# API Penetration Testing: What you should know

Published 2023-01-31 by Web Tech Mantra at https://www.webtechmantra.com/api-penetration-testing/

## It's All About APIs

Software delivery is built on APIs, and organizations keep adding more of them to their applications and services. Without proper testing and security practices, threat actors can take down a service or reach critical data through them.

Because APIs can be reached in many ways, their vulnerabilities may be exploited without the company ever realizing a breach has happened: abusive calls can hide inside normal traffic flows.

## Don't Let the Unreachable "Best" Defeat the Actual "Good"

Securing APIs requires a layered approach (traditionally called "defense in depth"). One layer of that defense is penetration testing.

Is it the best approach? No. It is neither cheap nor all-encompassing. But is it important?
Vitally so.

While there is no one control to rule them all, don't let the apparent complexity distract you from what can actually be done to secure your internet presence.

## What about the "Shift-Left" idea?

As a [Postman article](https://blog.postman.com/shift-left-with-spectral-rules/) puts it, "Shifting left is especially crucial to the API lifecycle because APIs are usually produced and consumed by different teams."

But to temper attempts to make "especially crucial" mean "the sole factor", [Salt Security](https://salt.security/blog/api-security-fundamentals) adds: "Standard pre-production testing can find some gaps in API security best practices, but they won't uncover vulnerabilities rooted in API business logic gaps."

## It's the Same, Just Different

The API penetration testing process is not quite the same as web application pentesting.
APIs present more attack vectors, and they are at increased risk of abuse because they are easy to discover, reachable from multiple endpoints, constantly changing (or never updated), and frequently left out of inventories.

There are several similarities, though.

### Common Ground

Some common elements:

- Methodology
  - Pentesters follow a guided process. If you are scoping out testers, ask what their methodology is.
- Permission, Planning, and Scoping
  - Always give and get explicit permission and the specifics before proceeding. Is it black-box, white-box, or gray-box testing? Which resources are to be tested? When, and for how long, may testing occur? Who is the contact person? What is the due date? Which actions are in and out of scope, e.g. "Can I DoS the app?" or "May I log in with credentials I find, or only report them?"
  - Double-check endpoints before testing. People mistype things, and an IP address that is one digit off may belong to a completely different organization. That spells trouble.
- Recon and Enumeration
  - Find out everything that can be found out about the target resources before actively testing. The more the tester knows, the better the results.
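The "one digit off" problem above is cheap to prevent mechanically: keep the agreed scope in a file and refuse to send a single request to anything outside it. The following is an added example written for this page, not code from the original post; the scope file format, the hostnames and the IP ranges in it are assumptions for the demonstration.

```python
"""Scope guard: refuse to touch any host that is not in the signed-off scope.

Added example (not from the original post). The scope file format, the
hostnames and the IP ranges below are assumptions made for the demonstration;
use the ranges from your own rules of engagement.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed scope, as it might be agreed in the scoping call.
SCOPE_TEXT = """
# in-scope API hosts and ranges (hypothetical)
api.example.test
*.staging.example.test
203.0.113.0/24
2001:db8:10::/48
"""


def parse_scope(text):
    """Split a scope file into (exact hostnames, wildcard suffixes, networks)."""
    hosts, suffixes, nets = set(), [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if line.startswith("*."):
            suffixes.append(line[1:])           # keep the leading dot
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            hosts.add(line)                     # not an address: treat as a hostname
    return hosts, suffixes, nets


def in_scope(target, scope):
    """True only if the target's host or IP is covered by the scope.

    target may be a bare host, an IP literal (IPv6 in brackets), or a full URL.
    """
    hosts, suffixes, nets = scope
    parsed = urlsplit(target if "://" in target else "//" + target)
    name = (parsed.hostname or "").lower()
    if not name:
        return False
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        # Hostname: exact match or wildcard suffix match; no DNS is consulted.
        return name in hosts or any(name.endswith(s) for s in suffixes)
    # IP literal: 203.0.114.x is a different network from 203.0.113.x.
    return any(addr in n for n in nets)


def filter_targets(targets, scope_text=SCOPE_TEXT):
    """Partition a target list into allowed and rejected before any traffic is sent."""
    scope = parse_scope(scope_text)
    allowed = [t for t in targets if in_scope(t, scope)]
    rejected = [t for t in targets if not in_scope(t, scope)]
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = filter_targets([
        "https://api.example.test/v1/users/42",
        "http://203.0.113.77:8080/health",
        "203.0.114.77",                          # one octet off: a different org
        "https://api.example.test.evil.invalid/",
        "billing.staging.example.test",
    ])
    print("allowed:", ok)
    print("REJECTED:", bad)
```

Run the filter over the whole target list before the first probe, and treat a non-empty rejected list as a reason to go back to the client rather than something to fix by hand mid-engagement.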
## Where is API pentesting different?

Some aspects make API pentesting distinct from web app testing.

After recon, read any available documentation. This is similar to web server testing, but API documentation is often more precise: it tells how the API is designed and gives specific guidance. Note that this is an inherent aspect of many APIs that makes them both beneficial to a company and valuable targets. Everyone knows how they work.

Check for WAFs. They add an extra layer of protection for APIs and can throw off a tester. But they can be circumvented, because WAFs look for problems in requests, and API attacks will not always involve malformed requests. They look legitimate, because the point of the testing is to work within the API's own context for a low-and-slow exploit rather than a brute-force one.

Discover (if not disclosed in the initial meetings): How are the APIs authenticated? What is the architecture? Is there rate limiting? Pentesting aimed at APIs goes further than this: it looks for business logic flaws and uses the OWASP API Security Top 10 as a catalogue of attack classes to try against each endpoint.
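When the documentation is an OpenAPI document, "read it" can mean "turn it into the test plan": list every operation, work out which credentials each one really requires, and mark the ones to look at first. The following is an added example written for this page, not code from the original post; the spec is a constructed, deliberately incomplete OpenAPI 3 document and the endpoint names are hypothetical.

```python
"""Turn an OpenAPI 3 document into a prioritised test plan.

Added example (not from the original post). SPEC_JSON is a constructed spec
with hypothetical endpoints. For each operation it resolves the effective
security requirement (an operation-level "security" key replaces the global
one; an explicit empty list means anonymous) and flags the two things a tester
wants first: anonymous operations, and operations whose path carries an object
identifier (candidates for broken object level authorization).
"""
import json
import re

SPEC_JSON = """
{
  "openapi": "3.0.3",
  "info": {"title": "Orders API (constructed)", "version": "1.0"},
  "security": [{"bearerAuth": []}],
  "components": {"securitySchemes": {
      "bearerAuth": {"type": "http", "scheme": "bearer"},
      "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
  "paths": {
    "/v1/orders/{orderId}": {
      "get": {"summary": "Fetch one order",
              "parameters": [{"name": "orderId", "in": "path", "required": true}]},
      "delete": {"summary": "Cancel order", "security": [{"apiKey": []}]}
    },
    "/v1/users/{userId}/export": {
      "post": {"summary": "Export user data", "security": []}
    },
    "/v1/auth/otp/verify": {
      "post": {"summary": "Verify SMS code", "security": []}
    },
    "/v1/health": {"get": {"summary": "Liveness", "security": []}}
  }
}
"""

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options", "trace")
PATH_PARAM = re.compile(r"\{([^}]+)\}")


def enumerate_operations(spec):
    """Yield one dict per (path, method) with the effective auth and risk flags."""
    global_sec = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        ids = PATH_PARAM.findall(path)
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            sec = op.get("security", global_sec)      # operation overrides global
            schemes = sorted({name for req in sec for name in req})
            yield {
                "method": method.upper(),
                "path": path,
                "summary": op.get("summary", ""),
                "auth": schemes,                      # [] means anonymous access
                "object_ids": ids,
                "anonymous": not sec,
                "bola_candidate": bool(ids) and method != "options",
                "bruteforce_candidate": "otp" in path.lower() or "login" in path.lower(),
            }


def build_plan(spec_text=SPEC_JSON):
    """Return the operations sorted so the riskiest land at the top."""
    ops = list(enumerate_operations(json.loads(spec_text)))
    ops.sort(key=lambda o: (not o["anonymous"], not o["bola_candidate"], o["path"]))
    return ops


if __name__ == "__main__":
    for o in build_plan():
        flags = [f for f in ("anonymous", "bola_candidate", "bruteforce_candidate") if o[f]]
        print(f"{o['method']:6} {o['path']:32} auth={o['auth'] or 'none'} {' '.join(flags)}")
```

The ordering is the point: an anonymous `POST /v1/users/{userId}/export` is where a tester starts, well before an authenticated `GET` that the spec says requires a bearer token. The plan also makes the spec's own gaps visible, such as the export operation that never declares its `userId` parameter.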
## Attackers and Defenders

For those who play a defensive role in their organizations, checklists are our friends. Use them to identify vulnerabilities and take the appropriate steps to patch them. Checklists are also great for tracking the progress of patches being applied and making sure that every resource runs the latest versions of its software.

But attackers are opportunistic and don't use checklists; they break in by taking things apart. In other words, ["Defenders think in lists. Attackers think in graphs."](https://github.com/JohnLaTwC/Shared/blob/master/Defenders%20think%20in%20lists.%20Attackers%20think%20in%20graphs.%20As%20long%20as%20this%20is%20true%2C%20attackers%20win.md) They want to get in and get out fast with as little risk as possible, not perform a thorough audit of everything on the network. Attackers look for nodes together with their connections and dependencies (think neo4j).

Pentesters, and the defenders trying to make life harder for criminals, need to approach APIs the same way: what are the connections? Please don't misunderstand: when performing corporate testing, checklists are necessary. There are so many aspects (e.g., regulatory compliance, adherence to security standards) that something will be missed without one. But the end goal is not compliance or ticking boxes; the goal is reasonably securing APIs against abuse, whether intentional or not.

Here is [an example](https://github.com/Cyber-Guy1/API-SecurityEmpire/blob/main/assets/API%20Pentesting%20Mindmap.pdf), an API pentesting mindmap, of an approach that combines stages, tools, specific items, and general guidance on numerous concepts to help one through a pentest.
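Thinking in graphs is also what lets a defender see the low-and-slow API abuse that a request-inspecting WAF (discussed above) cannot: every request in the constructed log below is well formed and individually legitimate, and the abuse only shows up as a property of the "which credential touched which objects" graph. This is an added example written for this page, not code from the original post; the log format, the endpoint names and the thresholds are assumptions.

```python
"""Spot low-and-slow object enumeration that a request-inspecting WAF will not flag.

Added example (not from the original post). The log lines are constructed and
the endpoint names and thresholds are hypothetical. Each request is well formed;
the abuse is visible only as a graph property: one credential touching far more
distinct objects than a real client would.
"""
import re
from collections import defaultdict

# Constructed access log: "<timestamp> <token-id> <method> <path> <status>"
LOG_LINES = """
2023-01-30T09:00:01Z tok_alice GET /v1/orders/1001 200
2023-01-30T09:00:09Z tok_alice GET /v1/orders/1001 200
2023-01-30T09:00:15Z tok_alice GET /v1/orders/1002 200
2023-01-30T09:01:00Z tok_bob GET /v1/orders/2001 200
2023-01-30T09:01:30Z tok_bob GET /v1/orders/2001 200
2023-01-30T09:02:00Z tok_mallory GET /v1/orders/1001 200
2023-01-30T09:02:40Z tok_mallory GET /v1/orders/1002 200
2023-01-30T09:03:20Z tok_mallory GET /v1/orders/1003 200
2023-01-30T09:04:00Z tok_mallory GET /v1/orders/1004 200
2023-01-30T09:04:40Z tok_mallory GET /v1/orders/1005 200
2023-01-30T09:05:20Z tok_mallory GET /v1/orders/1006 200
2023-01-30T09:06:00Z tok_mallory GET /v1/orders/1007 200
2023-01-30T09:06:40Z tok_mallory GET /v1/orders/1008 200
2023-01-30T09:07:20Z tok_mallory GET /v1/orders/2001 200
2023-01-30T09:08:00Z tok_mallory GET /v1/orders/2002 200
2023-01-30T09:08:40Z tok_mallory GET /v1/orders/2003 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$")
OBJECT_RE = re.compile(r"^(/v1/[a-z]+)/([A-Za-z0-9_-]+)$")


def parse(lines):
    """Yield (token, collection, object_id) for every successful single-object read."""
    for raw in lines.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        _ts, token, _method, path, status = m.groups()
        om = OBJECT_RE.match(path)
        if om and status == "200":
            yield token, om.group(1), om.group(2)


def object_graph(lines):
    """token -> collection -> set of object ids that token read successfully."""
    g = defaultdict(lambda: defaultdict(set))
    for token, collection, oid in parse(lines):
        g[token][collection].add(oid)
    return g


def find_enumerators(lines, max_distinct=5, min_spread=1000):
    """Flag tokens that read more than max_distinct objects of one collection, or
    whose numeric ids span at least min_spread (a real user's own ids cluster)."""
    alerts = []
    for token, cols in object_graph(lines).items():
        for collection, ids in cols.items():
            numeric = sorted(int(i) for i in ids if i.isdigit())
            spread = (numeric[-1] - numeric[0]) if len(numeric) > 1 else 0
            if len(ids) > max_distinct or spread >= min_spread:
                alerts.append((token, collection, len(ids), spread))
    return sorted(alerts)


if __name__ == "__main__":
    for token, collection, n, spread in find_enumerators(LOG_LINES):
        print(f"ALERT {token}: {n} distinct objects in {collection}, id spread {spread}")
```

Both thresholds are deliberately per-collection rather than per-request: a 40-second cadence defeats any rate limit tuned for bursts, but it cannot hide the fact that one token has fanned out over eleven orders belonging to two different customers.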
## What are some common API vulnerabilities?

OWASP maintains the well-known [API Security Top 10](https://owasp.org/www-project-api-security/). There are certainly more than ten, but starting with securing and testing against the first few will help testers and defenders alike. Because the OWASP page already has explanations, sample scenarios, and prevention techniques, I won't repeat them here, but I will give an overview of the top three (as numbered in the 2019 edition).

1. Broken Object Level Authorization
   1. Unauthorized access to other users' objects can lead to account takeover. An account should only be able to view the records it needs to see, and the server must check ownership on every object reference, not just at login.
2. Broken User Authentication
   1. If controls such as rate limiting and lockout after excessive attempts are not implemented, an attacker can simply walk through all 1,000,000 possible six-digit SMS codes until one is accepted.
3. Excessive Data Exposure
   1. When looking at an API response, is only the necessary information returned? Returning too much information sooner or later means returning sensitive information, because the server is relying on the client to filter it out.
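The three items above come down to three missing checks on the server, and each is easiest to recognise with the vulnerable handler next to its fixed form. The following is an added example written for this page, not code from the original post or from OWASP; the in-memory records, handler names and attempt limit are hypothetical.

```python
"""OWASP API Security Top 10 (2019) items 1 to 3, each shown as a vulnerable
handler next to its fixed form.

Added example, not code from the original post. The in-memory records, the
handler names and the attempt limit are hypothetical; the checks are the point.
"""
import hmac

# Constructed data: two customers, each owning one order.
USERS = {
    "alice": {"id": 1, "email": "alice@example.test", "password_hash": "<hash>", "is_admin": False},
    "bob":   {"id": 2, "email": "bob@example.test",   "password_hash": "<hash>", "is_admin": False},
}
ORDERS = {
    1001: {"id": 1001, "owner_id": 1, "total": 42.0, "card_last4": "4242"},
    2001: {"id": 2001, "owner_id": 2, "total": 99.0, "card_last4": "1111"},
}


class Forbidden(Exception):
    """Raised for a foreign or unknown object id (one status for both)."""


class TooManyAttempts(Exception):
    """Raised once a one-time code has been burned by repeated guessing."""


# API1 Broken Object Level Authorization -------------------------------------
def get_order_vulnerable(caller, order_id):
    # Checks only that someone is logged in; any order id is served.
    return ORDERS.get(order_id)


def get_order_fixed(caller, order_id):
    # Ownership is enforced on every object reference, not just at login.
    order = ORDERS.get(order_id)
    if order is None or order["owner_id"] != caller["id"]:
        raise Forbidden("not your order")
    return order


# API3 Excessive Data Exposure -----------------------------------------------
def profile_vulnerable(user):
    # Returns the whole record and trusts the client to hide the rest.
    return dict(user)


PROFILE_FIELDS = ("id", "email")             # explicit allowlist for this endpoint


def profile_fixed(user):
    # Serialises only what this endpoint is meant to expose.
    return {k: user[k] for k in PROFILE_FIELDS}


# API2 Broken User Authentication (OTP guessing) -----------------------------
MAX_OTP_ATTEMPTS = 5
_failed_otp = {}                             # username -> failed guesses so far


def verify_otp_vulnerable(username, expected, submitted):
    # Unlimited tries: the 10**6 six-digit codes take one script and one afternoon.
    return submitted == expected


def verify_otp_fixed(username, expected, submitted):
    # The code is dead after MAX_OTP_ATTEMPTS wrong guesses, and the comparison
    # is constant-time so response timing does not leak matching prefixes.
    failed = _failed_otp.get(username, 0)
    if failed >= MAX_OTP_ATTEMPTS:
        raise TooManyAttempts("code invalidated; request a new one")
    if hmac.compare_digest(str(submitted), str(expected)):
        _failed_otp.pop(username, None)
        return True
    _failed_otp[username] = failed + 1
    return False


def raises(exc, fn, *args):
    """True if fn(*args) raises exc; used to show the fixed handlers refusing."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    bob = USERS["bob"]
    print("vulnerable: bob reads alice's order ->", get_order_vulnerable(bob, 1001))
    print("fixed: bob refused ->", raises(Forbidden, get_order_fixed, bob, 1001))
    print("vulnerable profile:", profile_vulnerable(bob))
    print("fixed profile:", profile_fixed(bob))
    for guess in range(MAX_OTP_ATTEMPTS + 1):
        burned = raises(TooManyAttempts, verify_otp_fixed, "bob", "123456", f"{guess:06d}")
        print(f"guess {guess}: code burned -> {burned}")
```

Two details carry over to real code: the fixed order handler returns the same error for "not found" and "not yours", so an enumerating client cannot learn which ids exist, and the profile allowlist lives beside the handler, so adding a column to the user table never silently adds a field to the response.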
## Presentation of Findings

There needs to be a report that management can understand, and it must address the relevant findings. Each organization is different, and each set of findings will be different. For example, because of some openly readable resources such as [Venmo's transactions](https://help.venmo.com/hc/en-us/articles/210413717-Payment-Activity-Privacy), testing may reveal that private information is visible to the public, yet the company accepts the risk because that is how the API is designed.

All the best on your road to securing your APIs!