Skip to content

Latest commit

 

History

History
211 lines (139 loc) · 3.37 KB

File metadata and controls

211 lines (139 loc) · 3.37 KB

APIX

API Security Testing Toolkit — endpoint fuzzing, method checks, authentication probes, and JSON-aware reporting.

Python Category Status License


Overview

APIX helps test APIs during authorized assessments.

It focuses on discovery and validation rather than exploitation. The direct CLI interface replaces old interactive flows and provides consistent output for reports.


Features

  • Endpoint fuzzing.
  • HTTP method testing.
  • Authentication header checks.
  • JWT metadata inspection.
  • CORS checks.
  • JSON response analysis.
  • Rate-limit observations.
  • Clean console output.
  • JSON/TXT report support.

Installation

git clone https://github.com/NeiveZ/API-Security-Testing-Toolkit.git
cd API-Security-Testing-Toolkit
chmod +x apix.sh
./apix.sh --install

Validate:

./apix.sh --check

Run tests if available:

python3 -m pytest -q

Usage

./apix.sh <command> [options]

Help:

./apix.sh --help

Commands

Endpoint fuzzing

./apix.sh fuzz -u https://api.example.com -w wordlists/api.txt

With methods:

./apix.sh fuzz -u https://api.example.com -w wordlists/api.txt --methods GET,POST,PUT,DELETE

Authentication check

./apix.sh auth -u https://api.example.com/me --token "$TOKEN"

CORS check

./apix.sh cors -u https://api.example.com

JWT inspection

./apix.sh jwt --token "$JWT"

Full API review

./apix.sh full -u https://api.example.com -w wordlists/api.txt --json --txt --out reports/api_review

Recommended Procedure

  1. Identify base URL:
./apix.sh probe -u https://api.example.com
  1. Fuzz endpoints:
./apix.sh fuzz -u https://api.example.com -w wordlists/api.txt
  1. Test methods on discovered endpoints:
./apix.sh methods -u https://api.example.com/users
  1. Test authentication behavior:
./apix.sh auth -u https://api.example.com/me --token "$TOKEN"
  1. Save evidence:
./apix.sh full -u https://api.example.com -w wordlists/api.txt --json --txt --out reports/apix

Output Example

APIX Assessment Summary

Target       https://api.example.com
Command      fuzz
Endpoints    128
Findings     6

Severity     Endpoint              Check             Detail
INFO         /health               Status            200 OK
LOW          /debug                Exposure          Endpoint exists
MEDIUM       /admin                Auth              401 without token

Reports

--json
--txt
--out <path_without_extension>

Example:

./apix.sh full -u https://api.example.com --json --txt --out reports/api

Troubleshooting

SSL issues

./apix.sh probe -u https://api.example.com --insecure

Timeout

./apix.sh fuzz -u https://api.example.com -T 15

Rate limits

Use delay:

./apix.sh fuzz -u https://api.example.com --delay 250

Ethics

Use only against APIs you own or are authorized to test.


License

MIT License.