🔎 Dynamic Application Security Testing (DAST) Tools

Tools that send requests to running APIs to detect vulnerabilities.

Burp Suite (Commercial / Free Edition Available)

The industry-standard tool for web application and API security testing, built around a proxy that intercepts traffic and feeds it to its scanner.

  • Intercept and modify HTTP requests/responses
  • Automated scanning (SQL Injection, XSS, etc.)
  • Intruder: Parameter fuzzing
  • Repeater: Manual request replay and verification
  • Rich extension ecosystem (BApp Store)

API Testing Tips

Import an OpenAPI/Swagger definition to automatically crawl and test all endpoints.

OWASP ZAP (Free / OSS)

An open-source security testing tool developed by OWASP. Easy to integrate into CI/CD pipelines.

  • Active scan / Passive scan
  • Import API definitions (OpenAPI, GraphQL)
  • CI/CD integration (GitHub Actions, Jenkins)
  • Headless execution with Docker support
  • Custom tests via scripting

API Scanning with ZAP Docker (Bash)

# Mount the working directory as /zap/wrk so report.html is written to the host
# instead of disappearing with the container
docker run -v "$(pwd):/zap/wrk/:rw" -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t https://api.example.com/openapi.json \
  -f openapi \
  -r report.html

🧪 API Testing & Development Tools

Postman (Free / Commercial)

The go-to tool for API development and testing. Also useful for security testing.

  • Organize test cases with the Collections feature
  • Switch between staging/production with environment variables
  • Auto-acquire tokens with Pre-request Scripts
  • Automate response validation in the Tests tab
  • Run from CI/CD with Newman (CLI)

Postman Test Script Example (JavaScript)

// Status code validation
pm.test("Status is 200", () => {
  pm.response.to.have.status(200);
});

// Security header validation
pm.test("Security headers present", () => {
  pm.response.to.have.header("X-Content-Type-Options");
  pm.response.to.have.header("Strict-Transport-Security");
});

// Check for sensitive data exposure
pm.test("No sensitive data exposed", () => {
  const body = pm.response.json();
  pm.expect(body).to.not.have.property("password");
  pm.expect(body).to.not.have.property("password_hash");
  pm.expect(body).to.not.have.property("secret");
});

curl + jq (Free / CLI)

Quick API testing from the command line. Easy to script and automate.

  • Available in any environment
  • Automate with shell scripts
  • Parse JSON responses with jq
  • Detailed HTTP header inspection

Security Header Check (Bash)

# Dump the response headers and discard the body
curl -s -D - -o /dev/null https://api.example.com/health

# Attempt access without authentication; print only the status code (expect 401/403, not 200)
curl -s -o /dev/null -w "%{http_code}\n" https://api.example.com/api/users

# BOLA test (accessing another user's resource with your own token; expect 403/404, never that user's data)
curl -s -H "Authorization: Bearer $TOKEN" \
  https://api.example.com/api/users/OTHER_USER_ID

📊 Static Analysis (SAST) & Software Composition Analysis (SCA)

Semgrep (Free / OSS)

A pattern-based static analysis tool. Easy to create custom rules.

  • Multi-language support (JS, Python, Go, Java, etc.)
  • Built-in security rule sets
  • Easy CI/CD integration
  • Define custom rules in YAML
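An added example of such a custom rule (written for this page, not taken from the Semgrep project): it flags Express routes whose middleware chain never includes the authentication middleware. The middleware name requireAuth, the app/router variable names and the /health allow-list are assumptions to adapt to your code base.

```yaml
# Custom Semgrep rule (added example, not from the page or the Semgrep project).
# Flags Express route registrations whose middleware chain never includes the
# project's authentication middleware. Assumed names: the middleware is called
# requireAuth, routes hang off `app` or `router`, and /health is public.
rules:
  - id: express-route-missing-auth-middleware
    languages: [javascript, typescript]
    severity: WARNING
    message: >-
      Route $PATH is registered without requireAuth. Every non-public endpoint
      must enforce authentication before the request reaches its handler.
    metadata:
      category: security
      references:
        - https://owasp.org/API-Security/
    patterns:
      # Any route registration with at least one handler/middleware argument...
      - pattern: $APP.$METHOD($PATH, $HANDLER, ...)
      - metavariable-regex:
          metavariable: $APP
          regex: ^(app|router)$
      - metavariable-regex:
          metavariable: $METHOD
          regex: ^(get|post|put|patch|delete|all)$
      # ...unless requireAuth (or a requireAuth(...) factory call) appears
      # anywhere in the argument list...
      - pattern-not: $APP.$METHOD($PATH, ..., requireAuth, ...)
      - pattern-not: $APP.$METHOD($PATH, ..., requireAuth(...), ...)
      # ...or the path is on the short, reviewed list of public endpoints.
      - pattern-not: $APP.$METHOD("/health", ...)
```

Save it as, for example, rules/express-auth.yml and run `semgrep --config rules/express-auth.yml ./src`; the rule can sit beside the built-in `p/security-audit` set in the same invocation.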

Snyk (Free Tier Available)

Dependency vulnerability scanning and code analysis.

  • Dependency scanning for npm, pip, Maven, etc.
  • Automatic detection of known CVEs
  • Auto-generate fix PRs
  • Container image scanning

npm audit / Trivy (Free)

Vulnerability checking for package managers and containers.

  • npm audit: Node.js packages
  • pip audit: Python packages
  • Trivy: Containers, IaC, and file systems
  • Ideal for CI/CD gating

Dependency Vulnerability Check (Bash)

# Check Node.js runtime dependencies (npm 8+ also accepts --omit=dev)
npm audit --production

# Security scan with Semgrep
semgrep --config=p/security-audit ./src

# Container scan with Trivy; --exit-code 1 makes the CI job fail when findings exist
trivy image --severity HIGH,CRITICAL --exit-code 1 myapp:latest

๐Ÿ“ API Specification & Documentation Management

Swagger / OpenAPI (Standard Specification)

Define API specifications in a machine-readable format. Also used as input for security testing.

  • Comprehensive definition of endpoints, parameters, and responses
  • Explicit security schemes (OAuth, API Key, etc.)
  • Import into ZAP/Burp to automate testing
  • Interactive documentation generation with Swagger UI

Spectral (Free / OSS)

A linter tool for OpenAPI specifications. Checks compliance with security best practices.

  • Check for the presence of security scheme definitions
  • Detect unauthenticated endpoints
  • Enforce internal policies with custom rules
  • Quality gate for API specs in CI/CD
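An added example ruleset implementing the first two checks above (written for this page, not taken from the Spectral project). It assumes an OpenAPI 3.x document, an internal policy that every operation declares its own security requirement rather than inheriting the document-level one, and /health as the only intentionally public path.

```yaml
# .spectral.yaml (added example, not from the page or the Spectral project).
# Assumptions: OpenAPI 3.x input, per-operation security is mandatory by policy,
# and /health is the only path allowed to be unauthenticated.
extends: ["spectral:oas"]
rules:
  # 1. The document must declare at least one security scheme.
  security-schemes-defined:
    description: The document must define at least one security scheme under components.securitySchemes.
    severity: error
    given: "$.components"
    then:
      field: securitySchemes
      function: truthy

  # 2. Every operation outside the public allow-list must carry a security
  #    requirement. `truthy` fails when the field is missing entirely.
  operation-requires-auth:
    description: Operation has no security requirement; add one or add the path to the public allow-list.
    severity: error
    given: "$.paths[?(@property != '/health')][get,post,put,patch,delete]"
    then:
      field: security
      function: truthy

  # 3. An empty list passes `truthy`, but `security: []` is OpenAPI's explicit
  #    opt-out of authentication, so require at least one requirement object.
  operation-security-not-empty:
    description: "`security: []` disables authentication for this operation."
    severity: error
    given: "$.paths[?(@property != '/health')][get,post,put,patch,delete].security"
    then:
      function: length
      functionOptions:
        min: 1
```

Running `spectral lint openapi.yaml` with this file in the repository root then fails the CI step on any spec that lacks a scheme or leaves an operation unauthenticated.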

📡 Monitoring & Logging Tools

API Gateway

Kong, AWS API Gateway, Apigee, and others.

  • Centralized authentication and authorization
  • Rate limiting enforcement
  • Request log aggregation
  • Anomaly detection alerts

WAF

AWS WAF, Cloudflare, ModSecurity, and others.

  • Block attack patterns such as SQLi/XSS
  • GeoIP-based access control
  • Bot mitigation
  • Custom rule definitions

SIEM / Log Analysis

ELK Stack, Splunk, Datadog, and others.

  • API log aggregation and visualization
  • Anomalous pattern detection
  • Incident response support
  • Compliance auditing

🤖 AI Security Testing Tools

Specialized tools for testing and securing LLMs, AI agents, and ML pipelines.

Garak (Free / OSS)

LLM vulnerability scanner that probes for prompt injection, data leakage, hallucination, and other LLM-specific weaknesses.

  • Automated prompt injection and jailbreak testing
  • Data leakage and memorization detection
  • Plugin-based architecture for custom probes
  • Supports OpenAI, Hugging Face, and local models

LLM Vulnerability Scan with Garak (Bash)

# Install garak
pip install garak

# Run prompt injection probes against an OpenAI model
garak --model_type openai --model_name gpt-4 \
  --probes promptinject

# Run all probes and generate report
garak --model_type openai --model_name gpt-4 \
  --probes all --report_prefix my_audit

OWASP Reference

Addresses: LLM01: Prompt Injection, LLM06: Excessive Agency

Rebuff (Free / OSS)

Prompt injection detection framework with multi-layer defense: heuristics, LLM-based analysis, and vector similarity.

  • Multi-layered detection (heuristic + AI + vector DB)
  • Canary token injection for leak detection
  • Easy integration as middleware
  • Configurable sensitivity thresholds

OWASP Reference

Addresses: LLM01: Prompt Injection

NeMo Guardrails (Free / OSS, NVIDIA)

Runtime guardrails framework for LLM applications. Define conversation boundaries using Colang rules.

  • Topic boundary enforcement (prevent off-topic responses)
  • Fact-checking and hallucination reduction rails
  • Sensitive data detection and PII redaction
  • Moderation and toxicity filtering

PyRIT (Free / OSS, Microsoft)

Python Risk Identification Tool for generative AI. Automates red-teaming with multi-turn attack strategies.

  • Automated multi-turn red-teaming conversations
  • Attack strategy orchestration (crescendo, PAIR, etc.)
  • Scoring engine for response evaluation
  • Supports Azure OpenAI, Hugging Face, and local models

🗺 Tool Selection Guide

Purpose                                Recommended Tool         Timing
-------------------------------------  -----------------------  ----------------------------
API specification security check       Spectral                 Design / specification phase
Code security analysis                 Semgrep                  Development / PR
Dependency vulnerability check         Snyk / npm audit         Build time / Periodic
Manual security testing                Burp Suite / Postman     Testing / QA phase
Automated scanning (CI/CD)             OWASP ZAP                Pre-deployment
Production environment protection      WAF + API Gateway        In operation
Log monitoring and anomaly detection   SIEM (ELK / Datadog)     In operation / Continuous
LLM vulnerability scanning             Garak / PyRIT            Pre-deployment / Periodic
Prompt injection detection             Rebuff                   Runtime / Integration
LLM runtime guardrails                 NeMo Guardrails          Runtime / Continuous
AI red-teaming automation              PyRIT                    Testing / QA phase
AI model supply chain verification     Semgrep / ModelScan      Build time / Pre-deployment