27 lines
1.1 KiB
Markdown
27 lines
1.1 KiB
Markdown
# API Pentesting
|
|
|
|
## Tricks
|
|
|
|
#### Play with routes
|
|
|
|
`/files/..%2f..%2f + victim ID + %2f + victim filename`
|
|
|
|
## Owasp API Security Top 10
|
|
|
|
Read this document to learn how to **search** and **exploit** Owasp Top 10 API vulnerabilities: [https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf)
|
|
|
|
## API Security Checklist
|
|
|
|
{% embed url="https://github.com/shieldfy/API-Security-Checklist" %}
|
|
|
|
## List of possible API endpoints
|
|
|
|
[https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d](https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d)
|
|
|
|
## Tools
|
|
|
|
[https://github.com/imperva/automatic-api-attack-tool](https://github.com/imperva/automatic-api-attack-tool): Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.
|
|
|
|
[https://github.com/flipkart-incubator/Astra](https://github.com/flipkart-incubator/Astra): Another tool for api testing
|
|
|