Enterprise-grade API security testing tool with comprehensive OWASP API Security Top 10 2023 coverage.
# Clone and setup
git clone https://github.com/your-org/apileak.git
cd apileak
make setup-dev
# Activate environment
source venv/bin/activate # Linux/macOS
# venv\Scripts\activate # Windows
# Run your first orchestrated scan (all OWASP modules)
python apileaks.py scan --target https://api.example.comAPILeak's CLI is organized into six families:
| Command | Purpose |
|---|---|
dir |
Directory/endpoint fuzzing and discovery (with triage) |
par |
Parameter fuzzing — discover hidden parameters |
owasp <module> |
Run one OWASP API Security Top 10 module in isolation |
scan |
Orchestrated scan — runs discovery + all (or selected) OWASP modules and aggregates findings |
jwt <subcommand> |
Manual JWT attack & utility toolkit (13 subcommands) |
replay <report> |
Re-issue requests from a prior scan report (optionally via Burp/Caido) |
wordlist <list|fetch|cache> |
Manage Assetnote wordlists — browse, download, and cache |
Deprecation: the legacy
fullcommand (and the hiddenmain) still work but are deprecated aliases ofscan. They emit a one-line notice to stderr and behave identically. Migrate scripts toscan. Selecting modules throughfull --modules bolais deprecated in favor ofapileaks owasp bola.
# Directory fuzzing — single target
python apileaks.py dir --target https://api.example.com
# Multi-target from file
python apileaks.py dir --target-file hosts.txt --wordlist custom.txt
# Spec-aware discovery: send per-route params/body from OpenAPI spec
python apileaks.py dir --target https://api.example.com --openapi api.yaml
# Spec-only methods: only probe paths with the method declared in spec
python apileaks.py dir --target https://api.example.com --openapi api.yaml --spec-methods-only
# Use Assetnote wordlists (auto-download on first use)
python apileaks.py dir --target https://api.example.com \
--wordlist assetnote:apiroutes-210328:20000
# Wildcard quarantine: stop if host returns 10 consecutive hits
python apileaks.py dir --target https://api.example.com --quarantine-threshold 10
# Directory fuzzing with triage: filter by status class, save a session, export Markdown
python apileaks.py dir --target https://api.example.com \
--status-code 2xx --save-session session.json --export md --export-file results.md
# Reload a saved session and triage interactively (opt-in prompt)
python apileaks.py dir --target https://api.example.com \
--load-session session.json --interactive
# Parameter fuzzing
python apileaks.py par --target https://api.example.com
# List every OWASP module (key, category, one-line summary)
python apileaks.py owasp
# Run a single OWASP module in isolation (red-team focus)
python apileaks.py owasp bola --target https://api.example.com
python apileaks.py owasp auth --target https://api.example.com
# Full orchestrated scan across every registered OWASP module (blue-team / CI)
python apileaks.py scan --target https://api.example.com
# Restrict the orchestrated scan to selected modules
python apileaks.py scan --target https://api.example.com --modules bola,auth,property
# With WAF evasion
python apileaks.py scan --target https://api.example.com --user-agent-randomFor comprehensive usage examples, see the Usage Examples documentation.
- 🛡️ OWASP API Security Top 10 2023: Complete coverage of all 10 categories
- 🎯 Advanced Fuzzing: Endpoint, parameter, and header fuzzing with intelligent discovery
- 📋 Spec-Aware Discovery: Send per-route query params, headers, and JSON body from OpenAPI/Postman specs; optionally restrict methods to spec-declared only (
--spec-methods-only) - 🔍 Framework Detection: Automatic identification of API frameworks (FastAPI, Express, Django, Flask, etc.)
- 📊 Version Fuzzing: Discovery and comparison of API versions (/v1, /v2, /api/v1, etc.)
