A free CLI tool for simulating API attack patterns against your own development and staging endpoints — so you can verify your defenses are working before an attacker finds out they're not.
Built and maintained by Alfasentinel.
| Attack type | What it does | What it tests |
|---|---|---|
| Brute force / credential stuffing | Fires N login attempts against your auth endpoint | BruteForceDetector, rate limiting, lockout policies |
| BOLA / IDOR | Sequentially accesses resource IDs from an authenticated session | BOLADetector, object-level authorization checks |
| Shadow API discovery | Probes 20+ common undocumented paths | ShadowAPIDetector, route table hygiene |
| Rate spike | Fires N req/s for a defined window | RateSpikeDetector, baseline monitoring, aggregate rate limits |
```bash
pip install requests
python api_attack_simulator.py --help
```

Or clone:

```bash
git clone https://github.com/alfasentinel/api-attack-simulator
cd api-attack-simulator
pip install -r requirements.txt
```

```bash
# Run all 4 attack simulations against your local API
python api_attack_simulator.py --url http://localhost:5000 --all --confirm

# Brute force only — 100 attempts, 150ms delay, distributed user agents
python api_attack_simulator.py --url http://localhost:5000 \
  --attack brute \
  --endpoint /api/auth/login \
  --attempts 100 \
  --delay 150 \
  --distributed \
  --confirm

# BOLA simulation — authenticated session, starting at ID 5000
python api_attack_simulator.py --url http://localhost:5000 \
  --attack bola \
  --endpoint /api/v1/users/{id} \
  --start-id 5000 \
  --auth-token YOUR_TEST_TOKEN \
  --confirm

# Shadow API discovery
python api_attack_simulator.py --url http://staging.yourapp.com \
  --attack shadow \
  --confirm

# Rate spike — 100 req/s for 15 seconds
python api_attack_simulator.py --url http://localhost:5000 \
  --attack spike \
  --endpoint /api/v1/data \
  --rate 100 \
  --duration 15 \
  --confirm
```

Each attack prints real-time results and a summary report:

```text
[14:23:01] [WARN] Attempt 23: RATE LIMITED (429) — basic rate limiting triggered
[14:23:01] [OK] Detection triggered at attempt 23.
═══════════════════════════════════════════════════════
SIMULATION COMPLETE — SUMMARY REPORT
═══════════════════════════════════════════════════════
BRUTE_FORCE
Total requests: 23
Status distribution: {'401': 22, '429': 1}
```
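To show what the `brute` simulation is exercising on the defending side, here is an added example of a sliding-window brute-force detector; it is not ApiSentinel's `BruteForceDetector` or code from this repository, and the threshold, window, client address and login handler are constructed for illustration.

```python
# Added example (not ApiSentinel's or the simulator's code): a sliding-window
# brute-force detector of the kind the "brute" simulation is meant to trip.
# Constructed assumptions: failures are keyed by client IP, the threshold and
# window are illustrative, and the login handler returns 401/429/200 directly.
from collections import Counter, defaultdict, deque


class BruteForceDetector:
    def __init__(self, threshold=22, window_seconds=60):
        self.threshold = threshold
        self.window = window_seconds
        self.failures = defaultdict(deque)  # client -> timestamps of failed logins

    def _prune(self, client, now):
        # Drop failures older than the window so a real user is not locked out forever.
        q = self.failures[client]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_limited(self, client, now):
        """True when the client has reached the failure threshold inside the window."""
        self._prune(client, now)
        return len(self.failures[client]) >= self.threshold

    def record_failure(self, client, now):
        self._prune(client, now)
        self.failures[client].append(now)


def handle_login(detector, client, password, now, correct="s3cret"):
    """Return an HTTP status: 429 while limited, 401 on bad credentials, 200 on success."""
    if detector.is_limited(client, now):
        return 429  # the simulator reports this as "RATE LIMITED (429)"
    if password != correct:
        detector.record_failure(client, now)
        return 401
    return 200


def simulate_brute_force(attempts=23, delay_ms=150, client="203.0.113.7"):
    """Replay N wrong-password attempts from one client, delay_ms apart, and
    return the status distribution the summary report above would show."""
    detector = BruteForceDetector()
    statuses = [
        handle_login(detector, client, f"guess{i}", now=i * delay_ms / 1000)
        for i in range(attempts)
    ]
    return Counter(str(s) for s in statuses)  # {'401': 22, '429': 1}
```

Because this detector keys on the client address rather than the request headers, the simulator's `--distributed` option (rotating user agents) is still caught; a detector keyed on user agent alone would not be, which is the kind of gap the simulation is meant to surface.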
This tool pairs with ApiSentinel — run the simulator against your staging environment with ApiSentinel active to verify all four detectors fire as expected before you go to production.
```bash
# Test your ApiSentinel integration end-to-end
python api_attack_simulator.py --url https://staging.yourapp.com --all --confirm
# Then check your ApiSentinel dashboard — you should see 4 detection events
```

This tool is for testing your own APIs in development or staging environments only.
Using it against APIs you don't own or have explicit permission to test is illegal under computer fraud laws in most jurisdictions. The `--confirm` flag exists as a deliberate friction point.
PRs welcome. Useful additions:
- More shadow API wordlists
- JWT manipulation attacks
- GraphQL introspection probing
- Mass assignment testing
MIT — free to use, modify, and distribute.
Built by Alfasentinel | contact@alfasentinel.com