Hydra can be used to attack API endpoints that accept JSON (though apparently there can be some problems with the headers that are passed along):
hydra -vV -f -l $USERNAME -P $PASSWORDLIST \
$HOST http-post-form \
$ENDPOINT:"$TEMPLATE":F="$INVALID":H="Content-Type\: application/json"The $TEMPLATE is basically the JSON request body with the special placeholders ^USER^ and ^PASS^ (colons escaped). $INVALID is a string that will appear for login failures (note that this string cannot contain a colon, but fortunately is a substring match). The H parameter at the end allows us to override specific headers (necessary because otherwise Hydra sends Content-Type: application/x-www-form-urlencoded).