Useful tips for testing Web APIs:
https://github.com/smodnix/31-days-of-API-Security-Tips/blob/master/README.md
I think it can even be used as a checklist.
For example:
-API TIP: 4/31-
Testing a Ruby on Rails App & noticed an HTTP parameter containing a URL? Developers sometimes use "Kernel#open" function to access URLs == Game Over. Just send a pipe as the first character and then a shell command (Command Injection by design)
-API TIP: 25/31-
Found an "export to PDF" feature? There's a good chance the developers use an external library to convert HTML --> PDF behind the scenes. Try to inject HTML elements and cause "Export Injection".
Learn more about Export Injection: https://medium.com/@inonst/export-injection-2eebc4f17117
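Added example for tip 4/31 (my own code, not from the linked repo or its author): a Ruby guard for a URL-bearing request parameter that refuses the pipe form Kernel#open would execute, and passes a parsed URI object to URI.open instead of a raw string. Function names are assumptions.

```ruby
require "uri"

# Kernel#open treats a value whose first character is "|" as "spawn this
# command and open a pipe to it", so a raw request parameter must never reach
# it. Parse the value as a URI and accept only absolute http(s) URLs.
# URI::HTTPS inherits from URI::HTTP, so one is_a? check covers both schemes.
def validate_url_param(value)
  raise ArgumentError, "missing URL" if value.nil? || value.strip.empty?
  raise ArgumentError, "pipe prefix is not a URL" if value.lstrip.start_with?("|")
  uri = URI.parse(value)
  unless uri.is_a?(URI::HTTP) && uri.host
    raise ArgumentError, "only absolute http(s) URLs are accepted"
  end
  uri
rescue URI::InvalidURIError
  raise ArgumentError, "malformed URL"
end

# Boolean form, convenient as a controller-level guard.
def safe_url_param?(value)
  validate_url_param(value)
  true
rescue ArgumentError
  false
end

# Fetch through open-uri on the validated URI object, never through
# Kernel#open on the string: a URI object has no pipe interpretation.
def fetch_remote(value)
  require "open-uri"
  uri = validate_url_param(value)
  URI.open(uri, &:read) # network call; not exercised by the offline checks
end
```

Log a rejected value together with the requester identity: a parameter that arrives starting with "|" is a strong detection signal for this exact probe.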