API Testing

Definitions

OWASP API top-10

All of these are taken directly from APISecUniversity.

Broken Object Level Authorization

Broken Authentication

Broken Object Property Level Authorization

Unrestricted Resource Consumption

Broken Function Level Authorization

Unrestricted Access to Sensitive Business Flows

Server-Side Request Forgery

Security Misconfigurations

Improper Inventory Management

Unsafe Consumption of APIs

API Authentication

Types of authentication

Basic Authentication

Uses the HTTP Authorization header with the "Basic" scheme
Base-64 encoded value of the username:password

API Keys

No standard way of presenting the API key
Username and password at once
Only machine identity

TLS Authentication

Using mutual TLS for authentication
Both parties present certificates to authenticate themselves
Conveys machine identities

OAuth and OpenID Connect

OAuth is a delegation protocol
- API access is the main goal
OpenID Connect is an Identity layer on top of OAuth
- Defines user authentication metadata
- Can control authentication
- Federation

OAuth

OAuth is a delegation protocol

4 actors

Resource Owner
- "The user"
Client
- 3rd party application
Authorization Server
- The server that handles the delegation auth
Resource Server
- Stores the resource owner's data - "the API"
OAuth delegates access to applications on a user's behalf
Delegation != authorization

API Recon

Check for:

Passive API recon

Perform recon without touching the target.

Google dorking

# Basic

$target api
$target docs
$target developers
$target graphql

# intitle
intitle:"api" site:target.com

# inurl
inurl:"/api/v1" site:target.com
inurl:"/api/v2/" site:target.com

GitHub

Check github for leaked secrets