETE /api/users/OTHER_ID
Rate Limit Bypass Headers
X-Forwarded-For: 127.0.0.1
X-Real-IP: 10.0.0.1
CF-Connecting-IP: 1.2.3.4
True-Client-IP: 1.2.3.5
X-Originating-IP: 192.168.1.1
GraphQL
graphql-cop -t https://api.target.com/graphql
python3 -m clairvoyance URL -o schema.json
{"query":"{ __schema{types{name}} }"} # introspect
[{"query":"..."},{"query":"..."}] # batch
gRPC
grpcurl -plaintext HOST:PORT list
grpcurl -plaintext HOST:PORT describe SVC
grpcurl -plaintext -d '{"id":1}' HOST SVC/Method
grpcui -plaintext HOST:PORT # web UI
protoc --decode_raw < captured.bin
Generated from Hackers Manifest | For authorized security testing only | hackersmanifest.com