A security testing platform for penetration testers, security professionals and developers that identifies and assesses vulnerabilities in API endpoints.
API-Tester streamlines the API security testing workflow. It imports API endpoints from Swagger/OpenAPI documentation and applies targeted security rules to each of them to surface potential vulnerabilities. Supported test cases include SQL injection, NoSQL injection, rate limiting bypass attempts, and more. Detailed reporting and historical tracking help teams keep their APIs secure over time. The tests are active (they send injection payloads and request floods to the target), so run them only against APIs you are authorized to test.
- Seamless integration with any Swagger/OpenAPI specification URL
- Intelligent endpoint analysis and security testing
- Support for multiple API versions and endpoints
- Customizable request parameters for thorough testing
- SQL Injection Testing (RULE-1)
  - Multiple SQL injection patterns
  - Error-based detection
  - Union-based injection attempts
  - Authentication bypass attempts
- NoSQL Injection Testing (RULE-2)
  - MongoDB operator injection
  - Null byte injection
  - Boolean-based attacks
  - Authentication bypass using NoSQL operators
- Rate Limiting Tests (RULE-3)
  - Concurrent request flooding
  - Rate limit bypass detection
  - Header manipulation tests
  - Response time analysis
- Basic Availability Testing (RULE-4)
  - Endpoint accessibility verification
  - Response code validation
  - Basic health checks
- Real-time test execution and monitoring
- Detailed vulnerability reports
- Historical scan results tracking
- Request/Response analysis
- Customizable test parameters
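As an added example (not API-Tester's own code) of what a rule-based engine in the RULE-1/RULE-2 style has to do: walk an OpenAPI document for injectable locations, build payload-bearing requests per rule, send them, and decide from each response whether the payload landed. The OpenAPI fragment, payload lists, detectors and the deliberately vulnerable mock backend are all constructed here; nothing in it reflects API-Tester's actual rule format, request builder or response handling.

```javascript
// Added example, not API-Tester's own code: a minimal OpenAPI-driven injection
// tester in the spirit of RULE-1 (error-based SQLi) and RULE-2 (NoSQL operator
// injection). Spec, payloads and mock backend are constructed; it runs offline.
const spec = { // constructed OpenAPI 3 fragment
  openapi: '3.0.0',
  paths: {
    '/users': { get: { parameters: [{ name: 'name', in: 'query' }, { name: 'limit', in: 'query' }] } },
    '/login': { post: { requestBody: { content: { 'application/json': { schema: {
      type: 'object', properties: { user: { type: 'string' }, pass: { type: 'string' } } } } } } } },
  },
};

// One target per operation: its query parameter names and JSON body field names.
function enumerateOperations(spec) {
  const ops = [];
  for (const [path, methods] of Object.entries(spec.paths)) {
    for (const [method, op] of Object.entries(methods)) {
      const params = (op.parameters || []).filter((p) => p.in === 'query').map((p) => p.name);
      const schema = op.requestBody && op.requestBody.content['application/json'].schema;
      const bodyFields = schema ? Object.keys(schema.properties || {}) : [];
      ops.push({ path, method: method.toUpperCase(), params, bodyFields });
    }
  }
  return ops;
}

// Each rule: payloads, injection strategy and a detector over the response. 'each'
// injects one location at a time; 'all' fills every body field at once, which a
// NoSQL login bypass needs because both user and pass must match.
const RULES = {
  'RULE-1': {
    payloads: ["'", "' OR '1'='1", "1 UNION SELECT NULL--"],
    strategy: 'each',
    detect: (res) => /sql syntax|sqlite_|ORA-\d{5}|unterminated quoted string/i.test(res.body),
  },
  'RULE-2': {
    payloads: [{ $ne: null }, { $gt: '' }, { $regex: '.*' }],
    strategy: 'all',
    detect: (res) => res.status === 200 && /"authenticated":true/.test(res.body),
  },
};

// Concrete requests for one operation under one rule; untouched locations get a benign filler.
function buildRequests(op, ruleId) {
  const rule = RULES[ruleId];
  const base = { method: op.method, path: op.path,
    query: Object.fromEntries(op.params.map((p) => [p, 'test'])),
    body: Object.fromEntries(op.bodyFields.map((f) => [f, 'test'])) };
  const out = [];
  for (const payload of rule.payloads) {
    if (rule.strategy === 'each') {
      for (const p of op.params) out.push({ ...base, query: { ...base.query, [p]: payload }, location: `query:${p}`, payload });
      for (const f of op.bodyFields) out.push({ ...base, body: { ...base.body, [f]: payload }, location: `body:${f}`, payload });
    } else if (op.bodyFields.length) {
      out.push({ ...base, body: Object.fromEntries(op.bodyFields.map((f) => [f, payload])), location: 'body:*', payload });
    }
  }
  return out;
}

// Run every rule against every operation through `send` (the mock here; a real
// scanner issues HTTP). Report the first payload per location that a detector accepts.
function runScan(spec, send) {
  const findings = [];
  for (const op of enumerateOperations(spec)) {
    for (const ruleId of Object.keys(RULES)) {
      const hit = new Set();
      for (const req of buildRequests(op, ruleId)) {
        if (hit.has(req.location)) continue;
        const res = send(req);
        if (!RULES[ruleId].detect(res)) continue;
        hit.add(req.location);
        findings.push({ method: op.method, path: op.path, rule: ruleId, location: req.location, payload: req.payload, status: res.status });
      }
    }
  }
  return findings;
}

// Constructed mock backend. /users concatenates `name` into SQL and leaks the driver
// error on an unbalanced quote; /login compares fields the way an unguarded
// findOne({ user, pass }) would, so operator objects are honoured, not stringified.
function fieldMatches(stored, supplied) {
  if (typeof supplied !== 'object' || supplied === null) return stored === supplied;
  if ('$ne' in supplied) return stored !== supplied.$ne;
  if ('$gt' in supplied) return stored > supplied.$gt;
  if ('$regex' in supplied) return new RegExp(supplied.$regex).test(stored);
  return false;
}
function mockBackend(req) {
  if (req.method === 'GET' && req.path === '/users') {
    const name = String(req.query.name);
    if ((name.match(/'/g) || []).length % 2) return { status: 500, body: `You have an error in your SQL syntax near '${name}'` };
    return { status: 200, body: JSON.stringify([{ name }]) };
  }
  if (req.method === 'POST' && req.path === '/login') {
    const ok = fieldMatches('admin', req.body.user) && fieldMatches('s3cret', req.body.pass);
    return { status: ok ? 200 : 401, body: JSON.stringify({ authenticated: ok }) };
  }
  return { status: 404, body: '' };
}

console.log(JSON.stringify(runScan(spec, mockBackend), null, 2));
```

Run it with `node`; it prints two findings: the error-based SQL injection on `GET /users?name='` and the NoSQL operator bypass of `POST /login`. The quote-balanced payload `' OR '1'='1` raises no error on the mock, which is exactly why a real scanner pairs error-based detection with boolean- or time-based checks rather than relying on leaked driver messages alone.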
- Backend: Node.js, Express.js
- Frontend: React, TypeScript, Vite
- Database: MongoDB
- Documentation: Swagger/OpenAPI
- Testing Framework: Custom rule-based testing engine
- Node.js (v14 or higher)
- MongoDB
- npm or yarn
```bash
# Clone the repository
git clone <repository-url>
cd API-Tester

# Install dependencies
npm install

# Install frontend dependencies
cd frontend && npm install

# Create environment file
cp .env.example .env

# Start the application
npm run dev
```

Import Swagger documentation:

```
POST /api/fetch
{
  "url": "https://your-api.com/swagger.json"
}
```

Start a new scan (RULE-1 is the SQL injection test):

```
POST /api/scans
{
  "ruleId": "RULE-1",
  "apiInfoId": "your-api-id"
}
```

- Access the dashboard at http://localhost:3000
- View detailed scan reports
- Analyze individual endpoint results

- `POST /api/fetch` - Import Swagger documentation
- `GET /api/requests` - List all API endpoints
- `POST /api/scans` - Start new security scan
- `GET /api/processed-requests` - View test results
- `GET /api/rules` - List available security rules
- `GET /api/rules/:id` - Get a custom rule
Contributions are welcome! Please read our Contributing Guide for details on our code of conduct and the process for submitting pull requests.
This project is licensed under the MIT License - see the LICENSE file for details.
For security issues, please email snapsec@gmail.com or open a security advisory on the repository rather than a public issue.