What information we need for an API Assessment
Written by Matthew Elliott

API Assessment Pre-requisites

To conduct an efficient and in-depth API assessment, the tester will need the following before the start of the assessment:

  • A list of all methods/endpoints in scope for the assessment

  • Ideally, an API collection (for example, a Postman or SoapUI collection) containing a valid template for each request, with all of its parameters, will be provided

  • Documentation detailing the overall API functionality and showing all parameters for each of the methods/endpoints in scope

  • If an API collection cannot be provided, example valid requests for each method/endpoint using all available parameters will be required

  • Instructions on how to authenticate to the service. An example pre-made working request is also recommended (e.g. a curl command) so the penetration tester can quickly identify access issues before the assessment begins.

  • In the event the API method/endpoints require valid data such as IDs or banking information to operate successfully, test data will need to be provided


    Please Note

If an API collection and valid example requests cannot be provided, requests will be manually built during testing using the API documentation. This may significantly increase the time taken to carry out the assessment and reduce the number of tests that can be performed during the time frame of the test.

If API documentation is also not available, it is unlikely the tester will be able to create successful requests. In this scenario, the assessment would not provide suitable coverage of the API service(s) in scope. Further to this, all parameters or functionality not detailed in API collections, documentation, or supplied requests will not be included in the test as the tester will likely be unaware of their existence.
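The following is an added example (not part of this article, and not a tool the author or the testing team provides) of the kind of completeness check a tester runs over a supplied Postman v2.1 collection before the assessment starts. It walks every request, lists method and URL, and flags the gaps the list above and the note warn about: query parameters or path variables with no example value, body-carrying methods with no example body, requests with no authentication defined at request or collection level, and collection variables (such as an access token) left empty. It also renders a curl command per request for the pre-engagement access check. The sample collection, the host api.example.test and the endpoints are constructed for illustration and are hypothetical.

```python
"""Pre-engagement completeness check for a Postman (v2.1) API collection."""
import json
import re

# Constructed sample collection (hypothetical API, not from any real engagement).
SAMPLE_COLLECTION = json.loads(r'''
{
  "info": {"name": "Orders API",
           "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
  "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "{{accessToken}}"}]},
  "variable": [{"key": "baseUrl", "value": "https://api.example.test/v1"},
               {"key": "accessToken", "value": ""}],
  "item": [{"name": "Orders", "item": [
    {"name": "List orders", "request": {"method": "GET",
      "url": {"raw": "{{baseUrl}}/orders?limit=20&status=",
              "query": [{"key": "limit", "value": "20"}, {"key": "status", "value": ""}]}}},
    {"name": "Get order", "request": {"method": "GET",
      "url": {"raw": "{{baseUrl}}/orders/:orderId",
              "variable": [{"key": "orderId", "value": "1001"}]}}},
    {"name": "Create order", "request": {"method": "POST", "auth": {"type": "noauth"},
      "url": {"raw": "{{baseUrl}}/orders"}, "body": {"mode": "raw", "raw": ""}}}
  ]}]
}
''')

BODY_METHODS = {"POST", "PUT", "PATCH"}


def iter_requests(items, folder=()):
    """Yield (folder path, request name, request) for every request, recursing into folders."""
    for entry in items:
        if "item" in entry:
            yield from iter_requests(entry["item"], folder + (entry["name"],))
        elif "request" in entry:
            yield folder, entry["name"], entry["request"]


def resolve(value, variables):
    """Substitute {{var}} placeholders with collection-level variable values."""
    return re.sub(r"\{\{(\w+)\}\}", lambda m: variables.get(m.group(1), m.group(0)), value)


def empty_variables(collection):
    """Collection variables with no value (e.g. a token the client still has to supply)."""
    return [v["key"] for v in collection.get("variable", []) if v.get("value", "") == ""]


def check_collection(collection):
    """Return one finding per request: method, example URL and the gaps to raise with the client."""
    variables = {v["key"]: v["value"] for v in collection.get("variable", [])}
    coll_auth = collection.get("auth", {}).get("type")
    findings = []
    for folder, name, req in iter_requests(collection.get("item", [])):
        url = req.get("url", {})
        if isinstance(url, str):  # older exports store the URL as a bare string
            url = {"raw": url}
        raw = url.get("raw", "")
        gaps = []
        for q in url.get("query", []):
            if q.get("value", "") == "":
                gaps.append(f"query parameter '{q['key']}' has no example value")
        declared = {v.get("key"): v.get("value", "") for v in url.get("variable", [])}
        for key, value in declared.items():
            if value == "":
                gaps.append(f"path variable '{key}' has no example value")
        for key in re.findall(r"/:(\w+)", raw):  # placeholders with no url.variable entry
            if key not in declared:
                gaps.append(f"path variable '{key}' is undeclared")
        method = req.get("method", "GET").upper()
        body = req.get("body", {})
        if method in BODY_METHODS and not (body.get("raw") or body.get("formdata")
                                           or body.get("urlencoded")):
            gaps.append(f"{method} request has no example body")
        auth = req.get("auth", {}).get("type", coll_auth)
        if auth in (None, "noauth"):
            gaps.append("no authentication defined (acceptable only for anonymous endpoints)")
        example_url = resolve(raw, variables)
        for key, value in declared.items():
            if value:
                example_url = example_url.replace(f":{key}", value)
        findings.append({"path": "/".join(folder + (name,)), "method": method,
                         "url": example_url, "gaps": gaps})
    return findings


def to_curl(finding):
    """Render a curl access-check command; the token is read from the environment, not embedded."""
    return (f"curl -sS -o /dev/null -w '%{{http_code}}' -X {finding['method']} "
            f"-H \"Authorization: Bearer $ACCESS_TOKEN\" '{finding['url']}'")


if __name__ == "__main__":
    for f in check_collection(SAMPLE_COLLECTION):
        print(f"{f['method']:6} {f['url']}")
        for gap in f["gaps"]:
            print(f"       - {gap}")
        print(f"       {to_curl(f)}")
    print("empty collection variables:", empty_variables(SAMPLE_COLLECTION))
```

Running the script against the sample reports that `status` has no example value, that the POST has no example body, and that `accessToken` is empty: exactly the items a tester would send back to the client before the start date, since anything not represented in the collection is unlikely to be exercised during the test.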
