API Testing and API Hacks

Any application that stores sensitive data and talks to its server through API calls exposes that data to attackers if the API was not tested before it was served to customers. That is why API testing matters.

Every API has to enforce two distinct controls, and testing has to cover both:
1. Authentication – who are you?
2. Authorization – what are you allowed to do?
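The difference matters in practice because an endpoint that only authenticates still lets any logged-in caller read any other user's data by guessing an id. The following is an added example (not code from the original article) with constructed tokens, records and handler names: one handler stops at authentication, the other also checks that the caller owns the record.

```python
"""Authentication vs authorization in a minimal API handler.

Added example, not code from the original article. The tokens, records
and handler names below are constructed for illustration.
"""

# Constructed sample data: bearer tokens mapped to user ids (authentication),
# and records owned by users (what authorization has to protect).
TOKENS = {
    "tok-alice-1": "alice",
    "tok-bob-7": "bob",
}

RECORDS = {
    1: {"owner": "alice", "data": "alice's medical history"},
    2: {"owner": "bob", "data": "bob's invoice"},
}


class ApiError(Exception):
    """Carries the HTTP status the endpoint would return."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def authenticate(token: str) -> str:
    """Who are you: map a presented token to a user id, or reject with 401."""
    user = TOKENS.get(token)
    if user is None:
        raise ApiError(401, "unauthenticated")
    return user


def get_record_insecure(token: str, record_id: int) -> str:
    """Authenticates the caller but never checks ownership: any valid token
    can read any record simply by supplying its id."""
    authenticate(token)
    record = RECORDS.get(record_id)
    if record is None:
        raise ApiError(404, "not found")
    return record["data"]


def get_record(token: str, record_id: int) -> str:
    """Authenticates, then authorizes: the record must belong to the caller."""
    user = authenticate(token)
    record = RECORDS.get(record_id)
    # Same 404 for "missing" and "not yours", so the endpoint does not
    # reveal which ids exist.
    if record is None or record["owner"] != user:
        raise ApiError(404, "not found")
    return record["data"]


def status_of(handler, token: str, record_id: int) -> int:
    """Return the HTTP status a call to `handler` would produce."""
    try:
        handler(token, record_id)
        return 200
    except ApiError as e:
        return e.status


if __name__ == "__main__":
    # Bob reads Alice's record through the handler that only authenticates ...
    print(status_of(get_record_insecure, "tok-bob-7", 1))
    # ... and is refused by the handler that also authorizes.
    print(status_of(get_record, "tok-bob-7", 1))
    # An unknown token fails authentication before authorization is reached.
    print(status_of(get_record, "no-such-token", 1))
```

A tester exercising this endpoint would take a valid token for one user and request ids belonging to another; a 200 on the cross-user request is the finding.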

For developers, the API is the contract through which the parts of an application talk to one another.

My aim here is to draw attention to the attacks an API can face and to the ways they can be prevented.

Possible API Hacks:

SQL Injection : on the database behind the API
Code Injection : on application code that evaluates user input
Log Injection : on the log files that record user data
XPath Injection : on XML queries built from user input
Boundary Scan : on parameters with defined ranges (values at, just below and just above the limits)
Invalid Types : on parameters given input of the wrong data type
Malformed XML : on the XML parser
XML Bomb : on the XML parser (entity expansion that exhausts memory or CPU)
Malicious Attachment : on file uploads
Cross Site Scripting : on web pages that render API output in the browser
Custom Script : on custom parameters
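Three items from the list, worked through as an added example (not code from the original article) with a constructed in-memory SQLite table and constructed function names: SQL injection through a search parameter beside the parameterized fix, a type and boundary check for a numeric parameter, and a pre-parse check that refuses XML carrying a DTD, which is what an XML bomb needs.

```python
"""SQL injection, type/boundary validation and XML-bomb rejection for an API.

Added example, not code from the original article. The `orders` table, its
rows and the function names are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three orders belonging to two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders (owner, item) VALUES (?, ?)",
        [("alice", "laptop"), ("alice", "monitor"), ("bob", "phone")],
    )
    conn.commit()
    return conn


def orders_insecure(conn: sqlite3.Connection, owner: str, item: str) -> list:
    """Builds the WHERE clause by string formatting: the `item` parameter
    becomes part of the SQL and can change the query's logic."""
    sql = (
        "SELECT id, owner, item FROM orders "
        f"WHERE owner = '{owner}' AND item = '{item}'"
    )
    return conn.execute(sql).fetchall()


def orders_safe(conn: sqlite3.Connection, owner: str, item: str) -> list:
    """Uses placeholders: the driver sends values separately from the
    statement, so a quote in `item` is just data."""
    sql = "SELECT id, owner, item FROM orders WHERE owner = ? AND item = ?"
    return conn.execute(sql, (owner, item)).fetchall()


def parse_page_size(raw) -> int:
    """Type and boundary check for a numeric query parameter (1..100).
    Rejects non-integers (including booleans) and out-of-range values."""
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        raise ValueError("page_size must be an integer")
    try:
        value = int(raw)
    except ValueError:
        raise ValueError("page_size must be an integer")
    if not 1 <= value <= 100:
        raise ValueError("page_size out of range")
    return value


def is_valid_page_size(raw) -> bool:
    """Convenience wrapper: True when parse_page_size accepts the value."""
    try:
        parse_page_size(raw)
        return True
    except ValueError:
        return False


def has_dtd(xml_text: str) -> bool:
    """Entity-expansion bombs (billion laughs) need a DTD. Refusing any
    document that declares one, before it reaches the parser, is the same
    approach as defusedxml's forbid_dtd option. XML keywords are
    case-sensitive, so the uppercase match is sufficient."""
    return "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"  # classic tautology; AND binds tighter than OR
    print(orders_insecure(conn, "alice", payload))  # every row, bob's included
    print(orders_safe(conn, "alice", payload))      # no row has that literal item
    print(is_valid_page_size("10"), is_valid_page_size("1000"), is_valid_page_size("ten"))
    bomb = ('<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
            '<!ENTITY lol2 "&lol;&lol;&lol;&lol;">]><lolz>&lol2;</lolz>')
    print(has_dtd(bomb), has_dtd("<orders><order id='1'/></orders>"))
```

The same payload that returns every row from the string-built query returns nothing from the parameterized one, because the placeholder turns the quote into a literal character rather than a delimiter. The boundary check is deliberately strict about type: `True` is an `int` in Python, so it has to be excluded explicitly.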

Possible Preventions:

Requirements – The requirements document must clearly define the main purpose of the API, who its end users are, and who may access which kinds of data.

Educate your development team – It is essential that the development team learns how the API can be secured at each layer of the application.

Educate your testers – Testers are usually not asked to test an API deeply enough to investigate the threats it faces at different layers. Invest in R&D on API testing so that testers can spend their time on it efficiently.

Monitoring – Whenever the API design changes, inform the whole development team and the testers so that the change does not introduce new risks.

About the Author

Padmaraj

As a Software Engineer with an accomplished history of driving process change and agility, I specialize in Quality Assurance and Brand Management. I am always interested in pursuing leadership opportunities where I am able to achieve excellence and create high quality client products. I enjoy managing the end-to-end build/release cycle for cutting-edge software products. I thrive in a dynamic, innovative environment where I can contribute to capabilities to support long-term vision and drive new strategic initiatives. • Passion for high quality software. Areas of interest - Penetration/Security Testing & R&D
Find out more about @padmaraj