- Recon
- Passive
- GitHub
- Postman
- other API sites
- Active
- nmap
- ffuf
- wfuzz
- kiterunner
- amass
- Vulnerability Scans
- Nikto
- OWASP ZAP
- Passive
- Endpoint Collection
- Public
- Private
- Partner
- Vulnerabilities
- Phase One:
- BOLA
- BFLA
- BUA
- BOPLA
- Phase Two:
- Injection Attacks
- Security Misconfiguration
- Phase Three:
- Improper Inventory Management
- Insufficient Logging & Monitoring
- Rate Limiting
- Phase One: