Introduction

What?

Notes on techniques used for:

  • Leveraging identified vulnerabilities to penetrate security controls, using mostly manual attacks with only limited semi-automated support.

  • Gaining access to web service application data and/or permissions (access) that were not previously available.

Note: Exploitation of web services may not be possible given the security controls present, the complexity of the attack (undocumented, or not enough documentation/context), and the time allotted for testing.

Why?

To overcome the challenges of building a meaningful and sustainable API testing practice.

How?