API Security 思维导图

最近API安全概念停火的，正好前一阵在Twitter上看到一个API安全的思维导图，感觉很全面，在这里稍微总结下。

API Security

https://dsopas.github.io/MindAPI/play/

一、框架识别

1.API框架种类

(1) REST APIs

RESTful 、OData

(2) GraphQL

这里有一个关于GraphQL的测试项目

https://github.com/nicholasaleks/graphql-threat-matrix

(3) SOAP

SOAP 很熟悉了，也就是WebService，开源的Service框架有Apache CXF、以及Apache AXIS1 2等

(4) XML-RPC

以更简单的 XML 格式传输数据,这里很容易联想到Apache OFbiz XML-RPC 反序列化漏洞

(5) JSON-RPC

以JSON格式化方式传输数据

(6) gRPC-Protobuf

可以从header头、Content-Type、以及Access-control-expose-headers 响应头

2.API框架简介相关文档

https://smartbear.com/blog/soap-vs-rest-whats-the-difference/

https://www.odata.org/documentation/

https://www.howtographql.com/basics/1-graphql-is-the-better-rest/

https://www.smashingmagazine.com/2016/09/understanding-rest-and-rpc-for-http-apis/

https://www.soapui.org/docs/rest-testing/working-with-rest-services/

https://cloud.google.com/blog/products/api-management/understanding-grpc-openapi-and-rest-and-when-to-use-them

https://openapi.tools/

二、一些框架自带URL特征

三、如何黑盒进行API信息收集

这里主要列出了一些API接口测试的工具和网站及技巧

工具：Burp、mitmproxy、Wireshark、APKLeaks、APKEnum、Api-Guesser、Keyhacks

Google搜索技巧：site:target.tld inurl:api 、intitle:"index of" "api.yaml" site:target.tld、

WADL WSDL：inurl:/application.wadl、user filetype:wadl、ext:wadl、user filetype:wsd、ext:wsdl、

OData：Inurl:/%24metadata

Github：https://github.com/search?q=target.tld+%252Bapi

https://github.com/search?q=target.tld+application.wadl&type=code

https://github.com/search?q=target.tld+\*.wsdl&type=code

其他：intitle:"index of" intext:"apikey.txt" site:target.tld、allintext:"API_SECRET*" ext:env | ext:yml site:target.tld

https://github.com/dxa4481/truffleHog

https://github.com/eth0izzle/shhgit

一些API聚合以及搜索网站：

https://apilist.fun/

https://apiharmony-open.mybluemix.net/public

https://www.programmableweb.com/

https://rapidapi.com/hub

http://apis.io/

https://app.swaggerhub.com/search

https://apis.guru/

https://www.postman.com/explore/apis

https://any-api.com/

https://smart-api.info/registry

https://www.apistack.io/

https://public-apis.xyz/

API字典及枚举工具：

四、API接口测试

1.一些工具

REST APIs：https://github.com/flipkart-incubator/Astra

https://github.com/bncrypted/apidor

https://github.com/SecurityInnovation/AuthMatrix

https://github.com/PortSwigger/autorize

https://github.com/portswigger/auth-analyzer

https://github.com/ant4g0nist/Susanoo

GraphQL：https://github.com/doyensec/inql

https://gitlab.com/dee-see/graphql-path-enum

https://graphql-dashboard.herokuapp.com/

gRPC：https://github.com/trailofbits/protofuzz

2.突破身份验证

(1).身份校验类型

JWT相关测试工具：https://github.com/ticarpi/jwt\_tool

https://github.com/lmammino/jwt-cracker

https://github.com/aress31/jwtcat

https://github.com/wallarm/jwt-heartbreaker

此外JWT Checklist：https://cloud.tencent.com/developer/article/1552824

Oauth

重定向测试：?redirect_uri、XSS、CSRF

Basic 认证

3.其他测试项