OWASP - API Checklist.md

| Broken Object Level Authorization | Test Name | Description | Tools | Result | Remark |
|---|---|---|---|---|---|
| CWE-284 | Improper Access Control | The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. | | | |
| CWE-285 | Improper Authorization | The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. | | | |
| CWE-639 | Authorization Bypass Through User-Controlled Key | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. | | | |

| Broken User Authentication | Test Name | Description | Tools | Result | Remark |
|---|---|---|---|---|---|
| CWE-798 | Use of Hard-coded Credentials | The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | | | |
| API2-2019-001 | Rate limiting implementation | Implement anti-brute-force mechanisms to mitigate credential stuffing, dictionary attacks and brute force attacks on your authentication endpoints. This mechanism should be stricter than the regular rate limiting mechanism on your API. | | | |

| Excessive Data Exposure | Test Name | Description | Tools | Result | Remark |
|---|---|---|---|---|---|
| CWE-213 | Intentional Information Exposure | A product's design or configuration explicitly requires the publication of information that could be regarded as sensitive by an administrator. | | | |
| API3-2019-001 | Data Validation | Never rely on the client side to filter sensitive data. Review the responses from the API to make sure they contain only legitimate data. | | | |

| Lack of Resources & Rate Limiting | Test Name | Description | Tools | Result | Remark |
|---|---|---|---|---|---|
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | The software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks. | | | |
| CWE-770 | Allocation of Resources Without Limits or Throttling | The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. | | | |

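Rate limiting as API2-2019-001, CWE-307 and CWE-770 describe it, as an added example that is not part of the checklist: a generous per-client limit for the whole API beside a much stricter per-account limit that only failed logins consume. The limit values, the in-memory credential table and the injected clock are this example's assumptions.

```python
# Added example (not from the checklist): two-tier limiting for a login endpoint.
# A generous per-client limit covers the whole API (CWE-770); the authentication
# endpoint adds a stricter per-account limit on *failed* attempts (CWE-307,
# API2-2019-001). Time is passed in explicitly so the logic runs and tests offline.
import hmac
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allows at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)

    def _recent(self, key: str, now: float) -> deque:
        events = self._events[key]
        while events and now - events[0] >= self.window:
            events.popleft()            # forget events that have left the window
        return events

    def blocked(self, key: str, now: float) -> bool:
        return len(self._recent(key, now)) >= self.limit

    def record(self, key: str, now: float) -> None:
        self._recent(key, now).append(now)


class AuthService:
    def __init__(self):
        self.api_limit = SlidingWindowLimiter(limit=100, window=60)          # per client
        self.auth_fail_limit = SlidingWindowLimiter(limit=5, window=15 * 60)  # per account
        # Constructed credential table; a real service stores password hashes.
        self.valid = {"alice": "correct horse battery staple"}

    def login(self, client: str, username: str, password: str, now: float) -> int:
        """Returns an HTTP-style status: 200 ok, 401 bad credentials, 429 throttled."""
        if self.api_limit.blocked(client, now):
            return 429
        self.api_limit.record(client, now)
        # Keyed by the targeted account, not the client, so distributed guessing against
        # one account is throttled too; refuse before the password is even checked.
        if self.auth_fail_limit.blocked(username, now):
            return 429
        expected = self.valid.get(username, "")
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            return 200
        self.auth_fail_limit.record(username, now)  # only failures spend the budget
        return 401
```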
| Broken Function Level Authorization | Test Name | Description | Tools | Result | Remark |
|---|---|---|---|---|---|
| CWE-285 | Improper Authorization | The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. | | | |

| Mass Assignment | Test Name | Description | Tools | Result | Remark |
|---|---|---|---|---|---|
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. | | | |

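An added example, not from the checklist, covering both CWE-639 (Broken Object Level Authorization, above) and CWE-915 here: a profile-update handler written once with neither check and once with object-level authorization plus a field allow-list. The `User` record, the in-memory store and the `(status, body)` return shape are this example's assumptions.

```python
# Added example (not from the checklist): a JSON "update my profile" handler
# written two ways, returning (http_status, body) like a framework handler.
# The vulnerable version shows CWE-639 (record selected purely by the caller's
# key) and CWE-915 (every field in the body copied onto the object); the
# hardened version enforces object-level authorization and a field allow-list.
from dataclasses import dataclass, asdict


@dataclass
class User:
    id: int
    display_name: str
    email: str
    role: str = "user"      # server-managed: must never be client-writable
    credits: int = 0        # server-managed: same


def make_store() -> dict:
    """Constructed in-memory table standing in for the API's user database."""
    return {
        1: User(id=1, display_name="alice", email="alice@example.test"),
        2: User(id=2, display_name="bob", email="bob@example.test"),
    }


def update_user_vulnerable(store, current_user_id, user_id, body):
    user = store[user_id]               # CWE-639: never checks that the caller owns user_id
    for key, value in body.items():     # CWE-915: role, credits, anything can be set
        setattr(user, key, value)
    return 200, asdict(user)


# Allow-list of attributes a user may change on their own record.
WRITABLE_FIELDS = frozenset({"display_name", "email"})


def update_user_hardened(store, current_user_id, user_id, body):
    user = store.get(user_id)
    # Object-level authorization: the record must belong to the authenticated
    # caller. Same answer for missing and foreign records, so keys can't be probed.
    if user is None or user.id != current_user_id:
        return 404, {"error": "not found"}
    # Mass-assignment control: reject unknown attributes instead of silently
    # dropping them, so misuse is visible to the client and in the logs.
    unknown = sorted(set(body) - WRITABLE_FIELDS)
    if unknown:
        return 400, {"error": "attributes not writable", "attributes": unknown}
    for key in WRITABLE_FIELDS & set(body):
        setattr(user, key, body[key])
    return 200, asdict(user)
```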
| Security Misconfiguration | Test Name | Description | Tools | Result | Remark |
|---|---|---|---|---|---|
| API7-2019-001 | Ensure Debug Messages are not Enabled | Ensure debug messages are not enabled, as these messages help attackers learn about the system and plan an attack. | | | |
| API7-2019-002 | Ensure Error pages do not give away system details | The application must use custom error pages to prevent attackers from mining information from the framework's built-in responses. | | | |
| API7-2019-003 | Sensitive information in API URL | Ensure passwords or other sensitive parameters are not passed in URLs. | | | |
| API7-2019-004 | Misconfiguration: Data Transmission Without Encryption | Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted. | | | |
| API7-2019-004 | Misconfiguration: Insufficient Session-ID Length | Ensure the application is configured to use a sufficient session ID length. | | | |
| OTG-CONFIG-001 | Test Network/Infrastructure Configuration | Understand the interactions between infrastructure elements and the configuration management of software, backend DB server, WebDAV and FTP in order to identify known vulnerabilities. | Nessus | | |
| OTG-CONFIG-002 | Test Application Platform Configuration | Identify default installation files/directories, handling of server errors (40*, 50*), minimal privilege, software logging. | Browser, Nikto | | |
| OTG-CONFIG-003 | Test File Extensions Handling for Sensitive Information | Find important files and information (.asa, .inc, .sql, .zip, .tar, .pdf, .txt, etc.). | Browser, Nikto | | |
| OTG-CONFIG-004 | Backup and Unreferenced Files for Sensitive Information | Check JS source code, comments, cache files, backup files (.old, .bak, .inc, .src) and guessing of filenames. | Nessus, Nikto, Wikto | | |
| OTG-CONFIG-005 | Enumerate Infrastructure and Application Admin Interfaces | Directory and file enumeration, comments and links in source (/admin, /administrator, /backoffice, /backend, etc.), alternative server ports (Tomcat/8080). | Burp Proxy, dirb, Dirbuster, fuzzdb, Tilde Scanner | | |
| OTG-CONFIG-006 | Test HTTP Methods | Identify the HTTP methods allowed on the web server with OPTIONS. Arbitrary HTTP methods, HEAD access control bypass and XST. | netcat, curl | | |
| OTG-CONFIG-007 | Test HTTP Strict Transport Security | Identify the HSTS header on the web server through the HTTP response headers: `curl -s -D- https://domain.com/ \| grep Strict` | Burp Proxy, ZAP, curl | | |
| OTG-CONFIG-008 | Test RIA cross domain policy | Analyse the permissions allowed by the policy files (crossdomain.xml/clientaccesspolicy.xml) and allow-access-from. | Burp Proxy, ZAP, Nikto | | |

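The OTG-CONFIG-007 check applied to a captured response, as an added example that is not part of the checklist: rather than grepping for the header name it parses the value and judges max-age and includeSubDomains, since a malformed max-age makes browsers ignore the header entirely. The sample responses are constructed, and the one-year minimum is this example's policy choice; the directive grammar follows RFC 6797.

```python
# Added example (not from the checklist): evaluate Strict-Transport-Security on a
# raw HTTP response. Sample responses are constructed; ONE_YEAR is this example's
# minimum, not a value from the checklist. Directive syntax per RFC 6797.
ONE_YEAR = 365 * 24 * 3600

# Constructed sample responses (not captured from any real host).
GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Type: text/html\r\n\r\n<html>"
)
WEAK = "HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=300\r\n\r\n"
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def parse_headers(raw: str) -> list:
    """Split the head of a raw HTTP/1.x response into lower-cased (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=31536000; includeSubDomains; preload' into a directive dict."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(raw_response: str, min_max_age: int = ONE_YEAR) -> dict:
    """Return a finding: ok flag, the reasons it failed, and the parsed directives."""
    hsts = [v for n, v in parse_headers(raw_response) if n == "strict-transport-security"]
    if not hsts:
        return {"ok": False, "reasons": ["header missing"], "directives": {}}
    reasons = ["multiple HSTS headers"] if len(hsts) > 1 else []   # RFC 6797: first wins
    d = parse_hsts(hsts[0])
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        reasons.append("max-age missing or malformed")   # browsers ignore such a header
    elif int(max_age) < min_max_age:
        reasons.append(f"max-age {max_age} below {min_max_age}")
    if "includesubdomains" not in d:
        reasons.append("includeSubDomains not set")
    return {"ok": not reasons, "reasons": reasons, "directives": d}
```

Browsers only honour the header when it arrives over TLS, so feed this the response to an https request, as the checklist's curl line does.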
| Injection | Test Name | Description | Tools | Result | Remark |
|---|---|---|---|---|---|
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. | | | |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. | | | |

| Improper Assets Management | Test Name | Description | Tools | Result | Remark |
|---|---|---|---|---|---|
| CWE-1059 | Incomplete Documentation | The documentation, whether on paper or in electronic form, does not contain descriptions of all the relevant elements of the product, such as its usage, structure, interfaces, design, implementation, configuration, operation, etc. | | | |

| Insufficient Logging & Monitoring | Test Name | Description | Tools | Result | Remark |
|---|---|---|---|---|---|
| CWE-223 | Omission of Security-relevant Information | The application does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe. | | | Once found, try to insert logically invalid data into the application/system. |
| CWE-778 | Insufficient Logging | When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it. | | | |