What is an API?

API stands for Application Programming Interface.
An API is a mechanism that allows two software components to communicate with each other using a set of definitions and protocols. For example, a banking software system holds money and transaction data, and its API is how other software reaches that data.
API Testing is a type of software testing that validates Application Programming Interfaces (APIs). The purpose of API Testing is to check the functionality, reliability, performance, and security of the programming interfaces. Software is used to send calls to the API, get the output, and record the system's response. API tests are very different from GUI tests and do not concentrate on the look and feel of an application.
APIs are divided into several types, including the following.
- Public API
- Private API
- Others
The most commonly encountered API styles are REST APIs and GraphQL APIs.
The OWASP Web Security Testing Guide gives test objectives and instructions on how to test GraphQL:
Testing GraphQL
Summary: GraphQL has become very popular in modern APIs. It provides simplicity and nested objects, which facilitate faster development. While every technology has advantages, it can also expose the application to new attack surfaces. The purpose of this scenario is to provide some common misconfigurations and attack vectors on applications that utilize GraphQL. Some vectors are unique to GraphQL (e.g. Introspection Query) and some are generic to APIs (e.g. SQL injection).
Examples in this section are based on a vulnerable GraphQL application, poc-graphql, which runs in a Docker container that maps localhost:8080/GraphQL as the vulnerable GraphQL node.
Test Objectives
- Assess that a secure and production-ready configuration is deployed.
- Validate all input fields against generic attacks.
- Ensure that proper access controls are applied.
How to Test
Testing GraphQL nodes is not very different from testing other API technologies.
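The first test objective above (a production-ready configuration) is usually checked by probing whether introspection is enabled, since the Introspection Query is the GraphQL-specific vector named in the summary. The following helper is an added example, not code from OWASP, poc-graphql or DVGA: it builds the probe body a client would POST to /graphql and classifies the JSON reply; the two sample responses are constructed, and the error message text is an assumption (real servers word it differently).

```python
import json

# The query a client would POST to /graphql; only the fields needed to tell
# "schema exposed" from "schema hidden" are requested.
INTROSPECTION_QUERY = """
query ProbeIntrospection {
  __schema {
    queryType { name }
    mutationType { name }
    types { name kind }
  }
}
"""


def build_request_body() -> str:
    """JSON body for a POST to the /graphql endpoint (Content-Type: application/json)."""
    return json.dumps({"operationName": "ProbeIntrospection", "query": INTROSPECTION_QUERY})


def _finding(state, types=(), mutations=False):
    return {"introspection": state, "types": list(types), "mutations": mutations}


def classify_introspection(response_body: str) -> dict:
    """Turn the raw JSON text the endpoint replied with into a finding."""
    try:
        doc = json.loads(response_body)
    except json.JSONDecodeError:
        doc = None
    if not isinstance(doc, dict):          # not JSON, or not a GraphQL envelope
        return _finding("unknown")
    schema = (doc.get("data") or {}).get("__schema")
    if isinstance(schema, dict):
        # Drop introspection meta-types (__Schema, __Type, ...) and scalars so only
        # the application's own object types remain: that is what was exposed.
        leaked = sorted(t["name"] for t in schema.get("types", [])
                        if t["kind"] in ("OBJECT", "INPUT_OBJECT") and not t["name"].startswith("__"))
        return _finding("enabled", leaked, schema.get("mutationType") is not None)
    if doc.get("errors"):
        # A node with introspection disabled answers the probe with an error entry.
        return _finding("disabled")
    return _finding("unknown")


# Constructed sample responses (not captured from DVGA or poc-graphql).
EXPOSED_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [{"name": "Query", "kind": "OBJECT"}, {"name": "Mutation", "kind": "OBJECT"},
              {"name": "Post", "kind": "OBJECT"}, {"name": "String", "kind": "SCALAR"},
              {"name": "__Schema", "kind": "OBJECT"}]}}})
HIDDEN_RESPONSE = json.dumps({"data": None, "errors": [
    {"message": "GraphQL introspection is not allowed"}]})  # assumed wording
```

Feed `classify_introspection` the body of the /graphql response captured in Burp Suite's Repeater; "enabled" on a production node is the misconfiguration to report.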
In this session, I will try to install DVGA on my own PC.

DVGA link on GitHub:
I installed DVGA in Docker; the operating system I use happens to be Windows 11.
How do you install Docker in WSL on Windows without the Docker Desktop GUI?
You can read this blog article:
Once DVGA is installed on the local computer, open it in the browser and it will display the following:

Then set up the proxy in Burp Suite:


Try to access these pages:

and view the response in Burp Suite:

Lo and behold, Burp Suite captures the /graphql response from the DVGA website.
Now, look at /graphql in Burp Suite and send it to Repeater:

You can freely explore DVGA for API hacking practice to test your intuition.
That's all from me. Apologies if much of the writing is lacking; thank you very much.
And </To Be Shadow>