API Testing



Description

When an application uses APIs, it is worth observing how the responses change when the requests are edited. The responses may contain errors that reveal vulnerabilities, or disclose information that isn't supposed to be visible to the client.


Examples/Methods/Results

Burp suite

The requests of every page should be captured and examined. The example below shows the captured request for viewing the basket.


The id and the product ID can be changed to view different results. Here the response shows an error stating that the basketID needs to be unique (also try putting negative numbers where they shouldn't be accepted, such as the amount; this might produce a negative total price).


You may also change stored values the same way, for example by submitting a comment whose author field is set to the admin.


API edit

When sending a request, the API response sometimes exposes fields that can be manipulated. In the example a registration is completed, and the response contains isAdmin:false.


What happens if the registration request is resent from Repeater with isAdmin forced to true? The server saves the new user as an admin, because it trusts the client-supplied field.
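The registration behaviour above is a mass-assignment bug: the handler copies every field of the request body into the user model. The following is an added example (not code from the original page or from the application it tests) showing a minimal vulnerable handler next to a hardened one that allow-lists client-settable fields and logs unexpected ones, plus the server-side check that rejects the negative-amount trick; the field names email, password, isAdmin and quantity are assumptions.

```python
from dataclasses import dataclass

# Fields a client is allowed to set at registration. "isAdmin" is deliberately absent.
REGISTRATION_ALLOWED_FIELDS = {"email", "password"}

# Constructed stand-in for a real audit log; lets the hardened handler surface tampering.
TAMPER_LOG: list = []


@dataclass
class User:
    email: str
    password: str
    isAdmin: bool = False  # privilege flag; must only ever be set server-side


def register_user_vulnerable(payload: dict) -> User:
    """Vulnerable: every JSON field is copied into the model, so a body
    containing "isAdmin": true creates an administrator."""
    return User(**payload)


def register_user_hardened(payload: dict) -> User:
    """Hardened: only allow-listed fields are read; anything else is dropped
    and recorded, since an unexpected "isAdmin" key is a tampering signal."""
    dropped = set(payload) - REGISTRATION_ALLOWED_FIELDS
    if dropped:
        TAMPER_LOG.append({"event": "unexpected_fields", "fields": sorted(dropped)})
    missing = REGISTRATION_ALLOWED_FIELDS - set(payload)
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    # isAdmin is never taken from the request; the dataclass default (False) applies.
    return User(email=payload["email"], password=payload["password"])


def basket_quantity_ok(quantity) -> bool:
    """Server-side check for basket items: the amount must be a positive integer.
    bool is excluded explicitly because it is a subclass of int in Python."""
    return isinstance(quantity, int) and not isinstance(quantity, bool) and quantity >= 1
```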


Further Readings