REST

Testing REST APIs

Documentation Requirements

  • Endpoints

  • Docs

  • Key/Credentials

  • Sample Calls

What to look for

  • Unauthenticated Endpoints

  • Hidden Endpoints

  • Error Messages on Malformed Input

  • Check the mobile app (it may use a legacy API or other endpoints)

  • Plain HTTP / no HSTS

  • Brute-force detection (think password reset tokens)

  • Find old APIs, e.g. /v3 in use but /v1 still exists too
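Two of the checks above (HSTS and old API versions still in use) can be scripted from the defender's side. The example below is added here and is not part of the original checklist; it grades a captured Strict-Transport-Security header against a one-year baseline and counts requests in a constructed access log that hit API versions older than the current one. The host names and log lines are constructed samples.

```python
import re

# Constructed sample response headers and access log lines (not from a real system).
SAMPLE_HEADERS = {
    "api.example.test": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "legacy.example.test": {"Strict-Transport-Security": "max-age=300"},
    "old.example.test": {},  # served over HTTPS but sends no HSTS at all
}

SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /v3/users/42 HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /v1/users/42 HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "POST /v3/auth/reset HTTP/1.1" 200 64
10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /v2/users?limit=10 HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /healthz HTTP/1.1" 200 2
"""

MIN_HSTS_MAX_AGE = 31536000  # one year: the usual hardening baseline for max-age

def check_hsts(headers: dict) -> list:
    """Return findings for the HSTS header of one response; empty list means it looks fine."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header"]
    findings = []
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        findings.append("HSTS present but max-age missing")
    elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {m.group(1)} is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS lacks includeSubDomains")
    return findings

# Matches the request line and captures the numeric API version prefix (/v1/, /v2/, ...).
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE)\s+/v(\d+)/')

def legacy_versions_in_use(log_text: str, current: int) -> dict:
    """Count requests per API version older than `current`; anything found is still reachable."""
    counts: dict = {}
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and int(m.group(1)) < current:
            counts[int(m.group(1))] = counts.get(int(m.group(1)), 0) + 1
    return counts

if __name__ == "__main__":
    for host, hdrs in SAMPLE_HEADERS.items():
        print(host, check_hsts(hdrs) or "ok")
    print("legacy versions in use:", legacy_versions_in_use(SAMPLE_ACCESS_LOG, current=3))
```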

Tools

  • Burp + SoapUI
