MindAPI announcement and call for collaboration


david...@gmail.com

Mar 30, 2021, 6:34:36 AM
to API Security Project
Hi all,

I want to share with you guys my latest open-source project - MindAPI.

MindAPI is a mindmap that could help developers, pentesters, researchers and even bug bounty hunters to approach an API target. You don't need to install anything. It runs online using markmap and it's hosted on GitHub Pages - https://dsopas.github.io/MindAPI/play/
There you have links to open-source tools for specific tests, ways to assess particular API architectures, pinpoint documentation and many more.

You can contribute to the mindmap and to the references page (where you have a list of useful resources):

What say you? :)

Cheers!

Owen Rubel

Mar 30, 2021, 11:47:45 AM
to david...@gmail.com, API Security Project
This is nice but my one criticism when going over it is that a lot of it is just a list of 3rd party tools; it would be helpful to SEPARATE LINKS / API testing / call flow.

For a good video on call flow see this: https://youtu.be/sH68MnmnblE

--
You received this message because you are subscribed to the Google Groups "API Security Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-security-pro...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/777483f8-f11f-4545-858c-9be8327db776n%40owasp.org.

David Sopas

Mar 30, 2021, 12:14:46 PM
to Owen Rubel, API Security Project
Hi Owen,

Thanks for the feedback. The main objective is not creating something that you describe in that video. The plan is to have a more hands-on approach methodology.
E.g.: Test for race conditions -> here is the open-source tool to do it.


Owen Rubel

Mar 30, 2021, 1:20:45 PM
to David Sopas, API Security Project
Right, there are a lot of people pushing tooling. My fear is that as we push more and more tooling, people seem to be becoming more and more ignorant of how APIs actually WORK.

And as a result, inefficient and incapable of building and implementing secure and scalable APIs.

90% of API developers cannot explain the API call flow, don't understand why we need to implement the OWASP API Top 10 (or where it should be implemented in the call flow and why), and it gets worse and worse as people just want to answer these questions with tooling rather than actually understanding.

Not that tools are bad... but yes, most API tools out there are bad as they are being improperly used, do not supply security/scale/functionality, and their concern is making money... not communication/engineering/securing your backend.

Paulo Silva

Mar 30, 2021, 2:38:41 PM
to Owen Rubel, David Sopas, API Security Project
In this case MindAPI is more on the offensive side and tooling is an important part of it.

I agree that on the development side, understanding how APIs work is crucial. Throwing security tools/solutions in front of APIs won't make them secure but less exposed. We've experienced it in the past with Web Applications and the advent of WAFs.

APIs are challenging for both developers and pentesters. Sharing is caring: let's keep doing our best to spread the word.

Cheers,

David Sopas

Mar 30, 2021, 3:38:08 PM
to Owen Rubel, API Security Project
Yep, agree. Many don't know how APIs actually work. Here is my suggestion - why don't you work on an API flow solution? I'm happy to put it in the references section on MindAPI.

Like I wrote before, MindAPI has a different target and purpose.

Thanks.

Cheers

Adam Fisher

Mar 30, 2021, 4:38:02 PM
to david...@gmail.com, API Security Project
I think this is very helpful. My experience right now is that most don't know how to test APIs and thus they still are not making it into audits and pentest plans.

This is a great start for any Pentester to focus on API testing.

Kind regards,

Adam

Adam Fisher
Principal Security Engineer
CISSP, CCSP, AWS Solutions Architect
MCA - Azure

David Sopas

Mar 30, 2021, 4:51:31 PM
to Adam Fisher, API Security Project
Thanks Adam.
Feel free to contribute 😀

Cheers

Owen Rubel

Mar 30, 2021, 5:39:05 PM
to Adam Fisher, david...@gmail.com, API Security Project
I should also add that one should do smoke tests too as part of the DevOps and build process.
