Skip to content

MoisesTapia/apileaks

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

APILeak v0.2.0 [Beta][DEVELOPMENT]

APILeak Logo

APILeak v0.2.0 - Enterprise API Fuzzing Tool - by Cl0wnR3v

Enterprise-grade API security testing tool with comprehensive OWASP API Security Top 10 2023 coverage.

License: MIT Python 3.11+ Tests Coverage

🚀 Quick Start

# Clone and setup
git clone https://github.com/your-org/apileak.git
cd apileak
make setup-dev

# Activate environment
source venv/bin/activate  # Linux/macOS
# venv\Scripts\activate   # Windows

# Run your first orchestrated scan (all OWASP modules)
python apileaks.py scan --target https://api.example.com

Command overview

APILeak's CLI is organized into six families:

Command Purpose
dir Directory/endpoint fuzzing and discovery (with triage)
par Parameter fuzzing — discover hidden parameters
owasp <module> Run one OWASP API Security Top 10 module in isolation
scan Orchestrated scan — runs discovery + all (or selected) OWASP modules and aggregates findings
jwt <subcommand> Manual JWT attack & utility toolkit (13 subcommands)
replay <report> Re-issue requests from a prior scan report (optionally via Burp/Caido)
wordlist <list|fetch|cache> Manage Assetnote wordlists — browse, download, and cache

Deprecation: the legacy full command (and the hidden main) still work but are deprecated aliases of scan. They emit a one-line notice to stderr and behave identically. Migrate scripts to scan. Selecting modules through full --modules bola is deprecated in favor of apileaks owasp bola.

Basic Usage Examples

# Directory fuzzing — single target
python apileaks.py dir --target https://api.example.com

# Multi-target from file
python apileaks.py dir --target-file hosts.txt --wordlist custom.txt

# Spec-aware discovery: send per-route params/body from OpenAPI spec
python apileaks.py dir --target https://api.example.com --openapi api.yaml

# Spec-only methods: only probe paths with the method declared in spec
python apileaks.py dir --target https://api.example.com --openapi api.yaml --spec-methods-only

# Use Assetnote wordlists (auto-download on first use)
python apileaks.py dir --target https://api.example.com \
                       --wordlist assetnote:apiroutes-210328:20000

# Wildcard quarantine: stop if host returns 10 consecutive hits
python apileaks.py dir --target https://api.example.com --quarantine-threshold 10

# Directory fuzzing with triage: filter by status class, save a session, export Markdown
python apileaks.py dir --target https://api.example.com \
  --status-code 2xx --save-session session.json --export md --export-file results.md

# Reload a saved session and triage interactively (opt-in prompt)
python apileaks.py dir --target https://api.example.com \
  --load-session session.json --interactive

# Parameter fuzzing
python apileaks.py par --target https://api.example.com

# List every OWASP module (key, category, one-line summary)
python apileaks.py owasp

# Run a single OWASP module in isolation (red-team focus)
python apileaks.py owasp bola --target https://api.example.com
python apileaks.py owasp auth --target https://api.example.com

# Full orchestrated scan across every registered OWASP module (blue-team / CI)
python apileaks.py scan --target https://api.example.com

# Restrict the orchestrated scan to selected modules
python apileaks.py scan --target https://api.example.com --modules bola,auth,property

# With WAF evasion
python apileaks.py scan --target https://api.example.com --user-agent-random

For comprehensive usage examples, see the Usage Examples documentation.

