A list of useful websites, blog posts, reports tools to help you.

Learning to test APIs

Firstly, what is an API? Short for "application programming interface", an API will allow the web application to easily interact with it to perform a defined function. For example, imagine you have the following API endpoints:

  • /api/getuser - When queried with an authenticated session, this API endpoint will typically retrieve your profile information and respond with a JSON format, which the web application will then handle. The alternative to this is without an API, your user information may just be reflected in the HTML source, without any additional queries.

  • /api/getshippingaddress - Imagine you are on a shop and you've clicked Checkout, the web application uses an API to retrieve (and modify) information, so when queried with an authenticated session, this API endpoint will respond with your current selected shipping address

An API makes it "easy" for developers to scale web applications with new features as they can directly talk to the API for the information needed, rather than needing to query it from a database and handling the output on each page.

Finding API endpoints

A lot of websites will offer documentation around their API to help third party developers when building third party applications. For example, Twitters API documentation can be found here, However, this may not always be the case if the API is not intended to be used for public reasons. So where else can we find API endpoints?

Javascript files! As the web application needs to talk to the API, the endpoints for this must be made accessible to the web application, which also means it'll be accessible for us to find! This is why you will see API endpoints in javascript (.js) files as API requests are usually AJAX requests, which are made in Javascript. Simply scan discovered .js files and endpoints for common keywords such as "/api/", or other keywords relating to the application, such as editing your account information.

You can browse our guide on reading .JS files here.

Fuzzing/Scanning - Start dorking for common API keywords to see if anything interesting has been indexed: site: inurl:api. When using the web application if no /API/ queries are made, you could scan for common API directories such as /api/, Once you can determine an API exists, then it's a case of mapping out what API queries may be available. (If no information available in .js files or used on web application)

So what can you test an API for?

Developers can make a variety of mistakes when developing APIs and issues affecting them are a lot more common than you think. Below we will explore some techniques of how you can take advantage of APIs to discover security vulnerabilities.