Before we start security testing an API, it is important to understand the scope of the test. Once the scope is mapped, either review the API documentation (an OpenAPI/Swagger specification, if one exists) or capture all API requests and responses and analyze them to build an understanding of what each endpoint does, which parameters it accepts and what it returns.
Once the APIs are mapped, it is time to start testing for security vulnerabilities:
Fuzz the API: Send special characters, oversized values, wrong types, boundary numbers and other unexpected inputs to each parameter and observe how the API responds (status code, error message, response size and timing). Any deviation from the baseline response tells you whether, and how, input validation is performed, and an unhandled error or stack trace in the body is a strong hint that the input reached a backend component unchecked.
Tools:
Burp Suite: A web application security testing tool that can be used to test APIs as well. Its intercepting proxy lets testers capture, inspect and modify the traffic between the client and the server, and replay modified requests to see how the API reacts.
Postman: A popular tool used by developers for API development and testing. It provides a user-friendly interface for exercising API endpoints, lets testers build custom requests and collections, and shows the responses for inspection.
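The fuzzing step above, written out as an added example (this is not code from the original page or from either tool). The loop sends a baseline request, substitutes each payload into one parameter and flags responses that differ from the baseline on status, size, error text or unencoded reflection. The only transport dependency is the `send` callable, so the same loop runs against a real endpoint (wrap a `requests.get` in a function that returns `(status, body)`) or against `mock_send`, a constructed stand-in for a flawed search endpoint used here so the example runs offline. `FUZZ_PAYLOADS`, `ERROR_MARKERS` and the mock's behaviour are assumptions made for the demonstration.

```python
"""Differential fuzzing of one API parameter.

A baseline request is sent first; each payload is then substituted into the
chosen parameter and the response is compared with the baseline on status,
size, error text and unencoded reflection. `send` is the only transport
dependency: pass a function that issues a real request, or the constructed
in-process stand-in below to run the loop offline.
"""
import json
from dataclasses import dataclass

# Constructed payload set: characters and values that commonly expose missing
# or inconsistent input validation.
FUZZ_PAYLOADS = [
    "'", "\"", "<script>", "../../etc/passwd", "%00", "\u0000",
    "A" * 4096, "-1", "0", "9999999999", "{}", "[]", "null", "true",
    "${7*7}", "{{7*7}}", "; id", "|| sleep 5",
]

# Strings in a response body that usually mean an unhandled error reached the client.
ERROR_MARKERS = ("Traceback", "SQL", "syntax error", "Exception", "stack trace")


@dataclass
class Finding:
    payload: str
    status: int
    reason: str


def fuzz_param(send, base_params, param, payloads=FUZZ_PAYLOADS):
    """send(params: dict) -> (status: int, body: str). Returns a list of Findings."""
    base_status, base_body = send(dict(base_params))
    findings = []
    for payload in payloads:
        params = dict(base_params)
        params[param] = payload
        status, body = send(params)
        reasons = []
        if status >= 500:
            reasons.append(f"server error {status}")
        elif status != base_status:
            reasons.append(f"status changed {base_status}->{status}")
        if any(marker in body for marker in ERROR_MARKERS):
            reasons.append("error text in body")
        # Only meaningful for payloads carrying metacharacters; short or purely
        # alphanumeric values match too easily to be evidence of anything.
        if len(payload) > 2 and not payload.isalnum() and payload in body:
            reasons.append("payload reflected unencoded")
        if abs(len(body) - len(base_body)) > 2 * len(base_body):
            reasons.append("response size anomaly")
        findings.extend(Finding(payload, status, r) for r in reasons)
    return findings


def mock_send(params):
    """Constructed stand-in for a search endpoint (not a real service) with
    two flaws: a single quote reaches a string-built SQL query, and the `q`
    value is echoed back without encoding."""
    q = params.get("q", "")
    if "'" in q:
        return 500, 'Traceback (most recent call last): sqlite3.OperationalError: near "\'": syntax error'
    if len(q) > 1024:
        return 414, "URI too long"
    return 200, json.dumps({"query": q, "results": []})


if __name__ == "__main__":
    for f in fuzz_param(mock_send, {"q": "alice"}, "q"):
        print(f"{f.status}  {f.reason:30}  {f.payload[:40]!r}")
```

Against the mock, the single quote produces a server error with a database error message in the body, the `<script>` payload comes back unencoded, and the 4 KiB value changes the status code, while plain values such as `null` or `0` produce nothing. Run the same loop through a Burp Suite or Postman proxy against the real target and every finding is a request worth reproducing by hand.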
Injection attacks: These occur when untrusted input is passed without sanitization or parameterization into an interpreter (a SQL database, an OS shell, an LDAP directory, a template engine), so that the input is executed as part of the command or query instead of being treated as data. The consequences range from data breaches and data tampering to denial of service and code execution on the server.
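An added example (not code from the original page) of the SQL variety, with the vulnerable lookup next to its fixed form. The table, rows and payloads are constructed for the demonstration and run against an in-memory SQLite database; the endpoint being imitated is a user lookup that takes a `username` parameter from the request.

```python
"""SQL injection in an API lookup, vulnerable and fixed side by side."""
import sqlite3


def make_db():
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, role) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "user"),
         ("bob", "bob@example.com", "user"),
         ("admin", "admin@example.com", "admin")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # The request parameter is pasted into the SQL text, so quotes and
    # keywords in it change the query's grammar instead of being data.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Bound parameter: the driver sends the value separately from the SQL,
    # so it can only ever be compared as a string. No escaping needed.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed payloads of the kind a tester would send to the endpoint.
TAUTOLOGY = "' OR '1'='1"
UNION_ROLES = "x' UNION SELECT username, role FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", find_user_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union:    ", find_user_vulnerable(db, UNION_ROLES))
    print("safe, tautology:      ", find_user_safe(db, TAUTOLOGY))
```

The tautology turns a single-user lookup into a dump of every row, and the UNION payload pulls a column the endpoint was never meant to expose. The fixed version returns an empty result for both, because the whole payload is compared as a literal username.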
Broken Authentication: Caused by improper implementation of authentication and session management, for example weak or predictable tokens, tokens that never expire, credentials accepted without proper verification, or the caller's identity taken from a client-supplied field instead of the server-side session. Such flaws allow an attacker to take over a user's account or the system itself, leading to unauthorized access and data breaches.
Broken Access Control: Missing or incomplete authorization checks allow a caller to reach resources or operations they are not permitted to use, such as another user's data or an administrative function. Being authenticated is not the same as being authorized for a particular object or action.
Security misconfiguration: Insecure defaults or misconfigured components, such as verbose error messages, debug endpoints left enabled, permissive CORS settings or unnecessary HTTP methods, make an API easier to attack.
No rate limit: This vulnerability arises from a lack of restrictions on the number of requests a client can send to an API within a given timeframe, which leaves the API open to brute force against logins and tokens, to scraping, and to resource exhaustion. It is important to note that many API calls are charged per request, so a successful attack on an unthrottled endpoint is both a Denial of Service (DoS) attack and a direct hit to the organization's finances.
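A per-client, per-endpoint sliding-window limiter as an added example of the missing control (not code from the original page). The endpoint policy, the client keys and the `ManualClock` are constructed for the demonstration; in production the clock would be `time.monotonic` and the counters would live in a shared store rather than process memory so that every API instance enforces the same budget.

```python
"""Sliding-window rate limiting for an API, keyed per client and per endpoint."""
import math
import time
from collections import defaultdict, deque


class ManualClock:
    """Constructed clock for deterministic demonstration and tests."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SlidingWindowLimiter:
    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(deque)  # key -> timestamps of accepted requests

    def check(self, key):
        """Return (allowed, retry_after_seconds) and record the hit if allowed."""
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            # The oldest accepted hit leaves the window at hits[0] + window.
            return False, hits[0] + self.window - now
        hits.append(now)
        return True, 0.0


class RateLimitedApi:
    # Constructed policy: (requests, seconds) per client. The login endpoint
    # and a metered third-party lookup get tighter budgets than plain reads,
    # because brute force and pay-per-call abuse are the expensive cases.
    POLICY = {"/login": (5, 60), "/geocode": (10, 60)}
    DEFAULT = (100, 60)

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self._limiters = {}

    def _limiter(self, path):
        if path not in self._limiters:
            limit, window = self.POLICY.get(path, self.DEFAULT)
            self._limiters[path] = SlidingWindowLimiter(limit, window, self.clock)
        return self._limiters[path]

    def handle(self, client_key, path):
        """client_key should be the authenticated principal when there is one,
        otherwise the source address. Keying on a client-controlled header
        such as X-Forwarded-For lets the client reset its own budget."""
        allowed, retry_after = self._limiter(path).check(client_key)
        if not allowed:
            return 429, {"Retry-After": str(math.ceil(retry_after))}
        return 200, {}


if __name__ == "__main__":
    clock = ManualClock()
    api = RateLimitedApi(clock=clock)
    for i in range(7):
        print(i + 1, api.handle("10.0.0.1", "/login"))
    clock.advance(60)
    print("after 60s", api.handle("10.0.0.1", "/login"))
```

Testing for the absence of this control is the mirror image: replay the same login or lookup request well past any plausible budget and confirm that the status never turns into 429 and no `Retry-After` header appears.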
IDOR (Insecure Direct Object Reference): When an API exposes object identifiers (user IDs, invoice numbers, file names) and does not verify that the caller is authorized for the referenced object, an attacker can access or manipulate other users' objects simply by changing the identifier in the request. Sequential or otherwise guessable identifiers make this trivial to enumerate.
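An added example (not code from the original page) covering the authentication, access control and IDOR items above: a handler that authenticates the caller but returns whatever invoice the URL names, next to the fixed version that derives identity from a server-side session and enforces object-level authorization on every read. The users, invoices and session store are constructed in-memory data; a real service would persist them.

```python
"""Object-level authorization on an API that exposes object IDs."""
import secrets

# Constructed data: username -> role, invoice id -> record, token -> username.
USERS = {"alice": "user", "bob": "user", "carol": "support"}
INVOICES = {101: {"owner": "alice", "total": 120.0},
            102: {"owner": "bob", "total": 80.0}}
SESSIONS = {}  # opaque session token -> username, kept server-side only


def login(username):
    """Issue an unguessable session token. Identity is bound to the token on
    the server; the client never sends its own user id in a request."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def get_invoice_vulnerable(token, invoice_id):
    """Authenticates the caller, then returns whichever invoice was asked for.
    Changing 101 to 102 in the request reads another customer's invoice."""
    if token not in SESSIONS:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice


def can_read_invoice(username, invoice):
    # Allow-list: the owner, or a role explicitly granted cross-account reads.
    return invoice["owner"] == username or USERS.get(username) == "support"


def get_invoice_safe(token, invoice_id):
    """Authentication and object-level authorization on the same code path.
    Missing and foreign objects both return 404 so the response does not
    confirm which identifiers exist."""
    username = SESSIONS.get(token)
    if username is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_read_invoice(username, invoice):
        return 404, None
    return 200, invoice


if __name__ == "__main__":
    alice = login("alice")
    print("alice reads bob's invoice, vulnerable:", get_invoice_vulnerable(alice, 102))
    print("alice reads bob's invoice, fixed:     ", get_invoice_safe(alice, 102))
    print("alice reads her own invoice, fixed:   ", get_invoice_safe(alice, 101))
```

The test for IDOR follows the same shape as the vulnerable handler: log in as one user, request an object id that belongs to another, and check whether the API returns it. The check must be applied to every operation on the object (read, update, delete), not only to the listing endpoint that showed the id in the first place.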