0% found this document useful (0 votes)

229 views2 pages

API Security CheckList

This document contains a checklist of 31 API security testing techniques organized into categories for verb tampering, request parameter issues, content type testing, environment testing, and Google dorks. It suggests trying different HTTP methods, wrapping and duplicating IDs, changing data types, testing non-production environments, and searching for exposed API documentation.

Uploaded by

LEO RC

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

229 views2 pages

API Security CheckList

Uploaded by

LEO RC

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 2

✅

Checklist
API Security
API Security

31 Days of API Security Testing

To change versions: api/v3/login → api/v1/login

Check other AuthN endpoints: /api/mobile/login → /api/v3/login /api/magic_link

Verb Tampering: GET /api/trips/1 → POST /api/trips/1 POST /api/trips DELETE /api/trips/1

Try Object IDs in HTTP headers and bodies, URLs tend to be less vulnerable.

Try Numeric IDs when facing a GUID/UUID GET /api/users/6b95d962-df38 → GET /api/users/1

Wrap ID with an array: {"id":111} → {"id":[111]}

Wrap ID with a JSON object: {"id":111} → {"id":{"id":111}}

HTTP Parameter Pollution: /api/profile?user_id=legit&user_id=victim /api/profile?user_id=victim&user_id=legit

JSON Parameter Pollution: {"user_id":legit,"user_id":victim} {"user_id":victim,"user_id":legit}

Wildcard instead of ID /api/users/1 → /api/users/* /api/users/% /api/users/_ /api/users/.

Ruby application HTTP parameter containing a URL → Pipe as the first character and then a shell command.

Developer APIs differs with mobile and web APIs. Test them separately.

Change Content-Type to application/xml and see if the API parse it.

Non-Production environments tend to be less secure (staging/qa/etc.) Leverage this fact to bypass AuthZ,
AuthN, rate limiting & input validation.

Export Injection if you see Convert to PDF feature.

Expand your attack surface and test old versions of APKs IPAs.

Misc

Google Dorks

site:target.tld inurl:api
site:target.tld intitle:"index of" "api.yaml"
site:target.tld inurl:/application.wadl
site:target.tld ext:wsdl inurl:/%24metadata
site:target.tld ext:wadl
site:target.tld ext:wsdl

Checklist 1
user filetype:wadl
user filetype:wsdl

Check different Content-Types

x-www-form-urlencoded --> user=test

application/json --> {"user": "test"}
application/xml --> <user>test</user>

If it's regular POST data try sending arrays, dictionaries

username[]=John
username[$neq]=lalala

If JSON is supported try to send unexpected data types

{"username": "John"}
{"username": true}
{"username": null}
{"username": 1}
{"username": [true]}
{"username": ["John", true]}
{"username": {"$neq": "lalala"}}

