Metadata-Version: 2.4
Name: apistrike
Version: 3.0.0
Summary: Stress test any API with 500+ attack vectors in seconds. CLI + Web.
Author: APIStrike
License: MIT
Project-URL: Homepage, https://github.com/apistrike/apistrike
Project-URL: Documentation, https://github.com/apistrike/apistrike#readme
Project-URL: Issues, https://github.com/apistrike/apistrike/issues
Keywords: api,security,testing,pentest,fuzzing,cli
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Testing
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: httpx>=0.27
Requires-Dist: pydantic>=2.0
Provides-Extra: web
Requires-Dist: fastapi>=0.110; extra == "web"
Requires-Dist: uvicorn[standard]>=0.29; extra == "web"
Dynamic: license-file

# APIStrike

Stress test your API with 500+ attack vectors in seconds.

One command. 7 attack suites. 30+ CWE categories. Zero config.

```
$ apistrike https://api.example.com/analyze

   ___   ___  ___  ___  __       _ __
  / _ | / _ \/  _// __// /_ ____(_) /__ ___
 / __ |/ ___// / _\ \ / __// __/ /  '_// -_)
/_/ |_/_/  /___//___/ \__//_/ /_/_/\_\ \__/

  Score: 84/100   Grade: B   Mode: full
  Tests: 583   Crashes: 0   Warnings: 47   Passed: 536
```

---

## Install

```bash
pip install apistrike
```

## Usage

```bash
# Full scan (7 suites, 583 vectors)
apistrike https://api.example.com/endpoint

# Quick scan (5 suites, ~140 vectors)
apistrike https://api.example.com/endpoint --mode quick

# Custom method + headers
apistrike https://api.example.com/users -m GET -H '{"Authorization":"Bearer tok123"}'

# Save JSON report
apistrike https://api.example.com/endpoint -o report.json

# CI-friendly badge output
apistrike https://api.example.com/endpoint --badge

# Pipe JSON to other tools
apistrike https://api.example.com/endpoint --json | jq '.score'

# Filter by severity
apistrike https://api.example.com/endpoint --severity critical,high
```

## CI/CD Integration

APIStrike returns meaningful exit codes:

| Exit Code | Meaning |
|-----------|---------|
| `0` | Clean — no critical or high findings |
| `1` | High-severity findings detected |
| `2` | Critical-severity findings detected |

### GitHub Actions

```yaml
- name: API Security Check
  run: |
    pip install apistrike
    apistrike https://api.staging.example.com/endpoint --mode quick --badge
```

### GitLab CI

```yaml
security_scan:
  script:
    - pip install apistrike
    - apistrike $API_URL --mode quick --json > apistrike-report.json
  artifacts:
    paths:
      - apistrike-report.json
```

## What It Tests

| Suite | Vectors | What it does |
|-------|---------|--------------|
| Adversarial | 180+ | SQLi, XSS, command injection, SSTI, NoSQLi, XXE, LDAP, path traversal |
| Protocol | 60+ | Wrong content-types, invalid JSON, method abuse, HTTP smuggling |
| Load | 50+ | Concurrent flood, rapid-fire sequential requests, connection exhaustion |
| Edge Cases | 80+ | Null bytes, deep nesting, huge payloads, boundary values, unicode |
| Consistency | 40+ | Idempotency, state corruption, race conditions |
| Reflection | 30+ | XSS reflection in body/headers/cookies, injection echo detection |
| Info Leak | 140+ | Sensitive paths (.env, .git), header leaks, error verbosity, CORS |

**30+ CWE categories** covered including CWE-89, CWE-79, CWE-78, CWE-918, CWE-200, CWE-400, CWE-352.

## Output Modes

```bash
# Default — colored terminal report with full breakdown
apistrike https://example.com/api

# --badge — clean one-liner for screenshots & CI logs
apistrike https://example.com/api --badge
# → APIStrike Score: A (97) | Crashes: 0 | Critical: 0 | High: 2

# --quiet — minimal machine-parseable line
apistrike https://example.com/api --quiet

# --json — full structured report to stdout
apistrike https://example.com/api --json

# --verbose — show every test including passes
apistrike https://example.com/api --verbose
```

## Scoring

Starts at 100. Deductions per finding:

| Finding | Points |
|---------|--------|
| Crash (5xx) | −20 |
| Failure | −10 |
| Warning | −5 |

| Grade | Score |
|-------|-------|
| A | 90–100 |
| B | 75–89 |
| C | 60–74 |
| D | 40–59 |
| F | 0–39 |

## Web UI

APIStrike also ships with a web interface:

```bash
pip install apistrike[web]
python run.py
# → http://127.0.0.1:8000
```

## Rate Limits & Safety

Built-in protections to prevent abuse:

- **SSRF protection** — private/internal IPs are blocked
- **Request timeout** — 10s per individual test request
- **Scan timeout** — 5 minute maximum per full scan
- **Connection cap** — 150 max concurrent connections per scan
- **Web API rate limit** — 10 scans/minute per IP (web mode)

## License

MIT
