Introduction

What?

Notes on techniques used for:

• Leveraging vulnerabilities identified to successfully penetrate security controls, using mostly manual attacks with only some semi-automated support.

• Gaining access to web services application data and/or permissions (access) not previously available.

Note: Exploitation of web services may not be possible given the security controls present, the complexity of the attack (undocumented, or not enough documentation/context), and the time allotment for testing.

Why?

To overcome the challenges to build a meaningful and sustainable API testing practice.

How?

• Challenges

• Analyse API endpoints

• Fuzz deep and wide

• Rate limit tests

• Evasive techniques

• Attack authentication

• Exploiting authorisation

• Inject with mass assignment

• Try traditional methods