API Testing Checklist
Checkpoints:

1. Older API versions tend to be more vulnerable, and they often lack security mechanisms. Leverage the predictable nature of REST APIs to find old versions. Saw a call to `api/v3/login`? Check if `api/v1/login` exists as well. It might be more vulnerable.
2. Never assume there's only one way to authenticate to an API! Modern apps have many API endpoints for AuthN: `/api/mobile/login` | `/api/v3/login` | `/api/magic_link`; etc. Find and test all of them for AuthN problems.
3. Remember how SQL Injections used to be extremely common 5-10 years ago, and you could break into almost every company? BOLA (IDOR) is the new epidemic of API security.
4. Testing a Ruby on Rails app and noticed an HTTP parameter containing a URL? Developers sometimes use the `Kernel#open` function to access URLs == Game Over. Just send a pipe as the first character and then a shell command (Command Injection by design). Reference link: https://apidock.com/ruby/Kernel/open
5. Found SSR...
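For checkpoint 4, the fix on the application side is to stop handing the parameter to `Kernel#open` and to accept only parsed http(s) URLs. The Ruby below is an added example, not code from the original checklist; `safe_remote_uri`, `fetch_remote`, `risky_open_calls` and the sample controller lines are hypothetical names and constructed input.

```ruby
require "uri"
require "net/http"

# Added example; helper names are hypothetical, not from the page.

# Accept only absolute http(s) URLs with a host. Anything else, including a
# value starting with "|" (which Kernel#open would run as a command), is nil.
def safe_remote_uri(value)
  return nil unless value.is_a?(String)
  uri = URI.parse(value)
  return nil unless uri.is_a?(URI::HTTP) # URI::HTTPS is a subclass
  return nil if uri.host.nil? || uri.host.empty?
  uri
rescue URI::InvalidURIError
  nil
end

# Fetch through Net::HTTP, which only speaks HTTP and never spawns a process.
# Which hosts the server may reach is a separate allowlist decision.
def fetch_remote(value)
  uri = safe_remote_uri(value)
  raise ArgumentError, "rejected URL parameter" if uri.nil?
  Net::HTTP.get_response(uri)
end

# Review aid: line numbers where bare open(...) / Kernel.open(...) is called
# with something other than a string literal. Heuristic, not a parser.
RISKY_OPEN = /(?<![\w.:])(?:Kernel\.)?open\s*\(\s*(?!["'])\S/

def risky_open_calls(source)
  source.each_line.with_index(1)
        .select { |line, _| line.match?(RISKY_OPEN) }
        .map { |_, number| number }
end

# Constructed sample controller code, for illustration only.
SAMPLE = <<~'RUBY'
  data = open(params[:avatar_url]).read
  cfg  = File.open("config.yml").read
  body = Kernel.open(url)
  tmpl = open("static/template.erb")
RUBY

if __FILE__ == $PROGRAM_NAME
  p risky_open_calls(SAMPLE)
  p safe_remote_uri("https://example.com/a.png")&.host
  p safe_remote_uri("|some-command")
end
```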