Security by feature
2018-08-26 15:59:30
API
- verify if documentation is up to date (white box testing)
- verify that only what is needed is implemented; all unnecessary options should be removed
- verify how API will behave during boundary condition parameter tests
- verify how API will behave during parameter fuzzing / parameter tampering
- verify how API will behave during parameter enumeration
- verify that backend data validation is in place
- manual code analysis (white box testing)
- static code analysis (white box testing)
- be a hacker, imagine how to use API as a malicious user
- verify that appropriate logging is implemented; all warning and error events have to be stored in the log file
- verify that the API is protected against
  - SQL injection
    - manual test
    - sqlmap scan
  - command injection
  - XSS
  - path traversal
  - and the other OWASP Top 10 categories
- verify that the API is available only via HTTPS
- check response headers; for example, the Server header can be removed
- check that the Content-Security-Policy header is present
- authentication
  - JWT
    - check that the JWT secret is long enough
    - check that the JWT secret is unique for each application instance
- verify that proper error handling is implemented
- verify that the system rejects or omits all additional parameters (e.g. extra query parameters or fields in the body)
- if you are parsing XML files
  - make sure external entity resolution is disabled, to avoid XXE (XML external entity attack)
  - make sure entity expansion is disabled, to avoid Billion Laughs / XML bomb attacks (exponential entity expansion)
- OWASP REST Security Cheat Sheet
- API security testing - tips to prevent getting pwned
- API Security Checklist
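The boundary-condition, parameter-tampering and "reject additional parameters" items above describe one defensive pattern: validate every request body against an explicit schema and refuse anything outside it. The following is an added example written for this page, not code from the original checklist; the `ORDER_SCHEMA` endpoint and its limits are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Any, Dict, Optional


class ValidationError(ValueError):
    """Carries every problem found in a request body, so the caller can log them all."""


@dataclass(frozen=True)
class Field:
    type_: type
    required: bool = True
    min_value: Optional[int] = None   # inclusive bounds for numeric fields
    max_value: Optional[int] = None
    max_len: Optional[int] = None     # maximum length for string fields


# Constructed schema for a hypothetical "create order" endpoint (not from the page).
ORDER_SCHEMA: Dict[str, Field] = {
    "item_id": Field(int, min_value=1, max_value=2**31 - 1),
    "quantity": Field(int, min_value=1, max_value=100),
    "note": Field(str, required=False, max_len=200),
}


def validate_body(body: Dict[str, Any], schema: Dict[str, Field]) -> Dict[str, Any]:
    """Return a copy of body holding only schema fields, or raise ValidationError.

    A field the schema does not know about is an error, not something to drop
    silently: dropping it would hide tampering attempts (an added "is_admin": true,
    say) from the logs the checklist asks for.
    """
    errors = []
    unknown = set(body) - set(schema)
    if unknown:
        errors.append(f"unexpected fields: {sorted(unknown)}")
    for name, spec in schema.items():
        if name not in body:
            if spec.required:
                errors.append(f"{name}: missing")
            continue
        value = body[name]
        # Exact type match: bool is a subclass of int and "5" is not 5, so both are rejected.
        if type(value) is not spec.type_:
            errors.append(f"{name}: expected {spec.type_.__name__}, got {type(value).__name__}")
            continue
        if spec.min_value is not None and value < spec.min_value:
            errors.append(f"{name}: below minimum {spec.min_value}")
        if spec.max_value is not None and value > spec.max_value:
            errors.append(f"{name}: above maximum {spec.max_value}")
        if spec.max_len is not None and len(value) > spec.max_len:
            errors.append(f"{name}: longer than {spec.max_len} characters")
    if errors:
        raise ValidationError("; ".join(errors))
    return {name: body[name] for name in schema if name in body}


def problems(body: Dict[str, Any], schema: Dict[str, Field] = ORDER_SCHEMA) -> str:
    """Helper for tests and logging: the error text, or "" when the body is accepted."""
    try:
        validate_body(body, schema)
        return ""
    except ValidationError as exc:
        return str(exc)


if __name__ == "__main__":
    print(validate_body({"item_id": 7, "quantity": 3}, ORDER_SCHEMA))
    print(problems({"item_id": 7, "quantity": 2**40, "is_admin": True}))
```

The returned dictionary is the only thing that should reach the business logic; building it from the schema rather than from the request is what makes "unknown fields never get through" hold even if a later developer forgets a check.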
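The two JWT items above (a long enough secret, and one secret per application instance) can be turned into a small audit script. This is an added example for this page, not the author's code. It assumes HS256, for which RFC 7518 section 3.2 requires a key at least as long as the hash output (32 bytes); the entropy threshold and the placeholder list are assumptions chosen for the example.

```python
import hashlib
import math
import secrets
from collections import Counter
from typing import Dict, List

# RFC 7518 section 3.2: an HMAC key must be at least as long as the hash output,
# i.e. 256 bits for HS256.
MIN_HS256_SECRET_BYTES = 32
# Heuristic threshold (an assumption for this example): random bytes, hex and
# base64 score well above it; repeated or dictionary-style secrets fall below it.
MIN_BITS_PER_BYTE = 3.5
# Constructed list of placeholder values seen in sample configs (not from the page).
PLACEHOLDER_SECRETS = {b"secret", b"changeme", b"password", b"jwt-secret"}


def bits_per_byte(secret: bytes) -> float:
    """Shannon entropy of the byte distribution: a rough diversity measure."""
    n = len(secret)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(secret).values())


def check_jwt_secret(secret: bytes) -> List[str]:
    """Return the findings for one HS256 secret; an empty list means it passed."""
    findings = []
    if secret in PLACEHOLDER_SECRETS:
        findings.append("placeholder value")
    if len(secret) < MIN_HS256_SECRET_BYTES:
        findings.append(f"too short: {len(secret)} bytes, need {MIN_HS256_SECRET_BYTES}")
    if bits_per_byte(secret) < MIN_BITS_PER_BYTE:
        findings.append("low entropy: repeated or dictionary-like content")
    return findings


def generate_jwt_secret() -> bytes:
    """Fresh secret from the OS CSPRNG; generate one per application instance."""
    return secrets.token_bytes(MIN_HS256_SECRET_BYTES)


def fingerprint(secret: bytes) -> str:
    """Log-safe identifier for a secret (never log the secret itself)."""
    return hashlib.sha256(secret).hexdigest()[:16]


def shared_secrets(secret_by_instance: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group instances that reuse the same secret, keyed by fingerprint.

    Only groups with more than one member are returned; an empty result means
    every instance has its own secret.
    """
    groups: Dict[str, List[str]] = {}
    for instance, secret in secret_by_instance.items():
        groups.setdefault(fingerprint(secret), []).append(instance)
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed inventory: two instances copied the same secret.
    inventory = {"app-1": b"A" * 32, "app-2": b"A" * 32, "app-3": generate_jwt_secret()}
    for name, value in inventory.items():
        print(name, fingerprint(value), check_jwt_secret(value) or "ok")
    print("shared:", shared_secrets(inventory))
```

Reporting by fingerprint rather than by value is what lets the audit output go into a ticket or a log line without becoming a secret leak itself.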
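The XML items above (no external entities, no entity expansion) come down to one rule for untrusted input: refuse any document that carries a DOCTYPE, since both XXE and an expansion bomb need a DTD to declare their entities. The example below is added for this page, not the author's code; it uses only the Python standard library (`xml.parsers.expat` to pre-scan, `xml.etree.ElementTree` to parse) and the sample documents are constructed. In a real project the `defusedxml` package does the same job off the shelf.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Any entity declaration (XXE or an expansion bomb) needs a DTD, so refusing
    # the DOCTYPE itself closes both holes at once.
    raise UnsafeXML(f"DOCTYPE {name!r} is not allowed in untrusted input")


def _reject_entity_decl(name, is_parameter, value, base, sysid, pubid, notation):
    raise UnsafeXML(f"entity declaration {name!r} is not allowed")


def _reject_external_entity(context, base, sysid, pubid):
    # Returning a false value makes expat treat the reference as a fatal error
    # instead of fetching the external resource.
    return 0


def check_untrusted_xml(data: bytes) -> None:
    """Scan the document with expat and raise UnsafeXML on DOCTYPE or entities.

    Exceptions raised inside expat handlers propagate out of Parse(), so the scan
    stops at the first forbidden construct. Malformed XML raises ExpatError.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity_decl
    parser.ExternalEntityRefHandler = _reject_external_entity
    parser.Parse(data, True)


def is_safe_xml(data: bytes) -> bool:
    """True when the document has no DTD and can be handed to a normal parser."""
    try:
        check_untrusted_xml(data)
    except UnsafeXML:
        return False
    return True


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse user-supplied XML only after the pre-scan has accepted it."""
    check_untrusted_xml(data)
    return ET.fromstring(data)


if __name__ == "__main__":
    # Constructed inputs: a plain document and a tiny DTD-carrying one.
    plain = b"<order><id>42</id></order>"
    with_dtd = b'<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><d>&b;</d>'
    print(parse_untrusted_xml(plain).find("id").text)
    print("with_dtd accepted:", is_safe_xml(with_dtd))
```

Rejecting the whole DOCTYPE is stricter than only disabling entity expansion, but for an API that never expects a DTD from its clients it is the setting with nothing left to get wrong.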
File upload
- verify if documentation is up to date (white box testing)
- upload very big file
- upload file with unexpected extension
- upload file with unexpected content type
- upload malicious file
- manual code analysis (white box testing)
- static code analysis (white box testing)
- be a hacker, imagine how to use File upload as a malicious user
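The upload items above (very big file, unexpected extension, unexpected content type, malicious file) map onto one server-side gate that checks size, an extension allowlist, the declared Content-Type and the file's own magic bytes, and stores the file under a name the client did not choose. This is an added example for this page, not code from the original; the size limit, the allowlist and the sample files are constructed.

```python
import os
import re
from typing import Dict, Tuple

# Constructed policy values for this example (not from the page).
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
# Allowlist: lower-case extension -> (required Content-Type, magic-byte prefix).
ALLOWED: Dict[str, Tuple[str, bytes]] = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".pdf": ("application/pdf", b"%PDF-"),
}
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_-]")


class UploadRejected(ValueError):
    """Carries the reason an upload was refused (log it; do not echo the file back)."""


def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Check size, extension, declared type and magic bytes; return a safe name to store under."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected(f"too large: {len(data)} bytes > {MAX_UPLOAD_BYTES}")
    # Only the last path component is used; "../" prefixes and absolute paths are dropped.
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    expected_type, magic = ALLOWED[ext]
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != expected_type:
        raise UploadRejected(f"content type {declared!r} does not match {ext}")
    # The client controls both the name and the header; only the bytes tell the truth.
    if not data.startswith(magic):
        raise UploadRejected(f"content is not a {ext} file")
    # Collapse everything else in the name, so "shell.php.png" becomes "shell_php.png".
    safe_stem = UNSAFE_CHARS.sub("_", stem)[:64] or "upload"
    return safe_stem + ext


def upload_problem(filename: str, content_type: str, data: bytes) -> str:
    """The rejection reason, or "" when the upload is accepted."""
    try:
        validate_upload(filename, content_type, data)
        return ""
    except UploadRejected as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample: a minimal PNG header followed by padding.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_upload("../../etc/cron.png", "image/png", png))
    print(upload_problem("avatar.png", "image/png", b"<?php echo 1; ?>"))
```

Checking the magic bytes after the extension and header is the step that catches the "malicious file" case in the checklist: a file named and labelled as an image but containing something else fails here even though the first two checks passed.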