API Security Testing

Overview

Testing Scope

1. Authentication and Authorization

• Token validity verification
• Token expiration handling
• Permission control
• Role permission verification

2. Input Validation

• Parameter type verification
• Data length restrictions
• Special character handling
• SQL injection protection
• XSS protection

3. Business Logic

• Workflow verification
• State transition
• Concurrency control
• Business rules

4. Error Handling

• Error information leakage
• Stack trace exposure
• Sensitive information disclosure

Testing Methods

1. API Discovery

# 使用目录扫描
gobuster dir -u https://target.com -w api-wordlist.txt

# 使用Burp Suite被动扫描
# 浏览应用，观察API调用

# 分析JavaScript文件
# 查找API端点定义

2. Authentication Testing

# 测试无效Token
GET /api/user
Authorization: Bearer invalid_token

# 测试过期Token
GET /api/user
Authorization: Bearer expired_token

# 测试无Token
GET /api/user

# 使用jwt_tool
python jwt_tool.py <JWT_TOKEN>

# 测试算法混淆
python jwt_tool.py <JWT_TOKEN> -X a

# 测试密钥暴力破解
python jwt_tool.py <JWT_TOKEN> -C -d wordlist.txt

3. Authorization Testing

# 用户A访问用户B的资源
GET /api/user/123
Authorization: Bearer user_a_token

# 应该返回403

# 普通用户访问管理员接口
GET /api/admin/users
Authorization: Bearer user_token

# 应该返回403

4. Input Validation Testing

POST /api/search
{
  "query": "test' OR '1'='1"
}

POST /api/execute
{
  "command": "ping; id"
}

POST /api/parse
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>

5. Rate Limiting Testing

import requests

for i in range(1000):
    response = requests.get('https://target.com/api/endpoint')
    print(f"Request {i}: {response.status_code}")

Tool Usage

Postman

1. Import API documentation
2. Configure authentication
3. Create test cases
4. Run automated tests

Burp Suite

1. Configure API endpoints
2. Set up authentication
3. Run active scan
4. Analyze results

OWASP ZAP

# API扫描
zap-cli quick-scan --self-contained \
  --start-options '-config api.disablekey=true' \
  http://target.com/api

REST-Attacker

# 扫描OpenAPI规范
rest-attacker scan openapi.yaml

Common Vulnerabilities

1. Authentication Bypass

• Weak token generation
• Predictable tokens
• Token signature not verified

2. Privilege Escalation

• Insecure Direct Object References
• Unverified resource ownership

3. Information Disclosure

• Detailed error messages
• Stack traces
• Sensitive data exposure

4. Injection Vulnerabilities

• SQL injection
• NoSQL injection
• Command injection
• XXE

5. Business Logic

• Price manipulation
• Quantity restriction bypass
• State modification

Test Checklist

Authentication Testing

• Token validity verification
• Token expiration handling
• Weak token detection
• Token replay attack

Authorization Testing

• Horizontal privilege testing
• Vertical privilege testing
• Role permission verification
• Resource access control

Input Validation

• SQL injection testing
• XSS testing
• Command injection testing
• XXE testing
• Parameter pollution

Business Logic

• Workflow verification
• State transition
• Concurrency control
• Business rules

Error Handling

• Error information leakage
• Stack trace exposure
• Sensitive information disclosure

Protection Measures

Recommended Solutions

1. Authentication
   • Use strong tokens
   • Implement token refresh
   • Verify token signatures
2. Authorization
   • Role-based access control
   • Resource ownership verification
   • Principle of least privilege
3. Input Validation
   • Parameter type verification
   • Data length restrictions
   • Whitelist validation
4. Error Handling
   • Unified error responses
   • Do not disclose detailed information
   • Log error details
5. Rate Limiting
   • Implement API rate limiting
   • Prevent brute-force attacks
   • Monitor abnormal requests

Notes

• Only conduct in authorized testing environments
• Avoid impacting API services
• Note differences between different API versions
• Pay attention to request frequency during testing