Security Checklist

This security checklist consists of security countermeasures when designing, testing, and releasing your API.

Last updated 4 years ago

Authentication

  • Avoid using the Basic Auth header and use standard authentication instead, for example JWT, OAuth, or similar alternative authentication mechanisms

  • Avoid creating your own 'Authentication', 'Encryption', 'Password Generation' or 'Storage' mechanisms; use strong and robust standards already in place

  • Implement Max Retry and jail (lockout) features on all login functionality

  • Ensure that all sensitive data is encrypted

JSON Web Tokens (JWT)

  • Use a random and complicated JWT secret to ensure the token signature cannot be brute-forced

  • Don't take the algorithm from the token header. Force the algorithm in the backend (HS256 or RS256)

  • Ensure that the TTL ('Time To Live') and RTTL (refresh token TTL) are as short as possible

  • Don't store sensitive data in the JWT payload. These payloads can be decoded without the secret using resources like JWT Debugger
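The four JWT items above, as an added example written for this page rather than code from the wiki's author: an HS256 issuer and verifier built only from the Python standard library. The verifier pins the algorithm instead of reading it from the header, rejects expired tokens, caps the lifetime at a policy value, and `peek_payload` shows that anyone can read the payload without the secret. The secret, the 15-minute cap and the claim names are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed secret for this example; a real service loads a long random
# value from a secret store and never hard-codes it.
SECRET = secrets.token_bytes(32)
ALLOWED_ALG = "HS256"        # pinned server-side, never taken from the token header
MAX_TTL_SECONDS = 15 * 60    # access tokens live at most 15 minutes (policy assumption)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, ttl: int = MAX_TTL_SECONDS, secret: bytes = SECRET) -> str:
    """Sign claims with HS256 and a short expiry; ttl is capped by policy."""
    now = int(time.time())
    payload = dict(claims, iat=now, exp=now + min(ttl, MAX_TTL_SECONDS))
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> dict:
    """Return the claims if the token is valid for this server, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The algorithm is compared against the pinned value, so 'none' and
    # algorithm-confusion headers are rejected before any signature check.
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token missing exp or expired")
    if exp - claims.get("iat", now) > MAX_TTL_SECONDS:
        raise ValueError("token lifetime exceeds policy")
    return claims


def peek_payload(token: str) -> dict:
    """Decode the payload with no secret at all: this is why it must not hold sensitive data."""
    return json.loads(b64url_decode(token.split(".")[1]))
```

The signature check runs before any claim is trusted, and the comparison uses `hmac.compare_digest` so a forged signature cannot be distinguished byte by byte through timing.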

Open Authorization (OAuth)

  • Always validate redirect_uri server-side to allow only whitelisted URLs

  • Ensure that the authorization flow exchanges a code and not tokens, and do not allow responses that return tokens directly, for example response_type=token

  • Use the state parameter with a random hash to prevent CSRF on the authentication process

  • Define the default scope, and validate scope parameters for each application
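The OAuth items above applied to the query string of an authorization request, as an added example (not code from the page or any OAuth library). The client registry, the client id `mobile-app`, its redirect URI and scope names are constructed for the example; the check order and the exact-match rule for `redirect_uri` are the point.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed client registry: exact redirect URIs and the scopes each client may request.
CLIENTS = {
    "mobile-app": {
        "redirect_uris": {"https://app.example/callback"},
        "allowed_scopes": {"profile", "orders:read"},
        "default_scope": "profile",
    },
}


class AuthorizeError(ValueError):
    """Raised when an /authorize request must be refused."""


def new_state() -> str:
    """Random state value to bind to the user's session before redirecting (CSRF protection)."""
    return secrets.token_urlsafe(32)


def validate_authorize_request(query: str, session_state: str) -> dict:
    """Apply the OAuth checklist items to the query string of an /authorize request."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None:
        raise AuthorizeError("unknown client_id")
    # Authorization code flow only: response_type=token (implicit flow) is refused
    if params.get("response_type") != "code":
        raise AuthorizeError("only response_type=code is supported")
    # redirect_uri must match a registered value exactly; no prefix or pattern matching
    redirect_uri = params.get("redirect_uri", "")
    if redirect_uri not in client["redirect_uris"]:
        raise AuthorizeError("redirect_uri is not whitelisted")
    # state must be present and equal the value bound to this user's session
    state = params.get("state", "")
    if not state or not hmac.compare_digest(state.encode(), session_state.encode()):
        raise AuthorizeError("missing or mismatched state")
    # scope falls back to the client's default; every requested scope must be allowed
    requested = set((params.get("scope") or client["default_scope"]).split())
    unknown = requested - client["allowed_scopes"]
    if unknown:
        raise AuthorizeError("scope not allowed: %s" % ", ".join(sorted(unknown)))
    return {
        "client_id": params["client_id"],
        "redirect_uri": redirect_uri,
        "scope": sorted(requested),
        "state": state,
    }
```

The `state` value returned by `new_state` is generated when the login page is rendered, stored in the user's session, and compared on the way back; a request arriving with a different or missing value is dropped rather than redirected.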

Access

  • Throttle requests by limiting them (rate limiting) to avoid DDoS and brute-force attacks

  • Use HTTPS on the server side to avoid MiTM attacks

  • Use the HSTS header with SSL/TLS to avoid SSL stripping attacks

  • For private APIs, only allow access from whitelisted IPs/hosts
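The throttling item above and the "Max Retry and jail" item from the Authentication section share one mechanism, so this added example (written for this page, not taken from the wiki) implements both: a sliding-window request limit per caller key and a login jail that locks a key out after a run of failed attempts. The limits in the constructor and the choice of what a key is (client IP, API key or username) are assumptions of the example.

```python
import time
from collections import defaultdict, deque
from typing import Optional


class Throttle:
    """Sliding-window request limit per key, plus a login 'jail' after repeated failures.

    Keys are whatever identifies the caller (client IP, API key, username);
    the default limits are illustrative assumptions, not values from the checklist.
    """

    def __init__(self, max_requests: int = 100, window_seconds: float = 60,
                 max_failed_logins: int = 5, jail_seconds: float = 900):
        self.max_requests = max_requests
        self.window = window_seconds
        self.max_failed = max_failed_logins
        self.jail_seconds = jail_seconds
        self._hits = defaultdict(deque)      # key -> timestamps of requests in the window
        self._failures = defaultdict(int)    # key -> consecutive failed logins
        self._jailed_until = {}              # key -> time the jail ends

    def allow_request(self, key: str, now: Optional[float] = None) -> bool:
        """True if the request may proceed; False means answer 429 Too Many Requests."""
        now = time.monotonic() if now is None else now
        recent = self._hits[key]
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # drop hits that fell out of the window
        if len(recent) >= self.max_requests:
            return False
        recent.append(now)
        return True

    def is_jailed(self, key: str, now: Optional[float] = None) -> bool:
        """True while the key is locked out of login after too many failures."""
        now = time.monotonic() if now is None else now
        until = self._jailed_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._jailed_until[key]      # jail term served: reset the counter
            self._failures[key] = 0
            return False
        return True

    def record_login(self, key: str, success: bool, now: Optional[float] = None) -> bool:
        """Record a login outcome; returns True if this attempt put the key in jail."""
        now = time.monotonic() if now is None else now
        if success:
            self._failures[key] = 0
            return False
        self._failures[key] += 1
        if self._failures[key] >= self.max_failed:
            self._jailed_until[key] = now + self.jail_seconds
            return True
        return False
```

A login handler calls `is_jailed` before it checks the password and `record_login` after, so a jailed key never reaches the credential check; the state here lives in process memory, and a multi-instance deployment would keep it in a shared store instead.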

Input

  • Use the proper HTTP method according to the operation, for example GET requests for 'reading' data, POST requests for 'creation' of data, PUT and PATCH requests to 'update or replace' data, and DELETE to 'remove' data

  • Respond with 405 Method Not Allowed if the requested method isn't appropriate for the requested resource

  • Validate the content type the client accepts (the request Accept header) for content negotiation, allow only the supported formats, for example application/xml or application/json, and respond with 406 Not Acceptable if none match

  • Validate the content-type of posted data as you accept it, for example application/x-www-form-urlencoded, multipart/form-data, application/json, etc.

  • Validate user input to avoid common vulnerabilities listed in the OWASP Top Ten such as SQL Injection, Cross-Site Scripting (XSS) and Remote Code Execution, amongst others

  • Don't put any sensitive data such as credentials, security tokens or API keys in URLs; send them only in the Authorization header

  • Use an API Gateway service to enable caching, Rate Limit policies (e.g. Quota, Spike Arrest, or Concurrent Rate Limit) and deploy API resources dynamically.

Processing

  • Check that all endpoints are protected behind authentication to avoid a broken authentication process

  • Avoid exposing resource identifiers in URLs. It is recommended to use /web/purchase instead of /web/0098/purchase

  • Don't use auto-incrementing identifiers; use UUIDs instead

  • If you are parsing XML files, make sure (external) entity parsing is not enabled to avoid XXE attacks

  • If you are parsing XML files, make sure entity expansion is not enabled to avoid an XML bomb via exponential entity expansion

  • Use a CDN for file uploads

  • If you are dealing with a large amount of data, use workers and queues to process as much as possible in the background and return a response quickly to avoid HTTP blocking

  • Ensure that DEBUG mode is set to OFF
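The two XML items above, as an added example for this page (not the wiki's code and not a full XML library): a parser built on the standard-library `xml.parsers.expat` module that refuses any DOCTYPE, entity declaration or external entity reference before expat can expand anything. The handler names are real expat callbacks; the returned structure and the sample documents in the usage are constructed for the example.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document tries to declare or reference entities."""


def parse_xml_safely(data: str) -> dict:
    """Parse XML with expat while refusing DOCTYPE, entity declarations and external entities.

    Returns the element names in document order and the concatenated text content.
    Constructed helper: it shows the checks, not a full XML API.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # No DTD at all: a DTD is where XXE and entity-expansion bombs are declared
        raise UnsafeXMLError("DOCTYPE declarations are not accepted")

    def reject_entity_decl(*args):
        # Defence in depth: fires if an entity declaration is ever reached
        raise UnsafeXMLError("entity declarations are not accepted")

    def reject_external_entity(context, base, system_id, public_id):
        raise UnsafeXMLError("external entity references are not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_entity

    elements, text = [], []
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)    # an exception raised in a handler propagates out of Parse()
    return {"elements": elements, "text": "".join(text)}
```

Refusing the DOCTYPE outright is the simplest policy for an API that never expects a DTD from clients: both the external-entity and the exponential-expansion cases need one, so rejecting it removes both without tuning expansion limits.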

Output

  • Ensure that the X-Content-Type-Options: nosniff header is set

  • Ensure that the X-Frame-Options: deny header is set

  • Send the Content-Security-Policy: default-src 'none' header

  • Ensure that fingerprinting headers such as X-Powered-By, Server, X-AspNet-Version, etc. are removed before an application or service goes into production

  • Force the content-type of your response. If you return application/json, then your response content-type is application/json

  • Don't return sensitive data like 'Credentials' or 'Security Tokens'

  • Return the proper status code according to the operation completed, for example 200 OK, 400 Bad Request, 401 Unauthorized, 405 Method Not Allowed, etc.
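The Input and Output sections describe one request/response pipeline, so this added example (written for this page; not the wiki's code and not tied to any framework) implements both in a single dispatcher: method checking with 405 and an Allow header, Accept negotiation with 406, body content-type validation, a forced JSON content-type, the three output headers plus HSTS, and removal of fingerprinting headers. The route table, the `/web/purchase` path, the sample upstream headers and the 415/201 status choices are assumptions of the example.

```python
import json
from typing import Optional

# Constructed route table: path -> {method: handler(parsed_body) -> (status, payload)}
ROUTES = {
    "/web/purchase": {
        "GET": lambda body: (200, {"purchases": []}),
        "POST": lambda body: (201, {"created": body}),
    },
}
ACCEPTED_BODY_TYPES = ("application/json",)                    # what we take on POST/PUT/PATCH
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def accepts_json(accept_header: str) -> bool:
    """Minimal content negotiation: the client must accept application/json."""
    for part in accept_header.split(","):
        media = part.split(";")[0].strip().lower()
        if media in ("*/*", "application/*", "application/json"):
            return True
    return False


def harden_headers(headers: dict) -> dict:
    """Strip fingerprinting headers and add the checklist's output headers."""
    out = {k: v for k, v in headers.items() if k.lower() not in FINGERPRINT_HEADERS}
    out["Content-Type"] = "application/json"            # forced, not inferred from the body
    out["X-Content-Type-Options"] = "nosniff"
    out["X-Frame-Options"] = "deny"
    out["Content-Security-Policy"] = "default-src 'none'"
    out["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
    return out


def respond(status: int, payload: dict, upstream_headers: Optional[dict] = None):
    # Sample headers a framework might add (constructed); harden_headers removes them
    headers = harden_headers(upstream_headers or {"Server": "Example/1.0", "X-Powered-By": "Example"})
    return status, headers, json.dumps(payload).encode()


def handle(method: str, path: str, headers: dict, body: bytes = b"", authenticated: bool = False):
    """Apply the Input checks in order and return (status, headers, body)."""
    headers = {k.lower(): v for k, v in headers.items()}
    route = ROUTES.get(path)
    if route is None:
        return respond(404, {"error": "not found"})
    if not authenticated:                      # every endpoint sits behind authentication
        return respond(401, {"error": "authentication required"})
    if method not in route:                    # wrong verb for this resource
        status, out, data = respond(405, {"error": "method not allowed"})
        out["Allow"] = ", ".join(sorted(route))
        return status, out, data
    if not accepts_json(headers.get("accept", "*/*")):
        return respond(406, {"error": "only application/json is produced"})
    parsed = None
    if method in ("POST", "PUT", "PATCH"):
        content_type = headers.get("content-type", "").split(";")[0].strip().lower()
        if content_type not in ACCEPTED_BODY_TYPES:
            # 415 Unsupported Media Type is this example's choice; the checklist names the check only
            return respond(415, {"error": "unsupported content-type"})
        try:
            parsed = json.loads(body)
        except ValueError:
            return respond(400, {"error": "malformed JSON body"})
    status, payload = route[method](parsed)
    return respond(status, payload)
```

The authentication check runs before the method check so an unauthenticated caller learns nothing about which verbs a resource supports, and every response, error or not, passes through `harden_headers`, which is where the fingerprinting headers would otherwise leak.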

Continuous Integration (CI) and Continuous Delivery (CD)

  • Audit your design and implementation with unit/integration test coverage

  • Use a code review process and disregard self-approval

  • Ensure that all components of your services are statically scanned by AV software before pushing to production, including vendor libraries and other dependencies

  • Design a rollback solution for deployments
