API Security Testing Toolkit — endpoint fuzzing, method checks, authentication probes, and JSON-aware reporting.
APIX helps test APIs during authorized assessments.
It focuses on discovery and validation rather than exploitation. The direct CLI interface replaces old interactive flows and provides consistent output for reports.
- Endpoint fuzzing.
- HTTP method testing.
- Authentication header checks.
- JWT metadata inspection.
- CORS checks.
- JSON response analysis.
- Rate-limit observations.
- Clean console output.
- JSON/TXT report support.
git clone https://github.com/NeiveZ/API-Security-Testing-Toolkit.git
cd API-Security-Testing-Toolkit
chmod +x apix.sh
./apix.sh --installValidate:
./apix.sh --checkRun tests if available:
python3 -m pytest -q./apix.sh <command> [options]Help:
./apix.sh --help./apix.sh fuzz -u https://api.example.com -w wordlists/api.txtWith methods:
./apix.sh fuzz -u https://api.example.com -w wordlists/api.txt --methods GET,POST,PUT,DELETE./apix.sh auth -u https://api.example.com/me --token "$TOKEN"./apix.sh cors -u https://api.example.com./apix.sh jwt --token "$JWT"./apix.sh full -u https://api.example.com -w wordlists/api.txt --json --txt --out reports/api_review- Identify base URL:
./apix.sh probe -u https://api.example.com- Fuzz endpoints:
./apix.sh fuzz -u https://api.example.com -w wordlists/api.txt- Test methods on discovered endpoints:
./apix.sh methods -u https://api.example.com/users- Test authentication behavior:
./apix.sh auth -u https://api.example.com/me --token "$TOKEN"- Save evidence:
./apix.sh full -u https://api.example.com -w wordlists/api.txt --json --txt --out reports/apixAPIX Assessment Summary
Target https://api.example.com
Command fuzz
Endpoints 128
Findings 6
Severity Endpoint Check Detail
INFO /health Status 200 OK
LOW /debug Exposure Endpoint exists
MEDIUM /admin Auth 401 without token
--json
--txt
--out <path_without_extension>Example:
./apix.sh full -u https://api.example.com --json --txt --out reports/api./apix.sh probe -u https://api.example.com --insecure./apix.sh fuzz -u https://api.example.com -T 15Use delay:
./apix.sh fuzz -u https://api.example.com --delay 250Use only against APIs you own or are authorized to test.
MIT License.