
How to do security testing for API

I have an API like

"/getXXXX?ABC=X7TRYUV&Ab_DEF=true&Ab_XYZ=true&Ab_ExZ=ZXTY"

How can I check the vulnerability of the request parameters?

What type of strings can I pass?

I ran the API through the Wapiti and SQLMap tools but found no issue. Manually, I have tested it by manipulating "Ab_ExZ=ZXTY" to 'CHR(91%2d1)'XTY

and it filters the result as a correct parameter, where it should not.

Thanks, Bibek

Unfortunately, the answer to your question is: it depends. There is a lot of useful information about injection-style attacks available from OWASP. The exact strings that you should use depend on the underlying technology of your solution and on the characters (e.g. terminating characters) that are significant at each stage the data is processed.

A starting point for testing injection is to try to terminate the statement/command. For example, in Oracle PL/SQL the characters '; will work: the quote closes the string and the semicolon terminates the command. If the query is prone to injection attacks, this will most likely give you an error from the database for a malformed query.

Obviously, other databases will have slightly different syntax. Also worth considering is the underlying OS: if the input to the API ends up being executed at the command line, is it Windows- or Linux-based? This will change the syntax that you want to try.

Finally, if data is being stored, where is it then rendered? If it is rendered in a web UI, you can try inputting <b>; obviously, if your API allows this to be stored and then displayed to the user without being escaped, you will see text in bold. This would indicate a second-order injection attack. (The actual risk is when the data is retrieved rather than when it is sent.)

I strongly recommend taking a look at the injection information available on OWASP's site, including the WebGoat examples, where you can have a go at trying injection-style testing against a deliberately vulnerable web site. The principles will translate nicely to API testing.
