REST API Testing Guide

  1. Determine the list of potential vulnerabilities applicable to the application (for example, do you serve resources such as images that might be exposed to directory traversal attacks?).
  2. Order the items according to their risk. You can use the OWASP Top Ten to better understand the risks associated with each type of vulnerability.
  3. Engineer the requests and sessions that trigger each attack and send them to the system, preferably from both inside and outside the network.
  4. If an attack gains unauthorized access to the system, submit a vulnerability report, correct the problem, and test again.
  1. Should the API use TLS/SSL?
  2. Can the certificate be checked over HTTPS?
  3. Which authorization groups can be used for the different resources in the application? What is the authentication process?
  4. Are you using an external OAuth provider?
  5. What is the attack surface of the API? Where could an attacker break into the application?
  • Is it possible to access resources over both HTTP and HTTPS?
  • Do all endpoints require authentication?
  • Are file uploads supported? What happens if you upload a potentially malicious file with the MIME type the application expects?
  • If a web application using the API embeds user-supplied information (such as a name) in a page, what happens if you supply HTML/JS elements?
  • Can you access resources with a token that is not authorized for them?
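The two authentication questions above (do all endpoints require authentication, and can a token issued to one user reach another user's resources) can be turned into an automated check. The following is an added example, not code from the original article: it stands up a constructed mock API on a local port, with one route that enforces the bearer token and owner and one deliberately misconfigured route, then audits both. The token table, routes and finding labels are all assumptions made for the demo.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed token -> user

class MockAPI(BaseHTTPRequestHandler):
    """Constructed target: /users/<id> enforces the bearer token and the
    owner, while /reports/<id> is the misconfigured route that checks nothing."""
    def do_GET(self):
        user = TOKENS.get(self.headers.get("Authorization", "")[len("Bearer "):])
        owner = self.path[7:] if self.path.startswith("/users/") else None
        code = 200 if owner in (None, user) else 401 if user is None else 403
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"resource": self.path}).encode())
    def log_message(self, *args):  # silence per-request logging
        pass

def status(url, token=None):  # HTTP status of a GET, optional bearer token
    hdrs = {"Authorization": f"Bearer {token}"} if token else {}
    try:
        with urlopen(Request(url, headers=hdrs), timeout=2) as r:
            return r.status
    except HTTPError as e:
        return e.code

def audit(base, paths, other_user_token):
    """Flag endpoints answering 200 with no token ('do all endpoints require
    authentication?') or with another user's token ('unauthorized token')."""
    findings = {}
    for p in paths:
        issues = []
        if status(base + p) == 200:
            issues.append("no-auth-required")
        if status(base + p, other_user_token) == 200:
            issues.append("other-user-token-accepted")
        findings[p] = issues
    return findings

def run_demo():  # serve the mock API on a free local port, audit it, stop it
    srv = HTTPServer(("127.0.0.1", 0), MockAPI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    result = audit(f"http://127.0.0.1:{srv.server_port}",
                   ["/users/alice", "/reports/alice"], "tok-bob")
    srv.shutdown()
    return result
```

Against a real API, point `audit` at the base URL and the endpoint list from your attack-surface inventory and supply a token issued to a second test account; any non-empty finding list is a report to file under step 4.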
