30 open-source projects similar to imperva/automatic-api-attack-tool, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Automatic Api Attack Tool alternative.
RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.
Astra is a security analysis system and scanner designed to identify vulnerabilities and security flaws in REST API endpoints. It functions as a security testing tool that automatically detects common API weaknesses during development and deployment cycles. The project provides a graphical interface for triggering and monitoring security scanning processes, removing the requirement for manual command line execution. This management UI allows for the oversight of scanning workflows and the retrieval of vulnerability reports. The system supports the import of collection files to map endpoints
Proactive, Open source API security → API discovery, API Security Posture, Testing in CI/CD, Test Library with 1000+ Tests, Add custom tests, Sensitive data exposure
w3af is a web penetration testing suite and security audit framework designed to identify and exploit vulnerabilities in web applications. It functions as a vulnerability scanner that crawls targets to find injection points and a fuzzer used to discover hidden endpoints and test input validation. The project distinguishes itself by providing an intercepting HTTP proxy for capturing and modifying traffic, combined with a knowledge-base driven exploitation system. It enables the execution of security exploits to gain remote shell access and supports post-exploitation activities, such as routing
fsociety is a penetration testing framework and security tool orchestrator designed to conduct full security audits. It functions as a wrapper that integrates external security binaries into a unified, menu-driven interface, providing a centralized system for command-line parameter mapping and execution. The project distinguishes itself by organizing specialized utilities into domain-specific collections for structured navigation. It automates the transition between different phases of an audit by chaining reconnaissance and exploitation tools through sequential workflow automation. The fram
SSRF (Server Side Request Forgery) testing resources
PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.
p0wny@shell:~# is a very basic, single-file, PHP shell. It can be used to quickly execute commands on a server when pentesting a PHP application. Use it with caution: this script represents a security risk for the server.
Universal MCP-Server for your Databases optimized for LLMs and AI-Agents.
OSS-Fuzz is a distributed, containerized platform for continuous fuzzing and memory safety analysis. It functions as a bug hunting infrastructure that identifies security vulnerabilities and stability bugs through automated, coverage-guided fuzz testing across a scalable cluster of containers. The system provides a continuous security testing pipeline that manages the entire lifecycle of vulnerability discovery, from bootstrapping project templates and compiling targets to executing long-running batch tests. It specifically focuses on memory safety, utilizing sanitizers to detect buffer overf
Dump all available paths and/or endpoints on WADL file.
mitmproxy2swagger is a tool that transforms captured mitmproxy network traffic into structured OpenAPI schemas for reverse-engineering REST APIs. It functions as an OpenAPI schema converter and network traffic documentation utility, extracting API endpoints and data structures from captured network packets to create formal technical references. The tool enables the reconstruction of undocumented APIs by converting intercepted HTTP request and response patterns into specifications. It supports merging multiple traffic capture files into a single schema to incrementally expand an API map and ut
tplmap is a security tool designed for the detection and exploitation of server-side template injection vulnerabilities. It functions as an automated scanner to identify vulnerable template engine contexts and provides a framework for achieving remote code execution. The tool focuses on translating high-level requests into engine-specific syntax to execute operating system commands and bypass application sandboxes. It further enables remote file system access, allowing users to read, write, and transfer files between a local machine and a target server. Additional capabilities include the ab
A high performance offensive security tool for reconnaissance and vulnerability scanning
This tool is a command-line utility designed for automated web resource discovery, fuzzing, and application structure mapping. It functions as a security-focused scanner that identifies hidden files, directories, parameters, and virtual hosts by injecting payloads into HTTP requests. By systematically testing how servers handle various inputs, it assists in mapping the architecture of web applications and uncovering potential security vulnerabilities. The tool distinguishes itself through a highly concurrent engine that manages asynchronous request execution and recursive job orchestration. I
An API security tool to capture and analyze API traffic, test API endpoints, reconstruct Open API specification, and identify API security risks.
Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods.
ysoserial is a security research tool and payload generator designed to identify and exploit insecure Java deserialization. It functions as a framework for creating malicious serialized objects that can trigger remote code execution on Java virtual machines. The project provides a library of known gadget chains, which are sequences of vulnerable class calls that achieve arbitrary command execution during the deserialization process. It automates the generation of these payloads by leveraging common third-party libraries. The tool covers capabilities for security penetration testing, Java app
Fuzzapi is a tool used for REST API pentesting and uses API_Fuzzer gem
fuzzdb is a collection of datasets designed for web application penetration testing and dynamic fuzzing. It provides a fuzzing payload dictionary, a resource discovery wordlist, and a fault injection dataset containing corrupted Unicode, null bytes, and escape codes to trigger application crashes and logic errors. The project includes a security filter bypass list featuring polyglots and encoded strings to evade web application firewalls and input validation filters. It also provides a comprehensive web application penetration testing dataset specifically for identifying flaws such as cross-s
a ruggedization framework that embodies the principle "be mean to your code"
CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. CATS automatically generates, runs and reports tests with minimum configuration and no coding effort. Tests are self-healing and do not require maintenance.
GitTools is a collection of security utilities designed to identify, scan, and exploit exposed version control directories on web servers. The project provides tools to locate publicly accessible Git directories and extract their contents to identify information leaks. The suite includes capabilities for downloading files and folder structures from remote repositories even when directory listing is disabled. It also features a recovery system that iterates through commit objects to restore content from incomplete or corrupted version control data.
APIKit:Discovery, Scan and Audit APIs Toolkit All In One.