Made using the OWASP Testing Guide (page 211) and the API Security Top 10 2023. You can refer to them (see resources below) for detailed explanations on how to test.
Adapt it to your methodology and the context of your test.
Download this file locally from here; this way you can check off everything you have done.
If you need some practice on specific vulnerabilities to reproduce them in your context, I recommend PortSwigger's Web Security Academy here.
For more explanations on specific topics, if OWASP is not enough, you can also use PortSwigger here.
Information Gathering
Conduct Search Engine Discovery and Reconnaissance for Information Leakage
Review Webserver Metafiles for Information Leakage
Enumerate Applications on Webserver
Review Webpage Comments and Metadata for Information Leakage
Identify application entry points
Map execution paths through application
Fingerprint Web Application Framework
Fingerprint Web Application
Map Application Architecture
Configuration and Deploy Management Testing
Test Network/Infrastructure Configuration
Test Application Platform Configuration
Test File Extensions Handling for Sensitive Information
Backup and Unreferenced Files for Sensitive Information
Enumerate Infrastructure and Application Admin Interfaces
Test HTTP Strict Transport Security
Test RIA cross domain policy
Identity Management Testing
Test User Registration Process
Test Account Provisioning Process
Testing for Account Enumeration and Guessable User Account
Testing for Weak or unenforced username policy
Test Permissions of Guest/Training Accounts
Test Account Suspension/Resumption Process
Authentication Testing
Testing for Credentials Transported over an Encrypted Channel
Testing for default credentials
Testing for Weak lock out mechanism
Testing for bypassing authentication schema
Test remember password functionality
Testing for Browser cache weakness
Testing for Weak password policy
Testing for Weak security question/answer
Testing for weak password change or reset functionalities
Testing for Weaker authentication in alternative channel
Authorization Testing
Testing Directory traversal/file include
Testing for bypassing authorization schema
Testing for Privilege Escalation
Testing for Insecure Direct Object References
Session Management Testing
Testing for Bypassing Session Management Schema
Testing for Cookies attributes
Testing for Session Fixation
Testing for Exposed Session Variables
Testing for Cross Site Request Forgery
Testing for logout functionality
Testing for Session puzzling
Input Validation Testing
Testing for Reflected Cross Site Scripting
Testing for Stored Cross Site Scripting
Testing for HTTP Verb Tampering
Testing for HTTP Parameter pollution
Testing for SQL Injection
Testing for NoSQL injection
Testing for LDAP Injection
Testing for ORM Injection
Testing for XML Injection
Testing for SSI Injection
Testing for XPath Injection
Testing for Code Injection
Testing for Local File Inclusion
Testing for Remote File Inclusion
Testing for Command Injection
Testing for Buffer overflow
Testing for Heap overflow
Testing for Stack overflow
Testing for Format string
Testing for incubated vulnerabilities
Testing for HTTP Splitting/Smuggling
Error Handling
Cryptography
Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
Testing for Padding Oracle
Testing for Sensitive information sent via unencrypted channels
Business Logic Testing
Test Business Logic Data Validation
Test Ability to Forge Requests
Test Number of Times a Function Can be Used Limits
Testing for the Circumvention of Work Flows
Test Defenses Against Application Mis-use
Test Upload of Unexpected File Types
Test Upload of Malicious Files
Client Side Testing
Testing for DOM based Cross Site Scripting
Testing for JavaScript Execution
Testing for HTML Injection
Testing for Client Side URL Redirect
Testing for CSS Injection
Testing for Client Side Resource Manipulation
Test Cross Origin Resource Sharing
Testing for Cross Site Flashing
Specific API vulnerabilities to look for
API1:2023 Broken Object Level Authorization
API2:2023 Broken Authentication
API3:2023 Broken Object Property Level Authorization
API4:2023 Unrestricted Resource Consumption
API5:2023 Broken Function Level Authorization
API6:2023 Unrestricted Access to Sensitive Business Flows
API7:2023 Server Side Request Forgery
API8:2023 Security Misconfiguration
API9:2023 Improper Inventory Management
API10:2023 Unsafe Consumption of APIs
Resources