...

Security by feature

# API

  • verify that the documentation is up to date (white box testing)
    • verify that only what is needed is implemented; all unnecessary options should be removed
  • verify how API will behave during boundary condition parameter tests
  • verify how API will behave during parameter fuzzing / parameter tampering
  • verify how API will behave during parameter enumeration
  • verify that backend data validation is in place
  • manual code analysis (white box testing)
  • static code analysis (white box testing)
  • be a hacker, imagine how to use API as a malicious user
  • verify that appropriate logging is implemented; all warning and error events have to be stored in the log file
  • verify that the API is protected against
    • sql-injection
      • manual test
      • sqlmap scan
    • command injection
    • XSS
    • path traversal
    • and the other OWASP Top 10 categories
  • verify that the API is available only via HTTPS
  • check response headers; for example, the Server header can be removed
  • check if Content-Security-Policy header is present
  • authentication
    • JWT
      • check that the JWT secret is long enough
      • check that the JWT secret is unique for each application instance
  • verify that proper error handling is implemented
  • verify that the system will reject / omit all additional parameters (e.g. query parameters, fields in the body)
  • If you are parsing XML files
    • make sure entity parsing is not enabled to avoid XXE (XML external entity attack).
    • make sure entity expansion is not enabled to avoid Billion Laughs/XML bomb via exponential entity expansion attack.
  • OWASP REST Security Cheat Sheet
  • API security testing – tips to prevent getting pwned
  • API Security Checklist

# File upload

  • verify if documentation is up to date (white box testing)
  • upload very big file
  • upload file with unexpected extension
  • upload file with unexpected content type
  • upload malicious file
  • manual code analysis (white box testing)
  • static code analysis (white box testing)
  • be a hacker, imagine how to use the file upload feature as a malicious user
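The size, extension and content-type checks in this list are easiest to reason about as one validation step that runs before anything is written to disk. Below is an added example (not code from the original checklist): it enforces a size cap, an extension allowlist, agreement between the declared `Content-Type` and the extension, and agreement between the first bytes of the file and the format the extension claims, so that a renamed file or a forged header is rejected. The allowlist, magic-byte prefixes, function names (`validate_upload`, `upload_rejected`) and sample byte strings are this example's own assumptions; the sample files are constructed.

```python
import os

# Allowlist: extension -> (canonical MIME type, leading "magic" bytes of the format).
ALLOWED_TYPES = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    ".pdf": ("application/pdf", b"%PDF-"),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised when an upload fails one of the checks."""


def validate_upload(filename, declared_type, data, max_bytes=MAX_UPLOAD_BYTES):
    """Check size, extension, declared Content-Type and real content of an upload.

    Returns (safe_basename, canonical_mime_type) on success.
    """
    if not data:
        raise UploadRejected("empty file")
    if len(data) > max_bytes:
        raise UploadRejected(f"file exceeds {max_bytes} bytes")

    # Keep only the final path component so "../x.png" cannot escape the upload dir.
    safe_name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(safe_name)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    mime_type, magic = ALLOWED_TYPES[ext]

    # Compare only the media type; ignore parameters such as "; charset=...".
    media_type = declared_type.split(";", 1)[0].strip().lower()
    if media_type != mime_type:
        raise UploadRejected(f"declared type {media_type!r} does not match {ext!r}")

    # The client controls both the name and the header; the bytes must agree too.
    if not data.startswith(magic):
        raise UploadRejected("file content does not match its extension")

    return safe_name, mime_type


def upload_rejected(filename, declared_type, data, max_bytes=MAX_UPLOAD_BYTES):
    """True if validate_upload refuses the upload."""
    try:
        validate_upload(filename, declared_type, data, max_bytes)
    except UploadRejected:
        return True
    return False


# Constructed sample uploads for this example (not real files).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
TEXT_BYTES = b"this is not an image"

if __name__ == "__main__":
    print(validate_upload("photo.PNG", "image/png", PNG_BYTES))
    print("wrong extension rejected:", upload_rejected("upload.php", "image/png", PNG_BYTES))
    print("wrong content rejected:", upload_rejected("photo.png", "image/png", TEXT_BYTES))
    print("oversize rejected:", upload_rejected("photo.png", "image/png", PNG_BYTES, max_bytes=16))
```

The magic-byte check is a first pass, not a full parse; a file that passes it should still be stored under a server-generated name, outside the web root, and be opened only by a decoder that tolerates malformed input. The size check here runs on bytes already in memory, so in a real service the limit belongs on the request body as well.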