Firstly, I'd like to apologise for the delay in releasing this blog post this week. Over the last week I have been extremely busy with work, university and the HackTheBox University CTF.
That being said, I should be more prepared with these posts, and hopefully going forward I will be better at writing them throughout the week.
Building upon last week, I realised how valuable having a methodology was. That was no different this week; in fact, I worked on refining it just that little bit more. My assignment was the same app as last week; however, this time I was assigned to test the API for the application. When I received this, I hadn't tested an API before, so it was certainly unexpected, but at the same time it is part of my job role to test to a scope.
This week has been one of the best in terms of learning. Having never touched API testing, I first set out to look for resources on common vulnerabilities and misconfigurations. As I had two to three days to work on this, I decided it best to spend several hours on day one researching, taking notes and figuring out how to replicate what I found.
One tool that was recommended by a colleague was Postman. Up until this moment I had heard the name Postman, but I had never had to use the tool. It proved to be an absolute lifesaver and an incredible tool that I will certainly be using going forward. It allows you to make requests to an API once you map it out, in order to see how it acts and responds to certain types of data.
The part of this tool that I found incredible is that you can export a request. For example, if you notice something interesting with one type of request, you can copy the request in whatever format you want. If you want an HTTP request that you can drop straight into Burp, done; want a cURL command, there you go. The one that screamed out to me, given my latest ventures with Python, was that you can export it as Python requests code, with the formatting and flags set for you automatically.
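To show what you can do once a request is exported to a script rather than replayed by hand, here is an added example (not code from the original post, and not Postman's own export output) that replays one API call with several kinds of input and records how the endpoint responds. It uses only the standard library so it runs offline: the tiny `FakeApi` server, the `/items` path, the `PROBES` inputs and the `classify` rules are all constructed assumptions standing in for a real API, not the application tested in the post.

```python
"""Replay an API request with varied input and record how the endpoint responds.
Constructed example: FakeApi is a stand-in for a real API so this runs offline."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class FakeApi(BaseHTTPRequestHandler):
    """Constructed stand-in API: POST /items expects JSON {"id": <int>}."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length)
        try:
            body = json.loads(raw)
            item_id = body["id"]
            if not isinstance(item_id, int):
                raise TypeError("id must be int, got %s" % type(item_id).__name__)
        except (ValueError, KeyError):
            self._send(400, {"error": "bad request"})
            return
        except TypeError as exc:
            # Deliberately leaky stand-in behaviour: echoes internal detail to the client.
            self._send(500, {"error": "Traceback: " + str(exc)})
            return
        self._send(200, {"id": item_id, "name": "item-%d" % item_id})

    def _send(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the console quiet while probing
        pass


def send_json(url, payload):
    """Replay one POST and return (status, body_text); HTTP errors are results, not exceptions."""
    req = urllib.request.Request(url, data=payload, method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


# Constructed inputs: the kinds of data you vary when mapping out an endpoint.
PROBES = {
    "valid": b'{"id": 7}',
    "wrong_type": b'{"id": "7"}',
    "missing_field": b'{}',
    "not_json": b'id=7',
}


def classify(status, body):
    """Flag responses worth a second look: bodies that leak internals, then server errors."""
    if "Traceback" in body:
        return "leaks-internals"
    if status >= 500:
        return "server-error"
    return "ok"


def run_probes(port=0):
    """Start the stand-in API, replay every probe against it and return {name: (status, verdict)}."""
    server = HTTPServer(("127.0.0.1", port), FakeApi)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    url = "http://127.0.0.1:%d/items" % server.server_address[1]
    results = {}
    try:
        for name, payload in PROBES.items():
            status, body = send_json(url, payload)
            results[name] = (status, classify(status, body))
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for name, (status, verdict) in run_probes().items():
        print("%-14s -> %d %s" % (name, status, verdict))
```

Against a real target you would replace `FakeApi` with the exported request's URL and headers; the point of the script is that each input variant and the verdict on its response are recorded in one place, which is what makes the findings easy to reproduce in the report.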
This was groundbreaking and truly my favourite part of the week. Up until now I hadn't thought about how to test APIs, nor how they could be exploited further down the line. This test was truly trial by fire, but you know what, it taught me so much, and I highly recommend checking out API testing if you are looking at going into industry for web app testing.
Right, so as per usual I'll just touch on my takeaways, after going on and on about Postman for the majority of the post.
Firstly, don't go into this area thinking everything is going to be super exciting. Though I enjoyed my first experience with API testing, I can already see that it will be boring later on: if APIs are configured correctly, testing them is a complete walk in the park, but that also leads you to rapidly realise that it's not that eventful.
Postman is an absolute lifesaver! If, like me, you are fairly lazy in terms of manual things, Postman is amazing. Don't get me wrong, you could use Burp Suite and the many features it offers. However, Postman has one purpose, and that is to test APIs. I can't recommend taking a look at it enough!
The final takeaway that was impactful, and again one I highly recommend to anyone starting out: if you have time to test something like I did on this, and you don't really know what you're doing, don't be scared to set aside a period of time at the beginning to learn the basics and common misconfigurations.
Honestly, I spent those hours on the first day of being assigned this instead of stressing out about having to find something. First ask yourself one simple question: "With my current skillset, am I going to find something?" If your answer is no, then hey, go upskill for a small amount of time and come back. It will certainly help you out in the long term!