# Tools & Resources

## Hacking Tools:

1. [Arjun](https://github.com/s0md3v/Arjun)   `Arjun helps find query parameters for URL endpoints.`
2. [Burp Suite](https://portswigger.net/burp)
3. [EthicalCheck](https://www.ethicalcheck.dev/)  `EthicalCheck performs automated, instantaneous API security scans covering the OWASP API Top 10.`
4. [dnsdumpster](https://dnsdumpster.com/)  `DNSdumpster is a free domain research tool that can discover hosts related to a domain. Finding visible hosts from the attacker's perspective is an important part of the security assessment process.`
5. [gobuster](https://github.com/OJ/gobuster)  `Gobuster is used to brute-force URIs (directories and files) on web sites, DNS subdomains, virtual host names on target web servers, and open Amazon S3 buckets.`
6. [jwt\_tool](https://github.com/ticarpi/jwt_tool)   `JWT_Tool is a toolkit for testing, tweaking and cracking JSON Web Tokens.`
7. [kiterunner](https://github.com/assetnote/kiterunner)  `Kiterunner is a tool that performs traditional content discovery, and also bruteforces routes/endpoints in modern applications.`
8. [trufflehog](https://github.com/trufflesecurity/trufflehog)  `TruffleHog helps discover exposed secrets.`
9. [wfuzz](https://www.kali.org/tools/wfuzz)  `Wfuzz is a tool designed for brute-forcing web applications. It can be used to find resources that are not linked (directories, servlets, scripts, etc.), brute-force GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), brute-force form parameters (user/password), fuzz, etc.`
10. [mitmproxy](https://mitmproxy.org/) `mitmproxy is a free and open source interactive HTTPS proxy.`
11. [mitmproxy2swagger](https://github.com/alufers/mitmproxy2swagger)  `Converts mitmproxy captures to OpenAPI 3.0 specifications. Automatically reverse-engineer REST APIs by just running the apps and capturing the traffic.`
12. nmap
13. sqlmap
14. ZAP

## Burp Extension:

1. **AUTORIZE**  `Autorize is an extension that helps automate authorization testing, particularly for BOLA vulnerabilities.`
2. **GRAPHQL RAIDER**  `GraphQL Raider is an extension that will aid us in our attacks against GraphQL APIs.`
3. **IP ROTATE**  `IP Rotate allows you to alter the IP address you are attacking from to indicate different cloud hosts in different regions.`
4. **BYPASS WAF**  `The WAF Bypass extension adds some basic headers to your requests in order to bypass some web application firewalls (WAFs). Some WAFs can be tricked by the inclusion of certain IP headers in the request; WAF Bypass saves you from manually adding headers such as X-Originating-IP, X-Forwarded-For, X-Remote-IP, and X-Remote-Addr.`

### API Research Sites

[APIs Guru](https://apis.guru/)

Our goal is to create a machine-readable Wikipedia for Web APIs in the OpenAPI Specification format.

[Github](https://github.com/)

Try using parameters such as:

* filename:swagger.json
* extension:.json

[Google](https://www.google.com/)

Google: try advanced searches to discover API information, for example:

* inurl:"/wp-json/wp/v2/users" - Finds all publicly available WordPress API user directories.
* intitle:"index.of" intext:"api.txt" - Finds publicly available API key files.
* inurl:"/api/v1" intext:"index of /" - Finds potentially interesting API directories.
* ext:php inurl:"api.php?action=" - Finds all sites with a XenAPI SQL injection vulnerability.
* intitle:"index of" api\_key OR "api key" OR apiKey -pool - This lists potentially exposed API keys.

[Postman Explore](https://www.postman.com/explore/apis)

Browse the largest network of APIs, workspaces, and collections by developers across the planet.

[ProgrammableWeb](https://www.programmableweb.com/apis/directory)

ProgrammableWeb is the go-to source for API-related information. To learn about APIs, you can use its API University.

[Public APIs Github Project](https://github.com/public-apis/public-apis)

A collective list of free APIs.

[RapidAPI Hub](https://rapidapi.com/search)

Browse the best premium and free APIs on the world's largest API Hub.

[Shodan](https://www.shodan.io/)

Shodan is a search engine that lets users search for various types of servers connected to the internet using a variety of filters. You can use Shodan to discover external-facing APIs and get information about your target’s open ports.

[Wayback Machine](https://archive.org/)

The Wayback Machine is a digital archive of the World Wide Web. This site allows you to check out historical changes to your target and potentially previously published APIs/endpoints.

### Password Lists

[Common User Password Profiler](https://github.com/Mebus/cupp)

The aim of the CUPP is to generate common passwords based on the input that you will give for your target.

[Mentalist](https://github.com/sc0tfree/mentalist)

Mentalist is a graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper.

[Rockyou.txt](https://www.apisecuniversity.com/api-tools-and-resources)

Rockyou.txt is a common password list that is included in Kali Linux. This file is located here: /usr/share/wordlists/rockyou.txt.gz

### Vulnerable APIs

[DVWS-node](https://github.com/snoopysecurity/dvws-node)

Damn Vulnerable Web Services is a vulnerable application with a web service and an API that can be used to learn about webservices/API related vulnerabilities.

[OWASP DevSlop Pixi](https://github.com/DevSlop/Pixi)

Pixi is a MongoDB, Express.js, Angular, Node (MEAN) stack web application that was designed with deliberately vulnerable APIs.

[OWASP Juice Shop](https://github.com/juice-shop/juice-shop)

Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications.

[REST API Goat](https://github.com/optiv/rest-api-goat)

This is a "Goat" project so you can get familiar with REST API testing. There is an included Postman project so you can see how everything is meant to be called.

[VAmPI](https://github.com/erev0s/VAmPI)

VAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs.

[Websheep](https://github.com/marmicode/websheep)

Websheep is an app based on willingly vulnerable RESTful APIs.

[crAPI](https://github.com/OWASP/crAPI)

Completely Ridiculous API (crAPI) will help you to understand the ten most critical API security risks. crAPI is vulnerable by design, but each of the vulnerabilities can still be found in the wild. It's a good target while learning.

[vAPI](https://github.com/roottusk/vapi)

vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios through exercises.
