API Security Resources & setup

Complete resources, from scratch to advanced, plus environment setup for noobs.


API pentesting is one of the fastest-emerging and most crucial disciplines for evolving security requirements. In this article you can expect: resources to set up an API pentest environment from scratch using Postman with Burp Suite or OWASP ZAP as the proxy; key points for understanding APIs and their diversity; common API vulnerabilities and their impact; methodologies to replicate attacks; the OWASP Top 10 for APIs; 31 days of API security learning and hints; relevant people to follow on Twitter; video resources and YouTube channels to follow; books; and more.

All the resources I post here aren't completely mine; credit goes to the creators/authors, and I am extremely thankful to the community for creating them.

The best resource to get started (it personally helped me a lot) is by Mr. Saumya Prakash Rana:

API Security Testing-1

It discusses:

Before we go ahead, you will need to understand how to use Postman and how it works, along with how to create API calls yourself when they are not provided in the documentation. I would like you to go through the following playlist to get greater clarity before proceeding: Postman Beginner tutorials

At this point your environment is set up for API penetration testing, and interception will happen via Burp Suite. For more clarity on Burp Suite or the OWASP ZAP proxy, you can follow the links below.

The article below covers the advanced attack process: API Security Testing-2

It discusses:

By now you should have the basic gist of general security loopholes and methodologies. Before we proceed further, it is important that you watch the following videos and understand their contents in depth to gain more clarity.

API Security 101 by Sadako

Bad API, hAPI Hackers! by jr0ch17

Hidden in Plain Site: Disclosing Information via Your APIs - Peter Yaworski

Courtesy - BugCrowd

Automating API Penetration Testing using fuzzapi

Courtesy - OWASP

By now you have the environment set up, good knowledge of basic and common attack vectors, and a pretty good idea of the different approaches and methodologies used by experts. Let's look at the OWASP Top 10 for APIs, 2019 edition. It covers the top 10 most critical risks for APIs, with all the relevant references needed to understand and analyze those threats.

OWASP Top 10 - 2019

Link to the official PDF here

Definitely take a look at the list and try to understand each item on it.

This discusses:

Before we proceed further, I would like you to read this and come back to it later as part of recursive learning, analyzing the methodology. It talks about “API Protection — What You Need To Know In The New API Economy”.

This article also speaks of the top risks of APIs and their usage; you could optionally go through it.

Let us now discuss 31 Days of API Security.

31 Days of API Security

Tips for 31 days of API Security

It is highly recommended to follow up with the above two links to gain sound knowledge and manageable experience to excel in the field of API security.


Before we move ahead, I would like you to read an amazing article on “Most Critical API Vulnerability — BOLA (Broken Object Level Authorization)” from here.

Definitely go through this gold resource to understand these issues via live vulnerabilities from popular platforms.


Books for API Sec


People to follow


I would be open to any suggestions, ideas and improvements. You could comment below to suggest any changes and modifications, or anything to add further to the content. I am thankful to the individual creators of each of the contents. Thank you for reading.

Happy Hacking :)