tips tools reconnaissance

SecurityTrails Blog · Jul 02 · SecurityTrails team

Top 12 Cyber Security APIs

Reading time: 12 minutes

Application Programming Interfaces (known as API), are the standard method of integrating, improving and sharing data over online services.

In the ’90s, if you wanted to integrate new features into your web application, you had to build the entire code by yourself or download data from 3rd party services, parse it by yourself, and then figure out how to integrate it with your application modules. It was a slow, rudimentary and non-scalable process.

But since 2000, when Salesforce and Ebay launched the first APIs in history, API services have evolved—and changed how the internet works in ways we could never have imagined.

Now, APIs are available for anything you can think of, including setting up e-commerce websites, payment wallets, digital coins, interacting with social networks and email services. There are also red team and blue team APIs that boost the current infosec and cybersecurity market.

That’s why today we’re sharing what we think are the top essential infosec and cyber security API services available.

What are Security APIs useful for?

In what scenarios do cybersecurity APIs really come in handy? Let’s find out.

  • Detecting and cleaning malware/viruses. A lot of malware API services are useful for detecting malicious files and code injections in your web apps. You’ll be alerted quickly when a new app is infected with 3rd party illegal code.
  • Exploring the reputation of any website. This type of security API is useful for detecting phishing domains, or pages that are related to uncommon downloads, infected networks, etc.
  • Exploring your attack surface area. Some cybersecurity APIs offer the possibility to explore and audit your DNS records, IP addresses and domain names, letting you find any abnormal changes to your DNS infrastructure to prevent harmful activities like domain hijacking, and also to find stale DNS records, review SSL certificate information and more.
  • Cyber fraud Investigation. If you work for a public or private security agency, using security APIs will enable you to research for fraudulent activity, and track down the culprits behind it.
  • Brand monitoring. Is someone using your name illegally? Find and report illegal usage of any brand name or trademark registered by your company within seconds.
  • Copyright violation research. Find and research 3rd party websites using your copyrighted materials; locate IP addresses, records, domain names and use web hosting checker features to find the real people behind the operation.
  • Bug and data bounty programs. Ethical hackers participate in bug and data bounty programs to show their skills while earning money with their hacking knowledge. Security APIs are the perfect tool for these white hat hackers seeking valuable reconnaissance information about their targets.

Now that you know what Security APIs are useful for, let’s explore the top most popular cybersecurity APIs in the field.

Some of the following security APIs are OSINT APIs most likely used by red teams, while others are useful for blue teams working to protect against network threats.

This list is based on our experience, and not intended to be definitive. If you find that some popular APIs are missing, please let us know and we’ll gladly expand the article with more useful API reviews.

Google Safe Browsing API

Safe Browsing is a highly-regarded cybersecurity service from Google that helps protect users from browsing phishing domains, deceptive sites and malware/virus-infected web pages.

By using the Safe Browsing API you can automatically check pages against the Safe Browsing database, letting you detect the type of threat affecting a web page. This is helpful for warning users before they jump on to any harmful website, and to prevent the sharing of infected links within your own organization.

Features include:

  • Lookup API: Useful for quickly checking the status of any URL
  • Update API: Enables client apps to download Safe Browsing lists for local client-side URL checks
  • Caching: A useful mechanism for avoiding unnecessary queries and speeding up your final response to client application requests
  • Compression: Enables you to save bandwidth while performing queries against the SafeBrowsing API
  • Local databases: Lets you download and use local URL databases in initial tests
  • Metadata: Useful in distinguishing between threat types and allows you to set up various types of informative warnings whenever a malicious URL is detected

PhishTank API

PhishTank is a valuable resource for keeping safe from phishing campaigns. It offers two types of integrations for developers:

  • Downloadable databases
  • Live API requests

Downloadable databases are the best choice if you’re planning to perform a lot of lookups. They’re available in several formats and updated on a hourly basis.

If you’ll only be performing a few lookups each day, then the PhishTank API feature is the one for you. This API accepts HTTP POST requests and returns the result with the URL status in the PhishTank database.

Combining PhishTank with other DNS-based techniques to find phishing domains is one of the most efficient ways to investigate and prevent this type of cybercrime.

VirusTotal API

VirusTotal is one of the most famous online virus/malware scanners in use. With it, you can upload and scan files on the fly, or scan by URL. They also have a fantastic API service, which enables you with the same functionality from your own apps.

