API testing


APIs (Application Programming Interfaces) enable software systems and applications to communicate and share data.

All dynamic websites are composed of APIs, so classic web vulnerabilities like SQL injection could be classed as API testing. In this topic, we'll teach you how to test APIs that aren't fully used by the website front-end, with a focus on RESTful and JSON APIs.

API recon

To start API testing, you first need to find out as much information about the API as possible to discover its attack surface.


API documentation

APIs are usually documented so that developers know how to use and integrate with them.


Discovering API documentation

Look for endpoints that may refer to API documentation, for example:

  • /api

  • /swagger/index.html

  • /openapi.json

Lab: Exploiting an API endpoint using documentation

  1. In Burp's browser, log in to the application using the credentials wiener:peter and update your email address.

  2. In Proxy > HTTP history, right-click the PATCH /api/user/wiener request and select Send to Repeater.

  3. Go to the Repeater tab. Send the PATCH /api/user/wiener request. Notice that this retrieves credentials for the user wiener.

  4. Remove /wiener from the path of the request, so the endpoint is now /api/user, then send the request. Notice that this returns an error because there is no user identifier.

  5. Remove /user from the path of the request, so the endpoint is now /api, then send the request. Notice that this retrieves API documentation.

  6. Right-click the response and select Show response in browser. Copy the URL.

  7. Paste the URL into Burp's browser to access the documentation. Notice that the documentation is interactive.

  8. To delete Carlos and solve the lab, click on the DELETE row, enter carlos, then click Send request.
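As an added example (not part of the original page or the lab), here is the kind of check a defender can run against their own OpenAPI/Swagger document to catch the issue the lab walks through: a state-changing operation published in interactive documentation with no security requirement declared. The spec below is a constructed mock, not the lab's actual document; the `session` cookie scheme and paths are assumptions.

```python
import json

# Constructed sample OpenAPI 3 document (a mock, not the lab's real documentation):
# two session-protected operations and a DELETE that declares no security at all.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "security": [],
  "components": {"securitySchemes": {
    "session": {"type": "apiKey", "in": "cookie", "name": "session"}}},
  "paths": {
    "/api/user/{username}": {
      "parameters": [{"name": "username", "in": "path", "required": true}],
      "get":    {"summary": "Get user",    "security": [{"session": []}]},
      "patch":  {"summary": "Update user", "security": [{"session": []}]},
      "delete": {"summary": "Delete user"}
    },
    "/api": {"get": {"summary": "Interactive API documentation"}}
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
MUTATING = {"put", "post", "delete", "patch"}


def unauthenticated_operations(spec):
    """Return sorted (METHOD, path) pairs callable without credentials.
    An operation inherits the document-level `security` list unless it sets its own;
    an empty list at either level means no auth is required."""
    default_security = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # path-level "parameters", "summary", etc. are not operations
            if not op.get("security", default_security):
                findings.append((method.upper(), path))
    return sorted(findings)


def unauthenticated_mutating_operations(spec):
    """The subset that changes server state: these are the ones to fix first."""
    return [(m, p) for m, p in unauthenticated_operations(spec) if m.lower() in MUTATING]


if __name__ == "__main__":
    for method, path in unauthenticated_mutating_operations(SAMPLE_SPEC):
        print(f"no auth required: {method} {path}")
```

Run it against the JSON your documentation endpoint actually serves; any DELETE or PATCH it reports is reachable by anyone who can read the docs.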
