A comprehensive API penetration testing lab designed to help security professionals test API endpoints for common vulnerabilities including XSS and SQL injection.
- Dynamic Endpoint Testing: Configure multiple API endpoints via JSON configuration file
- Authentication Support: Supports Authorization headers (Bearer tokens, API keys)
- Multiple Vulnerability Tests:
- Reflected XSS detection
- SQL Injection detection
- Detailed Reporting: Generates comprehensive JSON reports with timestamps
- Flexible Configuration: Easily customize test parameters and endpoints
Before setting up the project, ensure you have the following installed:
- Python 3.7 or higher
- pip (Python package installer)
- Git
You can clone this repository using HTTPS, SSH, or the GitHub CLI:
Using HTTPS:
```bash
git clone https://github.com/Shanmukhasrisai/API-Penetration-Testing-Lab.git
```
Using SSH:
```bash
git clone git@github.com:Shanmukhasrisai/API-Penetration-Testing-Lab.git
```
Using GitHub CLI:
```bash
gh repo clone Shanmukhasrisai/API-Penetration-Testing-Lab
```
Then change into the project directory:
```bash
cd API-Penetration-Testing-Lab
```
Creating a virtual environment helps isolate project dependencies:
On Windows:
```bash
python -m venv venv
venv\Scripts\activate
```
On macOS/Linux:
```bash
python3 -m venv venv
source venv/bin/activate
```
With the virtual environment active, install the dependencies:
```bash
pip install -r requirements.txt
```
The required dependencies include:
- Flask (for potential web interface)
- requests (for HTTP requests)
- colorama (for colored terminal output)
To run a penetration test on configured API endpoints:
```bash
python api.py --config endpoints.json
```
To test endpoints that require authentication:
```bash
python api.py --config endpoints.json --auth "Bearer YOUR_TOKEN_HERE"
```
or with an API key:
```bash
python api.py --config endpoints.json --auth "APIKey YOUR_KEY_HERE"
```
To save the test results to a JSON file:
```bash
python api.py --config endpoints.json --output results.json
```
Create a JSON configuration file (e.g., endpoints.json) with the following structure:
```json
{
  "endpoints": [
    {
      "url": "https://example.com/api/search",
      "method": "GET",
      "params": ["q", "filter"]
    },
    {
      "url": "https://example.com/api/users",
      "method": "POST",
      "params": ["username", "email"]
    }
  ]
}
```
Command-line options:
- `--config`: (Required) Path to the JSON configuration file with API endpoints
- `--auth`: Value sent as the `Authorization` header on every request, e.g., `"Bearer YOUR_TOKEN_HERE"` or `"APIKey YOUR_KEY_HERE"` as in the usage examples above. Only the `Authorization` header is set; targets that expect the key in a custom header are not covered by this option
- `--output`: Path to save the JSON report file
The tool tests for reflected cross-site scripting by injecting various XSS payloads into each configured parameter and checking whether they are reflected in the response. Confirm hits manually: a payload that comes back HTML-encoded, or is echoed inside a JSON body served as `application/json`, is generally not exploitable.
The tool tests for SQL injection by injecting SQL-specific payloads and checking the response for database error messages. This is error-based detection only: a parameter that produces no error message is not thereby proven safe, since blind and time-based injection do not surface as error text.
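The two checks just described, as an added example that is not the project's own `api.py`: a minimal scanner that walks the `endpoints.json` structure shown above, injects XSS and SQL payloads per parameter, and returns results in the per-endpoint report shape the tool documents below. The transport is a `send` callable so the same logic runs offline: `fake_send`, its canned responses and `CONFIG` are constructed for this example, and `http_send` shows how the same scanner would be wired to `requests` for an authorized target. Two caveats are built in: a reflection only counts if the payload comes back unencoded, and a SQL error signature is only counted when a benign baseline request does not already produce it.

```python
# Added example, not the project's api.py: reflected-XSS and error-based SQLi
# checks over an endpoints.json-style config, run here against a constructed
# fake transport so it works offline.
import html
import json
import re
from datetime import datetime, timezone

XSS_PAYLOADS = ['<script>alert(1)</script>', '"><svg onload=alert(1)>']
SQLI_PAYLOADS = ["'", "' OR '1'='1", "1 AND 1=2 UNION SELECT NULL--"]
# Database error signatures (MySQL, MSSQL, PostgreSQL, SQLite, Oracle).
SQL_ERROR_PATTERNS = [re.compile(p, re.I) for p in (
    r"you have an error in your sql syntax",
    r"unclosed quotation mark after the character string",
    r"syntax error at or near",
    r"sqlite3?\.operationalerror",
    r"ora-\d{5}",
)]


def looks_like_sql_error(body):
    return any(p.search(body) for p in SQL_ERROR_PATTERNS)


def check_reflected_xss(send, url, method, param, headers):
    """True if any payload comes back byte-for-byte. An HTML-encoded echo
    (&lt;script&gt;) does not match, so it is correctly not reported."""
    for payload in XSS_PAYLOADS:
        if payload in send(method, url, {param: payload}, headers):
            return True
    return False


def check_sql_injection(send, url, method, param, headers):
    """True if a payload triggers a DB error signature that a benign value
    does not. Only error-based injection is visible this way; blind and
    time-based injection need a different check."""
    if looks_like_sql_error(send(method, url, {param: "test"}, headers)):
        return False  # endpoint errors regardless of input: inconclusive
    for payload in SQLI_PAYLOADS:
        if looks_like_sql_error(send(method, url, {param: payload}, headers)):
            return True
    return False


def scan_endpoint(send, endpoint, auth=None):
    """Returns one entry in the report structure the tool documents."""
    headers = {"Authorization": auth} if auth else {}
    url, method = endpoint["url"], endpoint["method"].upper()
    found = {"reflected_xss": [], "sql_injection": []}
    for param in endpoint["params"]:
        if check_reflected_xss(send, url, method, param, headers):
            found["reflected_xss"].append(param)
        if check_sql_injection(send, url, method, param, headers):
            found["sql_injection"].append(param)
    return {"url": url, "method": method, "vulnerabilities": found}


def scan(send, config, auth=None):
    return {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "results": [scan_endpoint(send, e, auth) for e in config["endpoints"]],
    }


def http_send(method, url, params, headers, timeout=10):
    """Real transport for authorized targets: query string for GET, form body
    otherwise. Imported lazily so the offline demo needs neither network nor requests."""
    import requests
    kwargs = {"params": params} if method == "GET" else {"data": params}
    return requests.request(method, url, headers=headers, timeout=timeout, **kwargs).text


# --- Constructed stand-ins for the offline demo ---------------------------
CONFIG = {"endpoints": [  # same shape as the endpoints.json example
    {"url": "https://example.com/api/search", "method": "GET", "params": ["q", "filter"]},
    {"url": "https://example.com/api/users", "method": "POST", "params": ["username", "email"]},
]}


def fake_send(method, url, params, headers):
    """Constructed responses: /api/search echoes q unescaped (XSS) but escapes
    filter; /api/users leaks a MySQL error when username contains a quote."""
    if url.endswith("/api/search"):
        return "<h1>Results for %s</h1><p>filter=%s</p>" % (
            params.get("q", ""), html.escape(params.get("filter", "")))
    if url.endswith("/api/users"):
        if "'" in params.get("username", ""):
            return "You have an error in your SQL syntax; check the manual"
        return json.dumps({"created": True})
    return "ok"


if __name__ == "__main__":
    report = scan(fake_send, CONFIG, auth="Bearer YOUR_TOKEN_HERE")
    print(json.dumps(report, indent=2))
```

Running the block reports `q` as reflected XSS on the search endpoint and `username` as SQL injection on the users endpoint; `filter` is not reported because the fake backend HTML-escapes it, which is exactly the false positive the verbatim-reflection rule avoids. To point it at a real, authorized target, pass `http_send` instead of `fake_send`.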
The tool generates detailed JSON reports with the following structure:
```json
{
  "url": "https://example.com/api/endpoint",
  "method": "GET",
  "vulnerabilities": {
    "reflected_xss": ["param1"],
    "sql_injection": ["param2"]
  }
}
```
Troubleshooting:
- Permission Errors: Try running commands with `sudo` (Linux/macOS) or as Administrator (Windows). Once the virtual environment is active, `pip install` writes only inside `venv/` and should not need elevated privileges; if it does, check the ownership of the project directory rather than installing into the system Python
- Module Not Found: Ensure you've activated the virtual environment and installed dependencies
- Dependency Installation Fails: Try upgrading pip first: `pip install --upgrade pip`
- Virtual Environment Issues: Make sure you've activated the virtual environment before installing dependencies
- Connection Errors: Verify that target URLs are accessible and properly formatted
- This tool is designed for educational purposes only
- Only use this tool on systems you own or have explicit written permission to test
- Unauthorized penetration testing is illegal and unethical
- Always follow responsible disclosure practices
- Respect the privacy and security of others
- Always obtain proper authorization before conducting penetration tests
- Document all testing activities
- Follow your organization's security policies
- Report vulnerabilities responsibly
- Do not use this tool in production environments without proper safeguards
For a comprehensive list of improvements and enhancements made to this repository, see IMPROVEMENTS.md.
Contributions are welcome! Please feel free to submit issues or pull requests to improve this tool.
Review the LICENSE file for usage terms and conditions.
This tool is provided for educational and authorized testing purposes only. The authors are not responsible for any misuse or damage caused by this tool. Always ensure you have explicit permission before testing any systems you do not own.