Skip to content

NeiveZ/API-Security-Testing-Toolkit

Repository files navigation

APIX

API Security Testing Toolkit — endpoint fuzzing, method checks, authentication probes, and JSON-aware reporting.

Python Category Status License


Overview

APIX helps test APIs during authorized assessments.

It focuses on discovery and validation rather than exploitation. The direct CLI interface replaces old interactive flows and provides consistent output for reports.


Features

  • Endpoint fuzzing.
  • HTTP method testing.
  • Authentication header checks.
  • JWT metadata inspection.
  • CORS checks.
  • JSON response analysis.
  • Rate-limit observations.
  • Clean console output.
  • JSON/TXT report support.

Installation

git clone https://github.com/NeiveZ/API-Security-Testing-Toolkit.git
cd API-Security-Testing-Toolkit
chmod +x apix.sh
./apix.sh --install

Validate:

./apix.sh --check

Run tests if available:

python3 -m pytest -q

Usage

./apix.sh <command> [options]

Help:

./apix.sh --help

Commands

Endpoint fuzzing

./apix.sh fuzz -u https://api.example.com -w wordlists/api.txt

With methods:

./apix.sh fuzz -u https://api.example.com -w wordlists/api.txt --methods GET,POST,PUT,DELETE

Authentication check

./apix.sh auth -u https://api.example.com/me --token "$TOKEN"

CORS check

./apix.sh cors -u https://api.example.com

JWT inspection

./apix.sh jwt --token "$JWT"

Full API review

./apix.sh full -u https://api.example.com -w wordlists/api.txt --json --txt --out reports/api_review

Recommended Procedure

  1. Identify base URL:
./apix.sh probe -u https://api.example.com
  1. Fuzz endpoints:
./apix.sh fuzz -u https://api.example.com -w wordlists/api.txt
  1. Test methods on discovered endpoints:
./apix.sh methods -u https://api.example.com/users
  1. Test authentication behavior:
./apix.sh auth -u https://api.example.com/me --token "$TOKEN"
  1. Save evidence:
./apix.sh full -u https://api.example.com -w wordlists/api.txt --json --txt --out reports/apix

Output Example

APIX Assessment Summary

Target       https://api.example.com
Command      fuzz
Endpoints    128
Findings     6

Severity     Endpoint              Check             Detail
INFO         /health               Status            200 OK
LOW          /debug                Exposure          Endpoint exists
MEDIUM       /admin                Auth              401 without token

Reports

--json
--txt
--out <path_without_extension>

Example:

./apix.sh full -u https://api.example.com --json --txt --out reports/api

Troubleshooting

SSL issues

./apix.sh probe -u https://api.example.com --insecure

Timeout

./apix.sh fuzz -u https://api.example.com -T 15

Rate limits

Use delay:

./apix.sh fuzz -u https://api.example.com --delay 250

Ethics

Use only against APIs you own or are authorized to test.


License

MIT License.

About

Endpoint fuzzing, method checks, authentication probes, and JSON-aware reporting.

Topics

Resources

License

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors