Check your WAF before an attacker does

Proactive, Open source API security → API discovery, API Security Posture, Testing in CI/CD, Test Library with 1000+ Tests, Add custom tests, Sensitive data exposure

The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.

API Security Vulnerability Scanner designed to help you secure your APIs.

API Pentesting Tools are specialized security tools used to test and analyze the security of Application Programming Interfaces (APIs).

Automated API security testing

Community generated list of API security tests to find OWASP top10, HackerOne top 10 vulnerabilities

Web Application Pentesting Lab with over 40 plus vulnerability, which covers all the owasp top 10 issues.

Your agentic API security engineer. Built by the community, for builders who care about security but don't have unlimited time or budget. Point it at your API docs it hunts down the deep vulnerabilities that actually get you breached.

GitHub action to run Traceable Active Security Testing in GitHub workflows

Pentest Coverage Tracker is a Burp Suite extension that helps penetration testers monitor testing coverage in real time. It logs discovered endpoints and tracks whether their parameters are actually tested in Burp Suite. This helps highlight untested attack surfaces and provides clear visibility of coverage for security teams.

ScriptOcalypse 🏴‍☠️- Nothing here… just a lot of weird ideas with a chaotic mix of lemonade, boredom, and automation that somehow work.

The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.

A community-driven list of custom Escape rules. Test your API security with rules that automatically adapt for you.

Bugsmirror MASST (Mobile Application Security Suite and Tools) is a comprehensive platform for end-to-end mobile application security. It offers threat detection tools for static, runtime, dynamic API testing and red teaming; robust app shielding solution for threat mitigation; threat visibility dashboard; & AI powered insight in a single platform.

Lightweight CLI tool for scanning REST APIs for CORS issues, methods, and info leaks.

Multi-layer API Security Analyzer built with FastAPI + ML anomaly detection. Detects SQLi/XSS abuse, rate-limits IPs, validates payloads with Pydantic. Live dashboard + production logging. Deployable on Render.

A RESTful API brute-forcing tool in Go for ethical hacking practice. **Gobrute** is built for testing login passwords with multithreading, progress tracking, and customizable payloads, ideal for controlled environments like OWASP Juice Shop.

OWASP-Top-10-Security-Vulnerabilities-With-Node.js

API Security Posture Assessment Platform — OWASP API Top 10 Coverage