pentest-api-deep
Pentest API Deep
Purpose
Perform dedicated API-specific vulnerability testing beyond basic BOLA/GraphQL coverage. Addresses Broken Function Level Authorization (BFLA), mass assignment, rate limiting, excessive data exposure, and unsafe consumption per OWASP API Security Top 10 (2023).
Prerequisites
Authorization Requirements
- Written authorization with API testing scope explicitly included
- API documentation (OpenAPI/Swagger specs, GraphQL schema) if available
- Test accounts at multiple privilege levels (user, admin, service account)
- Rate limit awareness — confirm acceptable request volume with target owner
Environment Setup
- Postman or Insomnia for manual API exploration
- Burp Suite with API-specific extensions
- GraphQL Voyager for schema visualization
- grpcurl for gRPC service testing
Core Workflow
- API Discovery: Enumerate endpoints via OpenAPI/Swagger specs, GraphQL introspection, gRPC reflection, traffic analysis. Discover undocumented endpoints with Kiterunner.
- BFLA Testing: Access admin-only API functions as regular user. HTTP method switching (GET→DELETE). Test function-level authorization gaps distinct from object-level (BOLA).
- Mass Assignment: Send extra fields in POST/PUT (role, isAdmin, balance). Check response objects for leaked internal fields (WSTG-INPV-20).
- Rate Limiting & Resource Consumption: Test missing rate limits, GraphQL depth/complexity abuse, pagination abuse, regex DoS via API input.
- Excessive Data Exposure: Compare API responses across privilege levels. Identify fields returned but not displayed in UI. Test verbose error responses.
- Unsafe Consumption: SSRF through upstream API calls, injection through trusted-but-tainted API response data.
- API Versioning: Old API versions with weaker controls, version header manipulation, deprecated endpoint access.
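As an added example (not part of the original checklist), the mass assignment defect the workflow probes for is shown below as a permissive JSON update handler beside an allowlisted one, together with the response filtering and leak check that support the excessive data exposure step. The stored record, the probe payload, and the `WRITABLE_FIELDS`/`INTERNAL_FIELDS` policy are assumptions constructed for illustration; no web framework is involved.

```python
"""Mass assignment (OWASP API3): permissive vs allowlisted field binding.

Added example, not part of the original checklist. Record, payload and
policy sets are constructed to mirror the fields named in the workflow
(role, isAdmin, balance); they are assumptions, not a real service.
"""
from copy import deepcopy

# Constructed sample record: a stored user as the server sees it.
STORED_USER = {
    "id": 42, "email": "alice@example.test", "displayName": "Alice",
    "role": "user", "isAdmin": False, "balance": 10.0,
    "passwordHash": "$argon2id$...placeholder...",
}

# Assumed policy: fields a regular user may change via PUT /users/{id}.
WRITABLE_FIELDS = {"email", "displayName"}
# Assumed policy: fields that must never appear in an API response.
INTERNAL_FIELDS = {"passwordHash", "isAdmin"}


def update_user_permissive(record, payload):
    """Vulnerable: binds every client-supplied key onto the record."""
    updated = deepcopy(record)
    updated.update(payload)  # role / isAdmin / balance ride along unchecked
    return updated


def update_user_allowlisted(record, payload):
    """Hardened: bind only allowlisted keys; return the rejected ones.

    The rejected list is worth logging: repeated attempts to set role,
    isAdmin or balance are a clear signal of mass-assignment probing.
    """
    updated = deepcopy(record)
    rejected = sorted(k for k in payload if k not in WRITABLE_FIELDS)
    for key in payload.keys() & WRITABLE_FIELDS:
        updated[key] = payload[key]
    return updated, rejected


def to_response(record):
    """Serialise for the client, stripping internal-only fields."""
    return {k: v for k, v in record.items() if k not in INTERNAL_FIELDS}


def leaked_internal_fields(response):
    """Test-side check: which internal fields does a response object leak?"""
    return sorted(response.keys() & INTERNAL_FIELDS)
```

Running `update_user_permissive(STORED_USER, {"role": "admin", "isAdmin": True})` shows the privilege fields taken verbatim, while the allowlisted variant leaves them untouched and reports both keys as rejected.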
OWASP API Security Top 10 (2023) Coverage
| Category | Test Focus | Status |
|---|---|---|
| API1 Broken Object Level Authorization | IDOR via API params | ✅ |
| API2 Broken Authentication | Token/key weaknesses | ✅ |
| API3 Broken Object Property Level Authorization | Mass assignment, excessive data | ✅ |
| API4 Unrestricted Resource Consumption | Rate limits, complexity | ✅ |
| API5 Broken Function Level Authorization | BFLA, method switching | ✅ |
| API6 Unrestricted Access to Sensitive Business Flows | Automation abuse | ✅ |
| API7 Server Side Request Forgery | API-triggered SSRF | ✅ |
| API8 Security Misconfiguration | CORS, headers, versioning | ✅ |
| API9 Improper Inventory Management | Shadow APIs, deprecated versions | ✅ |
| API10 Unsafe Consumption of Third-Party APIs | Upstream injection | ✅ |
Tool Categories
| Category | Tools | Purpose |
|---|---|---|
| API Discovery | Kiterunner, Swagger UI, GraphQL Voyager | Endpoint enumeration |
| Parameter Discovery | Arjun, x8, ParamSpider | Hidden parameter detection |
| Fuzzing | ffuf, Burp Intruder, custom scripts | Mass assignment, BFLA |
| GraphQL | graphql-cop, InQL, BatchQL | GraphQL-specific attacks |
| gRPC | grpcurl, grpc-tools | gRPC reflection and testing |
| Rate Testing | custom aiohttp scripts, Turbo Intruder | Rate limit verification |
References
- references/tools.md - Tool function signatures and parameters
- references/workflows.md - Attack pattern definitions and test vectors