Check for Common API Vulnerabilities
Number of APIs: 7
What does this collection do?
This collection will check your APIs for the following things:
Security Vulnerabilities
Security Headers
Content Security Policy (CSP)
Requirements
Define the following variables in the Check for Common API Vulnerabilities environment:
- The base URL of the API you want to test, in the base_url variable
- The suspicious or foreign origin you want to test, in the malicious_origin variable
- An unauthorised subdomain URL, in the sub_domain_url variable
- The name of the header key that carries the access token, in the access_token_key variable (default is x-access-token)
- A valid access token for the API, in the valid_access_token_value variable
- An expired access token, in the expired_access_token_value variable
- Another user's valid access token, in the other_user_access_token_value variable
- The key used to send the user id or name, in the param_key variable
- The value for the key named in param_key, in the param_value variable
Using the Collection
Once configured, run the collection within the Runner with the relevant environment selected.
Results
At the end of the run, you'll get the test results. Failed tests could mean that the API is vulnerable to an attack. Check out the Visualize tab to learn more about the test results.
- Authentication - Check response with other user's access token: GET {{base_url}}
- Security Headers - Check for Security Headers: GET {{base_url}}
- Directory Traversal - Check vulnerability for sequences stripped with superfluous URL-decode: GET {{base_url}}
- CORS Misconfiguration - Trusted Unauthorised Subdomain Test: GET {{base_url}}
- SQL Injection - SQL injection Test 1: GET {{base_url}}?{{param_key}}={{param_value}}'+OR+1=1--
- SQL Injection - SQL injection Test 2: POST {{base_url}}
- CSP Evaluator - Evaluate CSP: POST https://csper.io/api/evaluations
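To show what the Security Headers and CORS Misconfiguration requests above are looking for in a response, here is an added plain-JavaScript example (not code from this collection) that applies the same two checks to a captured set of response headers; the sample headers and the untrusted origin are constructed, and the set of required security headers is an assumption, since the collection's own list is not shown on this page.

```javascript
// Added example, not part of the Postman collection: the header checks the
// "Security Headers" and "CORS Misconfiguration" requests perform, as plain
// functions so they can run over a captured response outside Postman.

// Assumed minimum set of security headers; adjust to your policy.
const REQUIRED_SECURITY_HEADERS = [
  "strict-transport-security",
  "x-content-type-options",
  "x-frame-options",
  "content-security-policy",
];

// HTTP header names are case-insensitive, so normalise them before lookup.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Returns the required security headers that are absent from the response.
function missingSecurityHeaders(headers) {
  const h = normaliseHeaders(headers);
  return REQUIRED_SECURITY_HEADERS.filter((name) => !(name in h));
}

// untrustedOrigin is the value you would put in malicious_origin or
// sub_domain_url. Returns a finding when the API allows it (or any origin)
// in Access-Control-Allow-Origin, noting whether credentials are allowed too.
function corsFinding(headers, untrustedOrigin) {
  const h = normaliseHeaders(headers);
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return null; // no cross-origin access granted
  const withCreds = (h["access-control-allow-credentials"] || "").toLowerCase() === "true";
  const suffix = withCreds ? " with credentials" : "";
  if (allowOrigin === "*") return "wildcard origin" + suffix;
  if (allowOrigin === untrustedOrigin) return "untrusted origin reflected" + suffix;
  return null;
}

// Constructed sample: headers a misconfigured API might return to a request
// carrying Origin: https://evil.example (a placeholder origin).
const sampleHeaders = {
  "Content-Type": "application/json",
  "Access-Control-Allow-Origin": "https://evil.example",
  "Access-Control-Allow-Credentials": "true",
  "X-Content-Type-Options": "nosniff",
};

console.log("missing:", missingSecurityHeaders(sampleHeaders));
console.log("cors:", corsFinding(sampleHeaders, "https://evil.example"));
```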