If XML is supported, check for XXE

Gathered By: HolyBugx

Checklist 2

API Pentesting
No ratings yet
API Pentesting
27 pages
API Security Testing PDF
100% (1)
API Security Testing PDF
24 pages
DevOps. How To Build Pipelines With Bitbucket Pipelines + Docker Container + AWS ECS + JDK 11 + Maven 3?
From Everand
DevOps. How To Build Pipelines With Bitbucket Pipelines + Docker Container + AWS ECS + JDK 11 + Maven 3?
John Edward Cooper Berg
No ratings yet
Fall 2019 PEE I LAB 5
0% (1)
Fall 2019 PEE I LAB 5
25 pages
The Ultimate API Security Audit & VAPT Checklist
No ratings yet
The Ultimate API Security Audit & VAPT Checklist
9 pages
API Testing Checklist
No ratings yet
API Testing Checklist
7 pages
Hackanythingfor Blogspot Com 2020 07 Api Testing Checklist HTML
No ratings yet
Hackanythingfor Blogspot Com 2020 07 Api Testing Checklist HTML
5 pages
31 Days of API Security
No ratings yet
31 Days of API Security
2 pages
API Scenario Checklist-Old
No ratings yet
API Scenario Checklist-Old
14 pages
API Penetration Testing Checklist 17208Fjfjffjfjfj
No ratings yet
API Penetration Testing Checklist 17208Fjfjffjfjfj
4 pages
API Security Checklist
No ratings yet
API Security Checklist
4 pages
Apis Fuzzing For Bug Bounty: Tools
No ratings yet
Apis Fuzzing For Bug Bounty: Tools
7 pages
API Scenario Checklist - Latest
No ratings yet
API Scenario Checklist - Latest
5 pages
API Pentesting Testcases
No ratings yet
API Pentesting Testcases
2 pages
Github Com Inonshk 31 Days of API Security Tips
No ratings yet
Github Com Inonshk 31 Days of API Security Tips
8 pages
Byteblogger Week1 Reoport - Mansi Karpe
No ratings yet
Byteblogger Week1 Reoport - Mansi Karpe
11 pages
API
No ratings yet
API
37 pages
API Security Testing Approach
No ratings yet
API Security Testing Approach
7 pages
Web Attacks From Zero To Hero
No ratings yet
Web Attacks From Zero To Hero
66 pages
API Security-Developers Checklist-Hacktivists University
No ratings yet
API Security-Developers Checklist-Hacktivists University
13 pages
Api Testing
No ratings yet
Api Testing
9 pages
API Pentesting Notes 1722248626
No ratings yet
API Pentesting Notes 1722248626
11 pages
Q
No ratings yet
Q
3 pages
How To Hack API in 60 Minutes or API Threats Simulation With Open-Source Tools
No ratings yet
How To Hack API in 60 Minutes or API Threats Simulation With Open-Source Tools
16 pages
API Security Testing
No ratings yet
API Security Testing
4 pages
Apimike Com Api Penetration Testing Checklist
No ratings yet
Apimike Com Api Penetration Testing Checklist
4 pages
Unit 3
No ratings yet
Unit 3
111 pages
API Security Testing
No ratings yet
API Security Testing
1 page
Advavce Task 4
No ratings yet
Advavce Task 4
8 pages
API Testing Guide 1730023081
No ratings yet
API Testing Guide 1730023081
18 pages
API Testing Checklist
No ratings yet
API Testing Checklist
11 pages
API Security Testing Guide
No ratings yet
API Security Testing Guide
2 pages
Webcast 116220 PDF
No ratings yet
Webcast 116220 PDF
76 pages
A Study On API Security Pentesting
No ratings yet
A Study On API Security Pentesting
108 pages
What Is An API?: Integration of An E-Commerce Site With Payment Infrastructure
No ratings yet
What Is An API?: Integration of An E-Commerce Site With Payment Infrastructure
9 pages
FOR One API Security Testing Training For Bug Hunters and InfoSec
No ratings yet
FOR One API Security Testing Training For Bug Hunters and InfoSec
7 pages
API Testing by Rahul Rai Shrivastava
No ratings yet
API Testing by Rahul Rai Shrivastava
11 pages
API Pentesting Mindmap While Trying To Attack
No ratings yet
API Pentesting Mindmap While Trying To Attack
1 page
Assignment For Content Writer at Alphabin - Shreyas Kulkarni
No ratings yet
Assignment For Content Writer at Alphabin - Shreyas Kulkarni
10 pages
API Pentesting
No ratings yet
API Pentesting
17 pages
Pentest Book: Pentesting Web Checklist Recon Phase
No ratings yet
Pentest Book: Pentesting Web Checklist Recon Phase
9 pages
API Security Project: Kick Off
No ratings yet
API Security Project: Kick Off
26 pages
Bug Bounty Methodology
No ratings yet
Bug Bounty Methodology
75 pages
Api Security
100% (1)
Api Security
5 pages
Manual Testing Overview
No ratings yet
Manual Testing Overview
9 pages
Unit - III - WEB SECURE API
No ratings yet
Unit - III - WEB SECURE API
34 pages
Mastering-API-Data-Extraction-A-Comprehensive-Guide 2024
No ratings yet
Mastering-API-Data-Extraction-A-Comprehensive-Guide 2024
6 pages
API Penetration Testing
No ratings yet
API Penetration Testing
15 pages
API Security
No ratings yet
API Security
1 page
API Security Testing Comprehensive
No ratings yet
API Security Testing Comprehensive
1 page
APIs Questions
No ratings yet
APIs Questions
4 pages
API Testing
No ratings yet
API Testing
2 pages
Api Testing Notes
No ratings yet
Api Testing Notes
15 pages
API Audit Presentation
