4

Authentication and Authorization Testing

Assuming you have read the previous chapter, or already have a working knowledge of Application Programming Interface (API) reconnaissance, it is now time to dive deeper into pentesting the API. In the previous chapter we worked through a crAPI challenge in which we accessed data from objects belonging to other users. That data was supposed to be protected, but crAPI did not enforce the protection correctly: the server verified who we were, yet never checked whether we were allowed to read the object we asked for. This was an authorization flaw.
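To make the distinction concrete, the following is an added example written for this page, not code from the book or from crAPI. It is a minimal in-memory API with two versions of the same "get vehicle" handler: one that authenticates the caller but never checks ownership (the kind of flaw the crAPI challenge exposed), and one that releases a record only to its owner. The `bola_probe` function is the check a tester performs: request an object known to belong to another user with your own token. The users, tokens, object IDs and VIN strings are all constructed for the example, and everything runs in-process rather than over HTTP.

```python
"""Added example (not from the book or from crAPI): an object-level
authorization flaw next to its corrected handler, plus the probe a tester
runs to tell the two apart. All users, tokens and records are constructed."""

from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed data: two users, each owning exactly one vehicle record.
TOKENS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}
VEHICLES: Dict[int, dict] = {
    101: {"owner": "alice", "vin": "1HGCM82633A004352", "location": "40.7,-74.0"},
    102: {"owner": "bob", "vin": "JH4KA7561PC008269", "location": "34.0,-118.2"},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def authenticate(token: str) -> Optional[str]:
    """AuthN: map a bearer token to a username, or None if the token is unknown."""
    return TOKENS.get(token)


def get_vehicle_vulnerable(token: str, vehicle_id: int) -> Response:
    """Authenticates the caller but never checks that the caller owns the
    record: any valid token can read any vehicle ID. This is the flaw."""
    user = authenticate(token)
    if user is None:
        return Response(401)
    vehicle = VEHICLES.get(vehicle_id)
    if vehicle is None:
        return Response(404)
    return Response(200, vehicle)


def get_vehicle_fixed(token: str, vehicle_id: int) -> Response:
    """Same lookup, but the record is released only to its owner (AuthZ).
    A non-owner gets 404 rather than 403 so the endpoint does not confirm
    that the requested ID exists."""
    user = authenticate(token)
    if user is None:
        return Response(401)
    vehicle = VEHICLES.get(vehicle_id)
    if vehicle is None or vehicle["owner"] != user:
        return Response(404)
    return Response(200, vehicle)


def bola_probe(handler: Callable[[str, int], Response],
               attacker_token: str, victim_object_id: int) -> bool:
    """The tester's check: ask for an object that belongs to someone else
    using our own token. Returns True if the object was disclosed."""
    resp = handler(attacker_token, victim_object_id)
    return resp.status == 200 and resp.body is not None


if __name__ == "__main__":
    # Alice holds a valid token and requests Bob's vehicle (ID 102).
    for name, handler in (("vulnerable", get_vehicle_vulnerable),
                          ("fixed", get_vehicle_fixed)):
        leaked = bola_probe(handler, "tok-alice", 102)
        print(f"{name}: alice reads bob's vehicle -> {'LEAKED' if leaked else 'blocked'}")
```

Against a live target the same probe is an HTTP request with one user's session and another user's object ID; the point to check is whether the response is 200 with the other user's data, as opposed to 404 or 403.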

We need to investigate how APIs establish two of their most fundamental security mechanisms: how they authenticate their users (establish who the caller is) and how they authorize them (decide what that caller may do). To keep things short we will use AuthN for authentication and AuthZ for authorization; this is common practice in the ...
