You're reading from Pentesting APIs A practical guide to discovering, fingerprinting, and exploiting APIs

Product type Paperback

Published in Sep 2024

Publisher Packt

ISBN-13 9781837633166

Length 290 pages

Edition 1st Edition

Concepts

Cybersecurity

Author (1):

Maurício Harley

View More author details

Table of Contents (18) Chapters

Preface

1. Part 1: Introduction to API Security

2. Chapter 1: Understanding APIs and their Security Landscape FREE CHAPTER

3. Chapter 2: Setting Up the Penetration Testing Environment

4. Part 2: API Information Gathering and AuthN/AuthZ Testing

5. Chapter 3: API Reconnaissance and Information Gathering

6. Chapter 4: Authentication and Authorization Testing

7. Part 3: API Basic Attacks

8. Chapter 5: Injection Attacks and Validation Testing

9. Chapter 6: Error Handling and Exception Testing

10. Chapter 7: Denial of Service and Rate-Limiting Testing

11. Part 4: API Advanced Topics

12. Chapter 8: Data Exposure and Sensitive Information Leakage

13. Chapter 9: API Abuse and Business Logic Testing

14. Part 5: API Security Best Practices

15. Chapter 10: Secure Coding Practices for APIs

16. Index

Why subscribe?

17. Other Books You May Enjoy

Authentication and Authorization Testing

Assuming you read the previous chapter or already have knowledge about Application Programming Interface (API) reconnaissance, it’s now time to dive deeper into pentesting the API. In the previous chapter, we worked through a crAPI challenge by accessing data from objects that belong to other users. This data was supposed to be protected, but crAPI didn’t do it correctly. This was an authorization flaw.

We need to investigate how APIs establish some of their most fundamental security mechanisms, which are how they authenticate and authorize their users. We will use the term AuthN to refer to authentication and AuthZ to refer to authorization just to shorten the words; this is a common practice in the literature. Weak AuthN mechanisms can usually be discovered during the initial stage of our work, which we covered in the previous chapter. After some interactions and analysis, we can discover the data structures an API applies...