Automating REST Security Part 3: Practical Tests for Real-World APIs
If you have read our two previous blog posts, you should now have a good grasp of the structural components used in REST APIs and of where security analysis can be automated. You have also learned about REST-Attacker, the analysis tool we implemented as a framework for automated analysis.
In our final blog post, we dive deeper into practical testing by looking at some of the automated analysis tests implemented in REST-Attacker. In particular, we focus on three test categories that are well suited for automation. We also look at the test results we acquired when we ran these tests against the real-world API implementations of GitHub, GitLab, Microsoft, Spotify, YouTube, and Zoom.
Author
Christoph Heine
Overview
- Part 1: Challenges in Analyzing REST Security
- Part 2: Tool-based REST Analysis with REST-Attacker
- Part 3: Practical Tests for Real-World APIs