Check for Common API Vulnerabilities
Number of APIs: 7
What does this collection do?
This collection will check your APIs for the following things:
Security Vulnerabilities
Security Headers
Content Secure Policy
Requirements
Define the following Variables in the Check for Common API Vulnerabilities environment.
- API's base URL you want to test in the
base_urlvariable - Suspicious or Foreign Origin for which you want to test in
malicious_originvariable - Add unauthorised subdomain URL in the
sub_domain_urlvariable - Key name that will contain the access token in
access_token_keyvariable, default isx-access-token - Valid access token to access the API in
valid_access_token_valuevariable - Expired access token in
expired_access_token_valuevariable - Other User's valid access token in
other_user_access_token_valuevariable - The key that is used to send user id OR name in the
param_keyvariable - The value in the
param_valuevariable for the key mentioned in theparam_key
Using the Collection
Once configured, run the collection within the Runner with the relevant environment selected.
Results
At the end of the run, you'll get the test results. Failed tests could mean that the API is vulnerable to an attack. Check out the Visualize tab to learn more about the test results.
-
Authentication - Check response with other users access token GET {{base_url}}
-
Security Headers - Check for Security Headers GET {{base_url}}
-
Directory Traversal - Check vulnerability for sequences stripped with superfluous URL-decode GET {{base_url}}
-
CORS Misconfiguration - Trusted Unauthorised Subdomain Test GET {{base_url}}
-
SQL Injection - SQL injection Test 1 GET {{base_url}}?{{param_key}}={{param_value}}'+OR+1=1--
-
SQL Injection - SQL injection Test 2 POST {{base_url}}
-
CSP Evaluator - Evaluate CSP POST https://csper.io/api/evaluations