✨ Key Features

  • 🛡️ OWASP API Security Top 10 2023: Complete coverage of all 10 categories
  • 🎯 Advanced Fuzzing: Endpoint, parameter, and header fuzzing with intelligent discovery
  • 📋 Spec-Aware Discovery: Send per-route query params, headers, and JSON body from OpenAPI/Postman specs; optionally restrict methods to spec-declared only (--spec-methods-only)
  • 🔍 Framework Detection: Automatic identification of API frameworks (FastAPI, Express, Django, Flask, etc.)
  • 📊 Version Fuzzing: Discovery and comparison of API versions (/v1, /v2, /api/v1, etc.)
  • 🌈 Colored HTTP Output: Real-time colored status indicators for all HTTP requests
  • 🥷 WAF Evasion: Multiple user agent strategies for bypassing Web Application Firewalls
  • 🔁 Request Replay: Re-issue any request from a prior scan report, optionally through Burp/Caido (apileaks replay)
  • 📚 Assetnote Wordlists: One-command download and cache of curated API route wordlists (apileaks wordlist fetch apiroutes-210328; use assetnote: prefix in --wordlist)
  • 🎯 Multi-Target Scanning: Scan hundreds of hosts from a file in dir, par, and scan (--target-file hosts.txt --max-hosts 50)
  • 🚫 Wildcard Quarantine: Automatically stop scanning hosts that accept every path (--quarantine-threshold 10)
  • 🔍 Property-Based Testing: Comprehensive correctness validation using Hypothesis
  • 📊 Smart Analytics: Automatic severity classification and OWASP categorization
  • 📈 Real-time Reporting: Multi-format reports (XML, JSON, HTML, TXT, SARIF)
  • ⚡ High Performance: Async HTTP client with adaptive rate limiting
  • 🐳 Container Ready: Docker support for CI/CD integration
  • 🔧 Enterprise Grade: Structured logging, configuration management, and monitoring

🔍 Advanced Discovery Features

Framework Detection

APILeak automatically detects API frameworks and adapts testing strategies accordingly:

Framework Detection Method Specific Payloads Status
FastAPI Headers, OpenAPI, Error patterns Pydantic injection, Async race conditions
Express.js Headers, Error patterns, Node.js signatures Prototype pollution, Path traversal
Django Headers, Admin pages, Error patterns Template injection, CSRF bypass
Flask Headers, Werkzeug signatures, Error patterns Jinja2 injection, Debug exposure
Spring Boot Headers, Actuator endpoints, Error patterns SpEL injection, Actuator exposure
ASP.NET Headers, ViewState, Error patterns ViewState manipulation, Config exposure

API Version Discovery

Comprehensive API version mapping and security analysis:

  • Version Patterns: /v1, /v2, /api/v1, /api/v2, /version1, etc.
  • Status Detection: Active, Deprecated, Development versions
  • Endpoint Comparison: Identify differences between versions
  • Security Analysis: Find version-specific vulnerabilities
# Enable framework detection
python apileaks.py scan --target https://api.example.com --detect-framework

# Enable version fuzzing
python apileaks.py scan --target https://api.example.com --fuzz-versions

# Combined advanced discovery
python apileaks.py scan --target https://api.example.com --df --fv --framework-confidence 0.8

📖 Documentation

OWASP Modules

📊 Sample Output

==================================================
APILeak Scan Completed Successfully
==================================================
Target: https://api.example.com
🎨 Status Code Filter: [200, 401, 403]
🎭 WAF Evasion: Random User-Agent enabled
Duration: 0:02:34
Total Endpoints Tested: 1,247
📍 Endpoints Found:
  - GET https://api.example.com/admin (200)
  - POST https://api.example.com/users (201)
  - GET https://api.example.com/debug (200)
Total Findings: 8
Critical: 2 | High: 3 | Medium: 2 | Low: 1
OWASP Coverage: 70.0% (7/10 categories)

Reports generated:
  - reports/security_scan.json
  - reports/security_scan.html
  - reports/security_scan.xml
  - reports/security_scan.txt

🤝 Contributing

We welcome contributions! Please see our Contributing Guide for details.

Quick Contribution Steps

  1. Fork the repository
  2. Create a feature branch: git checkout -b feature/amazing-feature
  3. Make your changes and add tests
  4. Run tests: make test
  5. Submit a pull request

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

🔒 Security

For security vulnerabilities, please see our Security Policy.

🙏 Acknowledgments

  • OWASP API Security Project for the comprehensive security framework
  • The Python security community for tools and best practices
  • All contributors who help improve APILeak

Built with ❤️ for API security professionals