API Security Testing - Notes
API Integration
Writing code that interacts with other vendors' code online is known as API Integration.
Public APIs
• When APIs were invented, they were only used to connect different software components running on the same device.
• With the increasing age of the Internet, more Public APIs/Open APIs are available.
• Public APIs are outward facing and accessible over the Internet.
• If you are searching flights online, you get filters to choose from, like departure city and date, etc. In order to book your flight, you interact with the airline's website to access their database and see if any seats are available on those dates and what the costs might be.
• However, what if you are not using the airline's website?
• The travel service, in this case, interacts with the airline's API.
• The API is the interface that can be asked by that online travel service to get information from the airline's database to book seats, baggage options, etc. The API then takes the airline's response to your request and delivers it right back to the online travel service, which then shows you the most up-to-date, relevant information.
Types of API
● Advantages to Developer
● An API does not have a GUI. An API will only have a Request and a Response.
● Configuration of API calls will be complex for the penetration tester.
● The scope of API penetration testing will be smaller compared to web application penetration testing and mobile application penetration testing.
● The server will only process the request when all headers and parameters are in place. Otherwise the application will return a 500 Server Error.
● Burp Suite (https://portswigger.net/burp/communitydownload)
• Go to the General tab
• Disable SSL Verification
Collection files are a group of API requests that are already saved in the file and can be arranged into folders. Any number of folders can be created inside a collection.
Putting similar requests into folders and collections helps the client in better organisation and documentation of their requests.
All the API requests can be stored and saved within a collection, and these collections can be shared amongst the team in the Postman workspace.
A web service is any piece of software that makes itself available over the internet and uses a standardised messaging system.
Web services are not tied to any one operating system or programming language—Java can talk with Perl; Windows applications can talk with Unix applications.
Once installed, send the request for the WSDL web service from Firefox to Burp Suite. Right-click on it and select the option Parse WSDL.
Go to the Postman tool and click Import. Go to Raw Text and paste the curl command.
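The two Postman steps above (collections arranged into folders, and importing raw curl commands) and the earlier note that the server rejects a request until every required header and parameter is present can be tied together in a small script. The example below is added here and is not code from the notes or from Postman; it parses curl commands the way the Import > Raw Text dialog does, builds a Postman v2.1 collection JSON with folders, and reports which headers a request is missing against a required-header list. The curl commands, host `api.example.test`, folder names and the required-header list are constructed sample values, and the parser only models the curl options shown (`-X`, `-H`, `-d`), ignoring other flags.

```python
"""Added example (not from the notes): raw curl -> Postman v2.1 collection,
plus a check for headers the target API requires before it will process a call."""
import json
import shlex
from urllib.parse import parse_qsl, urlsplit

# Public schema URL used by Postman's collection format v2.1.
POSTMAN_SCHEMA = "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"

# Constructed sample input: folder name -> list of (request name, curl command).
SAMPLE_CURLS = {
    "auth": [
        ("login", "curl -X POST 'https://api.example.test/v1/login' "
                  "-H 'Content-Type: application/json' -d '{\"user\":\"alice\"}'"),
    ],
    "booking": [
        ("seats", "curl -s 'https://api.example.test/v1/flights/123/seats?date=2024-05-01' "
                  "-H 'Authorization: Bearer <token>'"),
    ],
}


def parse_curl(cmd):
    """Parse a curl command line into method, url, headers and body.
    Only -X/--request, -H/--header and -d/--data/--data-raw are modelled;
    any other option is skipped (options that take a value are not handled)."""
    tokens = shlex.split(cmd)
    if not tokens or tokens[0] != "curl":
        raise ValueError("not a curl command")
    req = {"method": None, "url": None, "headers": {}, "body": None}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-X", "--request"):
            req["method"] = tokens[i + 1].upper()
            i += 2
        elif tok in ("-H", "--header"):
            name, _, value = tokens[i + 1].partition(":")
            req["headers"][name.strip()] = value.strip()
            i += 2
        elif tok in ("-d", "--data", "--data-raw"):
            req["body"] = tokens[i + 1]
            i += 2
        elif tok.startswith("-"):
            i += 1  # flag without a value (e.g. -s, -k): ignore
        else:
            req["url"] = tok
            i += 1
    if req["url"] is None:
        raise ValueError("curl command has no URL")
    if req["method"] is None:
        # curl defaults to POST when a body is given, GET otherwise
        req["method"] = "POST" if req["body"] is not None else "GET"
    return req


def missing_headers(req, required):
    """Return the required header names the request does not carry (case-insensitive).
    Useful when reproducing the '500 until all headers are present' behaviour."""
    present = {h.lower() for h in req["headers"]}
    return [h for h in required if h.lower() not in present]


def to_postman_item(name, req):
    """Convert a parsed request into a Postman v2.1 request item."""
    parts = urlsplit(req["url"])
    url = {
        "raw": req["url"],
        "protocol": parts.scheme,
        "host": parts.hostname.split("."),
        "path": [p for p in parts.path.split("/") if p],
    }
    if parts.query:
        url["query"] = [{"key": k, "value": v} for k, v in parse_qsl(parts.query)]
    request = {
        "method": req["method"],
        "header": [{"key": k, "value": v} for k, v in req["headers"].items()],
        "url": url,
    }
    if req["body"] is not None:
        request["body"] = {"mode": "raw", "raw": req["body"]}
    return {"name": name, "request": request}


def build_collection(name, folders):
    """Build a collection with one folder per key; each folder holds its requests."""
    return {
        "info": {"name": name, "schema": POSTMAN_SCHEMA},
        "item": [
            {"name": folder, "item": [to_postman_item(n, parse_curl(c)) for n, c in reqs]}
            for folder, reqs in folders.items()
        ],
    }


if __name__ == "__main__":
    collection = build_collection("demo", SAMPLE_CURLS)
    print(json.dumps(collection, indent=2))
    seats = parse_curl(SAMPLE_CURLS["booking"][0][1])
    print("missing:", missing_headers(seats, ["Authorization", "X-Api-Key"]))
```

Save the printed JSON to a file and import it in Postman to get the same folder layout; `missing_headers` gives a quick list of what to add before the server will accept a call, instead of reading the 500 response back.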