The VirusTotal API lets you upload and scan files or URLs, check scan results, and create useful, relevant comments. The only requirement for access to this API is to get a valid VirusTotal Community account. From that point on, the only thing left is to get your API key, the one you will use to connect to this API.

There are two different types of API access: public API and private API. The public variety is the standard choice for most users, while private API access is dedicated to premium VirusTotal customers only.

The public API has a few limits and conditions:

  • Rate is limited to 4 requests per minute
  • It can’t be used in commercial services or products
  • Shows partial results for threat data
  • Doesn’t offer any SLA or uptime guarantee

Quttera API

Quttera is one of the most respected online malware scanners around. It offers a fast and simple way to find out if your website is infected with random viruses or malware.

Using their API enables you to integrate their powerful malware scanning and monitoring capabilities into your application layer.

Main features include:

  • Proactive monitoring and scanning
  • Ability to check for other sites URL in the Quttera database
  • Full-in-depth scan results
  • Built-in Multithreading for faster scan speed
  • Integrations: REST API returning JSON, XML and YAML based-responses
  • Run and hosted in the Cloud

Sucuri API

There is no doubt that Sucuri is one of the most celebrated anti-malware companies in the world. Since their launch date, they’ve improved and scaled their company like no other, so much so that it was purchased a few years ago by GoDaddy.

Their free website malware scan service has saved developers and system administrators many hours of hard work reviewing lines of code.

In the same way they offer web-based scans, they also offer their commercial API service, which allows the opportunity to scan any website and explore the results.

Main features of the Sucuri API:

  • Easy request model, based on this URL https://[monitor domain]/scan-api.php?k=[your key]
  • Detects malware in seconds
  • Able check for malware blacklists
  • Finds and reports outdated software (core apps, plugins, themes, etc)
  • Informational security warnings about your HTTP server.
  • API Results format: Warning, Error, Info and Notice.

GreyNoise API

A few weeks ago we published a candid and informative interview with Andrew Morris, the mind behind GreyNoise Intelligence. Today we’re excited to tell you more about the company’s objective.

GreyNoise is utilized by security researchers as well as private and public agencies to analyze security-related data from the Internet. The system, developed by Morris himself, specializes in collecting and analyzing data from several Internet-wide scanners, such as Shodan.io, and their own network scanners placed above several data centers in the world.

Right now they’re offering free access to their Alpha API version, a great chance for you to test the real power of GreyNoise.

To access the API from your apps, use either of these URLs:

  • https://api.greynoise.io/
  • http://api.greynoise.io:8888/

Supported API endpoints:

  • GET /v1/query/list: used to list all tags
  • POST /v1/query/tag: used to query all IPs that have a given tag
  • POST /v1/query/ip: used to query all tags associated with a given IP

URLScan API

We’ve written about URLScan before, back when we did our first review about their fantastic OSINT features. Another great thing about them is their support for API calls from your applications, so you can jump right on into the cool capabilities this service offers.

The basic functions of the URLScan API can help you submit URLs, perform a scan and retrieve the results once the process is finished.

You can also perform historical searches over existing domain scans, perform IP lookups, retrieve hashes and ASN results, and more. Beyond that, it’s up to you to decide whether you want to show the results on the URLScan front page or not.

Another great feature about this API is that the historical search and retrieve process for existing results can be performed without user registration. In other words, it’s 100% anonymous.

Cloudflare API

Keeping in mind the huge impact Cloudflare has made in the cybersecurity industry, it’s impossible to create a list of cybersecurity API’s without mentioning theirs. As you may know, Cloudflare is a proxy-based service that lets you boost the web performance and app security of your company by simply changing the Name Servers of your domains.

Cloudflare security services focus on high-end powerful DNS and web application firewalls (WAF), domain and DNS security, SSL encryption, VPN and effective anti-DDOS solutions.

When it comes to API access, they offer the following features and capabilities:

  • Manage user accounts, members, roles, and subscriptions
  • Adjust account security level
  • DNS firewall management
  • SSL management
  • Rate limit configuration
  • WAF rule configuration
  • Set custom filters
  • Tweak AntiDDoS settings

Shodan API

Shodan is one of the world’s most popular Internet search engines—but we’re not talking about search engines like Google or Bing. Shodan focuses on crawling all types of systems connected to the Internet (webcams, routers, servers, intelligent homes and devices, power plants, etc).

