Wherever an application stores sensitive data and talks to its server through API methods, someone may be able to extract that data through the API if it was not tested before being served to your customers; that is why API testing matters.
Access to an API can be defined in 2 steps:
1. Authentication – who are you
2. Authorization – what you can do
For developers, it is the communication language within application development.
My intention is to bring focus to the possible attacks on APIs and the possible ways of preventing them.
Possible API Hacks:
SQL Injection : On the database
Code Injection : On the app
Log Injection : On user data
XPath Injection : On XML
Boundary Scan : On defined ranges
Invalid Types : On invalid input data
Malformed XML : On XML
XML Bomb : On XML
Malicious Attachment : On files
Cross Site Scripting : On website pages
Custom Script : On custom parameters
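To make the two steps above (authentication, then authorization) and several of the listed hacks (SQL injection, boundary scan, invalid types) concrete, here is an added example of a small API handler written for this post, not code from any real project: the tokens, permissions, account table and the 1..10000 id range are all constructed assumptions.

```python
import sqlite3
import hmac

# Constructed sample data (assumption, not from the post): bearer tokens and their users.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
# Authorization data: which account ids each user may read.
PERMISSIONS = {"alice": {1, 2}, "bob": {3}}


def make_db():
    """In-memory SQLite table standing in for the API's backing database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [(1, "alice", 100), (2, "alice", 50), (3, "bob", 75)])
    return db


def authenticate(token):
    """Step 1, who are you: map a bearer token to a user with a constant-time compare."""
    if not isinstance(token, str):
        return None
    for known, user in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return user
    return None


def authorize(user, account_id):
    """Step 2, what you can do: may this user read this account?"""
    return account_id in PERMISSIONS.get(user, set())


def validate_account_id(raw):
    """Invalid types / boundary scan: accept only a real int inside the defined range."""
    if isinstance(raw, bool) or not isinstance(raw, int):
        return None          # strings such as "3 OR 1=1" never reach the query
    if not 1 <= raw <= 10_000:
        return None          # out-of-range ids are rejected, not looked up
    return raw


def get_balance(db, token, raw_id):
    """Handler for GET /accounts/{id}/balance; returns (status, body)."""
    user = authenticate(token)
    if user is None:
        return 401, "unauthenticated"
    account_id = validate_account_id(raw_id)
    if account_id is None:
        return 400, "bad account id"
    if not authorize(user, account_id):
        return 403, "forbidden"
    # SQL injection prevention: the id is bound as a parameter, never pasted into SQL text.
    row = db.execute("SELECT balance FROM accounts WHERE id = ?", (account_id,)).fetchone()
    return (404, "no such account") if row is None else (200, row[0])
```

Each check runs in order, so a request has to pass authentication before its input is even validated, and authorization before the database is touched.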
Possible Preventions:
Requirements – The requirements document must clearly define the main purpose and focus of the API for the end user, and who may access which kind of data.
Educate your development team – It is key to educate the development team so they learn and understand how to secure the API at the different levels of the application.
Educate testers – Normally testers are not expected to test the API deeply enough to investigate the possible threats at its different layers; better to do R&D on the API so testers can use their resources to test it more efficiently.
Monitoring – If something changes in the API design, keep all development team members and testers updated to avoid the risks.