API Scenario Checklist_Latest

The document outlines various security testing techniques for identifying vulnerabilities in applications, including Broken Object Level Authorization, Broken Authentication, Excessive Data Exposure, and SSRF. It details methods for testing authentication tokens, mass assignment, resource consumption, and security misconfigurations. Additionally, it covers scenarios for testing API functionality, input validation, and injection attacks.

Uploaded by

manumandar
Copyright: © All Rights Reserved

Broken Object Level Authorization (BOLA) / IDOR:

1) Change the object identifier (ID, account number, file name) in GET, PUT and DELETE requests to values belonging to other users, and brute force the ID range; every object the caller does not own should return 403/404, never the object.


Broken Authentication:
1) Observe whether a new auth/bearer token is generated after every login.
2) Remove the authorization token, hit all the APIs and observe the response.
3) Swap the auth tokens of 2 users and observe the response.
4) Analyze and decode tokens; rebuild JWT tokens (change the alg, the claims or the signature) and replay them.
5) Change, remove and replace tokens and observe the response/error message.
6) Check the expiration time of the token.
7) Perform brute force on the login page.
8) Check whether weak passwords are accepted.
9) Check whether default credentials are in use.
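Added example for items 4 to 6 (not part of the original checklist): decode a JWT without verifying it and flag what a tester looks for, rebuild an unsigned variant with changed claims for replay, try a wordlist against an HS256 signature, and show the strict verifier that rejects all of it. The secret, claims and wordlist are constructed for the demo; only the Python standard library is used.

```python
"""Added example, not part of the original checklist: JWT analysis, tampering
and the strict verifier. Secret, claims and wordlist below are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def inspect_jwt(token: str, now: Optional[float] = None) -> dict:
    """Decode header and claims WITHOUT verification and flag what a tester looks for."""
    now = time.time() if now is None else now
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    claims = json.loads(_b64url_decode(body_b64))
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg=none: token is unsigned")
    if not sig_b64:
        findings.append("empty signature")
    if "exp" not in claims:
        findings.append("no exp claim: token never expires")
    elif claims["exp"] - now > 24 * 3600:
        findings.append("exp more than 24h away: long-lived token")
    return {"header": header, "claims": claims, "findings": findings}


def forge_alg_none(token: str, **new_claims) -> str:
    """Rebuild the token unsigned with changed claims; the API must reject it."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    claims.update(new_claims)
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 token (used here to build the sample input)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def crack_hs256(token: str, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline guess of a weak HS256 secret: recompute the MAC for each candidate."""
    head_b64, body_b64, sig_b64 = token.split(".")
    target = _b64url_decode(sig_b64)
    for candidate in wordlist:
        mac = hmac.new(candidate, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return candidate
    return None


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> bool:
    """Strict verifier: algorithm pinned server-side, constant-time MAC check, exp enforced."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        if header.get("alg") != "HS256":          # never let the token choose the algorithm
            return False
        expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False
        claims = json.loads(_b64url_decode(body_b64))
        return isinstance(claims.get("exp"), (int, float)) and claims["exp"] > now
    except (ValueError, json.JSONDecodeError):
        return False
```

Run inspect_jwt on every token the application issues; the forged alg=none token and a token with exp moved into the future are the two variants to replay against the API, and a hit from crack_hs256 with a short wordlist means the signing secret is guessable.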

Broken Object Property Level Authorization = Mass Assignment + Excessive Data Exposure


Excessive Data Exposure: Observe every API call and check whether more data is returned than the client actually uses (e.g. a full user object where only the display name is shown); filtering must happen on the server, not in the client.

Mass Assignment:
1) Add extra properties to the request body and check whether they are reflected in the response, e.g. "admin": "true".
e.g. Log in with the 'user' role and with the 'admin' role and identify which attributes are sent for each role.
Take the values that are sent for the 'admin' role, send them through the 'user' role and observe the response.
If any functionality has 'is_enabled': false set, change it to true and observe the response.
2) Add the same key multiple times (parsers differ on which value wins, and a front-end filter may only check the first one). e.g.:
{
"username": "attacker",
"username": "attacker123",
"username": "attacker456",
"email": "[email protected]",
"isAdmin": true
}
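Added example (not the checklist's own code): a profile-update handler with the mass-assignment bug next to its allowlist fix, and a JSON parser that refuses the duplicate-key body from scenario 2. Python's json module keeps the last duplicate key; the user record and request body are constructed for the demo.

```python
"""Added example, not from the checklist: mass assignment (vulnerable vs.
allowlist binding) and duplicate-key JSON handling. Sample data is constructed."""
import json
from typing import Dict

USER_WRITABLE = {"username", "email"}   # everything else is server-controlled

SAMPLE_USER = {"id": 7, "username": "bob", "email": "bob@example.com", "isAdmin": False}

# Constructed request body from scenario 2: repeated key plus a privileged property.
DUPLICATE_KEY_BODY = """{
  "username": "attacker",
  "username": "attacker123",
  "username": "attacker456",
  "email": "attacker@example.com",
  "isAdmin": true
}"""


def parse_lenient(raw: str) -> Dict:
    """What json.loads (and most JSON libraries) do: the LAST duplicate key silently wins."""
    return json.loads(raw)


def parse_strict(raw: str) -> Dict:
    """Refuse bodies with repeated keys so a value cannot be smuggled past a filter
    that only inspected the first occurrence."""
    def no_duplicates(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                raise ValueError(f"duplicate key: {key}")
            obj[key] = value
        return obj
    return json.loads(raw, object_pairs_hook=no_duplicates)


def update_profile_vulnerable(user: Dict, payload: Dict) -> Dict:
    """Binds every request key onto the model: "isAdmin": true lands on the record."""
    updated = dict(user)
    updated.update(payload)
    return updated


def update_profile_hardened(user: Dict, payload: Dict) -> Dict:
    """Allowlist binding: unknown or privileged properties are rejected, not silently
    dropped, so the tester sees a 4xx instead of a reflected "isAdmin": true."""
    unexpected = set(payload) - USER_WRITABLE
    if unexpected:
        raise ValueError(f"unexpected properties: {sorted(unexpected)}")
    updated = dict(user)
    updated.update(payload)
    return updated


def strict_parse_rejects(raw: str) -> bool:
    try:
        parse_strict(raw)
        return False
    except ValueError:
        return True


def hardened_rejects(user: Dict, payload: Dict) -> bool:
    try:
        update_profile_hardened(user, payload)
        return False
    except ValueError:
        return True
```

When the API reflects the full object, the vulnerable handler's response shows "isAdmin": true and "username": "attacker456"; the hardened one answers with an error naming the rejected property, which is also the quickest way to confirm the fix during a retest.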

Unrestricted Resource Consumption (lack of resources and rate limiting):

1) Brute force the requests (repeat the same call rapidly) and observe the response: after a defined number of calls every API should answer 429 Too Many Requests. Note how many calls got through before the first 429.

Broken Function Level Authorization / testing for dangerous methods:

1) Change the method type from GET to PUT/DELETE and observe whether the respective action takes place.
2) Log in as a normal user and try to hit the admin endpoints, or use the auth token of a normal user against an admin endpoint.
3) Try changing the endpoints, e.g. /account to /accounts, /user to /users, /account_all, /user_all, /admin, /administrator etc.
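Added example serving both the BOLA/IDOR item and the Broken Function Level Authorization items above; it is not from the checklist. An in-memory stand-in API carries one object-level bug, one exposed DELETE and one missing role check, and a differential probe replays every request with every session and reports each 2xx the access matrix does not allow. Tokens, users and invoices are constructed.

```python
"""Added example, not from the checklist: a stand-in API with BOLA and BFLA
bugs, its hardened twin, and the differential authorization probe."""
from typing import Callable, List, Tuple

# Constructed sessions (token -> (user, role)) and objects (id -> owner).
SESSIONS = {"tok-alice": ("alice", "user"), "tok-bob": ("bob", "user"), "tok-root": ("root", "admin")}
INVOICES = {1: {"owner": "alice", "amount": 120}, 2: {"owner": "bob", "amount": 75}}

Response = Tuple[int, object]                 # (HTTP status, body)
Api = Callable[[str, str, str], Response]     # (method, path, token) -> Response


def vulnerable_api(method: str, path: str, token: str) -> Response:
    if token not in SESSIONS:
        return 401, "unauthenticated"
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "invoices" and parts[1].isdigit():
        invoice = INVOICES.get(int(parts[1]))
        if invoice is None:
            return 404, "not found"
        if method == "GET":
            return 200, invoice               # BOLA: owner never compared with the caller
        if method == "DELETE":
            return 204, None                  # dangerous method open to anyone (store left untouched)
    if path == "/admin/users":
        return 200, sorted(u for u, _ in SESSIONS.values())   # BFLA: role never checked
    return 404, "not found"


def hardened_api(method: str, path: str, token: str) -> Response:
    if token not in SESSIONS:
        return 401, "unauthenticated"
    user, role = SESSIONS[token]
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "invoices" and parts[1].isdigit():
        if method != "GET":
            return 405, "method not allowed"  # only the documented verb is routed
        invoice = INVOICES.get(int(parts[1]))
        if invoice is None:
            return 404, "not found"
        if invoice["owner"] != user and role != "admin":
            return 403, "forbidden"           # object-level check on every access
        return 200, invoice
    if path == "/admin/users":
        if role != "admin":
            return 403, "forbidden"           # function-level check
        return 200, sorted(u for u, _ in SESSIONS.values())
    return 404, "not found"


def expected_allowed(method: str, path: str, token: str) -> bool:
    """Access matrix built from the spec: who should succeed where."""
    user, role = SESSIONS[token]
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "invoices" and parts[1].isdigit():
        invoice = INVOICES.get(int(parts[1]))
        return method == "GET" and invoice is not None and (invoice["owner"] == user or role == "admin")
    if path == "/admin/users":
        return role == "admin"
    return False


PROBE_REQUESTS = [("GET", "/invoices/1"), ("GET", "/invoices/2"),
                  ("DELETE", "/invoices/1"), ("GET", "/admin/users")]


def authz_probe(api: Api, requests=PROBE_REQUESTS, allowed=expected_allowed) -> List[Tuple[str, str, str, int]]:
    """Replay every request with every session; any 2xx the matrix does not allow is a finding."""
    findings = []
    for method, path in requests:
        for token in SESSIONS:
            status, _ = api(method, path, token)
            if 200 <= status < 300 and not allowed(method, path, token):
                findings.append((method, path, token, status))
    return findings
```

Against a real target the api callable wraps an HTTP client and the matrix comes from the API documentation; the probe output is then the list of (method, endpoint, session) triples to report, and the same run against the fixed build should come back empty.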

Unrestricted access to sensitive business flows:

Identify the sensitive/core functionalities of the application and brute force them; the flow should be throttled, or require step-up verification, after a small number of attempts:
e.g.: 1) Banking application: fund transfer, getting account details, submitting feedback etc.
2) E-commerce application: placing an order.
3) Third-party services such as OTP generation, for which the application is charged for every OTP generated, etc.
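Added example serving both the rate-limiting item and the sensitive-business-flow items above; it is not from the checklist. A constructed OTP-send endpoint is run with and without a per-account token bucket, and a probe measures how many calls get through before the first 429 and what the unthrottled calls cost. The per-OTP charge and the clock are constructed.

```python
"""Added example, not from the checklist: token-bucket rate limiting on an
OTP-send flow and the probe that measures how many calls get through."""
from typing import Callable, Dict, Optional, Tuple

OTP_COST_CENTS = 5          # constructed per-SMS charge, to show the business impact


class TokenBucket:
    """Per-key limiter: `capacity` calls may burst, then `refill_per_sec` more per second."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._state: Dict[str, Tuple[float, float]] = {}     # key -> (tokens, last_seen)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._state.get(key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill_per_sec)
        if tokens >= 1.0:
            self._state[key] = (tokens - 1.0, now)
            return True
        self._state[key] = (tokens, now)
        return False


class OtpEndpoint:
    """Stand-in for POST /otp/send. Without a limiter every call is accepted and billed."""

    def __init__(self, limiter: Optional[TokenBucket] = None):
        self.limiter = limiter
        self.billed_cents = 0

    def send(self, account: str, now: float) -> int:
        if self.limiter is not None and not self.limiter.allow(account, now):
            return 429                                        # Too Many Requests
        self.billed_cents += OTP_COST_CENTS                   # provider charges per OTP
        return 202


def probe_rate_limit(send: Callable[[str, float], int], account: str,
                     attempts: int, interval: float = 0.01) -> Tuple[int, Optional[int]]:
    """Fire `attempts` calls `interval` seconds apart on a simulated clock and return
    (calls accepted, index of the first 429, or None if the flow was never throttled)."""
    accepted, first_429 = 0, None
    for i in range(attempts):
        status = send(account, i * interval)
        if status == 429:
            if first_429 is None:
                first_429 = i
        else:
            accepted += 1
    return accepted, first_429
```

Keying the bucket on the account (or phone number) rather than only on the source IP matters here: the attack in item 3 is many OTPs for one victim, which a per-IP limit alone does not stop once the attacker spreads requests over several addresses.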
SSRF:
1) Accessing internal resources: supply a URL that points at the server itself or at an internal host and try to reach admin pages, sensitive files such as /etc/passwd (if file:// is accepted) or configuration files. e.g.:
http://localhost/admin
2) Accessing metadata endpoints: cloud service providers expose metadata endpoints that provide information about the environment (instance role credentials, user data).
e.g.: SSRF URL (AWS EC2 metadata endpoint): http://169.254.169.254/latest/meta-data/
3) Exploiting trusted services: if the application makes requests to trusted external services or APIs, its identity can be borrowed to call them.
e.g.: SSRF URL (abusing a trusted API): http://trusted-api.com/admin/deleteUser?id=123
4) Port scanning and service enumeration: vary the port and compare response times and error messages. SSRF URL (port scanning): http://target.example.com:22
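Added example (not from the checklist): the destination check an SSRF fix needs, exercised with the host encodings a tester uses to get past naive string blocklists (decimal, hex and octal IPs, IPv4-mapped IPv6), plus the resolve-then-pin step for DNS names. The metadata host list is a constructed, non-exhaustive set; nothing is resolved or fetched, so the block runs offline.

```python
"""Added example, not from the checklist: server-side destination check for
SSRF, including alternate IP encodings and DNS pinning. Host list is constructed."""
import ipaddress
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Cloud metadata services a fetcher must never reach (constructed, not exhaustive).
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "100.100.100.200"}


def _parse_ip(host: str):
    """Parse the ways an IP literal can be written: dotted, bracketed IPv6,
    decimal (2130706433), hex (0x7f000001) and octal (017700000001)."""
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        if host.isdigit() and host.startswith("0") and len(host) > 1:
            n = int(host, 8)
        else:
            n = int(host, 0)
    except ValueError:
        return None
    return ipaddress.ip_address(n) if 0 <= n < 2 ** 32 else None


def _internal_ip_reason(ip) -> Optional[str]:
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped                       # ::ffff:127.0.0.1 -> 127.0.0.1
    if str(ip) in METADATA_HOSTS:
        return f"metadata endpoint {ip}"
    if (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
        return f"internal address {ip}"
    return None


def ssrf_risk(url: str) -> Optional[str]:
    """Reason the URL must not be fetched server-side, or None if the literal host looks
    external. A DNS name returns None here; it still has to go through resolve_and_check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").lower()
    if not host:
        return "no host"
    if host == "localhost" or host.endswith(".localhost") or host in METADATA_HOSTS:
        return f"blocked host {host}"
    ip = _parse_ip(host)
    return None if ip is None else _internal_ip_reason(ip)


def resolve_and_check(url: str, resolver: Callable[[str], List[str]]) -> Tuple[Optional[str], Optional[str]]:
    """Resolve a DNS name, re-check every returned address and hand back the one pinned IP
    the client must connect to (connecting by name again lets DNS rebinding swap in an
    internal address after the check). Returns (pinned_ip, reason)."""
    reason = ssrf_risk(url)
    if reason:
        return None, reason
    host = urlsplit(url).hostname.lower()
    literal = _parse_ip(host)
    if literal is not None:
        return str(literal), None
    addresses = resolver(host)
    if not addresses:
        return None, f"{host} does not resolve"
    for addr in addresses:
        bad = _internal_ip_reason(ipaddress.ip_address(addr))
        if bad:
            return None, f"{host} resolves to {bad}"
    return addresses[0], None
```

The same check has to be applied again to every redirect target the fetch follows, since a 302 from an allowed external host to http://169.254.169.254/ otherwise bypasses it; and for item 4 the tester compares timing and error text across ports, which no destination check hides if the first hop is allowed.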

Security Misconfigurations:
1) Check for Cross-Origin Resource Sharing (CORS) misconfigurations: add an Origin header with an arbitrary domain and check whether it is reflected in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true in the response.
2) Improper SSL/TLS configuration: misconfigured SSL/TLS settings such as weak cipher suites, old protocol versions, expired or self-signed certificates etc.
3) Test for insecure file uploads by providing files with double extensions, executable files (.exe, .scr) etc., and try uploading a very big file.
4) Observe error messages throughout the testing: error messages must not include stack traces or expose other sensitive information; error handling should be correct and generic.
5) Cache-control directives are not sent to clients for responses containing sensitive data. They should include e.g.
Cache-Control: no-store
Pragma: no-cache
6) Check for all the security headers in the response, e.g.:
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY or SAMEORIGIN
Strict-Transport-Security: max-age=31536000
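Added example (not from the checklist): an audit of one captured response against the CORS, cache-control, version-leakage and security-header items in this section. The two response header sets are constructed samples, one before and one after the fixes.

```python
"""Added example, not from the checklist: response-header audit for CORS and
security-header misconfigurations. Both header sets are constructed samples."""
import re
from typing import Dict, List

ONE_YEAR = 31536000

# Constructed: what a misconfigured API answered to a request carrying Origin: https://evil.example
WEAK_RESPONSE = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://evil.example",
    "Access-Control-Allow-Credentials": "true",
    "Cache-Control": "public, max-age=600",
    "Server": "Apache/2.4.41",
}

# Constructed: the same endpoint after the fixes; the allowed origin is pinned, not reflected
HARDENED_RESPONSE = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}


def audit_response(request_origin: str, headers: Dict[str, str], sensitive: bool = True) -> List[str]:
    """Return the misconfigurations visible in one response. `request_origin` is the
    arbitrary Origin the tester sent; `sensitive` marks responses carrying user or session data."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    # CORS: a reflected arbitrary origin is exploitable cross-site only together with credentials
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == request_origin and creds:
        findings.append(f"CORS: attacker origin {request_origin} reflected with credentials")
    elif acao == request_origin:
        findings.append(f"CORS: attacker origin {request_origin} reflected (no credentials)")
    elif acao == "*" and creds:
        findings.append("CORS: wildcard origin combined with credentials")

    # security headers
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif int(hsts.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age {hsts.group(1)} is below one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = h.get("content-security-policy", "")
    if h.get("x-frame-options", "").lower() not in ("deny", "sameorigin") and "frame-ancestors" not in csp:
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")
    if "default-src" not in csp:
        findings.append("missing or incomplete Content-Security-Policy")

    # cache-control directives for responses with sensitive data
    if sensitive and "no-store" not in h.get("cache-control", "").lower():
        findings.append("sensitive response without Cache-Control: no-store")

    # version disclosure in Server / X-Powered-By (same leak class as verbose error pages)
    for name in ("server", "x-powered-by"):
        if re.search(r"\d", h.get(name, "")):
            findings.append(f"{name} header discloses a version: {h[name]}")
    return findings
```

Run the CORS part with more than one Origin value (an unrelated domain, a subdomain of the target, and null), because servers that validate the origin with a substring match or a regex reflect some of these and not others.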

Improper Inventory Management (Improper Asset Management):

1) Check whether any API versions appear in the endpoints, the Swagger collection or the responses, and test whether older versions (e.g. /v1/ next to /v2/) and non-production hosts are still reachable with the same data.

Unsafe Consumption of APIs:

Ask questions about the security posture of the third-party APIs the application consumes, previous pentests and their findings etc., and check whether data returned by those APIs is validated before it is used or stored.

Other Pentest Scenarios:

Authenticated activities without authentication (same as web)
Convert Content-Type: application/json to text/html and add XSS payloads
CRLF Injection:
1) Add %0d%0aTest to the request; if the application is vulnerable to CRLF injection, the word Test is reflected in the response as a new line/header.
e.g.: GET /Vapi/api5/getuser.php%0d%0aTest HTTP/1.1
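Added example (not from the checklist): a redirect handler that splices a URL-decoded parameter into the response head, which is the bug the %0d%0a probe detects, beside the validation that blocks it, with a minimal header parser standing in for the client. The payload is constructed.

```python
"""Added example, not from the checklist: CRLF injection into a response
header, the check that blocks it, and what a client would parse. Payload is constructed."""
from typing import Dict
from urllib.parse import unquote

# Constructed probe: the checklist's %0d%0a marker followed by a header the attacker wants set.
PAYLOAD = "/home%0d%0aSet-Cookie: session=attacker"


def build_redirect_vulnerable(target: str) -> bytes:
    """Decodes the parameter and concatenates it straight into the Location header."""
    location = unquote(target)                              # %0d%0a becomes a real CR LF
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode()


def build_redirect_hardened(target: str) -> bytes:
    """Same handler, but header values may not contain CR, LF or NUL."""
    location = unquote(target)
    if any(c in location for c in "\r\n\x00"):
        raise ValueError("control characters in header value")
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode()


def parse_response_headers(raw: bytes) -> Dict[str, str]:
    """Minimal client-side parse: the headers a browser or proxy would act on."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    headers = {}
    for line in head.split("\r\n")[1:]:                      # skip the status line
        name, _, value = line.partition(": ")
        headers[name] = value
    return headers


def hardened_rejects(target: str) -> bool:
    try:
        build_redirect_hardened(target)
        return False
    except ValueError:
        return True
```

The parsed headers are what to look for in the raw response during the test: a Test (or Set-Cookie) line on its own means the injected CR LF reached the header block, and the finding is confirmed even when the body looks unchanged.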
Checking whether content type XML/JSON is supported:
1) Convert the body parameters to XML/JSON and observe whether you get a response accordingly (a parser that accepts both is a second attack surface, e.g. XXE on the XML side).
Buffer Overflow / oversized input:
1) Test with a very big input, e.g. 5-6 lines of random text in the username field etc.
Fuzzed Input:
1) Give a simple mathematical expression in an input field, e.g. username: 4+5+6 (it shouldn't get evaluated).
Host header manipulation:
1) Change the Host header and observe the Location header in the response.
2) Add X-Forwarded-Host: demo.testfire.net below the main Host header and observe whether it is used in the response.
Directory traversal:
1) Add /../../ to the API endpoint, or go one folder back, and observe the response.
Testing for Directory Listing:
1) Modify the endpoint by removing all the sub-folder names and observe the response.
Injection:
1) Brute force SQL, XSS and other injection payloads in the API query parameters and body.
Missing Input Validation:
1) Input XSS scripts into fields like username, mobile number and email ID. These fields should reject special characters they have no use for.
2) Ensure that input fields only accept data corresponding to their types. For instance, mobile number fields should only accept digits (plus the few characters a phone number needs), while username fields should only accept a defined allowlist of characters.

API functionality specific testing:

1) According to the functionality of each API call, perform additional test scenarios on the API.
E.g.: OTP testing: test all OTP scenarios.
File upload: test all file upload scenarios.