- 🌈 Colored HTTP Output: Real-time colored status indicators for all HTTP requests
- 🥷 WAF Evasion: Multiple user agent strategies for bypassing Web Application Firewalls
- 🔁 Request Replay: Re-issue any request from a prior scan report, optionally through Burp/Caido (
apileaks replay) - 📚 Assetnote Wordlists: One-command download and cache of curated API route wordlists (
apileaks wordlist fetch apiroutes-210328; useassetnote:prefix in--wordlist) - 🎯 Multi-Target Scanning: Scan hundreds of hosts from a file in
dir,par, andscan(--target-file hosts.txt --max-hosts 50) - 🚫 Wildcard Quarantine: Automatically stop scanning hosts that accept every path (
--quarantine-threshold 10) - 🔍 Property-Based Testing: Comprehensive correctness validation using Hypothesis
- 📊 Smart Analytics: Automatic severity classification and OWASP categorization
- 📈 Real-time Reporting: Multi-format reports (XML, JSON, HTML, TXT, SARIF)
- ⚡ High Performance: Async HTTP client with adaptive rate limiting
- 🐳 Container Ready: Docker support for CI/CD integration
- 🔧 Enterprise Grade: Structured logging, configuration management, and monitoring
APILeak automatically detects API frameworks and adapts testing strategies accordingly:
| Framework | Detection Method | Specific Payloads | Status |
|---|---|---|---|
| FastAPI | Headers, OpenAPI, Error patterns | Pydantic injection, Async race conditions | ✅ |
| Express.js | Headers, Error patterns, Node.js signatures | Prototype pollution, Path traversal | ✅ |
| Django | Headers, Admin pages, Error patterns | Template injection, CSRF bypass | ✅ |
| Flask | Headers, Werkzeug signatures, Error patterns | Jinja2 injection, Debug exposure | ✅ |
| Spring Boot | Headers, Actuator endpoints, Error patterns | SpEL injection, Actuator exposure | ✅ |
| ASP.NET | Headers, ViewState, Error patterns | ViewState manipulation, Config exposure | ✅ |
Comprehensive API version mapping and security analysis:
- Version Patterns:
/v1,/v2,/api/v1,/api/v2,/version1, etc. - Status Detection: Active, Deprecated, Development versions
- Endpoint Comparison: Identify differences between versions
- Security Analysis: Find version-specific vulnerabilities
# Enable framework detection
python apileaks.py scan --target https://api.example.com --detect-framework
# Enable version fuzzing
python apileaks.py scan --target https://api.example.com --fuzz-versions
# Combined advanced discovery
python apileaks.py scan --target https://api.example.com --df --fv --framework-confidence 0.8- 📚 Complete Documentation - Full documentation index
- 🚀 Installation Guide - Setup instructions for all platforms
- ⚙️ Configuration Guide - Comprehensive configuration options
- 💻 CLI Reference - Command-line interface documentation
- 🧪 Testing Guide - Testing strategies and guidelines
- 🏗️ Architecture - System design and architecture overview
- 🛠️ Development Guide - Development setup and contribution guide
- 🌈 Colored HTTP Output - HTTP output visualization and filtering
- 🚀 CI/CD Integration - DevSecOps pipeline integration guide
- 🎯 Usage Examples - Comprehensive usage examples and scenarios
- 🥷 WAF Evasion - Web Application Firewall evasion techniques
- 🐳 Docker Usage - Container-based deployment and usage
- 🛡️ OWASP Coverage - OWASP API Security Top 10 2023 coverage
- 🛡️ OWASP Overview - Complete OWASP API Security coverage
- 🔐 BOLA Testing - Broken Object Level Authorization
- 🔑 Auth Testing - Authentication vulnerability detection
- 📋 Property Auth - Property-level authorization testing
==================================================
APILeak Scan Completed Successfully
==================================================
Target: https://api.example.com
🎨 Status Code Filter: [200, 401, 403]
🎭 WAF Evasion: Random User-Agent enabled
Duration: 0:02:34
Total Endpoints Tested: 1,247
📍 Endpoints Found:
- GET https://api.example.com/admin (200)
- POST https://api.example.com/users (201)
- GET https://api.example.com/debug (200)
Total Findings: 8
Critical: 2 | High: 3 | Medium: 2 | Low: 1
OWASP Coverage: 70.0% (7/10 categories)
Reports generated:
- reports/security_scan.json
- reports/security_scan.html
- reports/security_scan.xml
- reports/security_scan.txt
We welcome contributions! Please see our Contributing Guide for details.
- Fork the repository
- Create a feature branch:
git checkout -b feature/amazing-feature - Make your changes and add tests
- Run tests:
make test - Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
For security vulnerabilities, please see our Security Policy.
- OWASP API Security Project for the comprehensive security framework
- The Python security community for tools and best practices
- All contributors who help improve APILeak
Built with ❤️ for API security professionals
