Checklist

API Checklist

To Test

https://x.com/intigriti/status/1928377914749313531

• Blind XSS in request header

XSS

• Legacy API endpoints - Replace "/api/v2" with "/api/v1", etc.

Improper Asset Management

• SSRF

SSRF

• Find more endpoints: GitHub, Dorks, Swagger, JS Files

Git DorksGoogle DorksSwagger UIWeb Enumeration

• CSRF

CSRF

• Bypass 403/401

Bypass 403 / 401

• Rate limiting & throttling checks

Rate Limiting

• JWT misconfigurations/attacks

JWT Token

• CORS Misconfiguration

CORS

• Race conditions

Race Conditons

• XXE - API is only accepting data in JSON? Try changing the content type from "application/json" to "application/xml" and test for XXE vulnerabilities

XXE / XSLT

• NoSQL injection

NoSQL injection

• Endpoint discovery & parameter tampering • Data leakage & error handling flaws • API BAC on 3 levels • SQLi • Other injection

GitHub - shieldfy/API-Security-Checklist: Checklist of the most important security countermeasures when designing, testing, and releasing your APIGitHub

API Testing and The Last MonthFrey’s CyberSec Blog

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Hacking APIs: Breaking Web Application Programming Interfaces A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.

• Black Hat GraphQL: Attacking Next Generation APIs This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.