name: api-security-testing description: Professional skills and methodology for API security testing version: 1.0.0

API Security Testing

Overview

API security testing is an essential part of ensuring the security of API interfaces. This skill provides methods, tools, and best practices for API security testing.

Testing Scope

1. Authentication and Authorization

Test items:

• Token validity verification
• Token expiration handling
• Permission control
• Role permission verification

2. Input Validation

Test items:

• Parameter type validation
• Data length limits
• Special character handling
• SQL injection protection
• XSS protection

3. Business Logic

Test items:

• Workflow validation
• State transitions
• Concurrency control
• Business rules

4. Error Handling

Test items:

• Error message leakage
• Stack traces
• Sensitive information exposure

Testing Methods

1. API Discovery

Identify API endpoints:

# Use directory scanning
gobuster dir -u https://target.com -w api-wordlist.txt

# Use Burp Suite passive scanning
# Browse application, observe API calls

# Analyze JavaScript files
# Find API endpoint definitions

2. Authentication Testing

Token testing:

# Test invalid Token
GET /api/user
Authorization: Bearer invalid_token

# Test expired Token
GET /api/user
Authorization: Bearer expired_token

# Test without Token
GET /api/user

JWT testing:

# Use jwt_tool
python jwt_tool.py <JWT_TOKEN>

# Test algorithm confusion
python jwt_tool.py <JWT_TOKEN> -X a

# Test key brute force
python jwt_tool.py <JWT_TOKEN> -C -d wordlist.txt

3. Authorization Testing

Horizontal privileges:

# User A accessing User B's resources
GET /api/user/123
Authorization: Bearer user_a_token

# Should return 403

Vertical privileges:

# Regular user accessing admin interface
GET /api/admin/users
Authorization: Bearer user_token

# Should return 403

4. Input Validation Testing

SQL injection:

POST /api/search
{
  "query": "test' OR '1'='1"
}

Command injection:

POST /api/execute
{
  "command": "ping; id"
}

XXE:

POST /api/parse
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>

5. Rate Limit Testing

Test rate limits:

import requests

for i in range(1000):
    response = requests.get('https://target.com/api/endpoint')
    print(f"Request {i}: {response.status_code}")

Tool Usage

Postman

Create test collection:

1. Import API documentation
2. Set authentication
3. Create test cases
4. Run automated tests

Burp Suite

API scanning:

1. Configure API endpoints
2. Set authentication
3. Run active scanning
4. Analyze results

OWASP ZAP

# API scan
zap-cli quick-scan --self-contained \
  --start-options '-config api.disablekey=true' \
  http://target.com/api

REST-Attacker

# Scan OpenAPI specification
rest-attacker scan openapi.yaml

Common Vulnerabilities

1. Authentication Bypass

Token validation flaws:

• Weak Token generation
• Predictable Token
• Token signature not verified

2. Privilege Escalation

IDOR:

• Direct object references
• Resource ownership not verified

3. Information Disclosure

Error messages:

• Detailed error messages
• Stack traces
• Sensitive data

4. Injection Vulnerabilities

Common injections:

• SQL injection
• NoSQL injection
• Command injection
• XXE

5. Business Logic

Logic flaws:

• Price manipulation
• Quantity limit bypass
• State modification

Testing Checklist

Authentication Testing

• Token validity verification
• Token expiration handling
• Weak Token detection
• Token replay attack

Authorization Testing

• Horizontal privilege testing
• Vertical privilege testing
• Role permission verification
• Resource access control

Input Validation

• SQL injection testing
• XSS testing
• Command injection testing
• XXE testing
• Parameter pollution

Business Logic

• Workflow validation
• State transitions
• Concurrency control
• Business rules

Error Handling

• Error message leakage
• Stack traces
• Sensitive information exposure

Protective Measures

Recommended Solutions

1. Authentication

   • Use strong Tokens
   • Implement Token refresh
   • Verify Token signature

2. Authorization

   • Role-based access control
   • Resource ownership verification
   • Principle of least privilege

3. Input Validation

   • Parameter type validation
   • Data length limits
   • Whitelist validation

4. Error Handling

   • Unified error responses
   • Do not expose detailed information
   • Record error logs

5. Rate Limiting

   • Implement API rate limiting
   • Prevent brute force attacks
   • Monitor abnormal requests

Notes

• Only perform testing in authorized test environments
• Avoid impacting APIs
• Note differences across API versions
• Pay attention to request frequency during testing