API_Pentest

Demo URL (GitHub Pages): https://imharshitaa.github.io/API_Pentest/demo/

API security testing toolkit with category-based scripts:

  • *_discovery.py
  • *_test.py
  • *_exploit.py

Use only on APIs you own or are explicitly authorized to test.

Quick Use (3 steps)

  1. Load shell wrappers:

source /Users/harshitaaa/Projects/API_Pentest/shell/api_pentest.sh

or for fish:

source /Users/harshitaaa/Projects/API_Pentest/shell/api_pentest.fish

  2. Run commands:

discover <test_case> <api_url>
test <test_case> <api_url>
exploit <test_case> <api_url>

  3. Example:

discover sqli http://crapi.apisec.ai/identity/api/
test nosqli http://vampi.vulnweb.com/users/v1/
exploit xxe https://juice-shop.herokuapp.com/rest/

1) Setup (one time)

git clone <your-repo-url>
cd API_Pentest
python3 -m venv .venv
source .venv/bin/activate
python -m pip install requests

For fish shell:

python3 -m venv .venv
source .venv/bin/activate.fish
python -m pip install requests

2) Load shell commands

For bash/zsh:

source /Users/harshitaaa/Projects/API_Pentest/shell/api_pentest.sh

For fish:

source /Users/harshitaaa/Projects/API_Pentest/shell/api_pentest.fish

Notes:

  • These wrappers support discover, test, and exploit in this format: <function> <test_case> <api_url>.
  • In fish, test is a reserved keyword. The fish loader defines api_test and adds an interactive abbreviation so typing test ... expands to api_test ....
  • To auto-load on shell startup, add the source .../shell/api_pentest.<sh|fish> line to your shell config (~/.zshrc, ~/.bashrc, or ~/.config/fish/config.fish).

3) Run commands directly

Format:

discover <test_case> <api>
test <test_case> <api>
exploit <test_case> <api>

Examples:

discover sqli https://api.dev.levo.ai
test sqli https://api.dev.levo.ai
exploit sqli https://api.dev.levo.ai

discover nosqli https://api.dev.levo.ai
test xxe https://api.dev.levo.ai

4) Authentication behavior

  • All *_test.py scripts now ask for the base URL and an optional token.
  • If you press Enter at the token prompt and the API returns 401/403, the script asks for the token again.
  • Expected token format: the raw token value. The script adds Bearer automatically.
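The prompt-and-retry behavior described above, as an added sketch that is not the repository's own code. The names auth_headers, get_with_token_retry, requests_send and max_prompts are hypothetical, and stripping a pasted "Bearer " prefix and capping the number of re-prompts are assumptions beyond what the README states.

```python
import getpass
from typing import Callable, Dict, Optional, Tuple

Send = Callable[[str, Dict[str, str]], int]  # (url, headers) -> HTTP status


def auth_headers(token: Optional[str]) -> Dict[str, str]:
    """Turn a raw token into request headers; an empty token sends no header."""
    token = (token or "").strip()
    # Assumption beyond the README: tolerate a pasted "Bearer " prefix so the
    # header never becomes "Bearer Bearer <token>".
    if token.lower().startswith("bearer "):
        token = token[len("bearer "):].strip()
    return {"Authorization": f"Bearer {token}"} if token else {}


def get_with_token_retry(url: str, send: Send, ask_token: Callable[[], str],
                         token: Optional[str] = None,
                         max_prompts: int = 2) -> Tuple[int, int]:
    """Request url; on 401/403 prompt for a token again, at most max_prompts times.

    Returns (final_status, prompts_used).
    """
    status = send(url, auth_headers(token))
    prompts = 0
    while status in (401, 403) and prompts < max_prompts:
        token = ask_token()
        prompts += 1
        if not token.strip():
            break  # Enter pressed again: stop instead of looping forever
        status = send(url, auth_headers(token))
    return status, prompts


def requests_send(url: str, headers: Dict[str, str]) -> int:
    """Real transport using requests (installed in the Setup step)."""
    import requests  # imported lazily so the helpers above work without it
    return requests.get(url, headers=headers, timeout=10).status_code


if __name__ == "__main__":
    base_url = input("API base URL: ").strip()
    # getpass keeps the token out of terminal scrollback
    first = getpass.getpass("Token (Enter to skip): ")
    status, prompts = get_with_token_retry(
        base_url, requests_send,
        lambda: getpass.getpass("401/403 received, token: "), token=first)
    print(f"final status {status} after {prompts} extra prompt(s)")
```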

5) Available test cases

  • bola
  • bfla
  • bua
  • businesslogic
  • cors
  • graphql
  • informationdisclosure or infodisclosure
  • deserialization or insecuredeserialization
  • inventory or inventorymanagement
  • jwt
  • massassignment
  • ratelimit
  • misconfig or securitymisconfig
  • sqli
  • nosqli
  • ssrf
  • unsafeconsumption
  • xxe
  • pathtraversal
  • commandinjection or cmdi

6) Notes

  • Start with discover, then test, then exploit.
  • Use exploit scripts only in isolated labs or authorized targets.
  • If needed, deactivate the virtual environment with deactivate.

7) GitHub Pages Demo

A project-specific demo page is included at:

  • /Users/harshitaaa/Projects/API_Pentest/demo/index.html
  • /Users/harshitaaa/Projects/API_Pentest/demo/terminal-config.json

It provides:

  • sample API targets
  • command simulator using your format:
    • discover <test_case> <api>
    • test <test_case> <api>
    • exploit <test_case> <api>
  • generated local command output like:
    • API_BASE_URL="<api>" python SQLi/sqli_test.py

Deploy on GitHub Pages

  1. Push this repo to GitHub.
  2. Open repository Settings -> Pages.
  3. Under Build and deployment, set:
    • Source: Deploy from a branch
    • Branch: main
    • Folder: /demo
  4. Save. GitHub will publish your demo URL.

Update sample APIs

Edit /Users/harshitaaa/Projects/API_Pentest/demo/terminal-config.json:

  • sampleApis for the API targets shown on the page
  • cases for command-to-script mapping
