Setting up an API pentesting environment


This is my go-to reference documentation for setting up a fresh dedicated API pentesting environment within Kali.

Setting up Burp

  1. Download Jython

    Head over to and download the latest Jython standalone installer.

  2. Set the Python Environment path

    Set the downloaded Jython installer as the Python Environment path.


  3. Install the Autorize extension

    Within Burp, navigate to Extender > BApp Store > search for Autorize and install the extension.

Install FoxyProxy

With Firefox open, press Ctrl + Shift + A to open the add-ons menu.

  1. Search for FoxyProxy Standard


  2. Add FoxyProxy to Firefox


  3. Navigate to FoxyProxy options


  4. Add Burp to FoxyProxy


  5. Add Postman to FoxyProxy


Configure Burp Suite Certificate

  1. Start Burp
  2. With Burp Suite enabled in FoxyProxy, navigate to http://burpsuite and click the CA Certificate to download the certificate.
  3. In Firefox, open Preferences and use the search bar to look for certificates. Import the downloaded certificate.


  4. In Chrome, open Settings > Privacy and security > Certificates managed by Chrome and import the downloaded certificate (may need to change the file type options to 'All Files').



Postman

  1. Download Postman

    sudo wget -O postman-linux-x64.tar.gz

  2. Extract and install Postman

    sudo tar -xvzf postman-linux-x64.tar.gz

  3. Link the postman command

    sudo ln -s ~/Postman/Postman /usr/bin/postman


mitmproxy2swagger

  1. Install mitmproxy2swagger

    sudo pip3 install mitmproxy2swagger


Git

  1. Install Git

    sudo apt install git


Docker

  1. Install Docker

    sudo apt install docker-compose
    sudo apt install


Golang

  1. Install Golang

    sudo apt install golang-go

At this point a restart may be required.

JWT Tool

  1. Pull down the JWT Tool repo

    sudo git clone

  2. Install JWT Tool

    cd jwt_tool
    python3 -m pip install termcolor cprint pycryptodomex requests
    sudo chmod +x
    sudo ln -s ~/jwt_tool/ /usr/bin/jwt_tool


Kiterunner

  1. Pull down the Kiterunner repo

    sudo git clone

  2. Install Kiterunner

    cd kiterunner
    sudo make build
    cd dist
    sudo ln -s ~/kiterunner/dist/kr /usr/bin/kr


Arjun

  1. Pull down the Arjun repo

    sudo git clone

  2. Install Arjun

    cd Arjun
    sudo python3 install


ZAProxy

  1. Install ZAProxy

    sudo apt install zaproxy

  2. Update OpenAPI add-on

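A post-install check for the /usr/bin links created in the steps above (postman, jwt_tool, kr), added here as an example and not part of the original guide. It reports links that are missing, dangling, pointing at a directory, or pointing at a file without the execute bit; `link_state` and `audit_links` are hypothetical helper names, and the PATH command names used for the apt/pip packages are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the tool links it creates.

# Classify one path: ok | missing | dangling | directory | not-executable
link_state() {
    p=$1
    # Neither a file nor a symlink at this path: the ln -s step was never run.
    if [ ! -e "$p" ] && [ ! -L "$p" ]; then echo missing; return; fi
    # Symlink exists but its target does not (repo moved, build not run).
    if [ -L "$p" ] && [ ! -e "$p" ]; then echo dangling; return; fi
    # Link resolves to a directory (e.g. the repo folder instead of the script).
    if [ -d "$p" ]; then echo directory; return; fi
    # Target exists but the chmod +x step was skipped.
    if [ ! -x "$p" ]; then echo not-executable; return; fi
    echo ok
}

# audit_links <bindir> <name>... : print "<state> <name>" per link;
# the return status is the number of links that are not "ok".
audit_links() {
    bindir=$1; shift
    bad=0
    for name in "$@"; do
        s=$(link_state "$bindir/$name")
        echo "$s $name"
        [ "$s" = ok ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Run only when invoked with --run, so sourcing this file has no side effects.
if [ "${1:-}" = "--run" ]; then
    # Links created with "ln -s" in this guide.
    audit_links /usr/bin postman jwt_tool kr || echo "links need attention: $?"
    # Assumed command names for the apt/pip packages installed in this guide.
    for c in git docker-compose go zaproxy mitmproxy2swagger; do
        if command -v "$c" >/dev/null 2>&1; then echo "ok $c"
        else echo "missing $c"; fi
    done
fi
```

Save it under any filename and run it with `--run` after the last install step; anything other than `ok` points at the step to repeat.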


Jacob Riggs

Jacob Riggs is a senior cyber security professional based in the UK with over a decade of experience working to improve the cyber security of various private, public, and third sector organisations. His contributions focus on expanding encryption tools, promoting crypto-anarchist philosophy, and pioneering projects centred on leveraging cryptography to protect the privacy and political freedoms of others.

E3FE 4B44 56F5 69BE 76C1 E169 E3C7 0A52 9AEF DB6F
