diff --git a/document/4-Web_Application_Security_Testing/12-API_Testing/00-API_Testing_Overview.md b/document/4-Web_Application_Security_Testing/12-API_Testing/00-API_Testing_Overview.md index 6501fc88b2..b7ef9f7509 100644 --- a/document/4-Web_Application_Security_Testing/12-API_Testing/00-API_Testing_Overview.md +++ b/document/4-Web_Application_Security_Testing/12-API_Testing/00-API_Testing_Overview.md @@ -102,3 +102,10 @@ Application APIs that conform to REST principles use the response status code of | 404 | Not Found | Resource doesn't exist or incorrect based on the request | | 405 | Method Not Allowed | Invalid method or unknown method used | | 500 | Internal Server Error | Server failed to process request due to an internal error | + +## References + +1. [OWASP REST Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html) +2. [OWASP REST Assessment Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/REST_Assessment_Cheat_Sheet.html) +3. [OWASP API Security Project](https://owasp.org/www-project-api-security/) +4. [OWASP API Security Tools](https://owasp.org/www-community/api_security_tools)
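Review bot: The new References section uses a numbered list (1. to 4.), but nothing in the visible context, including the status-code table just above it, cites these entries by number. The numbering therefore suggests a citation scheme that is not in use. Either switch to an unordered list, or add inline references from the relevant text to the entries that support it (for example, from the status-code discussion to the REST Security Cheat Sheet). The entries are also bare titles. A short phrase on what each link covers would help readers tell the REST Security and REST Assessment cheat sheets apart, and the API Security Project apart from the API Security Tools page.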