We have a server that is running a REST API on port 443. I'd like to make sure it's secure by doing various pen tests on it. I'm used to doing offensive testing on a webpage where I can see code, and URLs, and find forms to test. But I'm completely blind when testing an API. I don't even know what are valid URLs to test against. Is there any good documentation on how to do this, perhaps using Kali Linux?
Astra is one which I came across:

> Astra can be used by security engineers or developers as an integral part of their process, so they can detect and patch vulnerabilities early during the development cycle. Astra can automatically detect and test login & logout (Authentication API), so it's easy for anyone to integrate this into a CICD pipeline. Astra can take an API collection as an input, so this can also be used for testing APIs in standalone mode.

https://github.com/flipkart-incubator/Astra – codegagan Apr 23 '18 at 05:59
1 Answer
REST Security and API Security are excellent topics of research.
This question and the answers provide good starting points to find great tools and techniques to test these interfaces -- API Security Testing Methodologies
If I were you, I'd avoid testing a REST interface or an API's security remotely, or via a black-box technique such as dynamic app security testing. What you want is to analyze the design decisions (this blog post is a great reference with .NET code examples and component recommendations) and/or perform a secure code review. One tool that I commonly use to perform secure code reviews is Find Security Bugs. For analyzing components, there is OWASP Dependency Check (with multiple language support), bundler-audit for Ruby, Retire.js (or Snyk.io) for JavaScript, and OWASP SafeNuGet for .NET projects.