REST API

Attack REST API

ko-fi

RESTful APIs are stateless, so when a consumer authenticates to these APIs, no session is created between the client and server. Instead, the API consumer must prove their identity within every request sent to the API provider’s web server.

Swagger UI
https://openapi.security/openapi.security
JSON Injection

Swagger Jacker

LogoGitHub - BishopFox/sj: A tool for auditing endpoints defined in exposed (Swagger/OpenAPI) definition files.GitHub

CherryBomb

LogoGitHub - blst-security/cherrybomb: Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.GitHub
https://www.youtube.com/watch?v=pfrmItMLTLgwww.youtube.com

Astra

Automated Security Testing For REST API's

LogoGitHub - flipkart-incubator/Astra: Automated Security Testing For REST API'sGitHub

Automatic API Attack Tool

LogoGitHub - imperva/automatic-api-attack-tool: Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.GitHub

URL Encoding

Fullwidth or Homoglyph Characters

Mixing Encodings in Payloads

Content-Type Confusion and Polyglot Payloads

Header and Parameter Encoding Tricks

Resources

LogoHacking APIs: Attacking REST APIs Through Serialization Format ManipulationMedium

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

ko-fi

buymeacoffee

PreviousSwagger UINextImproper Asset Management

Last updated