Common API Vulnerabilities Checks

Number of APIs: 2

About this collection

This collection will check your APIs for the following things:

Security Vulnerabilities
Security Headers
Content Security Policy

Using the collection

Step 1: Define the following variables as collection variables in the Check for Common API Vulnerabilities collection.

  • The base URL of the API you want to test, in the base_url variable
  • The suspicious or foreign origin you want to test, in the malicious_origin variable
  • The URL of an unauthorised subdomain, in the sub_domain_url variable
  • The key name that will carry the access token, in the access_token_key variable (default: x-access-token)
  • A valid access token for the API, in the valid_access_token_value variable
  • An expired access token, in the expired_access_token_value variable
  • Another user's valid access token, in the other_user_access_token_value variable
  • The key used to send the user ID or name, in the param_key variable
  • The value for the key named in param_key, in the param_value variable

Step 2: Once configured, run the collection within the Runner with the relevant environment selected.

Step 3: View the test results. A failed test may indicate that the API is vulnerable to an attack. Check the Visualize tab to learn more about the test results.

  1. Security Headers - Check for Security Headers GET {{base_url}}

  2. Authentication - Check response with other user's access token GET {{base_url}}
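The "Security Headers" request above checks the response headers and the Content Security Policy. As an added example that is not part of this collection, the stand-alone Node script below implements that kind of check: it flags missing or weak headers and parses the CSP to spot a script-src that allows inline scripts or any origin. The sample header sets are constructed, not captured from a real API; in a Postman test script the same function would be fed the headers from pm.response and its findings reported through pm.test.

```javascript
// Headers every JSON API response should carry, with a predicate for an acceptable value.
const REQUIRED = {
  "strict-transport-security": (v) => /max-age=\d+/i.test(v),
  "x-content-type-options": (v) => v.trim().toLowerCase() === "nosniff",
  "content-security-policy": (v) => v.trim().length > 0,
};

// Parse a CSP header value into { directive: [source, ...] }.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return policy;
}

// Return a list of findings; an empty list means every check passed.
function checkSecurityHeaders(headers) {
  // Header names are case-insensitive, so normalise them before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  for (const [name, ok] of Object.entries(REQUIRED)) {
    if (!(name in h)) findings.push(`missing header: ${name}`);
    else if (!ok(h[name])) findings.push(`weak value for ${name}: ${h[name]}`);
  }
  const csp = "content-security-policy" in h ? parseCsp(h["content-security-policy"]) : {};
  if ("content-security-policy" in h) {
    // script-src falls back to default-src when it is not set explicitly.
    const scriptSrc = csp["script-src"] || csp["default-src"] || [];
    if (scriptSrc.length === 0) findings.push("csp: no script-src or default-src");
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("csp: script-src allows 'unsafe-inline'");
    if (scriptSrc.includes("*")) findings.push("csp: script-src allows any origin (*)");
  }
  // Framing protection can come from either frame-ancestors or X-Frame-Options.
  if (!("frame-ancestors" in csp) && !("x-frame-options" in h)) {
    findings.push("clickjacking: no frame-ancestors directive or X-Frame-Options header");
  }
  return findings;
}

// Constructed sample responses (not captured from any real API).
const weakHeaders = { "Content-Type": "application/json", "X-Frame-Options": "DENY" };
const inlineCspHeaders = { "Content-Security-Policy": "script-src 'self' 'unsafe-inline'" };
const goodHeaders = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "Content-Security-Policy": "default-src 'none'; script-src 'self'; frame-ancestors 'none'",
};
```

Run `checkSecurityHeaders(weakHeaders)` to see the three missing-header findings and `checkSecurityHeaders(goodHeaders)` to confirm an empty list.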