Example 04 - Check for Common API Vulnerability
Number of APIs: 7
What does this collection do?
This collection checks your APIs for the following security issues:
- Security Vulnerabilities
- Security Headers
Requirements
Define the following variables in the Example 04 - Check for Common API Vulnerabilities environment.
Variable | Description
--- | ---
base_url | Base URL of the API to test
malicious_origin | Suspicious or foreign-origin URL to test
sub_domain_url | Unauthorized subdomain URL to test
access_token_key | Name of the key that contains the access token (the default name is x-access-token)
valid_access_token_value | Valid access token for accessing the API
expired_access_token_value | Expired (invalid) access token to test
other_user_access_token_value | Access token that is valid but belongs to another user
param_key | Key that is used to send the user ID or name
param_value | Value for the key mentioned in the param_key variable
Using the collection
To schedule the collection runs, create a new monitor with the Example 04 - Check for Common API Vulnerabilities environment selected.
Results
At the end of the run, you'll get the test results. A failed test indicates that the API may be vulnerable to the corresponding attack.
- CORS Misconfiguration - Trusted Unauthorised Subdomain Test: GET {{base_url}}
- Security Headers - Check for Security Headers: GET {{base_url}}
- Authentication - Check response with other users access token: GET {{base_url}}
- Directory Traversal - Check vulnerability for sequences stripped with superfluous URL-decode: GET {{base_url}}
- SQL Injection - SQL injection Test 1: GET {{base_url}}?{{param_key}}={{param_value}}'+OR+1=1--
- SQL Injection - SQL injection Test 2: POST {{base_url}}
- CSP Evaluator - Evaluate CSP: POST https://csper.io/api/evaluations
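The CORS-misconfiguration and security-header checks in the list above, written as plain JavaScript functions so they can be run outside Postman. This is an added example, not the collection's own test scripts; the required-header list, the trusted-origin allow-list and the sample response headers are constructed assumptions.

```javascript
// Added example, not code from the collection: the CORS-misconfiguration and
// security-header checks listed above as plain functions that run outside
// Postman. The allow-list and the sample response headers are constructed.
const REQUIRED_SECURITY_HEADERS = [
  "strict-transport-security",
  "x-content-type-options",
  "x-frame-options",
  "content-security-policy",
];

// Lower-case header names so lookups are case-insensitive, as HTTP headers are.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Security Headers check: which of the required headers the response lacks.
function missingSecurityHeaders(headers) {
  const h = normaliseHeaders(headers);
  return REQUIRED_SECURITY_HEADERS.filter((name) => !(name in h));
}

// CORS check. sentOrigin is the Origin the test request carried (the
// collection's malicious_origin or sub_domain_url); trustedOrigins is the API
// owner's allow-list (assumed). Returns a finding string, or null if clean.
function corsFinding(sentOrigin, headers, trustedOrigins) {
  const h = normaliseHeaders(headers);
  const allowOrigin = h["access-control-allow-origin"];
  const withCredentials = (h["access-control-allow-credentials"] || "").toLowerCase() === "true";
  if (allowOrigin === undefined) return null;           // no cross-origin grant at all
  if (allowOrigin === "*") {
    // Browsers refuse "*" together with credentials, but it still signals a bad config.
    return withCredentials ? "wildcard origin combined with credentials" : null;
  }
  if (allowOrigin !== sentOrigin) return null;          // fixed, different origin
  if (trustedOrigins.includes(sentOrigin)) return null; // reflected, but on the allow-list
  return withCredentials ? "untrusted origin reflected with credentials" : "untrusted origin reflected";
}

// Constructed response to a request sent with "Origin: https://evil.example".
const sampleHeaders = {
  "Access-Control-Allow-Origin": "https://evil.example",
  "Access-Control-Allow-Credentials": "true",
  "X-Content-Type-Options": "nosniff",
};
console.log(corsFinding("https://evil.example", sampleHeaders, ["https://app.example.com"]));
console.log(missingSecurityHeaders(sampleHeaders)); // three of the four required headers missing
```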