API Penetration Testing: Things to Be Noted
1. Understand the attack surface
Before starting the test, pen testers should have a good understanding of the users, roles, resources and responses of each API in order to find meaningful vulnerabilities.
2. Identify more attack surface
Find more attack surface by discovering subdomains or sibling APIs running different versions. Online tools such as Censys.io or Virustotal.com are helpful here. You can also find different API versions manually by changing the version ID: try changing v2 to v1 and keep an eye on how the API behaves with each version. Older versions tend to be more vulnerable.
You can also expand the attack surface by using archive.org to find old versions of the web app and explore API endpoints that are no longer linked. Another option is to scan the .js files for new URL endpoints.
3. Test for different authentication methods
Most modern APIs use different authentication methods for their mobile and web APIs. Test both separately and try to bypass each authentication method.
Example: /api/v3/login and /api/app/login
4. Always test IDOR
If you have an API to test, always test for IDOR. Object-level authorization checks should be present in every function that accesses a data source using user-supplied input.
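As an added illustration of that object-level authorization check (example code, not from the original post): a constructed in-memory order store, a handler that trusts the client-supplied id, the hardened version that verifies ownership and returns only the fields the caller should see, and a small routine that exercises every user/object pair and reports any non-owner read.

```python
from dataclasses import dataclass

# Constructed sample data: two users, one order each (not from the post).
ORDERS = {
    101: {"owner": "alice", "total": 42.0, "card_last4": "1111"},
    102: {"owner": "bob", "total": 17.5, "card_last4": "2222"},
}


@dataclass
class Response:
    status: int
    body: dict


def get_order_vulnerable(current_user: str, order_id: int) -> Response:
    """Looks the order up by the client-supplied id only. Any authenticated
    user can read any order: the IDOR the checklist tells you to test for."""
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404, {"error": "not found"})
    return Response(200, order)


def get_order_hardened(current_user: str, order_id: int) -> Response:
    """Same lookup followed by an object-level authorization check.
    A non-owner receives the same 404 as a missing id, so the endpoint
    does not confirm which ids exist. The body is an allow-list of fields
    rather than the raw record, so card data is never returned."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != current_user:
        return Response(404, {"error": "not found"})
    return Response(200, {"id": order_id, "total": order["total"]})


def idor_findings(handler) -> list:
    """Exercise every (user, order) pair against a handler and return the
    pairs where a user could read an object they do not own. This is the
    systematic form of the 'always test IDOR' check, run against a local
    handler rather than a live API."""
    users = {o["owner"] for o in ORDERS.values()}
    return [(u, oid) for u in sorted(users) for oid, o in ORDERS.items()
            if o["owner"] != u and handler(u, oid).status == 200]
```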
5. Test for SSRF
Test for SSRF whenever an API request sends a URL as a parameter.
6. Find GET endpoints for POST and PUT requests
If you come across a POST or PUT request during testing, try the same endpoint with GET. If that succeeds, use the response to craft parameters for the POST and PUT requests to find vulnerabilities or parameter bypasses.
7. Test for XML attacks
When testing a REST API, try changing the Content-Type to "application/xml", add an XML request body and see how the request responds. If it throws an XML-based error, you can try XML entity attacks.
8. Test IDs in bodies and headers
Don't forget to test IDs in HTTP bodies and headers. These are often more vulnerable than IDs in the URL.
9. Test for broken function level authorization attacks
Try changing a DELETE request to a create request, or a POST request to a DELETE request.
10. Bypass security functions
Try to change the password without entering the old password, or update the user details without entering the password. Also try CSRF attacks.
11. DoS
APIs often do not impose any restriction on the size of resources a client/user can request. Try sending a long value; this may impact the API server's performance, leading to Denial of Service (DoS).
12. API security misconfiguration
Test for misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin Resource Sharing (CORS), and verbose error messages containing sensitive information.
13. Test for injection attacks
Test for SQL, NoSQL and command injection. Injection can trick the interpreter into executing unintended commands without proper authorization.
14. Don't forget to validate the response
Some endpoints may leak excessive data that should not be accessible to the user. Always be curious about API responses.
15. Brute force
Using brute-force techniques, try to bypass AuthZ, AuthN, rate limiting and input validation.