This search engine for Internet-connected devices lets you analyze and get valuable intelligence data to create digital maps, retrieve useful OSINT data, and even to create marketing plans by watching how these devices are used.

For security researchers, Shodan has become one of the most useful tools in existence. If you’re a developer wondering how you can integrate their services in your apps, take advantage of the great documentation and efficient libraries that make it easy to access the Shodan API using the most popular programming languages.

Main API features include:

  • Support for Python, Ruby, PHP, C#, Go, Haskell, Java, Node.js, Perl, PowerShell, Rust
  • REST API: useful for quick lookups, query information and for searching Shodan
  • Streaming API: API is an HTTP-based service used to watch real-time data feeds collection
  • Shodan Search Methods, On-Demand Scanning, Network Alerts
  • Shodan Directory Methods

Metasploit API

Some time ago, when we wrote about the era’s most popular ethical hacking tools, we mentioned Metasploit as a top choice for discovering network hosts, evading detection systems and executing remote attacks over software vulnerabilities.

Metasploit offers API access for all their editions, including the community free edition. Apart from the standard API, by using the Pro version of Metasploit, you can access extra API features like managing automated exploitation and reporting.

Metasploit Standard API features include:

  • Authentication The auth API is used by sec researchers to log and manage authentication tokens.
  • Core: the core API is the best way to manage global variables in the framework object, save configurations, reload modules, etc.
  • Console: This API lets you allocate and work with the Metasploit Framework Console, allowing you to send commands, read output results and more.
  • Jobs. The jobs API is useful for listing jobs, getting information about current jobs, or killing some of them if necessary.
  • Plugins. Used to list, load and unload plugins.
  • Sessions: The Sessions API is useful for opening sessions, terminating sessions, and for interacting with exploited systems.

AlienVault API

AlienVault is one of the top most relied-upon threat intelligence companies used by security researchers today. Their API service offers direct access to all essential threat intelligence from their OTX, so you can integrate all their features in your online applications.

The AlienVault OTX API is part of the AlienVault project, and enables you to detect threats targeting your environment with updated daily threat indicators.

Here are some of their main features:

  • Support for Direct Connect Agents
  • DirectConnect SDKs (Java, Python, Go
  • Support for old-fashioned HTTP API requests (e.g using curl)
  • Accesses more than 19 million threat indicators
  • Easily identifies compromised endpoints
  • Thousand of live API usage examples

SecurityTrails Data Security API

The SecurityTrails API offers security data for researchers and companies in a fast and easy way. Our API is focused on bringing to light the latest current and past data about domain services, DNS servers, DNS records, IP addresses, open ports and SSL certificates.

Main features:

  • DNS History: Pull current and past DNS records from our passive database.
  • Discover Subdomains: Find subdomains easily, within seconds.
  • WHOIS History: We hold up to 3 billion current/historical WHOIS data and WHOIS changes.
  • Associated Domains: With only a couple of clicks, discover all the associated domains behind the person or company you are investigating.
  • IP Subnet Information: Find full IP subnet information, and discover what sites are hosted behind each IP range.
  • PTR Search (stats): Find PTR records behind IP addresses easily.
  • Fully documented API: Complete an overview of our features, limits, quotas, authentication and much more.
  • Wrappers and SDKs: Available for Python, Node.js, Ruby, R programming language.

In addition, we offer ready-to-use integration with top cybersecurity tools including Spiderfoot, Splunk, Phantom, AMASS and Intrigue.io, as well as technical reference of our API for languages such as Node.js, Ruby, Javascript and Python.

Summary

Infosec and Cyber security APIs are an open door that allow you to add new features to your own software programs, extending their capabilities by letting you interact with a wide range of functions and data.

Now you know there are numerous popular cybersec APIs that can be utilized for almost any of your needs—from virus and malware scanning and enabling safe browsing verification to OSINT threat-intelligence research about any target.


Have you tested our free Security API service? If not, sign up today and begin integrating our powerful passive DNS, domain, IP, SSL and open ports discovery service.

Do you want to take your OSINT research to the next level? Take an empowering look at SurfaceBrowser™, our versatile infosec enterprise platform. Book a demo with our sales team today!