API Testing
vAPI
vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios as a series of exercises.
crAPI
completely ridiculous API (crAPI) will help you understand the ten most critical API security risks. crAPI is vulnerable by design, but you can safely run it to educate and train yourself.
crAPI is modern, built on a microservices architecture. When the time comes to buy your first car, sign up for an account and start your journey. To learn more about crAPI, see crAPI's overview.
Kontra OWASP Top 10 for API
KONTRA’s OWASP Top 10 for API is a series of free interactive application security training modules that teach developers how to identify and mitigate security vulnerabilities in their web API endpoints.
REST Assured: Penetration Testing REST APIs Using Burp Suite: Part 1 – Introduction & Configuration
Hello and welcome to our 3-part blog series where we will take a dive into the technical aspects of conducting exhaustive penetration tests against REST API services and generating reports based on what tests were performed and what our findings are. Due to the subject matter being relatively technical, I'm making some assumptions about the reader's knowledge base, namely that they'll be at least familiar with the concepts behind conducting penetration testing and vulnerability analysis. That said, if you happen to have a RESTful API service that you're looking to conduct a penetration test against, then make sure to stick with us as we dig into the specifics of how to make sure you leave no stone unturned. Part 1 will cover the dos and don'ts of configuring and optimizing our scan engine to make sure we're set for success. Part 2 will consist of the actual penetration testing itself, and Part 3 will be on formatting our results and generating a detailed report. I hope this series will be helpful to my fellow security enthusiasts of all skill levels. Please feel free to reach out to me or comment below if you ever have any questions or comments on Burp Suite and I'll make sure to help in any way I can. Now let's get started!
REST Assured: Penetration Testing REST APIs Using Burp Suite: Part 2 – Testing
Welcome back! In Part 1 of the REST Assured blog series, we discussed the definitions and history behind APIs, and we reviewed the proper configuration of Burp Suite for conducting security testing against them. In Part 2 of the blog, we're going to get into the fun part: Testing.
REST Assured: Penetration Testing REST APIs Using Burp Suite: Part 3 – Reporting
Welcome back to the Penetration Testing REST API blog series for Part 3: Reporting. While often overlooked by security professionals, compiling reports is almost always required of penetration testers after testing. That's why today we're going to review how to put all of our findings together and leave a thorough paper trail.
API Penetration Testing : Things To Be Noted
High level API testing methodology.
API Pentesting Tricks
HackTricks for Web API Pentesting.
Cracking REST APIs
REST, or Representational State Transfer, is the architectural style behind how the whole Web works over HTTP; it is not a protocol in itself. No big deal. We are used to using REST with a browser, but there is more to it: we can write programs against REST APIs. The problem is that exposing properties and functions over the Web's transfer protocol opens them up to all of the security weaknesses of the Web, and we know there are a few of those. Finding those bugs is just half of the battle; fixing them is a whole other story. You'll need the details, and you'll get them here.
How to Hack APIs in 2021
Crowdsource hackers Hakluke and Farah Hawa have joined forces on this guest blog on how hackers and defenders can (safely) hack APIs to help make the Internet safer.
Let me know what you think of this article on twitter @_TheGetch_!