Example 04 - Check for Common API Vulnerability

Number of APIs: 7

What does this collection do?

This collection checks your APIs for the security issues covered by the seven requests listed under Results below (CORS misconfiguration, missing security headers, authentication with another user's token, directory traversal, SQL injection and CSP weaknesses).

Requirements

Define the following variables in the Example 04 - Check for Common API Vulnerabilities environment.

Variable                        Description
base_url                        Base URL of the API to test
malicious_origin                Suspicious or foreign-origin URL to test
sub_domain_url                  Unauthorized subdomain URL to test
access_token_key                Name of the key that contains the access token (the default name is x-access-token)
valid_access_token_value        Valid access token for accessing the API
expired_access_token_value      Expired (invalid) access token to test
other_user_access_token_value   Access token that is valid but belongs to another user
param_key                       Key that is used to send the user ID or name
param_value                     Value for the key mentioned in the param_key variable

Using the collection

To schedule the collection runs, create a new monitor with the Example 04 - Check for Common API Vulnerabilities environment selected.

Results

At the end of the run, you'll get the test results. A failed test could mean that the API is vulnerable to the attack that request checks for; confirm the finding against the raw response before treating it as a vulnerability.

  1. CORS Misconfiguration - Trusted Unauthorised Subdomain Test
     GET {{base_url}}
  2. Security Headers - Check for Security Headers
     GET {{base_url}}
  3. Authentication - Check response with other user's access token
     GET {{base_url}}
  4. Directory Traversal - Check vulnerability for sequences stripped with superfluous URL-decode
     GET {{base_url}}
  5. SQL Injection - SQL injection Test 1
     GET {{base_url}}?{{param_key}}={{param_value}}'+OR+1=1--
  6. SQL Injection - SQL injection Test 2
     POST {{base_url}}
  7. CSP Evaluator - Evaluate CSP
     POST https://csper.io/api/evaluations
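The response-header logic behind requests 1 and 2, written as an added example that is not part of this collection: plain functions that run under Node and, when pasted into a request's Tests tab, under Postman. The list of required security headers, the sample responses and the pm.test wrapper are my assumptions.

```javascript
// Added example (not the collection's own script): header checks behind the
// "Security Headers" and "CORS Misconfiguration" requests. The required-header
// list below is an assumption, not something the collection defines.
const REQUIRED_SECURITY_HEADERS = ['strict-transport-security',
  'x-content-type-options', 'x-frame-options', 'content-security-policy'];

// Lower-case header names so lookups are case-insensitive, as HTTP headers are.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value);
  return out;
}

// Required headers absent from the response; an empty array means the check passes.
function missingSecurityHeaders(headers) {
  const h = normalizeHeaders(headers);
  return REQUIRED_SECURITY_HEADERS.filter((name) => !(name in h));
}

// Misconfigured when the Origin we sent (malicious_origin or sub_domain_url) is
// echoed in Access-Control-Allow-Origin, or when '*' is combined with
// Access-Control-Allow-Credentials: true.
function corsMisconfigured(headers, sentOrigin) {
  const h = normalizeHeaders(headers);
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return false; // no cross-origin grant at all
  const allowCreds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  return (allowOrigin === '*' && allowCreds) || allowOrigin === sentOrigin;
}

// Constructed sample responses (not captured from a real API).
const weakResponse = { 'Content-Type': 'application/json',
  'Access-Control-Allow-Origin': 'https://foreign.example',
  'Access-Control-Allow-Credentials': 'true' };
const hardenedResponse = { 'Content-Type': 'application/json',
  'Access-Control-Allow-Origin': 'https://app.example',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff', 'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'" };

// Inside Postman, wire the functions to pm.test; under plain Node this is skipped.
if (typeof pm !== 'undefined') {
  const hdrs = {};
  pm.response.headers.each((hdr) => { hdrs[hdr.key] = hdr.value; });
  pm.test('all security headers present', () =>
    pm.expect(missingSecurityHeaders(hdrs)).to.deep.equal([]));
  pm.test('sent origin is not trusted', () =>
    pm.expect(corsMisconfigured(hdrs, pm.variables.get('malicious_origin'))).to.equal(false));
}
```

Set the request's Origin header to {{malicious_origin}} (or {{sub_domain_url}}) so that the reflected-origin comparison tests the value the collection is built around.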