# REST API Pentesting Resources
An application programming interface (API) is a way for two or more computer programs or components to communicate with each other.
## Tools and Wordlists
| Tools | URL | Word List | URL |
|---|---|---|---|
| Burp Suite Pro | Download | Assetnote | Wordlist |
| Postman | Download | SecLists | GitHub |
| Kiterunner | GitHub | | |
| Dirb | Kali Tools | | |
| Gobuster | Kali Tools | | |
## API Pentesting Resources
### GitHub Repositories for API Pentesting
| Credit | URL |
|---|---|
| arainho | https://github.com/arainho/awesome-api-security |
| m14r41 | https://github.com/m14r41/PentestingEverything/tree/main/API%20Pentesting |
### API Security Checklists
| Credit | URL |
|---|---|
| Shieldfy | https://github.com/shieldfy/API-Security-Checklist |
| APISec.ai Blog | https://www.apisec.ai/blog/api-security-checklist |
| Astra Blog | https://www.getastra.com/blog/api-security/api-security-checklist/ |
| Salt Security Blog | https://salt.security/blog/api-security-checklist |
| Indusface Blog | https://www.indusface.com/blog/api-penetration-testing-checklist/ |
### Free API Courses
| Credit | URL |
|---|---|
| APISec University | https://www.apisecuniversity.com/courses/api-penetration-testing |
### Vulnerable APIs
| Credit | URL |
|---|---|
| OWASP | https://github.com/OWASP/crAPI |
| erev0s | https://github.com/erev0s/VAmPI |
| roottusk | https://github.com/roottusk/vapi |
## API Pentesting Checklist
| Aspect | RESTful API | SOAP API | GraphQL API | WebSocket API |
|---|---|---|---|---|
| Protocol | HTTP/HTTPS | HTTP/HTTPS | HTTP/HTTPS | WebSocket |
| Message Format | JSON, XML | XML | JSON | Custom binary or text-based |
| Request Methods | GET, POST, PUT, DELETE, etc. | POST | POST | Custom |
| Endpoint Structure | Multiple endpoints for different resources | Single endpoint | Single endpoint | Single endpoint |
| Query Flexibility | Fixed structure for endpoints and data retrieval | Fixed structure defined by WSDL | Flexible query structure for data retrieval | Real-time bidirectional communication |
| Data Fetching | Partial data fetching via endpoints | Predefined request/response structure | Flexible data fetching with custom queries | Real-time data updates |
| Authentication | Various methods (API keys, OAuth, JWT, etc.) | Various methods (WS-Security, Basic Auth, etc.) | Various methods (API keys, OAuth, JWT, etc.) | Custom authentication schemes |
| Security Protocols | HTTPS, TLS | HTTPS, TLS | HTTPS, TLS | SSL/TLS |
| Common Vulnerabilities | Injection attacks (SQLi, XSS, etc.), Broken Authentication, Insecure Direct Object References, etc. | XML External Entity (XXE) injection, SOAPAction header injection, etc. | Injection attacks, Introspection leaks, Query depth attacks, etc. | Message tampering, DoS attacks, Authorization bypass, etc. |
| Testing Considerations | Input validation, Authentication, Authorization, Error handling, Rate limiting, etc. | WSDL file disclosures, Message validation, Encryption, etc. | Query depth, Introspection, Authorization controls, etc. | Message flooding, Message validation, Encryption, etc. |
### Information Gathering
- Identify the API's purpose, business logic, and functionality.
- Enumerate API endpoints and methods (GET, POST, PUT, DELETE, etc.).
- Gather information about API versioning and changes.
- Discover hidden or undocumented endpoints using fuzzing and brute force.
- Obtain API documentation, if available, and review it for insights.
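One way to turn the documentation review above into a repeatable inventory is to parse the API's OpenAPI document and list every path/method pair together with its effective security requirement. The following is an added example, not code from the original page or any tool it lists; `SAMPLE_SPEC` is a constructed toy document, and the only structure relied on is the standard OpenAPI 3 layout (`paths` → path → method → operation, with `security` at the top level and optionally per operation).

```python
"""Inventory the operations declared in an OpenAPI 3 document.

Added example, not from the original page. SAMPLE_SPEC is constructed; the
paths, operationIds and security scheme names are hypothetical.
"""
from typing import Dict, List

HTTP_METHODS = ("get", "post", "put", "patch", "delete", "head", "options")

SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],          # global default for every operation
    "paths": {
        "/users/{id}": {
            "get": {"operationId": "getUser"},                                 # inherits global
            "delete": {"operationId": "deleteUser", "security": [{"bearerAuth": []}]},
        },
        "/health": {
            "get": {"operationId": "health", "security": []},                  # explicitly open
        },
        "/internal/debug": {
            "post": {"operationId": "debug"},                                  # inherits global
            "parameters": [],                                                  # not a method
        },
    },
}


def inventory(spec: Dict) -> List[Dict]:
    """One record per (path, method) with the security requirement that actually applies.

    Per the OpenAPI spec an operation-level "security" overrides the global one,
    and an empty list means the operation is deliberately unauthenticated.
    """
    global_security = spec.get("security", [])
    records = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:            # skips "parameters", "summary", etc.
            op = item.get(method)
            if op is None:
                continue
            security = op.get("security", global_security)
            records.append({
                "method": method.upper(),
                "path": path,
                "operation_id": op.get("operationId"),
                "security": security,
                "open": len(security) == 0,
            })
    return records


def open_operations(spec: Dict) -> List[str]:
    """'METHOD path' for every operation that requires no authentication at all."""
    return [f"{r['method']} {r['path']}" for r in inventory(spec) if r["open"]]


if __name__ == "__main__":
    for rec in inventory(SAMPLE_SPEC):
        print(("OPEN " if rec["open"] else "auth "), f"{rec['method']:7}{rec['path']}")
```

Anything the inventory marks as open, and anything present in the running API but absent from the spec (found by the fuzzing step above), is where to look first.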
### Authentication Testing
- Test API authentication mechanisms, such as API keys, OAuth, JWT, or basic authentication.
- Verify if authentication tokens or credentials are securely stored on the client side.
- Test for missing or weak authentication, including default credentials.
- Assess multi-factor authentication (MFA) if used.
### Authorization Testing
- Test role-based access control (RBAC) and authorization mechanisms.
- Check if users can access resources they shouldn't have permissions for.
- Test for horizontal privilege escalation by manipulating user roles.
- Verify proper enforcement of access controls, such as admin vs. regular user.
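The "can users reach resources they should not" item is, for REST APIs, most often an object-level authorization failure (IDOR / BOLA): the handler authenticates the caller but never checks who owns the object the id points at. The block below is an added example, not from the original page: a vulnerable handler beside its fixed form, plus the horizontal-access check automated as a function. The invoice store, the `Principal` roles and the handler signatures are constructed for illustration.

```python
"""Object-level authorization (BOLA / IDOR): vulnerable handler beside the fixed one.

Added example, not from the original page. INVOICES, the Principal roles and the
handler signatures are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Principal:
    user_id: int
    role: str   # constructed roles: "user" or "admin"


# Constructed records: invoice id -> owner and contents.
INVOICES: Dict[int, Dict] = {
    1001: {"owner": 7, "amount": 120.0},
    1002: {"owner": 8, "amount": 99.5},
    1003: {"owner": 8, "amount": 15.0},
}

Handler = Callable[[Principal, int], Tuple[int, Dict]]


def get_invoice_vulnerable(caller: Principal, invoice_id: int) -> Tuple[int, Dict]:
    """Authenticates the caller (a Principal exists) but never asks who owns the
    object, so any logged-in user reads any invoice by changing the id in the URL."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, {"error": "not found"}
    return 200, invoice


def get_invoice_fixed(caller: Principal, invoice_id: int) -> Tuple[int, Dict]:
    """Looks the object up, then checks ownership (or an explicit admin role) before
    returning it. Answering 404 for both "missing" and "not yours" avoids confirming
    that foreign ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, {"error": "not found"}
    if invoice["owner"] != caller.user_id and caller.role != "admin":
        return 404, {"error": "not found"}
    return 200, invoice


def readable_by(handler: Handler, caller: Principal) -> List[int]:
    """Which invoice ids does this caller get a 200 for?"""
    return sorted(i for i in INVOICES if handler(caller, i)[0] == 200)


def bola_findings(handler: Handler, caller: Principal) -> List[int]:
    """Ids a non-admin caller could read without owning them (empty == no finding)."""
    if caller.role == "admin":
        return []
    return [i for i in readable_by(handler, caller) if INVOICES[i]["owner"] != caller.user_id]
```

The same shape applies to PUT/DELETE handlers and to nested ids in request bodies; the check belongs next to the lookup, not in a route-level role gate that only distinguishes admin from user.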
### Input Validation
- Test for input validation and output encoding to prevent injection attacks.
- Check for SQL injection, Cross-Site Scripting (XSS), and other injection vulnerabilities.
- Verify if API endpoints properly validate and sanitize user inputs.
- Assess file upload endpoints for malicious file uploads.
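For the SQL injection and input-validation items, the following added example (not from the original page) shows a lookup endpoint built by string concatenation beside its parameterized form, and an allowlist validator as defence in depth. It runs against an in-memory SQLite database with constructed rows; the endpoint shape (lookup by username) is illustrative.

```python
"""SQL injection in an API lookup: string-built query beside the parameterized one.

Added example, not from the original page. The users table, its rows and the
username format are constructed.
"""
import re
import sqlite3
from typing import List, Tuple

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")   # the shape this API actually needs


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],   # constructed rows
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Builds SQL by concatenation: the caller's text is parsed as SQL syntax, so a
    quote in the input rewrites the WHERE clause instead of being compared by it."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterized query: the value travels separately from the statement, so
    whatever it contains it is only ever compared as data."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def validate_username(username: str) -> bool:
    """Allowlist validation at the API boundary, applied before any query, file
    path or template sees the value. fullmatch() avoids the '$'-before-newline
    trap of re.match()."""
    return USERNAME_RE.fullmatch(username) is not None


# The classic tautology probe used to check whether a WHERE clause is injectable.
PROBE = "x' OR '1'='1"


def demo() -> Tuple[int, int]:
    """(rows leaked by the vulnerable query, rows returned by the safe one) for PROBE."""
    conn = setup_db()
    return len(find_user_vulnerable(conn, PROBE)), len(find_user_safe(conn, PROBE))
```

The vulnerable function returns every row for the probe because the clause becomes `username = 'x' OR '1'='1'`; the parameterized one returns nothing because no user is literally named `x' OR '1'='1`.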
### Data Exposure
- Test for sensitive data exposure through API responses.
- Verify if the API enforces proper data encryption in transit (HTTPS).
- Check for information disclosure in error messages.
- Ensure that data, especially personally identifiable information (PII), is redacted.
### Rate Limiting and Resource Exhaustion
- Test rate limiting and resource exhaustion controls.
- Check if the API is vulnerable to brute force attacks or denial-of-service (DoS) attacks.
- Test for API rate limiting bypass techniques.
- Verify if anti-automation mechanisms are in place.
### JWT and OAuth Testing
- Test JSON Web Tokens (JWT) security, including signature validation.
- Check for OAuth vulnerabilities, such as authorization code, implicit grant, and client credentials issues.
- Verify if OAuth tokens are securely managed, rotated, and revoked.
- Assess OAuth token scope and permissions.
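The JWT signature-validation item is easiest to reason about with a verifier in front of you. The block below is an added example, not from the original page or any JWT library: a minimal HS256 mint/verify pair using only the standard library, where the verifier pins the algorithm, compares the signature in constant time and enforces `exp`. It also builds the two tokens a tester submits to confirm that the signature is really checked (swapped claims with the old signature, and `alg: none`). The key, claims and helper names are constructed.

```python
"""Minimal HS256 JWT mint/verify with the standard library only.

Added example, not from the original page or any JWT library. KEY material,
claims and helper names are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class InvalidToken(Exception):
    pass


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(payload: dict, key: bytes) -> str:
    """Issue an HS256 token (what the server does after login)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the claims if the token is genuine and unexpired, else raise InvalidToken."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:                      # bad base64, bad JSON, bad UTF-8
        raise InvalidToken("malformed token")
    # Pin the algorithm server-side. Honouring the token's own "alg" is what
    # enables "alg":"none" and HMAC/RSA key-confusion bypasses.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:
        raise InvalidToken("malformed token")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise InvalidToken("missing or expired exp")
    return claims


def is_valid(token: str, key: bytes, now: Optional[float] = None) -> bool:
    try:
        verify(token, key, now)
        return True
    except InvalidToken:
        return False


def with_payload(token: str, payload: dict) -> str:
    """Test vector: swap the claims but keep the original signature (must be rejected)."""
    header_b64, _, sig_b64 = token.split(".")
    body_b64 = b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{body_b64}.{sig_b64}"


def with_alg_none(token: str) -> str:
    """Test vector: header rewritten to alg=none with an empty signature (must be rejected)."""
    _, body_b64, _ = token.split(".")
    header_b64 = b64url(b'{"alg":"none"}')
    return f"{header_b64}.{body_b64}."
```

A verifier that only checks the signature when the header asks for it, or that accepts a missing `exp`, fails the `with_alg_none` and expiry cases respectively; those are exactly the checks to run against a target's token endpoint.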
### API Rate Limiting
- Test API rate limiting policies for different user roles.
- Verify if rate limiting is consistently applied across API endpoints.
- Check for bypasses or weaknesses in rate limiting controls.
- Test for API rate limiting abuse and scenarios.
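The two rate-limiting lists above (resource exhaustion, and policy per role, consistency across endpoints and bypasses) share one implementation question: what the limit is keyed on and how it refills. The block below is an added example, not from the original page: a token-bucket limiter with a per-role policy, keyed on the authenticated identity when there is one and the socket peer address otherwise, with a deterministic clock so the behaviour can be asserted without sleeping. The policy numbers, role names and `FakeClock` are constructed; a real deployment would back the buckets with shared storage so the limit holds across instances.

```python
"""Token-bucket rate limiting keyed on caller identity, with a per-role policy.

Added example, not from the original page. POLICY values, role names and
FakeClock are constructed for illustration.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# role -> (burst capacity, refill rate in requests per second); constructed values
POLICY: Dict[str, Tuple[int, float]] = {
    "anonymous": (5, 1.0),
    "user": (20, 5.0),
    "admin": (100, 20.0),
}


def client_key(user_id: Optional[int], remote_addr: str) -> str:
    """Key on the authenticated identity when there is one, else the socket peer
    address. Keying on a client-supplied header (X-Forwarded-For, X-Real-IP) is the
    classic bypass: the caller simply rotates the header value per request."""
    return f"user:{user_id}" if user_id is not None else f"ip:{remote_addr}"


@dataclass
class Bucket:
    tokens: float
    updated: float


class RateLimiter:
    def __init__(self, policy=POLICY, clock: Callable[[], float] = time.monotonic):
        self.policy = policy
        self.clock = clock
        self.buckets: Dict[str, Bucket] = {}

    def allow(self, key: str, role: str) -> Tuple[bool, int]:
        """Consume one token; returns (allowed, tokens remaining) so the caller can
        set X-RateLimit-Remaining. Unknown roles get the strictest policy."""
        capacity, rate = self.policy.get(role, self.policy["anonymous"])
        now = self.clock()
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = Bucket(tokens=float(capacity), updated=now)
        bucket.tokens = min(float(capacity), bucket.tokens + (now - bucket.updated) * rate)
        bucket.updated = now
        if bucket.tokens < 1.0:
            return False, 0
        bucket.tokens -= 1.0
        return True, int(bucket.tokens)


class FakeClock:
    """Deterministic clock so refill behaviour can be asserted without sleeping."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def burst_allowed(role: str, attempts: int) -> int:
    """How many of `attempts` back-to-back requests get through for a fresh client."""
    limiter = RateLimiter(clock=FakeClock())
    key = client_key(None, "198.51.100.7")          # constructed peer address
    return sum(1 for _ in range(attempts) if limiter.allow(key, role)[0])


def refill_after(role: str, seconds: float) -> int:
    """Exhaust the bucket, wait `seconds`, and count how many requests pass again."""
    clock = FakeClock()
    limiter = RateLimiter(clock=clock)
    key = client_key(42, "198.51.100.7")
    while limiter.allow(key, role)[0]:
        pass
    clock.advance(seconds)
    return sum(1 for _ in range(1000) if limiter.allow(key, role)[0])
```

Because every endpoint calls the same `allow()` with the same key function, the "consistently applied across endpoints" item reduces to checking that no route is wired around it; the usual test of that is to compare the limit observed on a cheap endpoint with the one observed on an expensive one.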
### Error Handling
- Test how the API handles errors and exceptions.
- Check if error messages reveal sensitive information or internal details.
- Verify that proper HTTP status codes are returned for different error scenarios.
- Assess if error messages are consistent and not overly verbose.
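The Data Exposure list and this Error Handling list are two sides of one response layer: what leaves the service on success, and what leaves it on failure. The block below is an added example (not from the original page) covering both: an allowlist serializer that masks PII unless the caller owns the record, and a `respond()` wrapper that maps known errors to fixed status codes and messages while hiding unexpected exceptions behind an opaque 500 with a correlation id that is logged server-side. `USER_ROW`, the exception classes and the `lookup` handler are constructed for illustration.

```python
"""Allowlist serialization plus uniform error handling for an API response layer.

Added example, not from the original page. USER_ROW, USERS, the exception
classes and the handlers are constructed.
"""
import logging
import uuid
from typing import Any, Callable, Dict, Tuple

log = logging.getLogger("api")

# Constructed database row: note how much of it must never reach a client.
USER_ROW: Dict[str, Any] = {
    "id": 7,
    "email": "alice@example.test",
    "role": "user",
    "password_hash": "$2b$12$constructed-hash-value",
    "ssn": "123-45-6789",
    "internal_notes": "constructed: VIP customer, see ticket 4471",
}

PUBLIC_USER_FIELDS = ("id", "email", "role")   # explicit allowlist, never "everything but X"


def mask_email(email: str) -> str:
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def serialize_user(row: Dict[str, Any], for_self: bool = False) -> Dict[str, Any]:
    """Only allowlisted fields leave the service; PII is masked unless the caller owns the record."""
    out = {k: row[k] for k in PUBLIC_USER_FIELDS if k in row}
    if not for_self and "email" in out:
        out["email"] = mask_email(out["email"])
    return out


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


class ValidationError(Exception):
    pass


# Known error -> (HTTP status, fixed client-facing message). The exception's own
# text is echoed only for validation errors, where field-level detail is the point.
KNOWN_ERRORS = {
    NotFound: (404, "not found"),
    Forbidden: (403, "forbidden"),
    ValidationError: (400, "invalid request"),
}


def respond(handler: Callable[..., Any], *args: Any) -> Tuple[int, Dict[str, Any]]:
    """Run a handler and return (status, json_body). Unexpected exceptions become
    an opaque 500 carrying a correlation id; the traceback goes to the server log only."""
    try:
        return 200, handler(*args)
    except tuple(KNOWN_ERRORS) as exc:
        status, message = KNOWN_ERRORS[type(exc)]
        body: Dict[str, Any] = {"error": message}
        if isinstance(exc, ValidationError):
            body["detail"] = str(exc)
        return status, body
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error ref=%s", ref)   # stack trace stays server-side
        return 500, {"error": "internal error", "ref": ref}


USERS = {USER_ROW["id"]: USER_ROW}


def lookup(user_id: Any, caller_id: int) -> Dict[str, Any]:
    """Constructed handler: public view of a user; full email only to the owner."""
    if not isinstance(user_id, int) or user_id <= 0:
        raise ValidationError("user_id must be a positive integer")
    row = USERS.get(user_id)
    if row is None:
        raise NotFound()
    return serialize_user(row, for_self=(caller_id == user_id))


def broken_handler() -> Dict[str, Any]:
    """Constructed handler whose exception text contains an internal detail."""
    raise KeyError("db_password")
```

When testing a target, the `ref` pattern is what a well-behaved 500 looks like; a stack trace, an SQL fragment or a file path in the body is the information-disclosure finding the list asks for.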
### Webhooks and Callbacks
- Test webhooks and callback mechanisms.
- Check for security vulnerabilities in callback URLs, such as SSRF or unauthorized callbacks.
- Verify if callbacks are properly authenticated and validated.
- Test for replay attacks or callback abuse.
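Two defensive checks cover most of the webhook items above: validating a customer-supplied callback URL before the service ever connects to it (the SSRF item), and verifying an HMAC over delivery id, timestamp and body with a replay cache on the receiving side (the authentication, validation and replay items). The block below is an added example, not from the original page; `RESOLVE` is a constructed hostname table standing in for DNS so the code runs offline, and the secret, delivery ids and body are constructed as well.

```python
"""Callback URL validation (SSRF) and signed, replay-resistant webhook receipt.

Added example, not from the original page. RESOLVE stands in for DNS; the
secret, delivery ids and payloads are constructed.
"""
import hashlib
import hmac
import ipaddress
import time
from typing import Callable, List, Set
from urllib.parse import urlparse

# Constructed DNS table: hostname -> addresses it resolves to.
RESOLVE = {
    "hooks.example.test": ["8.8.8.8"],
    "internal.example.test": ["10.0.0.5"],
    "metadata.example.test": ["169.254.169.254"],
    "dual.example.test": ["8.8.8.8", "127.0.0.1"],   # one public and one loopback answer
}


def fake_resolve(host: str) -> List[str]:
    return RESOLVE.get(host, [])


def callback_url_is_safe(url: str, resolve: Callable[[str], List[str]] = fake_resolve) -> bool:
    """Accept only https URLs whose every resolved address is globally routable.
    In production pass a resolver built on socket.getaddrinfo, and connect to the
    address you checked rather than re-resolving (DNS rebinding)."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    if parsed.username or parsed.password:          # user:pass@host confusion
        return False
    try:                                            # IP literal in the URL
        addrs = [str(ipaddress.ip_address(parsed.hostname))]
    except ValueError:
        addrs = resolve(parsed.hostname)
    if not addrs:                                   # unresolvable: refuse, do not guess
        return False
    # is_global is False for loopback, RFC 1918, link-local (cloud metadata),
    # multicast, documentation and reserved ranges, for both IPv4 and IPv6.
    return all(ipaddress.ip_address(a).is_global for a in addrs)


def sign(secret: bytes, delivery_id: str, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over delivery id, timestamp and raw body (what the sender attaches)."""
    msg = f"{delivery_id}.{timestamp}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes, tolerance: int = 300,
                 clock: Callable[[], float] = time.time):
        self.secret = secret
        self.tolerance = tolerance      # seconds of clock skew tolerated
        self.clock = clock
        self.seen: Set[str] = set()     # processed delivery ids (shared storage in production)

    def accept(self, delivery_id: str, timestamp: int, signature: str, body: bytes) -> bool:
        if abs(self.clock() - timestamp) > self.tolerance:
            return False                                   # stale or future-dated
        expected = sign(self.secret, delivery_id, timestamp, body)
        if not hmac.compare_digest(expected, signature):
            return False                                   # not from the secret holder
        if delivery_id in self.seen:
            return False                                   # replay of a genuine delivery
        self.seen.add(delivery_id)
        return True
```

The signature is checked before the replay cache is consulted so that an unauthenticated sender cannot fill the cache; the timestamp window bounds how long that cache has to remember ids.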