API Testing
Change the version in endpoints: /api/v3/login -> /api/v1/login
Try other HTTP verbs
Try parameters in headers and bodies
Replace UUIDs with integers
Try multiple parameters of the same name: /api/profile?user_id=guest&user_id=admin
Try Wild Cards
- /api/users/*
- /api/users/%
- /api/users/_
- /api/users/.
- /api/users/.*
Test URLs for command injection | nslookup burp.test
Test staging and QA environments for differences
Check Content Types
Switch between content types
- x-www-form-urlencoded: user=test
- application/json: {"user": "test"}
- application/xml: <user>test</user>
Add Arrays to POST data:
- username[]=John
- username[$neq]=test
JSON Testing
Test JSON data types
{"username": "John"}
{"username": true}
{"username": null}
{"username": 1}
{"username": [true]}
{"username": ["John", true]}
{"username": ["$neq", "test"]}
Test parameter pollution
- {"user_id": "guest", "user_id": "admin"}
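The data-type and duplicate-key cases above only matter because most JSON parsers quietly accept them: `json.loads` keeps the last of two identical keys, and a `true` or an array lands in a field that the handler assumed was a string. The following added example (not from the original page) contrasts that default behaviour with a parser that rejects duplicate keys and enforces an exact type per field; the sample bodies and `SCHEMA` are constructed for the demonstration.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample bodies mirroring the JSON test cases listed above.
POLLUTED = '{"user_id": "guest", "user_id": "admin"}'
TYPE_CONFUSED = '{"username": ["$neq", "test"]}'
CLEAN = '{"user_id": "guest", "username": "John"}'

# Expected shape of the request body (assumed for this example): field -> exact type.
SCHEMA = {"user_id": str, "username": str}


def naive_parse(body: str) -> Dict[str, Any]:
    """Default json.loads behaviour: a duplicate key silently keeps the LAST value."""
    return json.loads(body)


def _reject_duplicates(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
    """object_pairs_hook that fails closed instead of letting the last key win."""
    obj: Dict[str, Any] = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key: {key}")
        obj[key] = value
    return obj


def strict_parse(body: str) -> Dict[str, Any]:
    """Parse with duplicate-key rejection, then enforce an exact type per field.

    type(value) is T is used instead of isinstance so that bool (a subclass of
    int) and arrays can never pass as the expected scalar type.
    """
    obj = json.loads(body, object_pairs_hook=_reject_duplicates)
    unknown = set(obj) - set(SCHEMA)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    for field, expected in SCHEMA.items():
        if field in obj and type(obj[field]) is not expected:
            got = type(obj[field]).__name__
            raise TypeError(f"{field}: expected {expected.__name__}, got {got}")
    return obj


def outcome(parser, body: str) -> str:
    """Return 'accepted' or the rejection reason, for a side-by-side comparison."""
    try:
        parser(body)
        return "accepted"
    except (ValueError, TypeError) as exc:  # JSONDecodeError is a ValueError
        return f"rejected: {exc}"
```

Running `outcome(naive_parse, POLLUTED)` versus `outcome(strict_parse, POLLUTED)` shows the difference directly: the default parser accepts the polluted body with `user_id` set to `admin`, the strict one refuses it.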
XML Testing
Check for XXE