process used to map out the threats to an API provider.
Threat actor
adversary or attacker of the API.
Token handling
The storage of tokens, the method of transmitting tokens across a network, the presence of hardcoded tokens.
BOLA
Access the information of other accounts, such as payment histories, usernames, email addresses, and account numbers.
BFLA
Transfer money and actually update the account information.
API bug bounties
BugCrowd
Twitter
Apple
Microsoft
Google
Hackerone
Information Disclosure
/wp-json/wp/v2/user
Broken Object Level Authorization (BOLA)
unauthorized access
GET /api/resource/1
GET /user/account/find?user_id=15
POST /company/account/Apple/balance
POST /admin/pwreset/account/90
GET /api/resource/3
GET /user/account/find?user_id=23
POST /company/account/Google/balance
POST /admin/pwreset/account/111
Broken User Authentication
API keys, tokens, and credentials used in URLs
Rate-limit restrictions when authenticating
Verbose error messaging
Excessive Data Exposure
Test the target API endpoints and review the information sent in response.
Lack of Resources and Rate Limiting
Send a barrage of requests to the API.
If rate limiting is functioning, you should receive some sort of response informing you that you’re no longer able to make additional requests.
HTTP 429 status code
Broken Function Level Authorization (BFLA)
unauthorized actions
When a user of one role or group is able to access the API functionality of another role or group.
Accounts types
administrators
partners
merchants
public users
Functions
altering user accounts
accessing user resources
gaining access to restricted endpoints
Mass Assignment
Occurs when an API consumer includes more parameters in their requests than the application intended and the application adds these parameters to code variables or internal objects
guess parameters or fuzz them in API requests
Look for parameters involved in user account properties, critical funcs, administrative actions.