Update web-api-pentesting.md

SirBroccoli 2025-10-04 11:08:00 +02:00 committed by GitHub
parent 373bbd0af0
commit 2220ccfef2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -75,17 +75,6 @@ Impact to assess
- Data corruption via non-idempotent restarts: Forcing concurrent runs of migrations/workers can create race conditions and inconsistent partial states (silent data loss, broken analytics).
- DoS via worker/DB starvation: Repeatedly triggering heavy jobs can exhaust worker pools and database connections, causing tenant-wide outages.
Detection heuristics
- Look for sensitive semantics in procedure names: `*migrations*`, `*admin*`, `*status*`, `*retry*`, `*featureFlags*`, `*tenants*`, `*jobs*`.
- Compare responses across roles: If a basic user can successfully call state-changing admin endpoints, you likely have BFLA/BOLA.
- Check for missing server-side RBAC/ABAC in middleware. Input validation with Zod is orthogonal to authorization.
Notes for remediation (for dev teams you report to)
- Introduce an explicit `adminProcedure` or equivalent middleware that enforces role/permission checks on all sensitive routers (`list`/`all`, `status`, `retry`, etc.).
- Add rate limiting and idempotency/locking around maintenance endpoints to limit blast radius.
### **Tools and Resources for API Pentesting**
- [**kiterunner**](https://github.com/assetnote/kiterunner): Excellent for discovering API endpoints. Use it to scan and brute force paths and parameters against target APIs.
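Review bot: the labels `Detection heuristics` and `Notes for remediation (for dev teams you report to)` are bare text lines placed directly after a bullet item with no blank line, so Markdown treats them as lazy continuations of the preceding bullet instead of section labels; give them the file's own `###`/`####` heading style (or bold them and surround them with blank lines) so the detection and remediation lists render as separate sections. The `Notes for remediation` block also reads as a new list that runs straight into `### **Tools and Resources for API Pentesting**`; a blank line before that heading keeps the rendered structure clear.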