No ratings yet
API Audit Presentation
9 pages
Testing Soap and Rest
No ratings yet
Testing Soap and Rest
7 pages
(Application Programming Interface) : API Testing
No ratings yet
(Application Programming Interface) : API Testing
12 pages
Bug Bounty Exploit Checklist
No ratings yet
Bug Bounty Exploit Checklist
2 pages
Restfulapi Net Security Essentials
No ratings yet
Restfulapi Net Security Essentials
18 pages
Procudures
No ratings yet
Procudures
3 pages
WSDL Tutorials - Herong's Tutorial Examples
From Everand
WSDL Tutorials - Herong's Tutorial Examples
Herong Yang
No ratings yet
How to a Developers Guide to 4k: Developer edition, #3
From Everand
How to a Developers Guide to 4k: Developer edition, #3
Xinc Cyberwizard
No ratings yet
Training Fuzzy Deep Neural Network With Honey Badger Algorithm For Intrusion Detection in Cloud Environment
No ratings yet
Training Fuzzy Deep Neural Network With Honey Badger Algorithm For Intrusion Detection in Cloud Environment
17 pages
Package-A: Supply & Erection Schedule (R1) : New 33 KV Overhead Line by Panther Conductor - Total Qty. 412 CKM
No ratings yet
Package-A: Supply & Erection Schedule (R1) : New 33 KV Overhead Line by Panther Conductor - Total Qty. 412 CKM
55 pages
PDF Principios de Economia Bernanke 2 Compress
No ratings yet
PDF Principios de Economia Bernanke 2 Compress
111 pages
Type-A Personality and Job Satisfaction: Two Scales For Job Stress and Health Psychology Research
No ratings yet
Type-A Personality and Job Satisfaction: Two Scales For Job Stress and Health Psychology Research
13 pages
Simple Machines Model Set, Wooden
No ratings yet
Simple Machines Model Set, Wooden
46 pages
Cost Quiz 3
No ratings yet
Cost Quiz 3
5 pages
Openness: The Big Five Personality Traits
No ratings yet
Openness: The Big Five Personality Traits
3 pages
CORDIS Project 783132 en
No ratings yet
CORDIS Project 783132 en
21 pages
0 Rudra Devbrat 2000 English Grammar Exercises With Answers
No ratings yet
0 Rudra Devbrat 2000 English Grammar Exercises With Answers
217 pages
Hydrostatics Worksheet
No ratings yet
Hydrostatics Worksheet
2 pages
©montessori For Everyone 2018 Triangle Stars Triangles
No ratings yet
©montessori For Everyone 2018 Triangle Stars Triangles
3 pages
BDC Using Session Method.: Go sm35
No ratings yet
BDC Using Session Method.: Go sm35
4 pages
Ajol File Journals - 28 - Articles - 240868 - Submission - Proof - 240868 325 579976 1 10 20230204
No ratings yet
Ajol File Journals - 28 - Articles - 240868 - Submission - Proof - 240868 325 579976 1 10 20230204
11 pages
Team Spirit Notes
No ratings yet
Team Spirit Notes
4 pages
List of Accredited Org. SY 2021 22
No ratings yet
List of Accredited Org. SY 2021 22
8 pages
Cell Reselection
100% (1)
Cell Reselection
41 pages
JD - Tax Manager
No ratings yet
JD - Tax Manager
3 pages
Introduction To Communications Toolbox in Matlab 7
No ratings yet
Introduction To Communications Toolbox in Matlab 7
97 pages
Easa Ad 2021-0177R2 1
No ratings yet
Easa Ad 2021-0177R2 1
5 pages
Service: Manual
100% (1)
Service: Manual
73 pages
Relief Cartridge Valves
100% (2)
Relief Cartridge Valves
16 pages
BRO Mass Comparators e PDF
No ratings yet
BRO Mass Comparators e PDF
32 pages
RailLok Clip BG15 - 2016-06 Rev0
No ratings yet
RailLok Clip BG15 - 2016-06 Rev0
2 pages
2017 uPVC Manual
No ratings yet
2017 uPVC Manual
78 pages
JFUE-Wahid Alfarizki Combustion
No ratings yet
JFUE-Wahid Alfarizki Combustion
15 pages
UCD 115 Instrumental Analysis: UC Davis
No ratings yet
UCD 115 Instrumental Analysis: UC Davis
73 pages
Contact Through The Veil (By RICK STRASSMAN, M.D.) PDF
100% (3)
Contact Through The Veil (By RICK STRASSMAN, M.D.) PDF
9 pages
03 Rcaplan - Capa Plan 01
No ratings yet
03 Rcaplan - Capa Plan 01
2 pages
2nd T REVISION + AK
No ratings yet
2nd T REVISION + AK
13 pages

API Security CheckList

Uploaded by

API Security CheckList

Uploaded by

✅

31 Days of API Security Testing

To change versions: api/v3/login → api/v1/login

Check other AuthN endpoints: /api/mobile/login → /api/v3/login /api/magic_link

Wrap ID with an array: {"id":111} → {"id":[111]}

Wrap ID with a JSON object: {"id":111} → {"id":{"id":111}}

HTTP Parameter Pollution: /api/profile?user_id=legit&user_id=victim /api/profile?user_id=victim&user_id=legit

JSON Parameter Pollution: {"user_id":legit,"user_id":victim} {"user_id":victim,"user_id":legit}

Wildcard instead of ID /api/users/1 → /api/users/* /api/users/% /api/users/_ /api/users/.

Change Content-Type to application/xml and see if the API parse it.

Export Injection if you see Convert to PDF feature.

Check different Content-Types

x-www-form-urlencoded --> user=test

If it's regular POST data try sending arrays, dictionaries

If JSON is supported try to send unexpected data types

If XML is supported, check for XXE

Gathered By: HolyBugx

You might also like