Initial Setup

This API Hacking System blog post is written specifically for Kali Linux.


sudo apt update -y && sudo apt upgrade -y && sudo apt dist-upgrade -y && sudo apt autoremove -y

Git, Go & Python

sudo apt install git -y
sudo apt install golang -y
sudo apt install python3 -y


Google Chrome

sudo wget
sudo apt install ./google-chrome-stable_current_amd64.deb

Mozilla Firefox

  • Preinstalled with Kali

Proxy Tools

Burp Suite Community Edition

  • Preinstalled with Kali
  • Add the Burp Suite Certificate
  • Download Jython and add the .jar file to the Extender Options


FoxyProxy

FoxyProxy is an advanced proxy management tool that completely replaces Firefox’s limited proxying capabilities.

For Chrome: Download | For Firefox: Download

  • Setup Proxy for Burp & Postman


mitmproxy2swagger

Automagically reverse-engineer REST APIs by capturing traffic

sudo pip3 install mitmproxy2swagger
  • Add the mitmweb certificate


Postman

An API platform for building and using APIs

sudo wget -O postman-linux-x64.tar.gz
sudo tar -xvzf postman-linux-x64.tar.gz -C /opt
sudo ln -s /opt/Postman/Postman /usr/bin/postman
  • Configure Postman to proxy through Burp Suite

Zed Attack Proxy

OWASP ZAP is an open-source web application security scanner

sudo apt install zaproxy -y



Amass

In-depth Attack Surface Mapping and Asset Discovery

  • Preinstalled with Kali
mkdir -p "$HOME/.config/amass"
curl >$HOME/.config/amass/config.ini


Arjun

HTTP Parameter Discovery Suite

sudo apt install arjun -y

JSON Web Token Toolkit

A toolkit for testing, tweaking and cracking JSON Web Tokens

cd /opt/
sudo git clone
cd jwt_tool
python3 -m pip install termcolor cprint pycryptodomex requests
sudo chmod +x
sudo ln -s /opt/jwt_tool/jwt_tool.py /usr/bin/jwt_tool


Kiterunner

Contextual Content Discovery Tool

cd /opt/
sudo git clone
cd kiterunner
sudo make build
sudo ln -s $(pwd)/dist/kr /usr/local/bin/kr
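As an added check (an example script, not from the original post), the following POSIX shell script verifies that the tools installed above are reachable on PATH and flags symlinks whose target is missing, which is what a mistyped or later-moved `ln -s` target leaves behind. The command names it checks are assumed to match the ones used in the install steps above.

```shell
#!/bin/sh
# Added example: sanity-check the API hacking toolchain after setup.
# Assumed command names (as used in the post): amass, arjun, jwt_tool, kr,
# zaproxy, postman, mitmproxy2swagger, plus git, go and python3.

# Return 0 if the tool is on PATH, 2 if it exists on PATH only as a symlink
# whose target is gone (command -v silently skips those), 1 if absent.
check_tool() {
    tool="$1"
    if path=$(command -v "$tool" 2>/dev/null); then
        echo "OK       $tool ($path)"
        return 0
    fi
    old_ifs=$IFS; IFS=:; set -- $PATH; IFS=$old_ifs
    for d in "$@"; do
        if [ -L "$d/$tool" ] && [ ! -e "$d/$tool" ]; then
            echo "DANGLING $tool -> $(readlink "$d/$tool")"
            return 2
        fi
    done
    echo "MISSING  $tool"
    return 1
}

# Count dangling symlinks in a directory such as /usr/bin or /usr/local/bin.
dangling_links() {
    count=0
    for f in "$1"/*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Check every tool from the post; the return value is the number of failures.
check_all() {
    failures=0
    for t in git go python3 amass arjun jwt_tool kr zaproxy postman mitmproxy2swagger; do
        check_tool "$t" || failures=$((failures + 1))
    done
    echo "dangling symlinks in /usr/local/bin: $(dangling_links /usr/local/bin)"
    return "$failures"
}
```

Run `check_all` after finishing the setup; a non-zero exit code means at least one tool is missing or dangling.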


  • Preinstalled with Kali


  • Preinstalled with Kali



You can download all of the wordlists at once, using the following command:

wget -r --no-parent -R "index.html*" -nH



SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.

sudo apt install seclists -y


The wordlists from kali-defaults

sudo apt install wordlists -y

You can find them here: /usr/share/wordlists/

root@kali:~# wordlists -h

> wordlists ~ Contains the rockyou wordlist

├── amass -> /usr/share/amass/wordlists
├── brutespray -> /usr/share/brutespray/wordlist
├── dirb -> /usr/share/dirb/wordlists
├── dirbuster -> /usr/share/dirbuster/wordlists
├── dnsmap.txt -> /usr/share/dnsmap/wordlist_TLAs.txt
├── fasttrack.txt -> /usr/share/set/src/fasttrack/wordlist.txt
├── fern-wifi -> /usr/share/fern-wifi-cracker/extras/wordlists
├── john.lst -> /usr/share/john/password.lst
├── legion -> /usr/share/legion/wordlists
├── metasploit -> /usr/share/metasploit-framework/data/wordlists
├── nmap.lst -> /usr/share/nmap/nselib/data/passwords.lst
├── rockyou.txt.gz
├── seclists -> /usr/share/seclists
├── sqlmap.txt -> /usr/share/sqlmap/data/txt/wordlist.txt
├── wfuzz -> /usr/share/wfuzz/wordlist
└── wifite.txt -> /usr/share/dict/wordlist-probable.txt