hAPI (hackAPI) is a Python-based CLI tool designed for offensive security professionals, security analysts, software engineers, and system administrators. It automates security checks for RESTful APIs, helping to identify common misconfigurations before attackers can exploit them.
Key Features of hAPI (Beta Release)
- HTTP Verb Tampering Detection
- Lack of Rate Limiting Detection
- Insecure Cross-Origin Resource Sharing (CORS) Detection
- Common HTTP Security Headers Misconfigurations
- Usage of HTTP Basic Authentication Detection
hAPI generates detailed reports in HTML or JSON format, providing actionable insights into your API’s security posture. Currently, it requires an OpenAPI/Swagger schema to function, but future updates aim to make it more flexible.
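To make the feature list above concrete, here is a small Python checker that performs three of the checks hAPI's list names (security headers, insecure CORS, HTTP Basic Authentication) against a set of response headers and emits a JSON report. This is an added example written for this post, not hAPI's own code; the expected header values, the probe origin and the two constructed response header sets are assumptions chosen to show one weak and one hardened configuration.

```python
import json
from typing import Dict, List

# Headers a baseline API response should carry. Expected values are this
# example's own assumptions, not hAPI's rule set.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": None,   # any value, but must contain max-age
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": None,             # DENY or SAMEORIGIN
    "Content-Security-Policy": None,
}

# Constructed origin that a real API should never echo back in ACAO.
PROBE_ORIGIN = "https://untrusted.example"


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise once."""
    return {k.lower(): v for k, v in headers.items()}


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Findings for missing or weak common HTTP security headers."""
    h = _lower(headers)
    findings = []
    for name, expected in REQUIRED_HEADERS.items():
        value = h.get(name.lower())
        if value is None:
            findings.append(f"missing header: {name}")
        elif expected is not None and value.strip().lower() != expected:
            findings.append(f"weak header: {name}={value!r} (expected {expected})")
    hsts = h.get("strict-transport-security", "")
    if hsts and "max-age" not in hsts.lower():
        findings.append("weak header: Strict-Transport-Security lacks max-age")
    return findings


def check_cors(headers: Dict[str, str], probe_origin: str = PROBE_ORIGIN) -> List[str]:
    """Findings for CORS policies that expose responses to arbitrary origins."""
    h = _lower(headers)
    acao = h.get("access-control-allow-origin")
    with_creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    suffix = " with credentials" if with_creds else ""
    findings = []
    if acao == "*":
        findings.append("permissive CORS: wildcard origin" + suffix)
    elif acao and acao == probe_origin:
        findings.append("insecure CORS: untrusted origin reflected" + suffix)
    return findings


def check_basic_auth(headers: Dict[str, str]) -> List[str]:
    """Finding if the API advertises HTTP Basic Authentication."""
    challenge = _lower(headers).get("www-authenticate", "")
    if challenge.strip().lower().startswith("basic"):
        return ["HTTP Basic Authentication in use (credentials sent base64-encoded on every request)"]
    return []


def audit(headers: Dict[str, str], probe_origin: str = PROBE_ORIGIN) -> dict:
    """Run all checks and return a JSON-serialisable report."""
    findings = check_headers(headers) + check_cors(headers, probe_origin) + check_basic_auth(headers)
    return {"count": len(findings), "findings": findings}


# Constructed sample responses (not captured from any real API).
WEAK_RESPONSE = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": PROBE_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
    "WWW-Authenticate": 'Basic realm="api"',
}

HARDENED_RESPONSE = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "Access-Control-Allow-Origin": "https://app.example",
    "WWW-Authenticate": 'Bearer realm="api"',
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, json.dumps(audit(resp), indent=2))
```

In a real run the header dict would come from the response to each path in the OpenAPI schema; the reflection check only means something when the probe origin is one the API has no reason to trust.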
Example Commands and Usage
1. Install hAPI:
pip install hapi-tool
2. Run hAPI with an OpenAPI/Swagger Schema:
hapi --schema openapi_schema.json --output report.html
3. Check for HTTP Verb Tampering:
hapi --schema openapi_schema.json --test verb-tampering
4. Generate JSON Report:
hapi --schema openapi_schema.json --output report.json --format json
5. Check for Missing Security Headers:
hapi --schema openapi_schema.json --test security-headers
Future Updates
- Support for non-Swagger/OpenAPI schemas.
- Additional tests for advanced API vulnerabilities.
- Integration with CI/CD pipelines for automated security checks.
What Undercode Say
hAPI is a powerful tool for identifying API misconfigurations, making it a must-have for security professionals. Its ability to automate security checks and generate detailed reports saves time and ensures a robust security posture. Here are some additional commands and tools to complement hAPI:
1. Nmap for API Port Scanning:
nmap -p 80,443,8080 target_api.com
2. OWASP ZAP for API Security Testing:
zap-cli quick-scan --spider -r http://target_api.com
3. Curl for Manual API Testing:
curl -X GET http://target_api.com/api/v1/resource
4. Linux Command to Monitor API Logs:
tail -f /var/log/api_access.log
5. Windows Command to Check API Connectivity:
ping target_api.com
6. Python Script to Test Rate Limiting:
import requests

# Send a burst of requests; a 429 (Too Many Requests) or similar block
# somewhere in the run indicates rate limiting is in place.
for i in range(100):
    response = requests.get("http://target_api.com/api/v1/resource")
    print(f"Request {i+1}: {response.status_code}")
7. Linux Command to Check Open Ports:
netstat -tuln | grep :80
8. Windows Command to List Active Connections:
netstat -an | find "ESTABLISHED"
9. Linux Command to Check HTTP Headers:
curl -I http://target_api.com
10. Windows Command to Test SSL/TLS Configuration:
openssl s_client -connect target_api.com:443
hAPI is a step forward in API security, and its continuous development will make it an indispensable tool for securing modern web applications. For more information, visit the official hAPI GitHub repository.
References:
initially reported by: https://www.linkedin.com/posts/lyuben-petrov-b287bb236_apisecurity-cybersecurity-pentesting-activity-7300079975049650176-HqiL – Hackers Feeds